Attackers Embedding Malicious Word file into a PDF to Evade Detections

A sophisticated attack vector dubbed “MalDoc in PDF” allows threat actors to bypass traditional security scanning by embedding malicious Word documents into PDF files.
This technique, observed in attacks dating back to July, enables macros to execute when victims open what appears to be standard documents, potentially compromising systems while evading detection from common security tools.
According to JPCERT/CC, the attack exploits a technical vulnerability that allows files to maintain PDF signatures while still functioning as Word documents.
Despite having PDF magic numbers and file structure, these hybrid files can be opened directly in Microsoft Word, triggering embedded macros that execute malicious code.
In the documented attacks, files typically used the .doc extension, ensuring they would be automatically routed to Word based on default Windows file associations.
MalDoc in PDF
This technique is dangerous because the file has a dual nature. Such files appear benign when analyzed with standard PDF security tools, since the malicious content is stored outside the PDF object structure but within the same file container.
The file is constructed by appending an mht (MIME HTML) document containing the macros after a legitimate PDF file object.
Security researchers examining file hexdumps have confirmed this structure maintains PDF headers while incorporating Word document components.
This enables the file to function in either application environment, but with dramatically different outcomes. When opened in standard PDF viewers, the files display normal content without executing malicious behaviors.
However, when the same file is processed by Microsoft Word, it activates the embedded macros, establishing command and control connections.
Traditional security tools show significant limitations when confronting this technique. Common PDF analysis tools such as pdfid fail to identify the malicious components because they focus exclusively on evaluating PDF structural elements.
Similarly, sandboxes and antivirus solutions may misclassify these files based on their initial PDF signatures. Despite these evasion capabilities, security teams can implement effective countermeasures. OLEVBA, an analysis tool designed to detect malicious Office macros, remains effective against MalDoc in PDF files.
When processing these hybrid documents, OLEVBA successfully identifies and extracts embedded macro code, enabling security personnel to recognize malicious content.
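The following scanner is an added example (not JPCERT/CC's rule or any tool from the article) that shows why PDF-only parsers miss this layout: it checks the PDF magic number, then looks for MHT/Word markers, especially in the bytes after the final `%%EOF`, where a PDF object-tree parser stops reading. The marker strings and the constructed sample files are assumptions for illustration.

```python
import sys

PDF_MAGIC = b"%PDF-"
EOF_MARKER = b"%%EOF"
# Assumed markers of an MHT (MIME HTML) document as saved by Word.
MHT_MARKERS = (
    b"MIME-Version:",
    b"Content-Type: multipart/related",
    b"<w:WordDocument>",
)


def analyze(data: bytes) -> dict:
    """Classify the raw bytes of one file; a PDF-only check would stop at is_pdf."""
    result = {"is_pdf": data.startswith(PDF_MAGIC), "trailing_bytes": 0,
              "mht_markers": [], "after_eof": False, "suspicious": False}
    if not result["is_pdf"]:
        return result
    # Bytes after the last %%EOF are outside the PDF object structure,
    # which is exactly the region tools such as pdfid never inspect.
    last_eof = data.rfind(EOF_MARKER)
    tail = data[last_eof + len(EOF_MARKER):] if last_eof != -1 else b""
    result["trailing_bytes"] = len(tail)
    result["mht_markers"] = [m.decode() for m in MHT_MARKERS if m in data]
    result["after_eof"] = any(m in tail for m in MHT_MARKERS)
    result["suspicious"] = bool(result["mht_markers"])
    return result


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return analyze(fh.read())


# Constructed samples: a minimal clean PDF, and the same PDF with a
# macro-free Word MHT stub appended after %%EOF (the hybrid layout).
CLEAN_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
HYBRID = CLEAN_PDF + (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_X"\r\n\r\n'
    b"------=_NextPart_X\r\n"
    b'Content-Type: text/html; charset="us-ascii"\r\n\r\n'
    b'<html xmlns:w="urn:schemas-microsoft-com:office:word">'
    b"<xml><w:WordDocument><w:View>Print</w:View></w:WordDocument></xml></html>\r\n"
)

if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        print(path, scan_file(path))
    print("clean :", analyze(CLEAN_PDF))
    print("hybrid:", analyze(HYBRID))
```

Run it with file paths as arguments to scan real attachments; with no arguments it reports on the two constructed samples.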
Security Measures
Security professionals can deploy custom Yara rules to detect these hybrid threats.
The following detection rule identifies potential MalDoc in PDF files by looking for both PDF signatures and embedded Office document structures:
This technique does not bypass Word's macro security settings: if automatic macro execution is disabled, users still receive the usual security prompts.
However, the method creates significant blind spots in automated analysis workflows, potentially allowing malware to slip through defensive layers.
Organizations should update their security protocols to incorporate specific testing for these hybrid file formats, particularly in environments where document attachments from external sources are common.
It is recommended to implement both technical countermeasures and user awareness training to minimize risk exposure.