Beware of MalDoc in PDF: A New Polyglot Attack Allowing Attackers to Evade Antivirus

silversurfer

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,176
Content source
https://thehackernews.com/2023/09/beware-of-maldoc-in-pdf-new-polyglot.html
Cybersecurity researchers have called attention to a new antivirus evasion technique that involves embedding a malicious Microsoft Word file into a PDF file.

The sneaky method, dubbed MalDoc in PDF by JPCERT/CC, is said to have been employed in an in-the-wild attack in July 2023.

"A file created with MalDoc in PDF can be opened in Word even though it has magic numbers and file structure of PDF," researchers Yuma Masubuchi and Kota Kino said. "If the file has a configured macro, by opening it in Word, VBS runs and performs malicious behaviors."

Such specially crafted files are called polyglots as they are a legitimate form of multiple different file types, in this case, both PDF and Word (DOC).

This entails adding an MHT file created in Word and with a macro attached after the PDF file object. The end result is a valid PDF file that can also be opened in the Word application.

Put differently; the PDF document embeds within itself a Word document with a VBS macro that's designed to download and install an MSI malware file if opened as a .DOC file in Microsoft Office. It's not immediately clear what malware was distributed in this fashion.
Click to expand...

 
  • Like
  • +Reputation
Reactions: upnorth, simmerskool, Andy Ful and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
The technique described in this article does not bypass the setting that disables auto-execution in Word macro. However, since the files are recognized as PDFs, you should be careful about the detection results if you are performing automated malware analysis using some tools, sandbox, etc.
Click to expand...
blogs.jpcert.or.jp

MalDoc in PDF - Detection bypass by embedding a malicious Word file into a PDF file – - JPCERT/CC Eyes

JPCERT/CC has confirmed that a new technique was used in an attack that occurred in July, which bypasses detection by embedding a malicious Word file into a PDF file. This blog article calls the technique “MalDoc in PDF” hereafter and...
blogs.jpcert.or.jp blogs.jpcert.or.jp
 
  • Like
Reactions: simmerskool, harlan4096, Gandalf_The_Grey and 1 other person
You must log in or register to reply here.

Similar threads

CyberTech
    • Like
    • +Reputation
    • Wow
RustBucket malware: A PDF could finish your Mac
Replies
0
Views
975
News Archive
CyberTech
CyberTech
LASER_oneXM
    • Like
    • Wow
    • +Reputation
PDF smuggles Microsoft Word doc to drop Snake Keylogger malware
Replies
1
Views
708
News Archive
brambedkar59
brambedkar59
LASER_oneXM
    • Like
    • +Reputation
    • Wow
New Cactus ransomware encrypts itself to evade antivirus
Replies
0
Views
1,036
News Archive
LASER_oneXM
LASER_oneXM

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top