Microsoft Word For Mac X

Posted on |



Microsoft AutoUpdate makes sure your copy of Office will always be up-to-date with the latest security fixes and improvements. If you are a Microsoft 365 subscriber, you'll also receive the newest features and tools. Check for updates and install. Open an Office app such as Word, then on the top menu, click Help Check for Updates. It is the last version of Microsoft Word to support Windows XP Professional 64 bit edition. Word 1.0 for Mac came out in January 18, 1985. Word 3.0 for Mac came out in January 31, 1987. (There was no '2.0' version.) Word 4.0 for Mac came out in November 6, 1990. Word 5.1 for Mac came out in 1992. Word 2001 was released in 2000.

The Microsoft Word word processor was first introduced for MS-DOS in 1983. Its design made use of a mouse and WYSIWYG graphics. Its crude WYSIWYG/mouse support was a direct response to the Apple Lisa/Mac, and VisiCorp Visi On. Initially it competed against many popular word processors such as WordStar, Multimate, and WordPerfect. Word for DOS was never really successful.

  1. How to get Microsoft Word for free on Mac If you're looking for a free version of Microsoft Word on your Mac, there are some good options and some bad ones. We show which are the ones to choose.
  2. Microsoft Word, along with Microsoft Excel is the most popular office productivity application used in offices. In this Microsoft Word for Mac course, I will take you through each section of the carefully designed syllabus so that you are proficient in every area of Microsoft Word for Mac OS that you will need to work in the average busy office.

The Mac version was introduced in 1985 where it acquired a friendlier user interface and gained some popularity. A Microsoft Windows version was introduced in 1989, although Palantir WinText, NBI Legend, and Samna AMI/AMI Pro had beaten them to their own Windows platform. For a time Word for Windows competed with WordPerfect for Windows. There were also ports to OS/2, the Atari ST, and Unix.

Microsoft

The DOS, Mac, and Windows versions are quite different from each other, and each restarted their version numbering at '1.0'. Later versions are bundled with Microsoft Office. Also see a complete list of word processors archived on Winworld.


Screenshots

PreviousNext

Release notes

Microsoft Word 1.x for Macintosh was a vastly different product fromMicrosoft Word for DOS. It used Apple's windowing GUI with drop downmenus, and rendered both graphics and multiple fonts directly on thescreen similar to how they would appear on a printer.

The IBM PC would not get a version of Microsoft Word with a similar GUI until years later.

Wanted: Manual scans.

On March 16, FortiGuard Labs captured a new Word file that spreads malware by executing malicious VBA (Visual Basic for Applications) code. The sample targeted both Apple Mac OS X and Microsoft Windows systems. We then analyzed the sample, and in this blog we are going to explain how it works, step by step.

When the Word file is opened, it shows notifies victims to enable the Macro security option, which allows the malicious VBA code to be executed.

Malicious Word File is Opened

Figure 1. Asks victim to enable Macro security option

Once the malicious VBA code is executed, the AutoOpen() function is automatically called. The first thing it does is read the data from the “Comments” property of the Word file.

Figure 2. The property “Comment” of the Word file

The value of the “Comments” is base64 encoded, which can be read out and decoded by the VBA code below:

After it’s base64-decoded, we can capture the code in plaintext, which is python script, as shown below.

Next, it takes a different route depending on the OS type, Apple Mac OS X or Microsoft Windows, that it is running on. You can see this in the the flow chart in Figure 3.

Figure 3. Calling different route according to OS type

We have found that this malicious VBA code uses slightly modified code taken from a metasploit framework which you can find at hxxps://github.com/rapid7/metasploit-framework/blob/master/external/source/exploits/office_word_macro/macro.vba

How it Works for Apple Mac OS X

As you probably know, Mac OS X comes with Python pre-installed by Apple. This allows it to execute python scripts by default. As you can see above, the base64-decoded python script is passed to the ExecuteForOSX function that is going to execute it at the bottom of the function (see Figure 3).

The python script is easy to understand. It extracts the code from a base64-encoded string, and then executes it. It is decoded below, and as you can see, it is a very clear python script.

When the python script is executed, it downloads a file from “hxxps://sushi.vvlxpress.com:443/HA1QE”, and executes it. The downloaded python script is a slightly modified version of the Python meterpreter file, which is also part of the Metasploit framework. The source code of the project can be downloaded from the following URL: hxxps://github.com/rapid7/metasploit-payloads/blob/master/python/meterpreter/meterpreter.py.

