 A Potentially Infectious Email Containing a ZIP File and a Word Document

Hello. Ben again from Grassroots IT. Look, I really do not want to become the guy on YouTube who posts about every single new virus and infection that comes out, but I have just got hold of a new variant on those phishing emails that are coming through and wanted to show you very briefly.

What we can see here is an email that has come to my proper address. They've got my address from somewhere, not that that's hard mind, and it's come from Michael John Stone at something or other .co.uk. I have no idea who this person is for starters. That's the first thing we need to be aware of. Coming down into the body of the email: “Denied BPay transaction”. They're using the sort of bait here that's likely to get everybody interested. Denied transactions. I'd better fix that, otherwise I'm going to get hit with fines and fees et cetera.

They're really baiting people well. They're talking about Australian dollars here, which makes it seem a little more legitimate given that I work in Australian dollars. Obviously there's my email address there.

Here are a couple of interesting things. Can you see the attachment? Aborted Bill Payment transaction. Can you see on the end there, it says .zip? A zip file is a compressed file, a compressed archive that may contain multiple other files. It is a classic way for spammers to send through potentially infectious payloads.

What I'm going to do, I've already checked this out in advance so don't panic, is I'm going to double click on that to open it. Now I would recommend that you do not. If you do receive one just like this, leave it alone. Delete it. Okie doke? So what we can see here is that it's uncompressed that and there is a single file in there. It is a Word document. Word 97 - 2003, so a slightly older format. Again, this is looking a little bit suspicious. I'm not sure why anyone would legitimately zip up a single Word document. But I'm going to double click on that again.

Now, again, do not do this yourselves, please. I've already been through this. I know what I'm doing. These are trained professionals, people. Now this is interesting. We get a Word document. The main way that they can potentially infect your computer or cause problems, is using macros. Macros are like little scripts or computer programs that can run within a Word document. But by default, Word will not run those macros. It's got security settings in place that don't let that happen. So what they're trying to prompt you to do here is to essentially disable that security, okay?

See this, Macros must be enabled to display the contents of the document. They're actually trying to get you to disable that built-in security that Word has so that their malicious payload can run.

Now going through the document here, they do give you instructions on how to do that for every version of Microsoft Word. Again, don't do this. What I'm going to do though is do this. So I'm clicking on enable editing. Okay. So it's changed views now into the editing view of Word. You can see our document there but here's another security warning. Security warning: Macros have been disabled, so Word is still trying to protect me. Now, I'm not going to click on Enable Content. That will cause problems on my computer and I don't want that. What I am going to do, though, is show you something which is a bit geeky but I thought you might like to see it.

What we're looking at here is the Visual Basic for Applications editor. This is the actual window that you can use to work with these malicious macros and scripts and so on. And there's one here. See that one there, Project Bill Pay Cancelled? That is essentially the malicious little script which will try to do nasty stuff to our computer. When I click on that, they've got it password protected so that you can't go in there and see exactly what the scripts are trying to do, etc. etc.
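The warning signs walked through above (a zip holding a single Word 97-2003 document, an "enable macros" lure, and a VBA project inside the file) can be checked before anyone double clicks anything. The script below is an added example for this write-up, not something from the video or from Grassroots IT: it uses only the Python standard library, builds a constructed stand-in for the attachment (the OLE2 magic bytes plus the strings a lure document and its VBA project would contain, not a real Word file), and reports which of those signs are present.

```python
import io
import zipfile

# OLE2 / Compound File header: the container format used by legacy .doc/.xls/.ppt files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Phrases typical of documents that ask the user to switch off Word's macro protection.
LURE_PHRASES = (b"macros must be enabled", b"enable content", b"enable editing")
# Storage names of a VBA project; OLE2 directory entries store names as UTF-16LE.
VBA_STORAGE_MARKERS = (b"M\x00a\x00c\x00r\x00o\x00s\x00", b"V\x00B\x00A\x00")
LEGACY_OFFICE_EXT = (".doc", ".dot", ".xls", ".ppt", ".docm", ".xlsm")


def build_sample_attachment() -> bytes:
    """Constructed sample only: a zip with one fake .doc that mimics the lure."""
    fake_doc = (
        OLE2_MAGIC + b"\x00" * 64
        + b"Macros must be enabled to display the contents of the document"
        + b"\x00" * 16 + b"".join(VBA_STORAGE_MARKERS)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Aborted Bill Payment transaction.doc", fake_doc)
    return buf.getvalue()


def triage_zip_attachment(data: bytes, max_member_bytes: int = 10_000_000) -> dict:
    """List zip members and flag the indicators discussed above; never executes anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        names = [m.filename for m in members]
        if len(members) == 1 and names[0].lower().endswith(LEGACY_OFFICE_EXT):
            findings.append("single Office document zipped on its own")
        for m in members:
            if m.file_size > max_member_bytes:  # skip oversized members (zip-bomb guard)
                continue
            body = zf.read(m)
            if body.startswith(OLE2_MAGIC):
                findings.append(f"{m.filename}: legacy OLE2 (Word 97-2003) container")
                if any(marker in body for marker in VBA_STORAGE_MARKERS):
                    findings.append(f"{m.filename}: VBA project storage names present")
            if any(phrase in body.lower() for phrase in LURE_PHRASES):
                findings.append(f"{m.filename}: 'enable macros' lure text")
    return {"members": names, "findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for line in triage_zip_attachment(build_sample_attachment())["findings"]:
        print("-", line)
```

On a real attachment, run it against the saved .zip bytes from a mail quarantine rather than from a user's inbox; two or more findings is the threshold this example uses to mark the file suspicious.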

That's the end of this particular video but I did just want to step you through that. If you get those emails coming through, it's from somebody who you do not know. Big giveaway. It's got that zip file attachment. It ends in .zip. Be super careful about those. Probably best just to delete them to be honest. In this case, because I knew what I was doing ahead of time, I went through, opened up a Word document with macros there that would try to do something nasty to my computer and infect it. I don't know what it was going to try to do to my computer but you know what? I'd rather not find out.