As we wrap up 2019, one of the most common threat vectors used by the Cyberattacker continues to be Malware. Some very nasty files have been deployed, and they have caused a lot of damage, both in downtime and to the bottom line of the businesses and corporations impacted by them. In fact, our previous blogs examined the five worst Malware attacks in history.

When one thinks about Malware, attacks such as Ransomware, Phishing, Business Email Compromise (BEC), etc. often come to mind. But there is another threat vector that is gaining strong traction: Document based Malware, which is the focal point of this blog.

What Is Document based Malware?

A formal definition of this is as follows:

“It is malware that is hidden directly in the document itself or an embedded script downloads it from an external website.” (source 1)

Simply put, the malware can be anything from a malicious .EXE file to a macro embedded in the document itself. Once the victim downloads it onto their computer, the payload is deployed and launched. From there the damage starts, whether it is destroying the files on the victim’s computer or covertly hijacking their Personally Identifiable Information (PII).

The Trends in Document based Malware

Consider some of the latest statistics on just how rampant Document based Malware is becoming:

  • Almost half (specifically 48%) of all Malware based files came from and were deployed through some document format; the most commonly infected file types were Excel (.XLS), Word (.DOC), and Adobe Acrobat Reader (.PDF).
  • In a recent study conducted by Barracuda Networks, more than 300,000 unique malicious documents were identified. This indicates that documents are now becoming a prime choice for the Cyberattacker when launching their threat vectors.
  • From the above, almost 59% of all the malicious documents were detected in just the first quarter of 2019 alone. This is an 18% growth rate from the same time period in 2018.
  • Of these, more than 47,000 were infected PDF files and close to 51,000 were infected Microsoft Office files. These have become even more difficult for antimalware and antispyware applications, and other security mechanisms, to detect.
  • In the financial sector, the most commonly used Document Malware downloader is known as “Emotet”, along with its variant, “Trickbot”. Both make use of Email distribution lists available on the Dark Web and utilize the PowerShell tool (an object-oriented scripting language) to deploy the malicious documents to the unsuspecting end user.
  • Once the victim has downloaded the infected file, the Malware in the document is either installed automatically or by tricking them into enabling the macro functionality. By default, macros are disabled in Microsoft Office; they have to be enabled by the end user.
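The two delivery mechanisms described above, a macro embedded in the document itself and an embedded script that acts when the file is opened, both leave traces a defender can look for before the file is ever opened. The following is an added example written for this post, not code from the original article or from any vendor named in it. It uses only the Python standard library and constructed sample files (a minimal ZIP standing in for a .docm, and two hand-written PDF fragments); the indicator names are real Office and PDF structures, but the sample contents are placeholders, not real documents.

```python
import io
import re
import zipfile
from typing import Dict, List

# Office 2007+ (.docm/.xlsm/...) files are ZIP containers; VBA macro code is
# stored in a part named vbaProject.bin. Its mere presence is the indicator.
OFFICE_MACRO_PART = re.compile(r"vbaProject\.bin$", re.IGNORECASE)

# PDF name objects that let a document run script, act on open, launch a
# program, carry an attachment or reach out to a URL. Each one is a reason to
# look closer, not proof of malice: legitimate forms use some of them too.
PDF_RISKY_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                  b"/Launch", b"/EmbeddedFile", b"/URI"]


def office_macro_parts(data: bytes) -> List[str]:
    """Return the ZIP entries holding a VBA project (empty list = no macros)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [name for name in zf.namelist() if OFFICE_MACRO_PART.search(name)]
    except zipfile.BadZipFile:
        return []


def pdf_risky_keys(data: bytes) -> List[str]:
    """Return the risky PDF name objects present in the raw file bytes."""
    found = []
    for key in PDF_RISKY_KEYS:
        # A PDF name ends where a non-name character starts, so /JS must not
        # also fire on a longer name that merely begins with the same letters.
        if re.search(re.escape(key) + rb"(?![A-Za-z0-9])", data):
            found.append(key.decode())
    return found


def classify(data: bytes) -> Dict[str, object]:
    """Identify the container by magic bytes and collect its indicators."""
    if data.startswith(b"PK\x03\x04"):
        kind, indicators = "office", office_macro_parts(data)
    elif data.startswith(b"%PDF"):
        kind, indicators = "pdf", pdf_risky_keys(data)
    else:
        kind, indicators = "other", []
    return {"type": kind, "indicators": indicators, "suspicious": bool(indicators)}


def build_docm_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0PLACEHOLDER")
    return buf.getvalue()


# Constructed PDF fragments: one plain, one wired to run script when opened.
SAMPLE_PDF_CLEAN = (b"%PDF-1.4\n"
                    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                    b"%%EOF\n")
SAMPLE_PDF_OPENACTION_JS = (b"%PDF-1.4\n"
                            b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
                            b"3 0 obj << /S /JavaScript /JS (PLACEHOLDER) >> endobj\n"
                            b"%%EOF\n")


if __name__ == "__main__":
    for label, blob in [("docm with macro", build_docm_sample(True)),
                        ("docm without macro", build_docm_sample(False)),
                        ("clean pdf", SAMPLE_PDF_CLEAN),
                        ("pdf with OpenAction+JS", SAMPLE_PDF_OPENACTION_JS)]:
        print(f"{label:24s} -> {classify(blob)}")
```

Two caveats matter in practice. A raw byte scan only sees names written in the clear; PDF object streams can be compressed and names can be written with hex escapes, so a real triage pipeline should parse the objects rather than grep them. And the legacy binary formats the statistics above mention (.DOC and .XLS) are OLE compound files, not ZIPs, so they need a dedicated parser such as the open-source oletools suite rather than the `zipfile` check shown here. The scan is a cheap first gate, not a replacement for the macro-disabled-by-default policy the last bullet describes.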

The most common types of Malware that are used to infect documents include the following:

  • Viruses;
  • Trojan Horses;
  • Spyware;
  • Worms;
  • Ransomware.

In our next blog, we continue with examining Document based Malware.

  1. 1)