Security experts from JPCERT/CC have identified a new attack technique called “MalDoc in PDF,” which can elude detection by embedding a malicious Word file within a seemingly harmless PDF document.
This technique, employed in a July cyber-attack, is raising alarms in the cybersecurity community due to its ability to bypass conventional security measures.
From a technical standpoint, the file retains the usual attributes of a PDF, yet the malicious Word content inside it can be opened with Microsoft Word. Opening it in Word triggers the execution of Visual Basic Script (VBS) macros, enabling various malicious activities.
In the confirmed cyber-attack, the file bore a .doc file extension. However, when closely examined, it became evident that attackers inserted an MHT file, created in Word and containing macros, after the PDF file object. This file, while maintaining a PDF signature, opened in Microsoft Word.
In an advisory published last week, JPCERT/CC warned that traditional PDF analysis tools, such as pdfid, may struggle to detect the malicious components within a file created using MalDoc in PDF.
Notably, the malicious behaviors are only triggered when the file is opened in Word; they remain dormant when viewed in standard PDF viewers. Furthermore, since the file appears as a PDF, existing sandbox environments and antivirus software may not flag it as a threat.
Experts recommend using OLEVBA, an analysis tool for malicious Word files, to combat this technique. OLEVBA can effectively identify embedded macros, aiding in detecting malicious elements within the file.
Another strategy involves the use of Yara rules to detect this attack method. Yara rules can identify discrepancies in file extensions and provide warnings when an incompatible file type is detected within a PDF document.
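As an added illustration of the file-type-discrepancy check described above (example code written for this page, not JPCERT/CC's own Yara rule or tooling), the Python below flags a file that carries a PDF header but also contains MHT/Word markers, especially after the last `%%EOF`. The marker strings and the sample bytes are constructed assumptions for demonstration.

```python
# Constructed sample: a minimal PDF followed by an MHT (MIME) body with Word
# markers, mimicking the layout the advisory describes. Not a real sample.
SAMPLE_POLYGLOT = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: multipart/related; boundary=\"----=_NextPart\"\n"
    b"------=_NextPart\nContent-Type: text/html\n\n"
    b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\">"
    b"<head><meta name=ProgId content=Word.Document></head>"
    b"<body>x</body></html>\n"
)
# Constructed clean PDF with nothing after its trailer.
SAMPLE_CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

# Strings typical of an MHT file saved by Word (assumed marker set).
MHT_MARKERS = [
    b"MIME-Version:",
    b"Content-Type: multipart/related",
    b"urn:schemas-microsoft-com:office:word",
    b"ProgId content=Word.Document",
    b"<html",
]


def scan_pdf_for_mht(data: bytes) -> dict:
    """Report whether a PDF-looking file also carries MHT/Word content.

    'suspicious' is set when two or more MHT markers are present, or when
    any marker sits after the last %%EOF (i.e. appended to the PDF body).
    """
    findings = {
        "is_pdf": data.startswith(b"%PDF-"),
        "markers": [],
        "after_last_eof": False,
        "trailing_bytes": 0,
        "suspicious": False,
    }
    if not findings["is_pdf"]:
        return findings
    last_eof = data.rfind(b"%%EOF")
    if last_eof != -1:
        findings["trailing_bytes"] = len(data) - (last_eof + len(b"%%EOF"))
    for marker in MHT_MARKERS:
        pos = data.find(marker)
        if pos != -1:
            findings["markers"].append(marker.decode())
            if last_eof != -1 and pos > last_eof:
                findings["after_last_eof"] = True
    findings["suspicious"] = len(findings["markers"]) >= 2 or findings["after_last_eof"]
    return findings
```

A file that scores as suspicious here is a candidate for a second pass with a Word-oriented tool such as OLEVBA rather than a PDF-only parser.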
JPCERT/CC concluded its advisory by saying that the emergence of the MalDoc in PDF technique presents a significant challenge to cybersecurity.
“The technique described in this article does not bypass the setting that disables auto-execution in Word macro,” reads the technical write-up.
“However, since the files are recognized as PDFs, you should be careful about the detection results if you are performing automated malware analysis using some tools, sandbox, etc.”