Beware of MalDoc in PDF: A New Polyglot Attack Allowing Attackers to Evade Antivirus

silversurfer

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,542
Content source
https://thehackernews.com/2023/09/beware-of-maldoc-in-pdf-new-polyglot.html
Cybersecurity researchers have called attention to a new antivirus evasion technique that involves embedding a malicious Microsoft Word file into a PDF file.

The sneaky method, dubbed MalDoc in PDF by JPCERT/CC, is said to have been employed in an in-the-wild attack in July 2023.

"A file created with MalDoc in PDF can be opened in Word even though it has magic numbers and file structure of PDF," researchers Yuma Masubuchi and Kota Kino said. "If the file has a configured macro, by opening it in Word, VBS runs and performs malicious behaviors."

Such specially crafted files are called polyglots as they are a legitimate form of multiple different file types, in this case, both PDF and Word (DOC).

This entails adding an MHT file created in Word and with a macro attached after the PDF file object. The end result is a valid PDF file that can also be opened in the Word application.

Put differently; the PDF document embeds within itself a Word document with a VBS macro that's designed to download and install an MSI malware file if opened as a .DOC file in Microsoft Office. It's not immediately clear what malware was distributed in this fashion.
Click to expand...

 
  • Like
  • +Reputation
Reactions: upnorth, simmerskool, Andy Ful and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,817
The technique described in this article does not bypass the setting that disables auto-execution in Word macro. However, since the files are recognized as PDFs, you should be careful about the detection results if you are performing automated malware analysis using some tools, sandbox, etc.
Click to expand...
blogs.jpcert.or.jp

MalDoc in PDF - Detection bypass by embedding a malicious Word file into a PDF file – - JPCERT/CC Eyes

JPCERT/CC has confirmed that a new technique was used in an attack that occurred in July, which bypasses detection by embedding a malicious Word file into a PDF file. This blog article calls the technique “MalDoc in PDF” hereafter and...
blogs.jpcert.or.jp blogs.jpcert.or.jp
 
  • Like
Reactions: simmerskool, harlan4096, Gandalf_The_Grey and 1 other person
You must log in or register to reply here.

Similar threads

CyberTech
    • Like
    • +Reputation
    • Wow
RustBucket malware: A PDF could finish your Mac
Replies
0
Views
1,297
News Archive
CyberTech
CyberTech
Gandalf_The_Grey
    • Like
Security News Keyless systems in cars in 2024 still easy to hack
Replies
3
Views
1,890
Security News
simmerskool
simmerskool
LASER_oneXM
    • Like
    • Wow
    • +Reputation
PDF smuggles Microsoft Word doc to drop Snake Keylogger malware
Replies
1
Views
943
News Archive
brambedkar59
brambedkar59

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top