To avoid detection, hackers employed a new method dubbed “MalDoc in PDF” to insert a malicious Word file into a PDF file.
Despite having magic numbers and a PDF-specific file format, a file created with MalDoc in PDF may be opened in Word.
If the file includes a configured macro, running it in Word causes VBS to launch and carry out malicious operations.
The attacks that JPCERT/CC reported used the “.doc” file extension. If Windows has the “.doc” extension associated with Word, the MalDoc in the PDF-created file will open as a Word document.
“The attacker adds an mht file created in Word with a macro attached after the PDF file object and saves it. The created file is recognized as a PDF file in the file signature, but it can also be opened in Word”, JPCERT/CC said in its blog.
Likely, PDF analysis tools like pdfid won’t be able to detect the malicious components in a file prepared using MalDoc.
It should also be noted that this file exhibits unintended behaviors when accessed in Word; however, malicious behaviors cannot be verified when it is opened in PDF readers, etc. Since the file is recognized as a PDF file, current antivirus or sandbox tools may not detect it.
“This technique does not bypass the setting that disables auto-execution in Word macros,” the JPCERT/CC team noted.
Nevertheless, if you are doing automated malware analysis using specific tools, sandboxes, etc. You should be cautious about the detection findings, as the files are recognized as PDFs.
Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.
Hackers prefer phishing as it exploits human vulnerabilities rather than technical flaws which make it a highly effective and low-cost…
A very important message from the Norwegian National Cyber Security Centre (NCSC) says that Secure Socket Layer/Transport Layer Security (SSL/TLS)…
Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target…
ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine, to target infected systems, which extracts…
Santander has confirmed that there was a major data breach that affected its workers and customers in Spain, Uruguay, and…
The U.S. government has offered a prize of up to $5 million for information that leads to the arrest and…