Japan’s computer emergency response team (JPCERT) recently identified a new attack method named ‘MalDoc in PDF’, which manages to elude detection by incorporating a malicious Word file within a PDF file.
According to researchers, a MalDoc in PDF file possesses the magic numbers and file structure of a PDF, yet it can be opened using Microsoft Word. In cases where the file contains a harmful macro, executing the file can trigger the malicious code. In an incident observed by JPCERT/CC, threat actors employed a .doc file extension.
Thus, if a .doc file is configured to open with Word in Windows settings, the file produced by MalDoc in PDF will be treated as a Word file.
The report published by JPCERT states, “The attacker adds an mht file created in Word and with a macro attached after the PDF file object and saves it. The created file is recognised as a PDF file in the file signature, but it can also be opened in Word.”
To detect files manipulated for this attack, JPCERT experts suggest employing the OLEVBA analysis tool, designed for identifying malicious Word files.
However, prevalent PDF analysis tools such as ‘pdfid’ might struggle to identify the malicious file.
The report emphasises that the method described within doesn’t bypass the configuration that disables auto-execution of Word macros. Despite this, due to the files being identified as PDFs, caution is urged regarding detection outcomes, especially during automated malware analysis using tools or sandboxes.
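The detection gap described above comes from tools trusting the PDF file signature and stopping there. The script below is an added example written for this page; it is not JPCERT/CC's code or any published YARA rule. It checks whether a file that starts with the PDF magic bytes also carries data after the last `%%EOF` trailer and whether that data contains the MHTML and Word markers that a macro-enabled `.mht` saved by Word would include. The marker strings and the two sample files are assumptions constructed for the example, not indicators taken from the incident.

```python
"""Flag PDF files that also carry an MHTML/Word document after the PDF trailer."""

PDF_MAGIC = b"%PDF-"

# Strings that an MHTML document saved by Word normally contains. These are the
# author's chosen heuristics for this example, not an official signature set.
MHT_MARKERS = [
    b"MIME-Version:",        # MIME header that every MHTML file starts with
    b"multipart/related",    # MHTML container content type
    b"<w:WordDocument",      # Word 2003 XML namespace element inside the HTML part
]

# Word stores an embedded VBA project inside an MHT as an application/x-mso part.
MSO_MARKER = b"application/x-mso"


def analyse(data: bytes) -> dict:
    """Return a dictionary describing PDF/Word polyglot indicators in `data`."""
    result = {"pdf_header": data.startswith(PDF_MAGIC)}

    # A well-formed PDF ends at its last %%EOF; anything substantial after it
    # is trailing data that a PDF parser will happily ignore.
    eof = data.rfind(b"%%EOF")
    trailing = data[eof + len(b"%%EOF"):] if eof != -1 else b""
    result["bytes_after_eof"] = len(trailing.strip())

    # Search the whole file: the MHT part is what Word actually opens.
    result["mht_markers"] = [m.decode() for m in MHT_MARKERS if m in data]
    result["mso_part"] = MSO_MARKER in data

    # PDF signature plus at least two MHTML/Word markers is enough to escalate
    # the file to a Word-document analysis (e.g. olevba) instead of a PDF-only one.
    result["suspicious"] = result["pdf_header"] and len(result["mht_markers"]) >= 2
    return result


def build_sample(with_mht: bool) -> bytes:
    """Construct a minimal PDF; optionally append a constructed MHT section.

    Both byte strings are synthetic test data for this example, not real samples.
    """
    pdf = (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n"
        b"%%EOF\n"
    )
    if not with_mht:
        return pdf
    mht = (
        b"MIME-Version: 1.0\n"
        b"Content-Type: multipart/related; boundary=\"----=_SAMPLE\"\n\n"
        b"------=_SAMPLE\n"
        b"Content-Type: text/html\n\n"
        b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\">"
        b"<w:WordDocument></w:WordDocument></html>\n"
        b"------=_SAMPLE\n"
        b"Content-Type: application/x-mso\n"
        b"Content-Location: editdata.mso\n\n"
        b"PLACEHOLDER-VBA-PROJECT-BYTES\n"
        b"------=_SAMPLE--\n"
    )
    return pdf + mht


if __name__ == "__main__":
    for label, sample in (("clean pdf", build_sample(False)),
                          ("pdf+mht polyglot", build_sample(True))):
        print(label, analyse(sample))
```

In a triage pipeline the `suspicious` flag would route the file to Word-document tooling such as olevba rather than stopping at a PDF-only parser, which is the gap the report describes. The check is deliberately generous with `bytes_after_eof`: legitimate PDFs may carry a few trailing bytes (incremental updates, line endings), so the decision rests on the MHT markers rather than on trailing data alone.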
Indicators of Compromise