{"id":196513,"date":"2022-07-07T09:17:05","date_gmt":"2022-07-07T07:17:05","guid":{"rendered":"http:\/\/sftarticles.wpenginepowered.com\/en\/?p=196513"},"modified":"2025-07-01T20:35:51","modified_gmt":"2025-07-02T03:35:51","slug":"fake-word-docs-contain-almost-undetectable-malware","status":"publish","type":"post","link":"https:\/\/cms-articles.softonic.io\/en\/fake-word-docs-contain-almost-undetectable-malware\/","title":{"rendered":"There are fake Word docs going around that contain almost undetectable malware"},"content":{"rendered":"\n

Another malware scam has popped up that is hiding malicious files inside of seemingly legitimate files. Also, in a callback to the fake job offers that contained malware, which we reported on a while back, this scam is hidden inside infected Microsoft Word docs that are pretending to be legitimate CVs<\/strong>. Here is what you need to look out for.<\/p>\n\n\n

\r\n
\r\n
\r\n
\r\n \"Microsoft\r\n <\/div>\r\n
\r\n Microsoft Word<\/span>\r\n Download Now<\/a>\r\n <\/div>\r\n
\r\n <\/path><\/path><\/text><\/svg>\r\n <\/div>\r\n <\/div>\r\n
\r\n <\/span>\r\n <\/div>\r\n
\r\n \r\n <\/div>\r\n <\/a>\r\n <\/div>\r\n<\/div>\n\n\n\n

Researchers at threat intelligence specialists Unit 42 based at Palo Alto Networks first spotted a threat<\/a> back in May<\/strong> and have since been analyzing and breaking down the threat it represents. They say that the malicious payload was created using a tool called Bruce Ratel (BRC4)<\/strong>, which incredibly has its own website where it is sold. The site describes the tool as, \u201cA Customized Command and Control Center for Red Team and Adversary Simulation.\u201d<\/em><\/p>\n\n\n\n

This particular scam starts with a seemingly innocuous CV of a guy named Roshan Bandara. Straight away though, there are warning signs<\/strong> that should make potential victims stop and think. Unusually, the CV comes in the form of an ISO file<\/strong>, which is a disk image file and it is only after users have clicked on it that they can see the fake Word doc with the title “Roshan-Bandara_CV_Dialog”<\/em>. When users click on this it opens up CMD.EXE and runs the OneDrive updater to retrieve and install BRC4.<\/strong><\/p>\n\n\n\n

BRC4 then goes on to perform many malicious actions on the victim\u2019s devices<\/strong>, which anybody who has read our malware reports before will be familiar with. For Unit 42, however, what is most eye-catching about this form of attack is the method used to pull it off, they say:<\/p>\n\n\n\n

\u201cThis tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal.\u201d<\/em><\/p>\n\n\n\n

This means that this new threat is able to get past over 50 different antivirus programs undetected<\/strong>, meaning you won\u2019t get any sort of automated warning if it gets onto or near your device. You will be your main line of defense against this threat as most antivirus programs won\u2019t even know it is there. To help you stay safe we have put together an infographic to help you spot fake files like this one<\/a>.<\/p>\n\n\n\n

Image via: Unit 42<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Another malware scam has popped up that is hiding malicious files inside of seemingly legitimate files. Also, in a callback to the fake job offers that contained malware, which we reported on a while back, this scam is hidden inside infected Microsoft Word docs that are pretending to be legitimate CVs. Here is what you … Continue reading “There are fake Word docs going around that contain almost undetectable malware”<\/span><\/a><\/p>\n","protected":false},"author":9073,"featured_media":196515,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","wpcf-pageviews":2},"categories":[1015],"tags":[3221],"usertag":[],"vertical":[],"content-category":[],"class_list":["post-196513","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-app-subdomain-redirectionmicrosoft-word"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts\/196513","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/users\/9073"}],"replies":[{"embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/comments?post=196513"}],"version-history":[{"count":1,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts\/196513\/revisions"}],"predecessor-version":[{"id":323562,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts\/196513\/revisions\/323562"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/media\/196515"}],"wp:attachment":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/media?parent=196513"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/categories?post=196513"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/tags?post=196513"},{"taxonomy":"usertag","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/usertag?post=196513"},{"taxonomy":"vertical","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/vertical?post=196513"},{"taxonomy":"content-category","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/content-category?post=196513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}