Skip to Main Content

Ransomware Is Being Hidden Inside Attachments of Attachments


Ransomware attacks are getting more and more clever as the public gets wise to them. The latest involves hiding a malicious macro inside a Word document attached to a seemingly harmless PDF file.

The new ransomware campaign, highlighted by the Naked Security blog, works like this:

  1. You’re sent a spam email with a PDF attachment (which should already be a red flag), but the PDF looks safe and clear with most antivirus apps.

  2. The PDF has an attached document that Acrobat Reader tries to open when you open the PDF.

  3. The document gets opened by Microsoft Word, then asks you to enable editing. But it’s actually a social engineering attack trying to get you to enable a VBA macro.

  4. When you say yes to enable editing, the VBA macro runs, then downloads and runs the crypto ransomware Locky.

By hiding the actual attack inside an attached document within another safe-looking document, ransomware attackers can get around most antivirus filters. SophosLabs likens the approach to a Russian matryoshka doll, hiding an attack within a file within a file.

Fortunately, to avoid these types of attacks you simply need to follow the same rules you should have been following all along—with one caveat. Be wary of email attachments, yes, but also don’t fully rely on your security software when it says a suspicious file looks safe.

Even if it looks like it’s coming from a friend, take a few extra moments to make sure it’s really them. Attackers have been getting better at masquerading as people you trust. And never enable macros in documents you receive via email. Microsoft keeps auto-execution of macros disabled by default, but don’t let clever social engineering tricks get you to turn them back on.