Advice Request Is it possible to embed malware exe in PDF, doc file?


shmu26

I am used to hearing about macros and other kinds of scripts embedded in doc files. But I didn't know you could do this with exe files. Is this a common attack method?
 

Mahesh Sudula

Yes. That is what W97M.Downloader is based on.
Basically, malicious code is injected into the PDF/doc. Upon execution it requires you to forcefully open the text, so even if you exit, the process continues in the background.
An advanced technique I have seen, though rarely, is process injection into a system process like svchost, which is even worse!
Basically, these spawned doc or PDF files will be connected to some infected or malformed sites that can download the payload.
 

Andy Ful

shmu26 said:
> I am used to hearing about macros and other kinds of scripts embedded in doc files. But I didn't know you could do this with exe files. Is this a common attack method?

You can embed anything you want in an MS Office document (shellcode, DLL, EXE, script, etc.).
Simply open a document and use OLE. This method works for scripts, MSI, and EXE files, but is actually restricted by Microsoft, so some embedded OLE will be blocked:
The shellcode, EXE, or DLL files can also be embedded in a VBA macro or hidden in pictures via steganography. In this case, an exploit, script or macro has to be used to decode and execute an EXE.

Mahesh Sudula said:
> Yes. That is what W97M.Downloader is based on.
> Basically, malicious code is injected into the PDF/doc. Upon execution it requires you to forcefully open the text, so even if you exit, the process continues in the background.
> An advanced technique I have seen, though rarely, is process injection into a system process like svchost, which is even worse!
> Basically, these spawned doc or PDF files will be connected to some infected or malformed sites that can download the payload.

W97M.Downloader works in a slightly different way. It is an MS Office Word document with an embedded macro or exploit, which tries to download and execute an EXE (or another payload). The EXE (or payload) is not embedded in the MS Office file.
This is the most common way of abusing Word documents.
The method of embedding the payload (for example an EXE file) into MS Office documents is rarely used, because of default MS Office restrictions.
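
An added example, not part of the thread or any poster's code: a defender-side triage of an Office Open XML file (.docx/.docm) that lists macro parts and embedded OLE objects and flags embedded parts carrying a PE image, the two cases the reply above distinguishes. The function names are hypothetical, the sample document is constructed from inert placeholder bytes, and the PE check is a byte-level heuristic, not a full OLE parser.

```python
import io
import struct
import zipfile

def has_pe_header(blob: bytes) -> bool:
    """Heuristic: an MZ header whose e_lfanew field (offset 0x3C) points at a PE signature."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                return True
        pos = blob.find(b"MZ", pos + 1)
    return False

def triage_ooxml(data: bytes) -> dict:
    """List macro parts, embedded objects and embedded PE images in a .docx/.docm."""
    report = {"ooxml": False, "macros": [], "embedded": [], "pe": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report  # legacy .doc (OLE2 container) or not an Office Open XML file
    report["ooxml"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):      # VBA macro project part
                report["macros"].append(name)
            elif "/embeddings/" in lower:              # OLE-embedded objects
                report["embedded"].append(name)
                if has_pe_header(zf.read(name)):
                    report["pe"].append(name)
    return report

def build_sample(with_objects: bool) -> bytes:
    """Constructed test document: inert placeholder bytes, not a real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_objects:
            stub = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
            ole = bytes.fromhex("d0cf11e0a1b11ae1") + bytes(504)  # OLE2 magic + padding
            zf.writestr("word/vbaProject.bin", b"constructed")
            zf.writestr("word/embeddings/oleObject1.bin", ole + stub)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_ooxml(build_sample(True)))
    print(triage_ooxml(build_sample(False)))
```

A macro part with no embedded PE matches the downloader pattern described above, so an empty `pe` list does not mean the document is benign.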
 