The major changes between the downloaded file (HA1QE) and the original file are the following:

Figure 4. Differences between HA1QE and meterpreter.py

Microsoft Word For Mac

The HTTP_CONNECTION_URL constant (hxxps://sushi.vvlxpress.com:443/TtxCTzF1Q2gqND8gcvg-cwGEk5tPhorXkzS0gXv9-zFqsvVHxi-1804lm2zGUE31cs/) is set to the Metasploit end-point that the script will be connecting to.

The PAYLOAD_UUID constant is used as an identifier for the client, which we believe is also being used by the attackers for campaign-tracking purposes.

Once the script is executed, it attempts to connect to the host “sushi.vvlxpress.com” on port 443. But at the time the request was made during our analysis, the listener (server) was not answering client requests.

Figure 5. Wireshark showing TCP retransmission error while connecting to the server

Microsoft Word For Mac Catalina

The python process remains active on the system while trying to connect to a reachable server.

Figure 6. Python script attempting connection to listener

How it Works for Microsoft Windows

Although the argument of the ExecuteForWindows function is as same as the ExecuteForOSX function, it does not use it. What it does instead is making a DOS-style command string starting with cmd.exe. When it is executed, powershell.exe is started without window (-w hidden), and it executes the base64-encoded code (-e base64-encoded code.) For more details, see the following screenshot.

Figure 7. Dos-style command

It’s base64 again. This malware’s author likes using base64 to encode the sensitive code. We will see more base64 encoded data in the rest of the analysis.

Decoding the base64-encoded data, we get the following powershell script:

The main job of the above powershell script is to decompress a piece of gzip data, which is in base64-encoded code, to get another powershell script (by calling FromBase64String() and GzipStream()) and execute it (by calling Start($s)).

Next, let’s move on to see the decompressed powershell code. To improve understanding, I modified some of the function and variable names.

Here is the code snippet:

From the above powershell code we can see that it first decodes the base64-encoded data. In fact, it is 64-bit binary code that is going to be executed later. Then, it allocates a buffer in the current process (powershell.exe) and copies the 64-bit code into the buffer by calling the VirtualAlloc and Copy functions. Finally, it calls the CreateThread function, whose thread function points to the new buffer. That means that the 64 bit code is the thread function and is executed. Based on our analysis, this malware only affects 64-bit Windows.

Microsoft Word For Mac X

Figure 8. 64-bit ASM code

We analyzed the 64-bit code in IDA Pro, as shown in the above screenshot. Once it starts, it downloads a file from “hxxps://pizza.vvlxpress.com:443/kH-G5” into a newly allocated buffer. The downloaded file is actually a 64-bit DLL file. Before the thread function finishes, its stack return address is set to the newly allocated buffer that holds the downloaded 64-bit DLL. That means that the 64-bit DLL gets executed when the thread function is returned.

Microsoft Word For Mac Crashing Mojave

Next, we see that the DLL can communicate with its server, such as “hxxps:// pizza.vvlxpress.com:443/5MTb8oL0ZTfWeNd6jrRhOA1uf-yhSGVG-wS4aJuLawN7dWsXayutfdgjFmFG9zbExdluaHaLvLjjeB02jkts1pq2bR/”. We can see it in the debugger, as shown below.

Figure 9. Communication with its server

At this point, we are still working on analyzing the downloaded DLL and trying to gather more information from it. We’ll share more details about this malware later as we uncover more interesting details.

Microsoft Word For Mac Os X 10.11.6

Mitigation

The original Word sample file has been detected as “WM/Agent.7F67!tr” by FortiGuard AntiVirus service.

IoCs

URL:

hxxps://sushi.vvlxpress.com:443/HA1QE

hxxps://pizza.vvlxpress.com:443/kH-G5

hxxps://pizza.vvlxpress.com:443/5MTb8oL0ZTfWeNd6jrRhOA1uf-yhSGVG-wS4aJuLawN7dWsXayutfdgjFmFG9zbExdluaHaLvLjjeB02jkts1pq2bR/

hxxps://sushi.vvlxpress.com:443/TtxCTzF1Q2gqND8gcvg-cwGEk5tPhorXkzS0gXv9-zFqsvVHxi-1804lm2zGUE31cs/

Sample SHA256:

Sample.doc 06A134A63CCAE0F5654C15601D818EF44FBA578D0FDF325CADFA9B089CF48A74

Microsoft Word For Mac Cheap

For

HA1QE.py 3A0924D55FB3BF3C5F40ADCE0BD281D75E62D0A52D8ADFA05F2084BA37D212C8

Microsoft Word For Macbook

kH-G5.dll C36021A2D80077C2118628ED6DB330FEF57D76810FF447EF80D2AB35B95099BC

Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.