Didier Stevens

Wednesday 18 November 2015

Maldoc Social Engineering Trick

Filed under: maldoc — Didier Stevens @ 0:00

Xavier has an interesting SANS ISC Diary entry on a malicious Word document we analyzed. The VBA macro code contains a function (func_FormatDocument) for which Xavier has no clear explanation. This function pulls of a social engineering trick. It “decodes” the document by giving the text with a white font color (thus invisible) a black font color, and by removing the headers.

I created my own document to reproduce this trick in this video:


  1. Please share the example of this doc. That template would help in security awareness phishing campaigns… (as well as for those in real phishing of course).

    Comment by jd — Monday 23 November 2015 @ 13:11

  2. @jd Xavier has shared the VBA code in his ISC SANS Diary entry. Just copy the VBA code for function func_FormatDocument and use it in your Word document.

    Comment by Didier Stevens — Monday 23 November 2015 @ 13:43

  3. […] Maldoc Social Engineering Trick […]

    Pingback by Overview of Content Published In November | Didier Stevens — Friday 11 December 2015 @ 0:00

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.