KEY FINDINGS
- Hackers are using polyglot files to embed malicious Word documents within PDFs.
- These files can appear in one format but can be interpreted as another, depending on the application.
- The MalDoc in PDF attack can evade conventional detection mechanisms, such as PDF analysis tools, sandboxes, and antivirus software.
- However, it can be detected by certain analysis tools, such as ‘OLEVBA.’
- To protect yourself from this attack, disable macros in Microsoft Office and use a multi-layered security approach.
Security experts at Japan’s computer emergency response team (JPCERT) have uncovered a novel cyberattack technique dubbed ‘MalDoc in PDF.’ This innovative method involves embedding malicious Word files within PDF documents, allowing hackers to spread malware while evading conventional detection mechanisms.
The technique relies on the concept of polyglot files, which appear as one format but can be interpreted as another, depending on the application. Japan’s computer emergency response team (JPCERT) investigation into the ‘MalDoc in PDF’ attack capitalizes on polyglots – files containing two distinct formats that can be executed as different types, depending on the opening application. In this case, hackers utilize both PDF and Word document formats, allowing the malicious file to function in either format.
By leveraging polyglot files, cybercriminals create documents that appear harmless in one format but contain malicious code in another. In the ‘MalDoc in PDF’ attack, a PDF document conceals a Word file housing a VBS macro. When opened in Microsoft Office as a .doc file, the macro downloads and installs an MSI malware file on vulnerable systems.
However, it’s important to note that this attack relies on macros being enabled on the victim’s computer; disabling macros remains an effective security measure.
For your information, A polyglot file is a type of computer file that is designed to be valid and functional in multiple formats or applications simultaneously. Essentially, it’s a single file that can be interpreted differently depending on the software that opens it.
This characteristic is often exploited by attackers to create files that appear harmless in one context but contain malicious code in another, thus bypassing security measures that may not be capable of detecting the hidden malicious content.
The ingenuity of the ‘MalDoc in PDF’ can lead to confusion for PDF analysis tools, sandboxes, and antivirus software, which might fail to detect the embedded malicious components. However, certain analysis tools, like ‘OLEVBA,’ can still identify the concealed threats, suggesting that a multi-layered security approach remains effective.
JPCERT shares a Yara rule to aid in identifying files that deploy this method. This rule checks for patterns indicative of both PDF and Word document formats within the same file, offering a way to spot potential threats.