Cybersecurity researchers at Japan’s JPCERT/CC team have uncovered an attack technique that exploits a novel approach to bypass detection. Dubbed “MalDoc in PDF,” this technique involves embedding a Word document with malicious macros within a PDF file, effectively allowing the file to be opened by Adobe as well as Microsoft Word.

Although malicious files embedded in other files is not unheard of, bypassing security and analysis tools using this specific version of the technique is unique. This type of file with multiple file formats is sometimes referred to as a polyglot, traditionally a term used to describe a person who can communicate using several languages.

The MalDoc in PDF technique takes advantage of the magic numbers and file structure of a PDF, which is what a lot of security tools and programs use to determine the type of file. However, the embedded macro enables the execution of malicious Visual Basic Script (VBS) actions upon opening the file in Word.

Notably, this approach respects the default setting of macros being disabled in Microsoft Office, necessitating user approval for execution. This is typically dealt with by misleading or tricking the user into enabling macros, which allows the malicious scripts to execute.

Files generated through the MalDoc in PDF technique seem to be elusive when analyzed with traditional PDF analysis tools such as pdfid, which may not be able to identify the malicious components of the file. However, OLEVBA, a tool designed for analyzing Word files, was able to reveal the embedded macros and expose the malicious segments of the file.

The MalDoc in PDF technique can also be detected using Yara rules, which can alert on files being opened with non-matching extension types. An example rule is available in the JPCERT/CC article.

The emergence of this technique emphasizes the need for ongoing vigilance. As attack methods evolve, staying informed about new tactics is essential. Proactive measures such as refining defense strategies, raising employee awareness, and implementing advanced detection tools are vital in countering evolving threats.

In Summary: An attack method dubbed “MalDoc in PDF” has been discovered that involves embedding malicious Word documents with macros inside a PDF. This approach enables the file to be opened by either default program while evading detection from security tools.

Why It Matters: This unique tactic showcases adversaries’ innovative evasion strategies. MSPs must actively educate clients about new techniques, encouraging heightened vigilance and the adoption of tailored defenses. Through threat awareness, refining security measures, and leveraging advanced detection tools, MSPs and their clients can collaboratively enhance their cyber resilience against evolving attack vectors.