Embedding Malicious Word Files in PDFs
The technique, termed “MalDoc in PDF”, involves the creation of a file that, while having the structure and magic numbers of a PDF, can be opened in Microsoft Word. If the file contains a malicious macro, it can execute harmful code when opened. In the specific attack observed by JPCERT/CC, the file had a .doc extension. As a result, if a user's Windows settings are configured to open .doc files in Word, the MalDoc in PDF file will open as a Word document.
JPCERT/CC's Yuma Masubuchi stated that attackers might add an mht file created in Word and with a macro attached after the PDF file object and save it. The created file is then recognized as a PDF file by its file signature, but it can also be opened in Word.
Analysis and Detection Challenges
Traditional PDF analysis tools, such as 'pdfid', may struggle to detect these malicious files. However, the OLEVBA analysis tool, designed for malicious Word files, remains effective against this new technique. JPCERT/CC emphasized that while the file might appear as a PDF, automated malware analysis tools and sandboxes might not detect it due to its dual nature.
Masubuchi further elaborated, “This file performs unintentional behaviors when opened in Word, while malicious behaviors cannot be confirmed when it is opened in PDF viewers. Furthermore, since the file is recognized as a PDF file, existing sandbox or antivirus software may not detect it.”
Countermeasures and Recommendations
While the MalDoc in PDF technique does not bypass the Word setting that prevents macros from auto-executing, JPCERT/CC advises caution, especially when conducting automated malware analysis. The organization also provided a YARA rule to help researchers and defenders identify files utilizing this technique.
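The structure described above (a PDF header followed by an appended MHT body that Word can open) is what a defender needs to key on, since a scanner that stops at the PDF magic number sees only a PDF. The following is an added example, not JPCERT/CC's YARA rule or any code from the report: a Python heuristic that flags a file as a MalDoc in PDF candidate when it starts with the PDF magic number and also carries MHT container markers plus Word or Excel markers, and that separately reports a .doc extension on a %PDF file. The marker strings, thresholds and sample bytes are assumptions chosen for illustration; the samples are constructed here and contain no macro.

```python
import sys

# Magic number every PDF starts with; PDF viewers and many scanners key on it.
PDF_MAGIC = b"%PDF-"

# Markers of an MHT (MIME HTML) container, the format Word produces when a
# document is saved as "Single File Web Page". A genuine PDF has no reason to
# contain them. (Assumed marker set, chosen for this example.)
MHT_MARKERS = (
    b"MIME-Version:",
    b"Content-Type: multipart/related",
    b"Content-Location:",
)

# Markers that identify the MHT payload as an Office document. (Assumed set.)
OFFICE_MARKERS = (b"<w:WordDocument>", b"<x:ExcelWorkbook>")

# Extensions that would make Windows hand the file to Word despite the PDF
# signature; the observed attack used .doc.
WORD_EXTENSIONS = (".doc",)


def scan_maldoc_in_pdf(data: bytes, filename: str = "") -> dict:
    """Return indicators for the MalDoc in PDF pattern.

    'suspicious' is True when the bytes begin with the PDF magic number AND the
    body carries at least one MHT marker and at least one Office marker.
    'ext_mismatch' is True when a %PDF file carries a Word extension.
    Matching is case-insensitive so that re-cased headers are still caught.
    """
    has_pdf_magic = data.startswith(PDF_MAGIC)
    body_lower = data.lower()
    mht_hits = [m.decode() for m in MHT_MARKERS if m.lower() in body_lower]
    office_hits = [m.decode() for m in OFFICE_MARKERS if m.lower() in body_lower]
    ext_mismatch = has_pdf_magic and filename.lower().endswith(WORD_EXTENSIONS)
    return {
        "pdf_magic": has_pdf_magic,
        "mht_markers": mht_hits,
        "office_markers": office_hits,
        "ext_mismatch": ext_mismatch,
        "suspicious": has_pdf_magic and bool(mht_hits) and bool(office_hits),
    }


# Constructed samples (not real malware): a minimal PDF fragment, and the same
# fragment with an MHT/Word body appended after the last PDF object, which is
# the layout the report describes. No macro is present in either sample.
BENIGN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
POLYGLOT_SAMPLE = BENIGN_PDF + (
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_demo"\n'
    b"------=_NextPart_demo\n"
    b"Content-Location: file:///C:/demo.htm\n"
    b'<html xmlns:w="urn:schemas-microsoft-com:office:word">'
    b"<xml><w:WordDocument></w:WordDocument></xml></html>\n"
)


def scan_path(path: str) -> dict:
    """Read a file from disk and scan it, passing the name for the extension check."""
    with open(path, "rb") as fh:
        return scan_maldoc_in_pdf(fh.read(), path)


if __name__ == "__main__":
    # With no arguments, scan the constructed samples; otherwise scan the given files.
    if len(sys.argv) == 1:
        for name, blob in (("benign.pdf", BENIGN_PDF), ("invoice.doc", POLYGLOT_SAMPLE)):
            print(name, scan_maldoc_in_pdf(blob, name))
    else:
        for path in sys.argv[1:]:
            print(path, scan_path(path))
```

A hit from this check is a reason to route the file to an Office-aware analyzer such as OLEVBA rather than a verdict on its own, and it should be applied before any triage step that dispatches by file signature, since that is exactly the step the technique is built to slip past.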
JPCERT/CC concluded by stating, “The technique described in this article does not bypass the setting that disables auto-execution in Word macro. However, since the files are recognized as PDFs, you should be careful about the detection results if you are performing automated malware analysis using some tools, sandbox, etc.”