MalDoc in PDFs: Hiding Malicious Word Docs in PDF Files

Cyber Security Threat Summary:
“Japan's computer emergency response team (JPCERT) is sharing a new 'MalDoc in PDF' attack detected in July 2023 that bypasses detection by embedding malicious Word files into PDFs. The file sampled by JPCERT is a polyglot recognized by most scanning engines and tools as a PDF, yet office applications can open it as a regular Word document (.doc). Polyglots are files that contain two distinct file formats that can be interpreted and executed as more than one file type, depending on the application reading/opening them. For example, the malicious documents in this campaign are a combination of PDF and Word documents, which can be opened as either file format. Typically, threat actors use polyglots to evade detection or confuse analysis tools, as these files may appear innocuous in one format while hiding malicious code in the other. In this case, the PDF document contains a Word document with a VBS macro to download and install an MSI malware file if opened as a .doc file in Microsoft Office. However, the Japan CERT did not share any details as to what type of malware is installed” (Bleeping Computer, 2023).

Security Officer Comments:
Thankfully, MalDocs embedded in PDFs are not capable of bypassing the Microsoft Office security settings that block macros from running automatically. A recipient would still have to open the file in Word rather than a PDF reader (for example because it carries a .doc extension) and then manually enable macros before the downloader runs. Furthermore, although this technique evades detection by traditional PDF analysis tools such as pdfid, which only inspect the outer PDF layer, other tools such as olevba are still capable of detecting the malicious content hidden inside these polyglot files, so multi-layered defenses and a rich detection set should be effective against this threat.
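
The following Python script is an added example written for this page; it is not JPCERT's YARA rule and not code from the advisory or from Bleeping Computer. It makes the point above concrete: a pdfid-style pass that only counts PDF keywords sees nothing unusual, while a whole-file scan for the MHT and Word markers that Office would actually parse flags the polyglot. The marker strings, the scoring condition and the two sample files are assumptions constructed for the example; the embedded VBA text is shown in clear rather than base64-encoded as it would be in a real .mht, to keep the sample readable.

```python
"""Heuristic triage for 'MalDoc in PDF' style polyglots (added example).

Not JPCERT's rule or the advisory's code. Marker strings, thresholds and
both sample files are assumptions constructed for this example.
"""
import sys

# PDF layer: the PDF spec allows the %PDF- header anywhere in the first 1024 bytes.
PDF_MAGIC = b"%PDF-"
# Keywords a pdfid-style scanner looks for; none of them describe the Word layer.
PDF_KEYWORDS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/Launch",
                b"/EmbeddedFile", b"/ObjStm")
# Word/MHT layer: MIME-encapsulated (.mht) Word documents carry these headers
# and the WordprocessingML root element. (Assumed indicators.)
MHT_MARKERS = (b"MIME-Version:", b"Content-Type:", b"Content-Location:")
WORD_MARKERS = (b"<w:WordDocument", b"<?xml version=")
# Residue of a VBA project in a macro-enabled document. (Assumed indicators.)
MACRO_MARKERS = (b"Attribute VB_", b"AutoOpen", b"Document_Open", b"VBAProject")

# Constructed sample 1: a minimal, benign PDF.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample 2: the same PDF with an MHT-encoded Word document and a
# VBA stub appended after %%EOF, the shape described in the summary above.
POLYGLOT_SAMPLE = BENIGN_PDF + (
    b"MIME-Version: 1.0\n"
    b"Content-Type: multipart/related; boundary=\"----=_NextPart\"\n"
    b"\n------=_NextPart\n"
    b"Content-Location: file:///C:/doc.htm\n"
    b"Content-Type: text/html; charset=\"us-ascii\"\n\n"
    b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\">\n"
    b"<!--[if gte mso 9]><xml><w:WordDocument><w:View>Print</w:View>"
    b"</w:WordDocument></xml><![endif]-->\n"
    b"</html>\n"
    b"------=_NextPart\n"
    b"Content-Location: file:///C:/editdata.mso\n"
    b"Content-Type: application/x-mso\n\n"
    b"Attribute VB_Name = \"ThisDocument\"\nSub Document_Open()\n"
    b"End Sub\n"
)


def has_pdf_header(data: bytes) -> bool:
    """True if the file would be classified as a PDF by a magic-based scanner."""
    return data.find(PDF_MAGIC, 0, 1024 + len(PDF_MAGIC)) != -1


def pdf_keyword_counts(data: bytes) -> dict:
    """What a PDF-only scanner reports: counts of the usual suspicious keywords."""
    return {kw.decode(): data.count(kw) for kw in PDF_KEYWORDS}


def count_hits(data: bytes, markers) -> int:
    """Case-insensitive count of marker occurrences over the whole byte stream."""
    low = data.lower()
    return sum(low.count(m.lower()) for m in markers)


def classify(data: bytes) -> dict:
    """Flag files that are a PDF on the outside but carry an MHT/Word layer."""
    pdf = has_pdf_header(data)
    mht = count_hits(data, MHT_MARKERS)
    word = count_hits(data, WORD_MARKERS)
    macro = count_hits(data, MACRO_MARKERS)
    return {
        "pdf_header": pdf,
        "mht_hits": mht,
        "word_hits": word,
        "macro_hits": macro,
        # Assumed condition: PDF header plus at least one MHT and one Word marker.
        "suspicious": pdf and mht >= 1 and word >= 1,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = POLYGLOT_SAMPLE
    print("pdf layer:", pdf_keyword_counts(data))
    print("whole file:", classify(data))
```

Run it with no arguments to triage the constructed polyglot, or pass a path to scan a real file. On the sample, the PDF-keyword counts are all zero for both files, which is exactly what a pdfid-style pass sees, while `classify` flags only the polyglot; a hit from this heuristic is a cue to hand the file to olevba (or a full Office parser), not a verdict on its own.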

Suggested Correction(s):
JPCERT has shared a YARA rule to help defenders identify files using the MalDoc in PDF technique. The rule is published in the agency's advisory, which can be accessed below: