Japan’s computer emergency response team (JPCERT) recently identified a new attack method named ‘MalDoc in PDF’, which manages to elude detection by incorporating a malicious Word file within a PDF file.


According to researchers, a MalDoc in PDF file possesses the magic numbers and file structure of a PDF, yet it can be opened using Microsoft Word. In cases where the file contains a harmful macro, executing the file can trigger the malicious code. In an incident observed by JPCERT/CC, threat actors employed a .doc file extension.

Thus, if a .doc file is configured to open with Word in Windows settings, the file produced by MalDoc in PDF will be treated as a Word file.

The report published by JPCERT states, “The attacker adds an mht file created in Word and with a macro attached after the PDF file object and saves it. The created file is recognised as a PDF file in the file signature, but it can also be opened in Word.”

To detect files manipulated for this attack, JPCERT experts suggest employing the OLEVBA analysis tool, designed for identifying malicious Word files.


However, prevalent PDF analysis tools such as ‘pdfid’ might struggle to identify the malicious file.


The report emphasises that the method it describes does not bypass a configuration that disables auto-execution of Word macros. However, because such files are identified as PDFs, it urges caution about detection results, especially during automated malware analysis with tools or sandboxes.
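As an added example, not taken from the JPCERT report, the following Python triage heuristic flags a file that carries a PDF signature but MHT/Word markers after its final %%EOF, which is where a MalDoc in PDF sample carries the appended Word document. The sample bytes are constructed for the demonstration and are not a real malicious file.

```python
# Constructed sample: a minimal PDF body followed by an appended MHT fragment
# of the kind the JPCERT report describes. Not a real sample.
SAMPLE_MALDOC_IN_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n"
    b"<< /Root 1 0 R >>\n%%EOF\n"
    b"MIME-Version: 1.0\nContent-Type: multipart/related; boundary=\"----=_x\"\n"
    b"------=_x\nContent-Location: file:///C:/doc.mht\nContent-Type: text/html\n"
    b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\"><body>x</body></html>\n"
    b"------=_x\nContent-Type: application/x-mso\n<!--ActiveMime-->\n"
)
# Constructed benign PDF for comparison.
SAMPLE_CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\n%%EOF\n"

# Strings that appear in a Word-generated MHT (Single File Web Page) and in
# the base64-wrapped OLE container Word attaches to it.
MHT_MARKERS = [
    b"MIME-Version:",
    b"multipart/related",
    b"schemas-microsoft-com:office",
    b"ActiveMime",
]


def trailing_data_after_eof(data: bytes) -> bytes:
    """Return the bytes after the last %%EOF marker.

    PDF readers stop at the trailer, so anything appended here is invisible
    to them; rfind() handles incrementally updated PDFs with several %%EOF.
    If no %%EOF exists at all, the whole file is returned for inspection.
    """
    idx = data.rfind(b"%%EOF")
    if idx == -1:
        return data
    return data[idx + len(b"%%EOF"):]


def inspect(data: bytes) -> dict:
    """Heuristic triage: PDF signature plus MHT/Word markers in the trailing data.

    Two or more markers are required so that a stray whitespace or junk byte
    after %%EOF, which is common in benign PDFs, does not raise an alert.
    """
    is_pdf = data.startswith(b"%PDF-")
    tail = trailing_data_after_eof(data)
    hits = [m.decode() for m in MHT_MARKERS if m in tail]
    return {
        "is_pdf": is_pdf,
        "trailing_bytes": len(tail),
        "mht_markers": hits,
        "suspicious": is_pdf and len(hits) >= 2,
    }
```

A file flagged by `inspect()` should then be handed to olevba, as the report suggests, to extract and review the macro itself.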


Indicators of Compromise
