The Rise of Document-based Malware

Why documents are a popular attack vector, and what you can do to stop them.

By Jim Rapoza, Independent Security Technology Analyst

For almost as long as people have used computers and networks, malware has existed attempting to compromise, subvert and damage these systems. In the beginning viruses and worms spread through infected floppy disks and security holes in server-based applications.

With the rise of email and the web, executable files – spread mainly through email and files placed on websites – became a common way to trick users into installing malware on their systems.

These types of attacks were easy for somewhat savvy users and IT departments to avoid and stop. There was usually very little reason anyone would send an executable file through email. users and businesses blocked or controlled the ability to transmit program files through email and network gateways, while still permitting file types they considered safe, such as Microsoft Word documents and other Office Suite files.

But over time documents and Office files changed. They were no longer simple static files with little potential for harm. Products like Microsoft Word and Adobe PDF added macro and scripting capabilities making it possible for documents to work in much the same way as executable programs, right down to the ability to run processes and install other bits of code on user systems.

If people didn’t believe documents could be used to spread malware, a little virus named “Melissa” quickly changed their attitude. In 1999 the Melissa virus quickly spread across the Internet and in the process brought down networks and mail servers. Melissa spread by subverting the macro capabilities in Microsoft Word.

We’ve come a long way since Melissa. Modern document-based malware spreads in a variety of ways – not just through email but sometimes just by viewing the wrong website with the wrong browser and applications installed on your system.

And while vendors continually try to patch the holes malware writers use to spread their code, they are usually well behind the bad guys. Today, documents are one of the most common ways malware is spread across the Internet.

There are ways to limit or even prevent the spread of document-based malware. Awareness of the problem is half the battle. Knowing PDF files, Word documents, and other document types are used to spread malware gives users and IT departments a better chance to combat the problem.

When Documents Attack

How does one typically get infected by document-based malware? It can happen in a number of ways.

The most obvious and avoidable way is when the questionable document is attached to a questionable email. A spam or phishing email with a subject line “Heree’s that doccumint that yu asked for!” or something similar is easy to spot (though a surprising number of malware attacks are successful in what should be obviously risky email messages).

But what about a document on a website? For many people, these documents may seem safe to download. How about a search result that links directly to a document rather than a webpage? This is often tough for people to avoid.

What if the document attached to the email is from someone you know? And it really is “that document that you asked for”? Some document-based malware types have the ability to spread to other documents on an infected system. Once there, any legitimate document a user sends to friends and colleagues could end up spreading the malware.

What happens when you unfortunately open up a document infected with malware? Just as there are a number of different types of document malware, the ways they attack your system also take a number of forms.

In some cases the malware uses embedded scripting to silently download and install other malware from sites on the Internet. Often these downloaded payloads take the form of the worst kinds of malware out there, rootkits that steal information from your system or botnets that make your system part of the malicious networks used to attack both companies and networks to continue the spread of malware and spam.

Other types of document-based malware hide malicious payloads within the document itself. These executables and programs get launched separately by the macros or scripts within the document and continue to spread the malware infection throughout the user’s system.

Document-based malware can also be used to steal identities or even prevent access to files and data. A recently discovered PDF-based attack was used as a form of “ransomware,” encrypting a user’s files and sending a message requesting a payment in order for the user to access their files again.

Once an infected document is on your system and runs, the attacker can use it to launch any kind of attack or deploy any other kind of malware available.


The first and probably most important step toward protecting yourself from document-based malware is awareness of the problem itself. However, there are a number of other steps users and businesses can take to prevent being hit by infected documents.

One of the most essential practices is to make sure all of your software is up-to-date, from your operating system to your document programs to your antivirus and security tools. To a large degree, many of the most common document-based malware types take advantage of patched-up security holes. But many people are still using older, un-patched operating systems and programs.

Dedicated security tools can also go a long way toward stopping document malware before it hits your system. Desktop antivirus products detect many different attack vectors, and email and network gateway systems often detect and stop infected documents before they reach end-user systems.

Another method of prevention is to stop your document editing and reading programs from having the ability to run scripts and macros. In both Word and Adobe Reader it is possible to turn off macros and scripts, or get a notification before they can run. While not a perfect solution, this can prevent many potential problems.


Thinking about the problems of document-based malware can be daunting. It’s sometimes enough to make you want to throw your hands up and ask everyone to only send you plain text to read in Notepad

But modern document formats provide a lot of benefits – from digital signing to group collaboration to the certainty that every recipient sees the document in the exact same way. If we give up these advancements because of the existence of malware, then the bad guys win.

With a combination of awareness of the problem, caution in both the documents you open and where you go to get those documents, vigilance in keeping your systems and applications patched and up-to-date, and dedication in using the right tools and products to protect your systems, it is possible to – if not completely stop – at least limit your risk of infection by document-based malware.

download Kostenloses Virus Removal Tool downloaden
Finden Sie heraus, an welchen Punkten Ihr Anti-Virus versagt hat.