Tracking Trusted Office Documents: A Key to Investigating Macro-Based Malware
- Feb 21

Microsoft Office is widely used for business and personal tasks, but it has also been a major target for cybercriminals.
One of the most common attack methods has been malicious macros, which execute harmful scripts when an Office document is opened. Malware families such as Locky, REvil, and Emotet have successfully exploited this technique for years, often leading to ransomware infections and data breaches.
To combat this, Microsoft blocked macros by default in 2022 for files downloaded from the internet. However, many users still need macros for work, and attackers continuously find workarounds.
For forensic investigators and cybersecurity professionals, tracking which files a user has trusted and enabled macros for is crucial.
Microsoft Office maintains a TrustRecords registry key that logs this information. This key provides a long-term record of what documents were trusted, where they were stored, and when the user enabled macros or editing.
-------------------------------------------------------------------------------------------------------
Where is TrustRecords Stored in the Registry?
Office keeps a TrustRecords key in the user's registry hive (NTUSER.DAT, loaded as HKEY_CURRENT_USER). For Word it lives at:
NTUSER\Software\Microsoft\Office\<version>\Word\Security\Trusted Documents\TrustRecords
Excel and PowerPoint keep their own TrustRecords key under the same structure (replace Word with Excel or PowerPoint), and <version> is the Office build, for example 16.0 for Office 2016 and later, including Microsoft 365. Each value under the key is named after the document path and holds binary data with the trust timestamp and the permission granted.

-------------------------------------------------------------------------------------------------------
What Information Does TrustRecords Contain?
Each entry in TrustRecords logs valuable forensic data:
✅ Full File Path – The exact location of the document when it was opened (local, USB, network, or cloud).
✅ Timestamp – When the user trusted the document and enabled macros or editing.
✅ Permission Type – Whether the user allowed editing or macro execution.
This data can reveal whether a user has intentionally or unknowingly trusted a malicious document, making it an essential artifact in malware investigations.
-------------------------------------------------------------------------------------------------------
Why Is This Important in Digital Forensics?
🔍 1. Identifying Malicious Documents
If a system is infected with malware, analysts can check TrustRecords to see if the user opened and trusted a suspicious document. If an attacker sent a phishing email with a malicious macro, this registry key can confirm whether the victim enabled the macro.
💾 2. Recovering Evidence of Past Attacks
One of the most powerful aspects of TrustRecords is that it keeps logs for years. Even if a document has been deleted, its trust history remains in the Registry, making it possible to trace old infections.
🛡️ 3. Auditing Security Practices
Businesses can use TrustRecords to audit user behavior and determine if employees are frequently enabling macros in untrusted documents. This helps security teams improve training and reduce future risks.
🖥️ 4. Tracking External & Cloud Documents
The registry logs files trusted from different locations, including:
- Local storage (C:\Users\PCUser\Documents\report.doc)
- USB devices (E:\Malware_Invoice.doc)
- Network shares (\\CompanyServer\Shared\Finance.xlsm)
- Microsoft 365 Cloud (OneDrive documents)
This makes it useful for tracking document movement and identifying external storage devices used in an attack.
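The following Python decoder is an added example written for this post and is not code from the original article. It covers both the "What Information Does TrustRecords Contain?" section and the location list above: it parses TrustRecords values into path, trust timestamp and permission, tags where each document lived, and filters for documents where the user clicked Enable Content. The 24-byte value layout (FILETIME in the first 8 bytes, permission flag in the last 4, with 0xFFFFFF7F meaning macros enabled and 0x00000001 meaning editing enabled) is taken from public DFIR write-ups, not from this post, and should be treated as an assumption to verify against a known-good system. The sample values, the SharePoint URL, and the 16.0 default version are constructed for the example; read_live_trustrecords only works on Windows.

```python
"""Added example, not part of the original post: decode Office TrustRecords
values and tag where each trusted document lived.

Assumed value layout (from public DFIR write-ups, not from this post):
  value name = the document path as Office recorded it
               (%USERPROFILE%/..., X:/..., \\\\server\\share\\..., https://...)
  value data = 24 bytes: bytes 0..7 are a FILETIME of when trust was granted,
               bytes 8..19 are not decoded here, bytes 20..23 are a
               little-endian flag: 0xFFFFFF7F = macros enabled (Enable Content),
               0x00000001 = editing enabled only.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FLAG_MACROS_ENABLED = 0xFFFFFF7F   # assumed: "Enable Content" clicked
FLAG_EDITING_ENABLED = 0x00000001  # assumed: only "Enable Editing" clicked
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Key path from the post (Word); Excel and PowerPoint keep their own copy.
TRUSTRECORDS_SUBKEY = r"Software\Microsoft\Office\{ver}\{app}\Security\Trusted Documents\TrustRecords"


@dataclass
class TrustRecord:
    path: str
    trusted_at: datetime   # UTC
    permission: str
    location: str


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100-ns intervals since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Integer arithmetic so large FILETIME values stay exact."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def classify_location(path: str) -> str:
    """Coarse origin tag from the recorded path. A non-system drive letter still
    needs correlating with volume/USB artifacts to name the physical device."""
    p = path.lower()
    if p.startswith(("http://", "https://")):
        return "cloud"
    if p.startswith("\\\\"):
        return "network"
    if p.startswith("%userprofile%") or p.startswith("c:"):
        return "local"
    if len(p) > 1 and p[1] == ":" and p[0].isalpha():
        return f"drive {p[0].upper()}:"
    return "unknown"


def parse_trust_record(name: str, data: bytes) -> TrustRecord:
    """Decode one registry value (name, binary data) into a TrustRecord."""
    if len(data) < 12:
        raise ValueError(f"TrustRecords data too short for {name!r}: {len(data)} bytes")
    (ft,) = struct.unpack_from("<Q", data, 0)
    (flag,) = struct.unpack_from("<I", data, len(data) - 4)
    if flag == FLAG_MACROS_ENABLED:
        permission = "macros enabled"
    elif flag == FLAG_EDITING_ENABLED:
        permission = "editing enabled"
    else:
        permission = f"unknown (0x{flag:08x})"
    return TrustRecord(name, filetime_to_datetime(ft), permission, classify_location(name))


def macro_enabled_records(values) -> list:
    """values = iterable of (name, data); keep only records where Enable Content was clicked."""
    return [r for r in (parse_trust_record(n, d) for n, d in values)
            if r.permission == "macros enabled"]


def read_live_trustrecords(app: str = "Word", ver: str = "16.0"):
    """Windows only: enumerate the live HKCU key of the current user as (name, data) pairs."""
    import winreg  # only available on Windows
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, TRUSTRECORDS_SUBKEY.format(ver=ver, app=app))
    values, i = [], 0
    try:
        while True:
            name, data, _ = winreg.EnumValue(key, i)
            values.append((name, data))
            i += 1
    except OSError:  # EnumValue raises once the index runs past the last value
        pass
    finally:
        winreg.CloseKey(key)
    return values


# Constructed sample data (not real registry content), mirroring the post's examples.
SAMPLE_TIME = datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc)

def _sample(flag: int) -> bytes:
    return struct.pack("<Q", datetime_to_filetime(SAMPLE_TIME)) + b"\x00" * 12 + struct.pack("<I", flag)

SAMPLE_VALUES = [
    ("%USERPROFILE%/Documents/report.doc", _sample(FLAG_MACROS_ENABLED)),
    ("E:/Malware_Invoice.doc", _sample(FLAG_MACROS_ENABLED)),
    ("\\\\CompanyServer\\Shared\\Finance.xlsm", _sample(FLAG_EDITING_ENABLED)),
    ("https://example-my.sharepoint.com/personal/user/Documents/budget.xlsm", _sample(FLAG_EDITING_ENABLED)),
]

if __name__ == "__main__":
    for rec in (parse_trust_record(n, d) for n, d in SAMPLE_VALUES):
        print(f"{rec.trusted_at:%Y-%m-%d %H:%M:%S}Z  {rec.permission:16}  {rec.location:10}  {rec.path}")
```

On a live Windows host, feed read_live_trustrecords("Excel") or read_live_trustrecords("Word") into macro_enabled_records to get the short list worth correlating with mail and EDR telemetry; on an offline NTUSER.DAT, extract the values with your registry parser of choice and pass them in the same (name, data) form. Timestamps come out in UTC, so convert to the machine's local zone before lining them up with other artifacts.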
-------------------------------------------------------------------------------------------------------
Final Thoughts: A Hidden Treasure for Investigators
The TrustRecords registry key is a goldmine of forensic evidence when investigating macro-based attacks, phishing incidents, and document-based malware infections.
Forensic investigators and cybersecurity professionals should always check this key when analyzing:
✔️ Malware infections
✔️ Phishing attacks
✔️ Insider threats
✔️ Suspicious document activity
By leveraging TrustRecords, we can uncover hidden evidence, track user behavior, and strengthen defenses against macro-based malware attacks. 🚀
-------------------------------------------------------------------------------------------------------
Dean