Saturday, January 16, 06:13

The Windows Registry helps find malicious Office documents

If a Windows computer becomes infected and you are trying to find the source of the infection, look for the Microsoft Office documents that the user allowed to run on that computer.

Ransomware, RATs, and information-stealing Trojans are usually distributed through phishing emails carrying Word and Excel documents with malicious macros.

When a user opens one of these documents in Microsoft Office, depending on whether the document is protected or contains macros, Office restricts the document's functionality until the user clicks the "Enable Editing" or "Enable Content" button.

When a user enables a feature such as editing or macros, the document is added as a trusted document to the TrustRecords subkey under the registry key of the application that opened it: HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Word\Security\Trusted Documents\TrustRecords for Word documents, and the corresponding HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Excel\Security\Trusted Documents\TrustRecords for Excel documents.

This allows Microsoft Office to remember the decision a user made and not to revisit it again in the future.

This also means that if a user allowed editing or macros in a document by pressing the appropriate button, Office will remember that decision the next time the document is opened and will not ask again.

The good news is that we can use this information to our advantage to find the Word and Excel documents whose macros were enabled on the computer.

Trusted Microsoft Office documents

To show how a document becomes a trusted document, let's step through opening a real Word document with malicious macros that was distributed in a phishing campaign.

Since the attacker's ultimate goal is to get macros enabled, the document usually displays a lure message urging the user to click the "Enable Content" button; once clicked, the macros execute and install the malware on the computer.

In this particular example, the malicious document is protected, which means that it cannot be edited until a user clicks the "Enable Editing" button. Additionally, if a document is protected, the user must enable editing before enabling macros.

When a user clicks "Enable Editing", the full path to the document will be added as a value under the key HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Word\Security\Trusted Documents\TrustRecords.

This key contains a separate value for each document the user has "trusted", whether by clicking the Enable Editing or the Enable Content button.

The data of each value consists of a timestamp, some other information, and ends with four bytes that define which action was trusted. In this case we clicked "Enable Editing", so the four bytes are set to 01 00 00 00.

Now that the document is enabled for editing, Word will prompt the user if they want to enable macros by clicking the "Enable Content" button.

If the user then clicks the Enable Content button, Office updates the document's TrustRecord to indicate that macros are allowed in that document, and they will be allowed to run every time it is opened from then on.

This is done by changing the last four bytes of the document's TrustRecord to FF FF FF 7F, as shown below.

Trusted documents are not limited to Word; the other Office applications use them too. For example, if the user clicks Enable Editing or Enable Content in an Excel spreadsheet, a TrustRecord will be created under HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Excel\Security\Trusted Documents\TrustRecords, as shown below.

Putting it all together

We now know that each time a user clicks "Enable Editing" or "Enable Content", Microsoft Office adds the path to the document as a registry value under the application's TrustRecords key.

We also know that if the last four bytes of a trusted document's value data are set to FF FF FF 7F, the user enabled macros in that document, which is a very common sign that the computer was infected.

Using this information, we can look for potentially malicious documents whose macros were enabled by checking the values under the TrustRecords keys named above, and then collect those documents for further forensic analysis.

This method is particularly useful for detecting Emotet, TrickBot, ransomware, or RAT infections.
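The following script is an added example for this article, not code from the article's author. It parses TrustRecords values the way the article describes (document path as the value name, the trailing four bytes as the action flag) and lists the documents whose macros were enabled. One assumption beyond the article: the first 8 bytes of the value data are taken to be a Windows FILETIME of the user's click (the article only says "a timestamp"). Enumerating the live registry needs Windows; the parsing and triage run anywhere on the constructed sample records embedded at the bottom.

```python
import struct
from datetime import datetime, timedelta, timezone

# Trailing four bytes of a TrustRecords value, as described in the article.
FLAG_EDITING_ENABLED = b"\x01\x00\x00\x00"  # "Enable Editing" was clicked
FLAG_CONTENT_ENABLED = b"\xff\xff\xff\x7f"  # "Enable Content" was clicked: macros allowed

# Per-application TrustRecords key under HKEY_CURRENT_USER (paths from the article).
TRUST_RECORDS_KEY = r"Software\Microsoft\Office\{version}\{app}\Security\Trusted Documents\TrustRecords"
OFFICE_APPS = ("Word", "Excel")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw8: bytes) -> datetime:
    """Decode a little-endian Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    (ticks,) = struct.unpack("<Q", raw8)
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_trust_record(app: str, value_name: str, data: bytes) -> dict:
    """Turn one TrustRecords value (name = document path, data = binary blob) into a dict.
    Assumption: the first 8 bytes are the FILETIME of the user's click."""
    if len(data) < 12:
        raise ValueError(f"TrustRecords data too short for {value_name!r}: {len(data)} bytes")
    flag = data[-4:]
    if flag == FLAG_CONTENT_ENABLED:
        action = "content enabled (macros allowed)"
    elif flag == FLAG_EDITING_ENABLED:
        action = "editing enabled"
    else:
        action = "unknown flag"
    return {
        "application": app,
        "document": value_name,
        "trusted_at": filetime_to_datetime(data[:8]),
        "flag": " ".join(f"{b:02x}" for b in flag),
        "macros_enabled": flag == FLAG_CONTENT_ENABLED,
        "action": action,
    }


def find_macro_enabled(records) -> list:
    """Return the parsed records whose flag is FF FF FF 7F, i.e. the user enabled macros."""
    parsed = (parse_trust_record(app, name, data) for app, name, data in records)
    return [r for r in parsed if r["macros_enabled"]]


def read_live_trust_records(apps=OFFICE_APPS) -> list:
    """Collect (app, value_name, data) from every Office version under HKCU. Windows only."""
    import winreg  # only available on Windows
    office_path = r"Software\Microsoft\Office"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, office_path) as office:
        versions = [winreg.EnumKey(office, i) for i in range(winreg.QueryInfoKey(office)[0])]
    found = []
    for version in versions:  # e.g. "16.0"; subkeys without a TrustRecords path are skipped
        for app in apps:
            try:
                key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                                     TRUST_RECORDS_KEY.format(version=version, app=app))
            except OSError:
                continue
            with key:
                for j in range(winreg.QueryInfoKey(key)[1]):
                    name, data, kind = winreg.EnumValue(key, j)
                    if kind == winreg.REG_BINARY:
                        found.append((app, name, data))
    return found


def make_sample_record(app: str, path: str, clicked_at: datetime, flag: bytes) -> tuple:
    """Build a constructed TrustRecords value for testing (not copied from a real machine)."""
    ticks = int((clicked_at - _FILETIME_EPOCH).total_seconds()) * 10_000_000
    return app, path, struct.pack("<Q", ticks) + b"\x00\x00\x00\x00" + flag


# Constructed sample input: two documents were only opened for editing, one had macros enabled.
SAMPLE_RECORDS = [
    make_sample_record("Word", "%USERPROFILE%/Downloads/invoice_2021-01.doc",
                       datetime(2021, 1, 14, 9, 30, tzinfo=timezone.utc), FLAG_EDITING_ENABLED),
    make_sample_record("Word", "%USERPROFILE%/Downloads/shipping_notice.doc",
                       datetime(2021, 1, 15, 11, 5, tzinfo=timezone.utc), FLAG_CONTENT_ENABLED),
    make_sample_record("Excel", "%USERPROFILE%/Desktop/budget.xlsx",
                       datetime(2021, 1, 15, 16, 0, tzinfo=timezone.utc), FLAG_EDITING_ENABLED),
]

if __name__ == "__main__":
    try:
        records = read_live_trust_records()
    except ImportError:  # not on Windows: fall back to the constructed sample
        records = SAMPLE_RECORDS
    for hit in find_macro_enabled(records):
        print(f"{hit['trusted_at']:%Y-%m-%d %H:%M:%S} UTC  {hit['application']:<5}  "
              f"{hit['document']}  [{hit['flag']}] {hit['action']}")
```

Run on an affected workstation, the script prints one line per document with the FF FF FF 7F flag, with the decoded click time, so the records can be lined up against the timeline of the infection; the documents themselves still have to be collected from the paths in the value names. The check is deliberately on the raw flag bytes rather than on the document's extension, because the flag, not the file type, is what records that macros ran.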

Clear trusted documents

Because TrustRecords remembers a user's decision forever and would let macros run automatically in a document that was enabled once before, it is best to remove trusted documents from the registry at regular intervals.

This can be done through login scripts, scheduled tasks or other methods.
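As an added example of such a scheduled cleanup (not the article's own code), the script below deletes the TrustRecords values for Word and Excel under the current user's hive so that every previously trusted document prompts again. It assumes, as above, that the first 8 bytes of a value are a FILETIME; that is only used by the optional age filter, which lets an administrator keep very recent records and purge older ones. The registry deletion needs Windows; the selection logic is plain Python and is exercised on constructed values.

```python
import struct
from datetime import datetime, timedelta, timezone

# Per-application TrustRecords key under HKEY_CURRENT_USER (paths from the article).
TRUST_RECORDS_KEY = r"Software\Microsoft\Office\{version}\{app}\Security\Trusted Documents\TrustRecords"
OFFICE_APPS = ("Word", "Excel")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def trusted_at(data: bytes) -> datetime:
    """Assumption: the first 8 bytes of the value data are a little-endian FILETIME."""
    (ticks,) = struct.unpack("<Q", data[:8])
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def select_stale(values, now: datetime, max_age_days: int = 0) -> list:
    """Pick the value names to delete from an iterable of (name, data) pairs.
    With max_age_days == 0 everything is selected (the article's "clear" behaviour);
    otherwise only records trusted more than max_age_days ago are selected."""
    cutoff = now - timedelta(days=max_age_days)
    return [name for name, data in values
            if max_age_days == 0 or trusted_at(data) < cutoff]


def clear_trust_records(max_age_days: int = 0, apps=OFFICE_APPS, dry_run: bool = False) -> list:
    """Delete the selected TrustRecords values for every Office version under HKCU.
    Returns the (app, value_name) pairs removed, or that would be removed in dry-run mode.
    Windows only; suitable for a login script or a scheduled task."""
    import winreg  # only available on Windows
    now = datetime.now(timezone.utc)
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Office") as office:
        versions = [winreg.EnumKey(office, i) for i in range(winreg.QueryInfoKey(office)[0])]
    removed = []
    for version in versions:
        for app in apps:
            try:
                key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                                     TRUST_RECORDS_KEY.format(version=version, app=app),
                                     0, winreg.KEY_READ | winreg.KEY_SET_VALUE)
            except OSError:  # no such key for this version/app
                continue
            with key:
                # Read all values first; deleting while enumerating would skip entries.
                values = [winreg.EnumValue(key, j)[:2]
                          for j in range(winreg.QueryInfoKey(key)[1])]
                for name in select_stale(values, now, max_age_days):
                    if not dry_run:
                        winreg.DeleteValue(key, name)
                    removed.append((app, name))
    return removed


def _constructed_value(days_ago: int, now: datetime) -> bytes:
    """Constructed value data: FILETIME of `days_ago` days before `now`, macros-enabled flag."""
    ticks = int((now - timedelta(days=days_ago) - _FILETIME_EPOCH).total_seconds()) * 10_000_000
    return struct.pack("<Q", ticks) + b"\x00\x00\x00\x00" + b"\xff\xff\xff\x7f"


# Constructed sample records (not from a real machine) used to exercise the selection logic.
SAMPLE_NOW = datetime(2021, 1, 16, 6, 13, tzinfo=timezone.utc)
SAMPLE_VALUES = [
    ("%USERPROFILE%/Downloads/old_invoice.doc", _constructed_value(45, SAMPLE_NOW)),
    ("%USERPROFILE%/Downloads/new_report.doc", _constructed_value(2, SAMPLE_NOW)),
]

if __name__ == "__main__":
    try:
        for app, name in clear_trust_records(dry_run=True):
            print(f"would remove {app}: {name}")
    except ImportError:  # not on Windows: show the selection on the constructed sample
        print("all:", select_stale(SAMPLE_VALUES, SAMPLE_NOW))
        print("older than 30 days:", select_stale(SAMPLE_VALUES, SAMPLE_NOW, max_age_days=30))
```

Run with `dry_run=True` first to see which documents would lose their trusted status; the default `max_age_days=0` matches the Trust Center's Clear button for the scripted case. Because the script only touches HKEY_CURRENT_USER, a login script run in the user's context (or a scheduled task running as that user) is the right place for it.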

Users can also delete their trusted documents through the Microsoft Office Trust Center, which is accessible by performing the following steps:

1. From Word or Excel, click File and then Options.

2. In the Trust Center category of the Options dialog, click the Trust Center Settings button.

3. When the Trust Center opens, click on the Trusted Documents section in the left column.

4. In the "Trusted Documents" section, click the Clear button and all trusted documents will be deleted. This means that the next time you open an old document, Word or Excel will ask you to click Enable Editing or Enable Content again.

5. Repeat the same procedure in other Office applications.

6. Close the Trust Center.
