If a Windows computer becomes infected and you are trying to find the source of the infection, look for the Microsoft Office documents on which a user allowed macros to run on that computer.
Ransomware, RATs, and information-stealing Trojans are usually distributed through phishing emails containing Word and Excel documents with malicious macros.
When a user opens one of these documents in Microsoft Office, depending on whether the document is protected or contains macros, Office restricts what the document can do until the user clicks the Enable Editing or Enable Content button.
When a user enables a specific feature such as editing or macros, the document is added as a trusted document to the TrustRecords subkey under the application's Security\Trusted Documents registry key, whose exact path depends on whether it is a Word or Excel document (the full key paths are given below).
This allows Microsoft Office to remember the decision the user made and not ask again: if a user allowed editing or macros in a document by clicking the appropriate button, Office will remember this decision the next time the document is opened and will not prompt for it again.
The good news is that we can use this information to our advantage to find the Word and Excel documents on which macros were enabled on the computer.
Trusted documents in Microsoft Office
To show how a document becomes a trusted document, let's walk through opening a real Word document with malicious macros that was distributed in a phishing campaign.
Since the attacker's ultimate goal is to get macros enabled in the document, the document usually displays a message prompting the user to click the "Enable Content" button, which executes the macros and installs the malicious program on the computer.
In this particular example, the malicious document is protected, which means that it cannot be edited until a user clicks the "Enable Editing" button. Additionally, if a document is protected, the user must enable editing before enabling macros.
When a user clicks "Enable Editing", the full path to the document is added as a value under the key HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Word\Security\Trusted Documents\TrustRecords.
This key contains a separate value for each document the user has "trusted", whether by clicking the Enable Editing or the Enable Content button.
The data of each value consists of a timestamp, some other information, and ends with four bytes that define which action is trusted. In this case we clicked "Enable Editing", so the four bytes are set to 01 00 00 00.
Now that the document is enabled for editing, Word will prompt the user if they want to enable macros by clicking the "Enable Content" button.
If a user then clicks the Enable Content button, Office updates the document's TrustRecord to indicate that macros are allowed in that document, and from then on they are allowed to run without prompting.
This is done by changing the last four bytes of the document's TrustRecord to FF FF FF 7F, as shown below.
The use of trusted documents applies not only to Word but also to other Office applications. For example, if the user clicks Enable Editing or Enable Content in an Excel spreadsheet, a TrustRecord is created under HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Excel\Security\Trusted Documents\TrustRecords, as shown below.
Putting it all together
We now know that each time a user clicks "Enable Editing" or "Enable Content", Microsoft Office adds the path of the document as a registry value under that application's TrustRecords key.
We also know that if the last four bytes of a trusted document's value data are set to FF FF FF 7F, the user enabled macros in that document, which is a very common way for a computer to become infected.
Using this information, we can check for potentially malicious documents whose macros have been enabled by examining the values under the keys above, and then collect those documents for further forensic analysis.
This method is particularly useful for detecting Emotet, TrickBot, ransomware, or RAT infections.
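The following PowerShell script is an added example for this check and is not part of the original article. It enumerates the TrustRecords keys for the current user, decodes each value, and flags the documents whose data ends in FF FF FF 7F. Two assumptions go beyond the text: PowerPoint is checked alongside Word and Excel, and the leading eight bytes of each value are interpreted as a Windows FILETIME for the "timestamp" the article mentions; the wildcard in the path matches whichever Office version subkeys (for example 16.0) exist on the machine.

```powershell
# Added example (not from the original article): find Office documents the
# current user has trusted and flag those where macros were enabled.
# Assumptions: PowerPoint is included; the first 8 bytes of each TrustRecords
# value are decoded as a FILETIME (the article only calls it "a timestamp").

function Get-OfficeTrustRecord {
    [CmdletBinding()]
    param(
        [string[]]$Application = @('Word', 'Excel', 'PowerPoint')
    )

    foreach ($app in $Application) {
        # One TrustRecords key per installed Office version, e.g. ...\Office\16.0\Word\...
        $pattern = "HKCU:\Software\Microsoft\Office\*\$app\Security\Trusted Documents\TrustRecords"
        $keys = Get-Item -Path $pattern -ErrorAction SilentlyContinue

        foreach ($key in $keys) {
            $version = if ($key.Name -match '\\Office\\([^\\]+)\\') { $Matches[1] } else { 'unknown' }

            foreach ($valueName in $key.GetValueNames()) {
                # Only REG_BINARY values carry the layout described in the article
                if ($key.GetValueKind($valueName) -ne 'Binary') { continue }
                [byte[]]$data = $key.GetValue($valueName)
                if ($data.Length -lt 12) { continue }

                # Leading 8 bytes: FILETIME of when the document was trusted (assumption)
                $trustedOn = $null
                try { $trustedOn = [DateTime]::FromFileTime([BitConverter]::ToInt64($data, 0)) } catch { }

                # Trailing 4 bytes: which action was trusted
                $flag = [BitConverter]::ToUInt32($data, $data.Length - 4)

                [pscustomobject]@{
                    Application   = $app
                    Version       = $version
                    Document      = $valueName           # path of the trusted document
                    TrustedOn     = $trustedOn
                    TrustFlag     = ('{0:X8}' -f $flag)
                    # FF FF FF 7F little-endian == 0x7FFFFFFF: Enable Content was clicked
                    MacrosEnabled = ($flag -eq 0x7FFFFFFF)
                    # 01 00 00 00 == 1: only Enable Editing was clicked
                    EditingOnly   = ($flag -eq 1)
                }
            }
        }
    }
}

# Triage view: documents with macros enabled, most recently trusted first
Get-OfficeTrustRecord |
    Where-Object { $_.MacrosEnabled } |
    Sort-Object TrustedOn -Descending |
    Format-Table Application, Version, TrustedOn, Document -AutoSize
```

Because TrustRecords lives under HKEY_CURRENT_USER, the script only sees the profile it runs in; to sweep every user on a machine, load each user's NTUSER.DAT hive (or run the script in each user's context) and repeat the check. The TrustedOn timestamp is useful for lining the entry up with mail and endpoint logs from the same time window, and the Document path tells you which file to collect for analysis.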
Clearing trusted documents
Because TrustRecords remembers a user's decision indefinitely and would allow macros to run automatically on a document that was previously enabled, it is best to remove trusted documents from the registry at regular intervals.
This can be done through login scripts, scheduled tasks or other methods.
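The script below is an added example of such a scheduled clean-up and is not part of the original article. It removes every TrustRecords value for the current user so that Office prompts for Enable Editing or Enable Content again on every document, but first writes what it is about to remove to a CSV so the record of which documents were trusted, and with which flag, is preserved for later investigation. It assumes it runs in the user's own context (HKEY_CURRENT_USER), for example from a logon script or a scheduled task, and the log location is an example value.

```powershell
# Added example (not from the original article): clear the current user's
# Office TrustRecords on a schedule, logging each removed entry first.
# Assumptions: runs as the interactive user (HKCU); log path is an example;
# PowerPoint is cleared alongside Word and Excel.

$logPath = Join-Path $env:LOCALAPPDATA 'TrustRecords-cleared.csv'   # assumed location
$apps    = 'Word', 'Excel', 'PowerPoint'

$removed = foreach ($app in $apps) {
    $pattern = "HKCU:\Software\Microsoft\Office\*\$app\Security\Trusted Documents\TrustRecords"
    foreach ($key in (Get-Item -Path $pattern -ErrorAction SilentlyContinue)) {
        foreach ($valueName in $key.GetValueNames()) {
            # Capture the trust flag (last 4 bytes) before the value disappears
            [byte[]]$data = $key.GetValue($valueName)
            $flag = if ($data.Length -ge 4) {
                '{0:X8}' -f [BitConverter]::ToUInt32($data, $data.Length - 4)
            } else { '' }

            try {
                # -LiteralPath: registry paths and value names are not wildcards
                Remove-ItemProperty -LiteralPath $key.PSPath -Name $valueName -ErrorAction Stop
                [pscustomobject]@{
                    ClearedAt   = (Get-Date).ToString('o')
                    Application = $app
                    Key         = $key.Name
                    Document    = $valueName
                    TrustFlag   = $flag       # 7FFFFFFF means macros had been enabled
                }
            } catch {
                Write-Warning "Could not remove '$valueName' under $($key.Name): $_"
            }
        }
    }
}

if ($removed) {
    $removed | Export-Csv -Path $logPath -NoTypeInformation -Append
}
"Removed $(@($removed).Count) trusted document entries; log: $logPath"
```

To run it at every sign-in, register it as a scheduled task with a logon trigger (New-ScheduledTaskTrigger -AtLogOn) that executes as the interactive user, or deploy it as a Group Policy logon script; both run under the user's hive, which is where TrustRecords is stored. Keeping the CSV means that clearing the entries for hygiene does not destroy the evidence an incident responder would later want from this key.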
Users can also delete their trusted documents through the Microsoft Office Trust Center, which is accessible by performing the following steps:
1. From Word or Excel, click File and then Options.
2. In the Options window, select Trust Center and click the Trust Center Settings button.
3. When the Trust Center opens, click the Trusted Documents section in the left column.
4. In the Trusted Documents section, click the Clear button and all trusted documents will be deleted. This also means that if you open an old document, Word or Excel will ask you to click Enable Editing or Enable Content again.
5. Repeat the same procedure in the other Office applications.
6. Close the Trust Center.