Japan’s JPCERT warns of new ‘MalDoc in PDF’ attack technique

Japan’s JPCERT warns of a new recently detected ‘MalDoc in PDF’ attack that embeds malicious Word files into PDFs.

Japan’s computer emergency response team (JPCERT) has recently observed a new attack technique, called ‘MalDoc in PDF’, that bypasses detection by embedding a malicious Word file into a PDF file.

The researchers explained that a file created with MalDoc in PDF has magic numbers and file structure of PDF, but can be opened in Word. If the file includes a malicious macro, the malicious code can be executed by opening the file. In the attack observed by JPCERT/CC, threat actors used a file extension .doc.

“Therefore, if a .doc file is configured to open in Word in Windows settings, the file created by MalDoc in PDF is opened as a Word file.” reads the report published by JPCERT. “The attacker adds an mht file created in Word and with macro attached after the PDF file object and saves it. The created file is recognized as a PDF file in the file signature, but it can also be opened in Word.”

Below is a watch video that shows this attack technique:

The JPCERT experts say that the OLEVBA analysis tool for malicious Word files can be used to detect malicious files crafted to carry out this attack technique However, popular PDF analysis tools like ‘pdfid’ may be not able to detect the malicious file.

“The technique described in this article does not bypass the setting that disables auto-execution in Word macro. However, since the files are recognized as PDFs, you should be careful about the detection results if you are performing automated malware analysis using some tools, sandbox, etc. Please refer to the Appendix for the C2 information and hash values of the confirmed malware.” concludes the report that also includes a Yara rule to detect files employed in the ‘MalDoc in PDF’ attacks.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, MalDoc in PDF)