Why Word “macro malware” is back, and what you can do about it…

If you’ve ever fallen into the work-day habit of opening random programs (.EXE files) that came in via email, you’ve probably ended up in trouble with IT.

Or looking for another job.

Legitimate software hardly ever gets distributed by email, so those .EXE attachments are almost always malware: viruses, worms, password stealers, ransomware, banking Trojans, spam zombies, and so on.

→ Many companies simply block all emails that contain .EXE files, and that’s that. You probably should, too, if you aren’t doing so already.

On the other hand, you may very well open several emailed documents, such as .DOC, .DOCX and .RTF files, every day without anyone saying a word, no pun intended.

Indeed, in some jobs – office assistant, HR co-ordinator, shipping clerk, accounts payable, investment advisor, technical support – you may very well be expected to open documents that are sent to you.

You’re might even get in trouble for not opening them!

Nevertheless, many Microsoft products, including Office applications, include a component known as VBA, short for Visual Basic for Applications.

You can add VBA code into files such as documents and spreadsheets, and many people do, as part of what’s often called office automation, workflow streamlining, or simply doing things faster and more accurately.

Indeed, VBA is a programming language that is as likely to be used by accountants and auditors as by software engineers and sysadmins.

You can see where this is going.

VBA code can not only make your finance department’s job easier, but also give cybercrooks another opening through which to squeeze malware into your organisation.

Macro malware redux

And that’s why the crooks have been getting back into VBA malware – old school “macro viruses,” as they used to be called back in the late 1990s – delivered via Office documents.

Simply put, we’ve got over our fear of macro viruses because they’ve been off the menu for years…

…but in recent times, they’ve been making a comeback.

Graham Chantry of SophosLabs has been keeping his eye on the VBA malware scene for a year or more now.

So he took a recent VBA attack apart, to give you a fascinating insight into the security arms race.

The trick is that the VBA malware is usually just the start of the attack.

The malicious VBA isn’t the whole malware story: it runs once in the background when you open the document, and installs or downloads a .EXE file for you, without asking.

That means you are never confronted with a decision on whether to accept or open an executable, or to download and run a program, so you aren’t doing anything that would obviously attract the wrath of IT.

You’re only ever faced with an innocent-looking document, which you could be forgiven for opening, especially if you routinely receive and process documents sent in by customers, suppliers, colleagues and others.

But the malware writer ends up with a full-strength executable file installed – a malicious program that will keep on running in the background not only after you close the downloader document, but even when you logout or reboot.

Read Graham’s excellent analysis and learn the tell-tale signs of macro malware attack!


• Don’t be tempted to reduce security (e.g. by enabling VBA macros) because a document tells you to. Malware may even tell you that macros need to be enabled “for security purposes.” Immediately consider any such document to be untruthworthy.

• Consider blocking Office files emailed from outside if they contain macros. (Some Sophos products let you do this.) VBA macros used in your organisation should ideally only ever originate internally from IT, not from untrusted outside sources.