One of the many tricks employed by hackers in order to entice users into running malware voluntarily is to change the icon of a malicious executable file, so that it passes itself off as a text file, a JPG picture, or… a Word document.

But so far, this is the first time we have seen the following technique.

The show starts with an EXE file called document.exe, which has the same icon as a Word document. However, if you run a hexadecimal editor and inspect the code, its nature can be clearly seen. The MZ string identifies it as an executable file:

Once it is executed, Word opens and displays some gibberish characters. At the same time, however, the executable carries out its pernicious actions and installs a DLL in the Windows system directory.

But… watch closely, as here comes the tricky part. Once the so-called Word document is opened, its extension changes to DOC. If we run a hexadecimal editor once again, we see the following screen:


We also have a video showing the complete process. Keep an eye on the Word icon on the Desktop: you'll see how both the extension and the icon itself change.

By the way, we currently detect this file as Bck/PcClient.DS.
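
The hex-editor check described above can be scripted so that a file is judged by its header rather than by its icon or extension. This is an added example, not code from the original post: the function names are hypothetical, the sample bytes are constructed, and the assumption that the file carries the legacy Word (OLE2) header after the swap is ours.

```python
import struct
from pathlib import Path

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # container used by legacy .doc files
EXPECTED = {".exe": "pe", ".dll": "pe", ".doc": "ole2"}  # extension -> expected header

def sniff(data: bytes) -> str:
    """Identify a file from its header bytes, ignoring its name and icon."""
    if data[:8] == OLE2_MAGIC:
        return "ole2"
    if data[:2] == b"MZ":
        # The DOS header stores the offset of the PE header at 0x3C (e_lfanew).
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "mz-only"  # MZ magic but no reachable PE signature
    return "unknown"

def check(name: str, data: bytes) -> str:
    """Report what the header says and whether it matches the extension."""
    kind = sniff(data)
    expected = EXPECTED.get(Path(name).suffix.lower())
    if kind in ("pe", "mz-only") and expected != "pe":
        return f"{name}: ALERT executable header behind a non-executable name"
    if expected and kind != expected:
        return f"{name}: header '{kind}' does not match extension"
    return f"{name}: header '{kind}'"

def fake_pe() -> bytes:
    """Constructed sample: the smallest byte layout that sniff() accepts as PE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0"

if __name__ == "__main__":
    samples = {                       # constructed inputs, not the real sample
        "document.exe": fake_pe(),    # what the post sees before execution
        "document.doc": OLE2_MAGIC + bytes(56),  # assumed header after the swap
        "invoice.doc": fake_pe(),     # renamed executable, for contrast
    }
    for name, data in samples.items():
        print(check(name, data))
```

Because the verdict comes from the bytes, a Word icon on document.exe does not change the result; only the header does.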