New trick for loading ZLoader: disable Excel macro warnings
A new infection technique discovered by McAfee analysts uses a Microsoft Word document that itself carries no malicious payload to build a malicious Excel macro on the fly and to disable the security warning that would otherwise stop that macro from running. The scheme is currently used to stealthily deliver the ZLoader malware via spam.
According to the McAfee blog post, the infection chain is triggered in the usual way: a Word document attached to an email is opened. Contrary to expectations, however, the document distributed in spam does not contain malicious code, although the user is asked to enable macros in order to view it.
Once macros are enabled, the document's VBA code downloads a password-protected Microsoft Excel file from a remote server, reads its cell contents, creates a new macro (VBA module) inside the XLS file and writes the cell contents into it as functions. The document then sets the policy in the system registry to 'Disable Excel Macro Warning' and invokes the newly written malicious functions, which download the ZLoader DLL. Because the malicious macro exists only at run time and its source is split across cells of a password-protected workbook, static scanning of the Word attachment alone has nothing to flag; detection has to rely on behaviour, such as Word automating Excel and writes to the Office macro-security registry keys.
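As an added example that is not code from McAfee or from the original article, the PowerShell below audits the per-user Office macro-security registry values that an attack of this kind has to change, and can reset any that are found in the weakened state. It assumes the values live under HKCU:\Software\Microsoft\Office\<version>\<App>\Security (VBAWarnings: 1 = enable all macros without warning, 2 = disable with notification, 3 = disable except digitally signed, 4 = disable all; AccessVBOM: 1 = trust access to the VBA project object model, which programmatic macro creation needs) and also inspects the policy-managed copies under HKCU:\Software\Policies\Microsoft\Office. The version list and the function names are the example's own choices.

```powershell
# Added example (not McAfee's or the article's code). Audits and optionally resets the
# Office macro-security registry values a macro-injecting loader needs to weaken.
# Assumptions: per-user values under HKCU:\Software\Microsoft\Office\<ver>\<App>\Security,
# VBAWarnings 1 = enable all macros (no warning), 2 = disable with notification (default),
# 3 = disable except signed, 4 = disable all; AccessVBOM 1 = trust access to the VBA
# project object model. Policy copies under HKCU:\Software\Policies\... are checked too.

function Get-OfficeMacroSecurity {
    [CmdletBinding()]
    param(
        [string[]]$Apps     = @('Excel', 'Word'),
        [string[]]$Versions = @('16.0', '15.0', '14.0', '12.0')   # 2016+/365, 2013, 2010, 2007
    )

    $roots = @('HKCU:\Software\Microsoft\Office', 'HKCU:\Software\Policies\Microsoft\Office')

    foreach ($root in $roots) {
        foreach ($ver in $Versions) {
            foreach ($app in $Apps) {
                $key = "$root\$ver\$app\Security"
                if (-not (Test-Path -Path $key)) { continue }

                $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
                $warn  = $props.VBAWarnings
                $vbom  = $props.AccessVBOM

                [pscustomobject]@{
                    Key         = $key
                    VBAWarnings = $warn
                    AccessVBOM  = $vbom
                    # Either value set to 1 is the state the attack leaves behind.
                    Suspicious  = (($warn -eq 1) -or ($vbom -eq 1))
                }
            }
        }
    }
}

function Reset-OfficeMacroSecurity {
    # Restores the defaults: macros disabled with notification, no VBA project access.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [pscustomobject]$Finding
    )
    process {
        if (-not $Finding.Suspicious) { return }
        if ($PSCmdlet.ShouldProcess($Finding.Key, 'Reset VBAWarnings=2, AccessVBOM=0')) {
            Set-ItemProperty -Path $Finding.Key -Name VBAWarnings -Value 2 -Type DWord
            Set-ItemProperty -Path $Finding.Key -Name AccessVBOM  -Value 0 -Type DWord
        }
    }
}

# Usage: list every key found, then reset only the suspicious ones (add -WhatIf to preview).
$findings = Get-OfficeMacroSecurity
$findings | Format-Table -AutoSize
$findings | Where-Object Suspicious | Reset-OfficeMacroSecurity
```

The script only sees the hive of the user running it; to sweep a whole machine, run it in each user's context or walk the loaded hives under HKU:. A VBAWarnings value of 1 is worth alerting on in its own right, since an ordinary user has little reason to choose "enable all macros", and the same keys are a natural target for a registry-write detection rule.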
To stay out of trouble, the researchers advise enabling such content only when the document comes from a trusted source.
Source: anti-malware.ru
12 July 2021