Ransomware attacks are getting more and more clever as the public gets wise to them. The latest involves hiding a malicious macro inside a Word document attached to a seemingly harmless PDF file.
The new ransomware campaign, highlighted by the Naked Security blog, works like this:
- You’re sent a spam email with a PDF attachment (which should already be a red flag), but the PDF looks safe and clear with most antivirus apps.
- The PDF has an attached document that Acrobat Reader tries to open when you open the PDF.
- The document gets opened by Microsoft Word, then asks you to enable editing. But it’s actually a social engineering attack trying to get you to enable a VBA macro.
- When you say yes to enable editing, the VBA macro runs, then downloads and runs the crypto ransomware Locky.
By hiding the actual attack inside an attached document within another safe-looking document, ransomware attackers can get around most antivirus filters. SophosLabs likens the approach to a Russian matryoshka doll, hiding an attack within a file within a file.