Cyber Security News

Attackers Hide Malicious Word Files Inside PDFs to Evade Detection

A newly identified cybersecurity threat involves attackers embedding malicious Word files within PDFs to deceive detection systems.

This technique, confirmed by JPCERT/CC, exploits the fact that files created using MalDoc in PDF can be opened in Microsoft Word, even though they possess the magic numbers and structure of PDF files.

If these files contain macros and are opened in Word, they execute malicious scripts, often in the form of Visual Basic Scripting (VBS), leading to harmful activities on the victim’s system, as per a report by JPCERT.

Background on MalDoc in PDF

Files created using this method are built by appending an mht file—complete with macros—after a PDF file object.

Although recognized as PDFs due to their file signature, these files can still be opened in Word when configured appropriately. This dual functionality is highlighted, which shows a dump view of such a file.

The attackers’ strategy relies on Windows file settings; if a file with a .doc extension is configured to open in Word, the PDF-structured file with embedded Word content can be treated as a Word document.

This misdirection can lead to severe security breaches, especially if macros are enabled.

Dump view of MalDoc in PDF

Challenges in Detection

PDF analysis tools, like pdfid, often fail to detect the malicious components within these hybrid files.

pdfid’s analysis results

Since the file appears as a legitimate PDF, sandbox and antivirus software may overlook it, thinking it harmless.

However, tools designed for analyzing malicious Word files, such as OLEVBA, remain effective in identifying embedded macros and thus uncovering the malicious parts of the file.

OLEVBA’s analysis results

To combat this technique, users can employ detection methods using Yara rules. For instance, a rule can be created to identify when Excel files are embedded within PDFs.

This approach triggers a warning when opening such a file in Excel, if it is detected, which makes it less likely for Excel files to be used in this manner.

Here’s an example of a detection rule for identifying Word or Excel files embedded in PDFs:

rule malware_MaldocinPDF {

    strings:

        $docfile2 = "<w:WordDocument>" ascii nocase

        $xlsfile2 = "<x:ExcelWorkbook>" ascii nocase

        $mhtfile0 = "mime" ascii nocase

        $mhtfile1 = "content-location:" ascii nocase

        $mhtfile2 = "content-type:" ascii nocase

    condition:

        (uint32(0) == 0x46445025) and

        (1 of ($mhtfile*)) and

        ( (1 of ($docfile*)) or

          (1 of ($xlsfile*)) )

}

While this method doesn’t bypass Word’s macro auto-execution controls, users should remain vigilant when analyzing potentially malicious files with automation tools.

Attackers are using complex file manipulation to evade detection by embedding malicious content within seemingly innocuous PDFs. Understanding and countering these tactics is crucial for maintaining robust cybersecurity defenses.

This evolving threat landscape requires continuous awareness and adaptability to ensure effective protection against sophisticated malware tactics.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware has…

9 hours ago

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as a…

9 hours ago

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black Banshee,”…

9 hours ago

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear phishing…

9 hours ago

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core Update…

13 hours ago

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded by…

13 hours ago