One of the many strategies cybercriminals use to try to infect their victims' computers is to send a document from the Office suite (text documents, spreadsheets, presentations, etc.) with malicious content. The document may be attached to an email or, in some cases, compressed within another file, for example a ZIP file.
These decoy documents usually refer to different topics (invoices, receipts, etc.) to make people believe they are legitimate files and thus trick the user into opening them. In this way the attacker manages to run malicious code on the victim's computer, such as spyware that is downloaded from a malicious site or from a legitimate site that was compromised.
Cybercriminals apply different techniques to these Office documents to evade the security solutions installed on the computer and hide their intentions. Some of these techniques are the use of macros with different levels of obfuscation, or downloading a template from a malicious URL embedded within the document.
VirusTotal is a site that lets us analyze files with different security solutions for free, as well as search for a file by its hash or search by URL.
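The two techniques just mentioned leave traces that can be checked locally, without opening the document in Office. The following is an added example, not code from the original article: it treats a .docx/.xlsx/.pptx file as the ZIP container it is and reports whether a macro project is present and which relationships point outside the file. The function names and the sample package (including the example.invalid URL) are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# Relationships live in *.rels parts; TargetMode="External" means the target is
# outside the package. Kind "hyperlink" is normal; "attachedTemplate" deserves a look.
REL_RE = re.compile(rb"<Relationship\b[^>]*>", re.I)
ATTR_RE = re.compile(rb'(\w+)\s*=\s*"([^"]*)"')


def triage_ooxml(data: bytes) -> dict:
    """Return local indicators for an OOXML file (docx/xlsx/pptx) given as bytes."""
    report = {"sha256": hashlib.sha256(data).hexdigest().upper(),
              "has_vba": False, "external": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        report["error"] = "not an OOXML (ZIP) container, e.g. legacy .doc"
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):
                report["has_vba"] = True          # macro storage present
            if not name.lower().endswith(".rels"):
                continue
            for tag in REL_RE.findall(z.read(name)):
                attrs = {k.decode(): v.decode("utf-8", "replace")
                         for k, v in ATTR_RE.findall(tag)}
                if attrs.get("TargetMode", "").lower() == "external":
                    kind = attrs.get("Type", "").rsplit("/", 1)[-1]
                    report["external"].append((name, kind, attrs.get("Target", "")))
    return report


def constructed_sample() -> bytes:
    """Build a tiny constructed package in memory (not a real document)."""
    rels = (b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
            b'2006/relationships/attachedTemplate" Target="http://example.invalid/t.dotm" '
            b'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/settings.xml.rels", rels)
        z.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ooxml(constructed_sample()))
```

A clean result here does not prove the file is harmless; it only shows that these two indicators are absent.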
The files that are uploaded to this site can be downloaded by any of its registered users who have a premium service.
For this reason, it is not recommended to upload files that contain sensitive information. If you want to search for a particular file, you can do so using its hash value. To obtain the hash of a file, you can open a PowerShell console and execute the Get-FileHash <File> command. In this case we are going to do it on a suspicious document.
This is a method that we could use if we receive a document from a suspicious source and we want to detect whether or not it contains malicious code. It is important to remember that cybercriminals are constantly creating new evasion or obfuscation techniques, so some (or all) of these techniques may not apply in any particular case. At Strategy and Security we are your allies in protection; if you have any other questions, do not hesitate to contact us.