If that were all, this would be nothing new: enticing users to enable macros is the most prevalent malware distribution trick out there. Through clever messages embedded in the Word document, users are persuaded to enable macros inside the Word file, supposedly to support newer features and/or to show new content.
Usually, enabling macros triggers a malicious script embedded in the document, which eventually installs malware. This week, Rivero spotted a Word document that behaved differently and didn't execute the malicious script until the user closed the file.
While this doesn't make a difference for victims, since they are in trouble from the moment they enable macros inside Word, this small trick makes a huge difference when it comes to security scanners.
"For analysis purposes, many sandboxes lower the security settings of various applications and enable macros by default, which allows for the automated capture of the malicious payload," Rivero explains. "We ascertain that in their current form, the malicious documents are likely to exhibit a harmless behavior in many sandboxes while still infecting end users that would logically close the file when they realize there is nothing to be seen."
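The sandbox blind spot described above can be checked for statically. The following is an added example, not code from the article or from Rivero's analysis; it assumes the VBA source has already been extracted from the document (for instance with a tool such as olevba) and is handed in as text, and the sample macro is constructed for illustration. It flags documents whose only auto-execution entry points are close-time events, which an automated sandbox that opens the file but never closes it would miss.

```python
import re

# Word VBA entry points that run without further user interaction once macros are enabled.
# Open-time triggers fire as soon as a sandbox opens the file with macros enabled;
# close-time triggers only fire when the document (or Word) is closed, which an
# automated sandbox may never do.
OPEN_TIME_TRIGGERS = ("AutoExec", "AutoOpen", "AutoNew", "Document_Open", "Document_New")
CLOSE_TIME_TRIGGERS = ("AutoClose", "AutoExit", "Document_Close")

# Matches procedure declarations such as "Sub AutoClose()" or
# "Private Sub Document_Close()"; VBA identifiers are case-insensitive.
_PROC_RE = re.compile(
    r"^\s*(?:Private|Public|Friend)?\s*(?:Sub|Function)\s+([A-Za-z_]\w*)",
    re.IGNORECASE | re.MULTILINE,
)


def find_triggers(vba_source):
    """Return (open_time, close_time): the auto-exec procedure names declared in the source."""
    declared = {m.group(1).lower(): m.group(1) for m in _PROC_RE.finditer(vba_source)}
    open_hits = [declared[t.lower()] for t in OPEN_TIME_TRIGGERS if t.lower() in declared]
    close_hits = [declared[t.lower()] for t in CLOSE_TIME_TRIGGERS if t.lower() in declared]
    return open_hits, close_hits


def classify(vba_source):
    """'close-only' is the evasion pattern from the article; 'open-time' is the usual case."""
    open_hits, close_hits = find_triggers(vba_source)
    if close_hits and not open_hits:
        return "close-only"
    if open_hits:
        return "open-time"
    return "no-autoexec"


def fires_in_sandbox(vba_source, simulated_events):
    """True if any auto-exec procedure would run given the UI events the sandbox drives,
    where simulated_events is a subset of {"open", "close"}."""
    open_hits, close_hits = find_triggers(vba_source)
    return bool(("open" in simulated_events and open_hits)
                or ("close" in simulated_events and close_hits))


# Constructed sample (not the real document): the payload is wired to the close event only.
SAMPLE_CLOSE_ONLY = """
Private Sub Document_Close()
    Call RunStageTwo
End Sub

Private Sub RunStageTwo()
    ' second-stage logic intentionally omitted in this constructed sample
End Sub
"""
```

A sandbox that scores the document only on what runs at open time reports `fires_in_sandbox(SAMPLE_CLOSE_ONLY, {"open"})` as False; driving a close event as well is what makes the payload observable.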