Suspicious Document

I need an explanation for this. Either you know what it contains and suspect the sender's PC to be infected with some nasty stuff, or it is a random file that popped up somewhere.

Could you post a screenshot of the green/red meter thing?

Did you upload the file or the hash? The file will be recorded (though I can't remember if it keeps contents). It will say if it's clean or not.

I uploaded the file, I sent them an email asking if they'll take it down. It said it was clean.

https://www.virustotal.com/en/about/contact/#file-deletion

If you didn't already.


Thank you!!!

A couple of things to watch out for.
One is Windows hiding extensions for known file types. I guess Microsoft thought it was a good idea, but like many it was only useful as an exploit or attack vector. If someone sends you a file called readme.txt.exe, and they have the icon for the exe file the same as the default icon Windows shows for txt files, you may not even notice it is an exe file and open it.
Another is getting a .doc file in email (for earlier versions of Office) that, when opened in older versions of Office, could run arbitrary code to no doubt install ransomware. This was not a macro; it used a buffer exploit to run its own code at the same elevation as Word.
Finally, the .docx files. The x just means they moved from their proprietary document format to a zipped XML format. Usually they have a variant of the filename called .docxm meaning it contains macros. Office default settings should prevent macros from being run by default unless the code is signed with a trusted certificate. You should know many virus scanners install and trust root certificate authorities on your computer, and they have lost control of their private certificates. Dell also did this with one of their update programs. So, if you see warnings, they are there for a reason. Unfortunately, even if you don't see warnings, it doesn't mean you are in the clear. So if in any form of doubt as to the origin of the document, don't open it. You might be fine to open it in LibreOffice, but don't quote me on that. It still seems to support macros to some degree.
If you really want to look at the code, the best way is to spin up a Windows VM with Office installed, open the doc, leave macros disabled, and bring up the Visual Basic editor. Then look away. You might need to enable the Developer tool ribbon thing for this. Or you could use a sacrificial laptop not connected to any network drives.
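The two points raised in this thread so far, hashing a file so it can be looked up without uploading it, and the .docx container being a plain zip of XML parts, can be checked offline before anything is opened. The script below is an added example written for this page, not code from any poster here. It assumes an illustrative subset of executable and decoy extensions (hypothetical lists, not exhaustive), and the sample "documents" it builds are constructed minimal zips, not real Word files; the macro content-type strings are the standard OOXML ones. It reports the SHA-256, what Explorer would display with extensions hidden, whether the name is a readme.txt.exe-style disguise, and whether the package carries a vbaProject.bin part or a macroEnabled main content type, without ever executing anything inside the file.

```python
"""Offline triage of a suspicious attachment: hash it for a lookup,
check for a disguised extension, and look inside OOXML for macro parts."""
import hashlib
import io
import pathlib
import re
import zipfile

# Extensions Windows executes directly (illustrative subset, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi"}
# Harmless-looking extensions used as a decoy in front of the real one (illustrative).
DECOY_EXTS = {".txt", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".png"}


def sha256_hex(data: bytes) -> str:
    """Hash the bytes so a scanner lookup can be done by hash instead of upload."""
    return hashlib.sha256(data).hexdigest()


def displayed_name(name: str) -> str:
    """What Explorer shows with 'hide extensions for known file types' on:
    the final extension is dropped, so readme.txt.exe appears as readme.txt."""
    base, dot, _ext = name.rpartition(".")
    return base if dot else name


def disguised_extension(name: str) -> bool:
    """True when the real (last) extension is executable and the one before it
    is a document or image extension acting as a decoy."""
    suffixes = [s.lower() for s in pathlib.PurePosixPath(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS


def inspect_ooxml(data: bytes) -> dict:
    """Open the bytes as the zip container OOXML uses and report macro indicators:
    a vbaProject.bin part and/or a 'macroEnabled' main content type."""
    info = {"is_ooxml": False, "macro_parts": [], "macro_enabled_type": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return info  # a zip, but not an Office package
            info["is_ooxml"] = True
            info["macro_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            info["macro_enabled_type"] = bool(re.search(r"macroEnabled", content_types))
    except zipfile.BadZipFile:
        pass  # not a zip at all: legacy .doc, an executable, or something else
    return info


def triage(name: str, data: bytes) -> dict:
    """Combine the checks into a single verdict for the person holding the file."""
    ooxml = inspect_ooxml(data)
    result = {
        "name": name,
        "shown_as": displayed_name(name),
        "sha256": sha256_hex(data),
        "disguised_extension": disguised_extension(name),
        **ooxml,
    }
    if result["disguised_extension"]:
        result["verdict"] = "executable disguised as a document; do not open"
    elif ooxml["macro_parts"] or ooxml["macro_enabled_type"]:
        result["verdict"] = "contains VBA macros; do not open"
    elif ooxml["is_ooxml"]:
        result["verdict"] = "OOXML package without macro parts (still verify the sender)"
    else:
        result["verdict"] = "not an OOXML package; inspect by other means"
    return result


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed sample package (not a real Word file) for demonstration only."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    ct = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>')
    if with_macro:
        ct += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    ct += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project; not real macro code.
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [  # constructed inputs, not files from this thread
        ("report.docx", build_ooxml(False)),
        ("invoice.docm", build_ooxml(True)),
        ("readme.txt.exe", b"MZ constructed, not a real executable"),
    ]
    for name, data in samples:
        r = triage(name, data)
        print(f"{name:16} shown as {r['shown_as']:12} -> {r['verdict']}")
```

Run it against a real attachment by reading the bytes with `open(path, "rb").read()` and passing them to `triage`; the file is only parsed as a zip, never rendered or executed. A legacy binary .doc is not a zip, so it falls through to the last verdict and needs a different tool.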

A) Why would you download something you thought was suspicious?

2) Why would you open a file you thought might be infected?

Actually that's exactly how malicious macros embedded in .docx and .xlsx files work, they run when you open the file. This is why the later versions of Word and Excel disable macros by default.

I'm not that familiar with Word but you can write code in Excel to do just about anything. I have spreadsheets that automatically send emails after a user has entered data and I have a couple files that grab information from our database at 2 in the morning (A Windows task opens the file but the spreadsheet does all the rest).


THIS is the key bit. If you were expecting to get a file from {this person} cool. if not (from {this person} or otherwise) then DELETE IT.

Don't do this. You won't benefit from your curiosity. If it's bad, and you open it, you're screwed.

Make sure your email client BLOCKS inline and attached image downloads automatically, by default. Make sure your os NEVER runs/tries to open files by default.


I think you're fine as long as you don't turn on macros. Especially if it asks you to do so.

If you don't know who it's from, then why would you keep it? Delete that bad boy.

Yes - Word documents can have malicious macros embedded in them.

I'd say it's safe to say your computer is now a member of a global botnet. Disconnect that machine from the internet and take it to someone who can clean it.

Please don't be a part of the global botnet problem. Disconnect - we've all downloaded stuff we shouldn't have.


So would a clean install of windows make it "clean" enough?


On a fresh hdd...

Yup. A nuke and pave (if you don't have good backups) is good enough.

If you are on Windows, you can use a VM and poke around (don't allow the VM internet access). If you are on Linux, there are several things to do; one is sandbox: you can type man sandbox for in-depth info.

MusicBee got hacked once, and every time I went on that day it shot me to a page and it tried to make me download MP3.exe.

kek.

Assuming any malware wasn't injected into the firmware. Unlikely in this case as it seems to be clean.


All this talk of infection seems a little over the top to me.

Any doc(x), xls(x) or other Office document could contain a malicious macro that may do nasty things to your PC.

Recent versions of Office (2010 and up, I believe) have macros disabled for all files by default. In fact, most Office documents that weren't made on that PC open in a read-only mode the first time.

Assuming that you haven't set your Office programs to run macros automatically, it is unlikely that simply opening the document will infect your PC. This is based on the assumption that your Office programs are up to date.

All of that aside, you need to ask yourself if this is actually likely to be a malicious document. Did it come from someone you know? Were you expecting this document? How was it sent to you?

If you don't know the answers to these, just don't download the file and forget about it.