Sophos reported on one of the scarier ransomware strains we have seen lately. It’s called Goldeneye and it encrypts the workstation twice: first the files, then the Master File Table (MFT).

It’s a phishing attack with two attachments. One is a PDF and the other an Excel file. The Excel file contains a loader that pulls down all the malware. The PDF is the social engineering ruse that makes the user open the Excel file. If your user is untrained enough to open both attachments and there are crucial files on the local hard disk without a backup, you potentially get to pay ransom TWICE.

The spam email presents itself as a job application. Attached is an uninfected PDF containing the application to get the process started, and the PDF politely mentions that the Excel file contains more details, with no explicit demand to open the file… just business as usual.

When you open the Excel file, you get a suggestion on how to display the aptitude test. Sophos said: “The crooks don’t openly ask you to do anything obviously risky, such as ‘Enable macros’ or ‘Turn off the default security configuration’, but they do encourage you to make a change to your Office settings, something that Excel will invite you to do because the file contains what are known as Visual Basic for Applications (VBA) macros.

In fact, if you permit macros to run in this Excel file, you will quickly regret it: The VBA downloads a copy of the Goldeneye ransomware and immediately launches it.”

The VBA programming language used in Office macros is powerful enough to let cybercriminals not only control Word or Excel programmatically, but also perform more general actions such as downloading files from the web, saving them to disk, and running them. Yikes.
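
A mail-gateway style check for the kind of attachment described above, as an added example that is not from Sophos or the original post: it flags Office files that carry a VBA project so they can be held before a user ever sees the macro prompt. The file names and sample bytes are constructed, and the legacy-format check is a byte-search heuristic rather than a full OLE2 parse.

```python
import io
import zipfile
from typing import Dict, List, Optional

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")       # legacy .xls/.doc container
OLE2_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # VBA stream name in the OLE2 directory


def macro_indicator(data: bytes) -> Optional[str]:
    """Return a short reason if the file carries (or may hide) VBA, else None."""
    if data.startswith(OLE2_MAGIC):
        # Heuristic: directory entry names are stored as UTF-16LE text.
        return "OLE2 _VBA_PROJECT stream" if OLE2_VBA_MARKER in data else None
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    # OOXML keeps macros in a vbaProject.bin part (xl/, word/, ppt/).
                    if name.lower().endswith("vbaproject.bin"):
                        return "OOXML part " + name
        except zipfile.BadZipFile:
            return "unparseable ZIP container"  # cannot inspect: hold it
    return None


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed stand-in for a workbook; not a real Excel file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


def hold_list(attachments: Dict[str, bytes]) -> List[str]:
    """Names of attachments that should be quarantined for review."""
    return [name for name, data in attachments.items() if macro_indicator(data)]


# Constructed sample message: a clean PDF plus three spreadsheets.
SAMPLES = {
    "application.pdf": b"%PDF-1.4 constructed sample",
    "details.xlsx": build_ooxml(with_macro=False),
    "aptitude-test.xlsm": build_ooxml(with_macro=True),
    "aptitude-test.xls": OLE2_MAGIC + b"\x00" * 64 + OLE2_VBA_MARKER,
}

if __name__ == "__main__":
    print(hold_list(SAMPLES))
```

The check looks at content rather than the file extension, so a macro-bearing workbook renamed to `.xlsx` is still held.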