We have started seeing malicious spam hit our servers. The emails are made to look like a scanned image and include a Word (.docm) attachment, addressed from the recipient to the recipient, much like a scanner set up to email scanned images.
The .docm documents generally contain malicious macros. A macro is a series of commands and instructions that can be grouped together as a single command to accomplish a task automatically. Macros are often used by spammers to perform malicious tasks when working with a document.
These particular emails are targeted at Windows and Microsoft Office users. Users that open the attachment with Apple or Android devices as well as Office alternatives such as LibreOffice and OpenOffice should be safe, but do not enable macros if asked by the attached file.
The email itself is simple and minimalist: a random hex number as the Subject and a .docm document with a matching hex number, as seen in the examples below. I would like to point out that, in an effort to evade filters or at least make blocking these a bit harder, the spammer has been using .docm files, which are a commonly emailed file type, with no additional information in the body.
These emails contain a Locky Ransomware payload. Ransomware is a very malicious and nasty bug. Not only does it encrypt local files, but it also seeks out attached storage and network shares and encrypts everything on those as well. It then prompts the user to pay a ransom to decrypt the files.
When you receive emails such as this, please place the email into your Junk folder, then delete. By adding it to the Junk folder, you are helping the system train itself to catch these in the future.
We are currently taking steps to adjust the filters on our end to capture similar emails going forward. If at any time you are skeptical of an email you have received, please feel free to reach out to us for assistance at email@example.com. You can also find some additional steps on how to handle suspicious emails here.
You can also scan suspicious files and URLs using VirusTotal, located here.
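The traits described above (sender equal to recipient, a hex-number Subject, a .docm attachment with a matching hex number, and an empty body) can be checked mechanically. The Python sketch below is an added example, not code from the original post or its mail filters; the 6-digit minimum for a "hex number", the quarantine rule, and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: a "hex number" is a run of 6+ hex digits (the page gives no length).
HEX_TOKEN = re.compile(r"\b[0-9A-Fa-f]{6,}\b")

def score_message(raw: str) -> dict:
    """Report which traits of the described campaign a raw message shows."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    tokens = {t.lower() for t in HEX_TOKEN.findall(msg.get("Subject", ""))}
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    docm = [n for n in names if n.endswith(".docm")]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    traits = {
        "self_addressed": bool(sender) and sender == rcpt,
        "hex_subject": bool(tokens),
        "docm_attachment": bool(docm),
        "name_matches_subject": any(t in n for n in docm for t in tokens),
        "empty_body": text == "",
    }
    # Hypothetical policy: a macro-enabled attachment named after the subject,
    # plus one more campaign trait, is enough to quarantine.
    traits["quarantine"] = traits["name_matches_subject"] and (
        traits["self_addressed"] or traits["empty_body"])
    return traits

def build_sample(sender, rcpt, subject, body, filename):
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, rcpt, subject
    m.set_content(body)
    m.add_attachment(b"placeholder, not a real document", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

# Constructed samples (not taken from real mail).
SPAM = build_sample("user@example.com", "user@example.com", "3F9A1C7E", "\n",
                    "3F9A1C7E.docm")
BENIGN = build_sample("alice@example.org", "user@example.com", "Quarterly report",
                      "See attached.", "report.docm")

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("benign", BENIGN)):
        print(label, score_message(raw))
```

A legitimate .docm sent by a colleague with a normal subject and body text is reported but not quarantined, which keeps the rule from blocking the file type outright.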
Examples of the referenced spam: