MalDoc in PDF technique allows you to hide a malicious Word file in PDF

Carding
A group of Japanese experts involved in handling urgent cyber incidents (JPCERT) has described a new attack vector, "MalDoc in PDF", which evades detection by embedding malicious Word documents in PDF files.

One such file, which JPCERT got its hands on, looks like a PDF document to most anti-virus engines. At the same time, office applications can open it as a regular Word file (.doc).

Such files are called "polyglots": they combine two different formats so that multiple applications can open them. The file used in this campaign, for example, is a mixture of PDF and Word and can be opened as either file type.

As a rule, attackers use polyglots to evade detection or confuse analyzers: one part of such a file can be entirely harmless, while the other carries the malicious payload.

The MalDoc in PDF attack differs in that the PDF file contains a document in Word format, which carries an embedded VBS macro that downloads and installs a malicious MSI file.



It is worth noting that the MalDoc in PDF technique is powerless against settings that disable automatic macro execution in Office. The JPCERT team has posted a video demonstration of MalDoc in PDF on YouTube.

The researchers noted that the new vector can confuse common PDF analysis tools such as pdfid, but the OLEVBA tool is able to detect the payload in the malicious part of the file.
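As an added triage example (not JPCERT's code or any tool mentioned above), the heuristic below flags a file that presents a valid PDF header but also carries Word-document material and macro markers after the PDF's final `%%EOF`. The marker strings (OLE compound-file magic, MHT/MIME headers, `Attribute VB_`) and the sample bytes are assumptions constructed for this demonstration; olevba remains the tool to confirm the payload.

```python
# Heuristic detector for PDF/Word polyglots of the "MalDoc in PDF" kind.
# All marker strings and sample inputs below are constructed assumptions.

PDF_MAGIC = b"%PDF-"
# OLE2 compound-file signature (classic .doc container).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Markers of a Word document saved as MHT (another Word-openable body).
MHT_MARKERS = (b"MIME-Version:", b"Content-Type: multipart/related", b"x-mso")
# Strings that commonly accompany an embedded VBA/VBS macro project.
MACRO_MARKERS = (b"vbaProject", b"Attribute VB_", b"ActiveMime")


def scan_polyglot(data: bytes) -> dict:
    """Return findings for a buffer; 'suspicious' is True when the data
    starts like a PDF but also contains a Word (OLE or MHT) body."""
    eof = data.rfind(b"%%EOF")
    findings = {
        "pdf_header": data.startswith(PDF_MAGIC),
        "pdf_eof": eof != -1,
        # A well-formed PDF ends shortly after its last %%EOF; a large tail
        # is where the appended Word document would live.
        "bytes_after_eof": len(data) - (eof + len(b"%%EOF")) if eof != -1 else 0,
        "ole_embedded": OLE_MAGIC in data,
        "mht_markers": [m.decode() for m in MHT_MARKERS if m in data],
        "macro_markers": [m.decode() for m in MACRO_MARKERS if m in data],
    }
    word_body = findings["ole_embedded"] or bool(findings["mht_markers"])
    findings["suspicious"] = findings["pdf_header"] and word_body
    return findings


# Constructed sample inputs: a minimal benign PDF, and the same PDF with a
# fake MHT-style Word body and macro marker appended after %%EOF.
CLEAN_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
POLYGLOT = CLEAN_PDF + (
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/related; boundary="----=_demo"\n'
    b"------=_demo\nContent-Type: text/html\n<html>constructed</html>\n"
    b'Attribute VB_Name = "ThisDocument"\n'
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PDF), ("polyglot", POLYGLOT)):
        print(name, scan_polyglot(blob))
```

On a real sample, a hit here is a reason to run olevba on the file, not a verdict by itself; benign PDFs with incremental updates also have data after an earlier `%%EOF`, which is why the check uses the last one.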
