To avoid detection, hackers employed a new method dubbed “MalDoc in PDF” to insert a malicious Word file into a PDF file.
Despite having magic numbers and a PDF-specific file format, a file created with MalDoc in PDF may be opened in Word.
If the file includes a configured macro, running it in Word causes VBS to launch and carry out malicious operations.
The attacks that JPCERT/CC reported used the “.doc” file extension. If Windows has the “.doc” extension associated with Word, the MalDoc in the PDF-created file will open as a Word document.
“The attacker adds an mht file created in Word with a macro attached after the PDF file object and saves it. The created file is recognized as a PDF file in the file signature, but it can also be opened in Word”, JPCERT/CC said in its blog.
Analysis of the Attack
Likely, PDF analysis tools like pdfid won’t be able to detect the malicious components in a file prepared using MalDoc.
It should also be noted that this file exhibits unintended behaviors when accessed in Word; however, malicious behaviors cannot be verified when it is opened in PDF readers, etc. Since the file is recognized as a PDF file, current antivirus or sandbox tools may not detect it.
“This technique does not bypass the setting that disables auto-execution in Word macros,” the JPCERT/CC team noted.
Nevertheless, if you are doing automated malware analysis using specific tools, sandboxes, etc. You should be cautious about the detection findings, as the files are recognized as PDFs.
Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.