Attackers hiding malicious Word files in PDFs
Japan’s Computer Emergency Response Team (JPCERT) discovered a new “MalDoc in PDF” malware technique that bypasses detection by hiding malicious Word files in PDFs.
It is a polyglot file — a file containing two different file formats that can be executed as more than one file type. It is recognised as a PDF but can also open in Office applications.
Malicious actors often use polyglots to bypass detection and confuse analysis tools.
The file sampled by JPCERT contains a VBS macro that downloads and installs an MSI malware file if opened as a .doc file. The team didn’t specify what type of malware it installs.
Critically, the attack vector doesn’t bypass security settings that disable auto-execution of macros in Microsoft Office, meaning they still provide adequate protection.
Users must manually deactivate these protections, by clicking the relevant button or unblocking the file, before the macro can run.
While embedding one file type within another isn’t a new approach attackers use, the specific technique used for MalDoc in PDF is unique.
Its main advantage is its ability to bypass detection by PDF tools like “pdfid” that only examine the file’s outer layer, which, in this case, is a legitimate PDF format.
JPCERT noted that analysis tools like “OLEVBA” still detect the malware hidden inside the polyglot, which shows that multi-layered protections and rich detection sets should still be effective.
It also shared an example of a Yara rule that can help identify files using the MalDoc in PDF approach.
The rule checks whether a file starts with a PDF signature and also contains patterns resembling Word documents, Excel workbooks, or MHT files.
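The same two-part check (PDF signature at the start of the file, Office/MHT markers somewhere in the body) can be expressed outside Yara for a quick triage script. The following is an added example, not JPCERT's rule and not code from the article: the marker strings `<w:WordDocument>`, `<x:ExcelWorkbook>` and the MIME headers are assumptions based on how Word and Excel write MHTML exports, and the sample byte strings are constructed here, not real samples.

```python
"""Heuristic triage check for the "MalDoc in PDF" polyglot shape.

Added example. It mirrors the logic the article attributes to the Yara rule:
the outer layer must be a PDF (signature at offset 0) and the inner layer must
look like an MHT-wrapped Word or Excel document. Marker strings are assumed.
"""
import re
from typing import Dict, List

PDF_MAGIC = b"%PDF"

# Assumed marker patterns (not taken from the article): Office emits these XML
# islands in MHTML exports, and the MHT envelope itself carries MIME headers.
# Case-insensitive because the MHT layer is text.
PATTERNS: Dict[str, List[re.Pattern]] = {
    "word": [re.compile(rb"<w:WordDocument>", re.I)],
    "excel": [re.compile(rb"<x:ExcelWorkbook>", re.I)],
    "mht": [
        re.compile(rb"MIME-Version:", re.I),
        re.compile(rb"Content-Type:\s*multipart/related", re.I),
    ],
}


def scan(data: bytes) -> Dict[str, object]:
    """Return which indicator groups fire and the overall verdict.

    A tool that only inspects the outer layer sees a valid PDF; this function
    deliberately searches the whole byte string so trailing MHT content counts.
    """
    hits = {name: any(p.search(data) for p in pats) for name, pats in PATTERNS.items()}
    starts_with_pdf = data.startswith(PDF_MAGIC)
    office_body = hits["word"] or hits["excel"]
    suspicious = starts_with_pdf and hits["mht"] and office_body
    return {"pdf_header": starts_with_pdf, "hits": hits, "suspicious": suspicious}


def is_maldoc_in_pdf(data: bytes) -> bool:
    """Convenience wrapper: True when the polyglot shape is present."""
    return bool(scan(data)["suspicious"])


# Constructed samples (not real malware): a minimal benign PDF, a Word-style MHT
# body on its own, and a polyglot that appends the MHT body to the PDF bytes.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

MHT_WORD_BODY = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_000"\r\n\r\n'
    b"------=_NextPart_000\r\n"
    b'Content-Type: text/html; charset="us-ascii"\r\n\r\n'
    b'<html xmlns:w="urn:schemas-microsoft-com:office:word">'
    b"<head><xml><w:WordDocument><w:View>Print</w:View></w:WordDocument></xml></head>"
    b"<body>constructed sample</body></html>\r\n"
)

PLAIN_MHT = MHT_WORD_BODY          # no PDF header: not the polyglot shape
POLYGLOT = BENIGN_PDF + MHT_WORD_BODY  # PDF outer layer, Word MHT inner layer


if __name__ == "__main__":
    for label, blob in [("benign pdf", BENIGN_PDF), ("plain mht", PLAIN_MHT), ("polyglot", POLYGLOT)]:
        print(f"{label:10s} -> {scan(blob)}")
```

The check is a triage heuristic, not a verdict: a legitimate PDF that carries an MHT attachment could match, so a hit should be followed by extracting the embedded document and running a macro analyser such as OLEVBA on it, as the article describes.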