We had a user receive an email with what appears to be a Word Doc virus and it wanted them to open the file and enable editing. If they did not enable editing but merely opened the file, should we be concerned that they may have gotten a virus (assume they are telling the truth about not having enabled editing)?

sa289
  • `should we be concerned` Yes. ... A definite answer like "you have a virus now" won't be possible here, but it's certainly not *im*possible. – deviantfan Dec 16 '15 at 03:20
  • Short answer: The read-only protected mode present in Office 2010 onward will protect you from many exploits that might be delivered by an Office file, but not necessarily all of them. I'll leave it to someone else to give a real, explanatory answer, but if the user really didn't click "enable" (and especially didn't click "allow" to let macros in another security warning), and your Office patching was up-to-date, and you didn't get an AV alert, you're probably fine. Probably, but definitely not with 100% certainty. – mostlyinformed Dec 16 '15 at 03:21
  • Agree with @deviantfan. Have you run the attachment through Virustotal? – mostlyinformed Dec 16 '15 at 03:22
  • @halfinformed Here's the link to the VirusTotal results http://preview.tinyurl.com/hfvyl97 – sa289 Dec 16 '15 at 04:33
  • @sa289 Yeah, it certainly smells malicious to me. It has a macro within it, which is where you're usually going to find your malicious code in attacks against recent Office versions, plus (per VT) some obfuscated code. The hit rate of AV suites flagging it (16/55) is concerning but not definitive. Most of them flagged it generically, but TrendMicro specifically puts it in the "W2KM" class of malware. Take a look at W2KM_ZLOD, which spreads through, yes, macros in Word documents: http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/w2km_zlod.fm – mostlyinformed Dec 16 '15 at 05:19
  • The good news: for a macro in a document from the Internet to run in a recent version of Word the user has to click "enable" to get out of protected mode and then click through another separate warning to specifically run macros. If neither of those happened, you're probably fine. Probably. (But running a one-time scan from TrendMicro's online scanner on the box that opened the document probably couldn't hurt anything. I think the service is still free, like most of its competitors' are.) – mostlyinformed Dec 16 '15 at 05:30
  • Remember: the user is always lying! – Beat Dec 16 '15 at 08:29

1 Answer


No. It is still possible to get a virus via MS Word. If the virus utilises an exploit kit, it auto-executes without any user interaction. If it is a macro virus, depending on the level of security, the user, assuming macro security is enabled, will either have to click 'enable' in a pop-up or won't be able to activate any macro. So it isn't impossible to get a virus via MS Word, although it isn't too likely. But still take precautions.

LockedLion
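
The macro check discussed in this thread can be done without opening the attachment in Word at all. The sketch below is an added example, not code from the answer or from any tool named above; it classifies a file by container type and by whether it carries a VBA project. The function names, result labels and sample bytes are assumptions constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")       # legacy .doc compound file
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML (.docx/.docm) container
VBA_DIR_ENTRY = "_VBA_PROJECT".encode("utf-16-le")   # OLE directory names are UTF-16LE


def macro_triage(data: bytes) -> str:
    """Classify an attachment by container type and presence of a VBA project.

    Works on raw bytes only; the file is never opened in Office. A
    "no-macro" result does not clear the file: as the answer notes,
    exploit-based documents need no macro.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "corrupt-zip"
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml-no-macro"
    if data.startswith(OLE_MAGIC):
        # Heuristic: search for the directory entry name of the VBA stream.
        return "ole-macro" if VBA_DIR_ENTRY in data else "ole-no-macro"
    if data.lstrip().startswith(b"{\\rt"):
        return "rtf-no-vba"  # RTF holds no VBA, but can still embed objects
    return "unknown"


def sample_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal zip shaped like a Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(macro_triage(sample_ooxml(True)))
    print(macro_triage(sample_ooxml(False)))
    print(macro_triage(OLE_MAGIC + b"\x00" * 64 + VBA_DIR_ENTRY))
```
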