In an attempt to evade detection, hackers have adopted a novel technique known as “MalDoc in PDF,” wherein they embed a malicious Word file within a PDF file.
Although it carries a PDF file structure and magic number, a file crafted with MalDoc in PDF can be opened in Word. If such a file contains a macro, opening it in Word launches VBS, enabling malicious activity.
Reports from JPCERT/CC indicate that the attacks utilizing this method employ the “.doc” file extension. If Windows associates the “.doc” extension with Word, the MalDoc in PDF-generated file will open as a Word document.
According to JPCERT/CC’s blog, attackers append an MHT file, created in Word and containing a macro, after the PDF file object, resulting in a file that is recognized as a PDF but can also be opened in Word.
Analysis of the attack: Traditional PDF analysis tools such as pdfid may fail to detect the malicious elements in a file generated with MalDoc in PDF. Moreover, while the unintended behavior appears when the file is opened in Word, the malicious activity is hard to detect when it is opened in a PDF reader. Because the file is identified as a PDF, current antivirus or sandbox tools may not flag it.
However, the JPCERT/CC team warns that this technique does not circumvent the setting that disables auto-execution in Word macros.
Therefore, when conducting automated malware analysis with specific tools or sandboxes, it is crucial to treat the detection results with caution, since these files are recognized as PDFs.
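Because the MalDoc in PDF layout is simply MHT content appended behind a valid PDF, a structural triage check can complement PDF-only tools such as pdfid. The script below is an added example, not code from JPCERT/CC or from the article; the MHT header markers it looks for and the sample inputs are my own assumptions and constructions.

```python
PDF_MAGIC = b"%PDF-"
# Header strings I assume a Word-generated MHT file carries (assumption, not published IoCs).
MHT_MARKERS = (b"MIME-Version:", b"multipart/related", b"Content-Location:")


def scan_maldoc_in_pdf(data: bytes) -> dict:
    """Triage one file: does it claim to be a PDF, and does MHT content ride along?"""
    is_pdf = data.startswith(PDF_MAGIC)
    # The appended MHT sits after the PDF body, i.e. after the last %%EOF marker.
    eof = data.rfind(b"%%EOF")
    trailing = data[eof + len(b"%%EOF"):] if eof >= 0 else b""
    # A genuine PDF has no reason to contain MIME envelope headers anywhere.
    hits = sorted({m.decode() for m in MHT_MARKERS if m in data})
    return {
        "is_pdf": is_pdf,
        "bytes_after_last_eof": len(trailing),
        "mht_markers": hits,
        "suspicious": is_pdf and bool(hits),
    }


# Constructed samples (no real malware): a minimal PDF, and the same PDF with an
# MHT-style envelope appended after %%EOF, mimicking the file layout described above.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
              b"trailer<</Root 1 0 R>>\n%%EOF\n")
APPENDED_MHT = (b"MIME-Version: 1.0\nContent-Type: multipart/related; boundary=\"b\"\n"
                b"--b\nContent-Location: file:///C:/doc.htm\nContent-Type: text/html\n"
                b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\"></html>\n--b--\n")
POLYGLOT = BENIGN_PDF + APPENDED_MHT

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PDF), ("polyglot", POLYGLOT)):
        print(name, scan_maldoc_in_pdf(blob))
```

A hit only says the file deserves a second look in an Office-aware tool; it does not confirm that a macro is present.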