We're blocking an unusual malware attack that originates from Craigslist job postings. Although the initial target is narrow, this could quickly spread as traditional anti-virus providers cannot keep up with the threat.
March 16, 2015 Update
Craigslist job posting reply spam is hitting again, as we predicted.
The attached Word doc has a new MD5 hash and the file name is no longer "resume.doc" (randomized numbers instead, such as "00296897.doc"). Other than that, the dangerous macros are the same, so read below for more information on this threat.
This is a great example of why Cloud antispam that includes 24/7/365 professional spam blocking now protects against email threats better than antivirus scanning. We blocked the first one at 12:12 am (ET). By 11:42 am (11 hours later), only 4 out of 57 antivirus vendors were detecting it.
Expected Reply to Craigslist Ad
The messages we've seen so far have been in the form of replies to job postings on Craigslist. Since the recipients are expecting to receive resumes from job seekers, the spammer has named the attached file "resume.doc" to make the email seem legitimate. And the text looks harmless. Here's an example:
The initial target audience is small: people posting job ads on Craigslist. But this idea might be implemented with other types of ads where the poster is expecting a certain kind of reply. Also, the viruses could spread quickly to the contacts of the recipients.
Dangerous Macro in Word Doc
We've analyzed the Word docs attached to a number of these, and they all do about the same thing. A VBA macro in the file downloads and then executes a virus or trojan from a hacked website. The specific file changes from one email to the next, but the method doesn't.
Since Word no longer runs macros (by default) in downloaded files, the spammer has to trick many recipients into executing the malware. When opened, the Word document displays a giant message that provides step-by-step instructions for enabling macros. Don't do it. Here's what that looks like:
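As an added illustration (not code from the original post or from SpamStopsHere), here is a small mail-gateway triage check in the spirit of "examine the whole delivery package": it parses a reply, pulls out the attachments, and flags a Word document that uses the lures described above (the generic "resume.doc" name or an all-numeric name like "00296897.doc") and that carries a VBA project. The sample message and the attachment bytes are constructed for the demo; the VBA check is a raw-byte heuristic (OLE2 directory names are stored uncompressed in UTF-16LE), not a full OLE parser.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# OLE2 compound-file magic that every legacy .doc starts with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory entry name present when a document contains VBA macros.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# Constructed stand-in for a macro-bearing .doc: magic header plus the marker.
FAKE_MACRO_DOC = OLE_MAGIC + b"\x00" * 24 + VBA_MARKER + b"\x00" * 8
# Campaign lure: a file name that is only digits, e.g. 00296897.doc
NUMERIC_NAME = re.compile(r"^\d{6,}\.docx?$", re.IGNORECASE)


def build_sample(filename: str, attachment: bytes) -> bytes:
    """Build a constructed 'reply to a job posting' message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.test"
    msg["To"] = "jobs@example.test"
    msg["Subject"] = "Re: Office assistant (craigslist)"
    msg.set_content("Hi, please see my resume attached. Thanks!")
    msg.add_attachment(attachment, maintype="application",
                       subtype="msword", filename=filename)
    return bytes(msg)


def triage(raw_message: bytes) -> list:
    """Return [(filename, [reasons])] for attachments that match the lure."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower() == "resume.doc":
            reasons.append("generic 'resume.doc' name")
        if NUMERIC_NAME.match(name):
            reasons.append("all-numeric document name")
        if data.startswith(OLE_MAGIC) and VBA_MARKER in data:
            reasons.append("OLE document carries a VBA project")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for hit in triage(build_sample("resume.doc", FAKE_MACRO_DOC)):
        print(hit)
```

A hit here is a reason to quarantine or sandbox the message regardless of whether any antivirus signature yet exists for the downloaded payload.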
Traditional Anti-Virus Vendors Can't Keep Up
On day zero of this attack, most antivirus vendors were not recognizing the malware. For example, according to VirusTotal, only 13/57 vendors were able to detect obi.exe (which appears to be a Zeus banking trojan or variant). And a measly 1 out of 57 were able to detect dro.exe.
Cloud antispam now provides better zero-day protection than traditional antivirus against these email-borne malware attacks. People relying on traditional antivirus to protect them were exposed to this threat. Our customers were protected from day zero.
SpamStopsHere blocks threats like this from day-zero because we examine not just the dangerous payload (the executable file), but the entire delivery package for suspicious clues. We also analyze global email traffic patterns to help us detect spam and email-borne viruses. And we update our database every two minutes, so there's no waiting to download the latest virus definitions.
For more about how we do that, see our recent blog comparing Cloud antispam to antivirus.
Virus Could Spread
This is a clever attack, initially targeted at people expecting to receive something very specific: a resume in response to a job posting. So, it's designed to achieve a high open-rate. Once the macro executes the malware, it could do untold damage to the user's computer or network, and could possibly try to spread itself to others.
SpamStopsHere is updated every two minutes, 24/7/365. Because it works in the Cloud, spam filtering updates take effect immediately without the user downloading or installing anything.
If you're having trouble keeping up with these threats, consider trying SpamStopsHere FREE for 30 days. It blocks 99.5% of spam with a false positive rate of less than 0.001%. That means we block fewer than 1 out of 100,000 good emails, which is why businesses and professionals love our service.
Marks used in this article are the properties of their respective owners. This article is for informational purposes. No endorsement by third parties is implied and none should be inferred.