Beware of MalDoc in PDF: A New Polyglot Attack Allowing Attackers to Evade Antivirus

MalDoc in PDF

Cybersecurity researchers have called attention to a new antivirus evasion technique that involves embedding a malicious Microsoft Word file into a PDF file.

The sneaky method, dubbed MalDoc in PDF by JPCERT/CC, is said to have been employed in an in-the-wild attack in July 2023.

“A file created with MalDoc in PDF can be opened in Word even though it has magic numbers and file structure of PDF,” researchers Yuma Masubuchi and Kota Kino said. “If the file has a configured macro, by opening it in Word, VBS runs and performs malicious behaviors.”

Such specially crafted files are called polyglots as they are a legitimate form of multiple different file types, in this case, both PDF and Word (DOC).

This entails adding an MHT file created in Word and with a macro attached after the PDF file object. The end result is a valid PDF file that can also be opened in the Word application.

Put differently; the PDF document embeds within itself a Word document with a VBS macro that’s designed to download and install an MSI malware file if opened as a .DOC file in Microsoft Office. It’s not immediately clear what malware was distributed in this fashion.

“When a document is downloaded from the internet or email, it’ll carry a MotW,” security researcher Will Dormann said. “As such, the user will have to click ‘Enable Editing’ to exit Protected View. At which point they’ll be learn [sic] that macros are disabled.”

While real-world attacks leveraging MalDoc in PDF were observed a little over a month ago, there’s evidence to suggest that it was being experimented (“DummymhtmldocmacroDoc.doc“) as early as May, Dormann highlighted.

The development comes amid a spike in phishing campaigns using QR codes to propagate malicious URLs, a technique called qishing.

“The samples we have observed using this technique are primarily disguised as multi-factor authentication (MFA) notifications, which lure their victims into scanning the QR code with their mobile phones to gain access,” Trustwave said last week.

MalDoc in PDF

“However, instead of going to the target’s desired location, the QR code leads them to the threat actor’s phishing page.”

One such campaign targeting the Microsoft credentials of users has witnessed an increase of more than 2,400% since May 2023, Cofense noted in August, pointing out how “scanning a QR code on a mobile device puts the user outside the protections of the enterprise environment.”

Social engineering attacks, as evidenced in attacks associated with LAPSUS$ and Muddled Libra, are getting more elaborate and sophisticated as threat actors leverage vishing and phishing tactics to gain unauthorized access to target systems.

In one instance highlighted by Sophos, a threat combined phone and email lures to launch a complex attack chain against an employee of a Switzerland-based organization.

“The caller, whose voice sounded like a middle-aged man, told the employee that he was a delivery driver with an urgent package destined for one of the company locations, but that nobody was there to receive the package, and he asked for a new delivery address at the employee’s office location,” Sophos researcher Andrew Brandt said.

“In order to redeliver the package, he continued, the employee would have to read aloud a code the shipping company would email.”

The email from the purported shipping company convinced the victim to open what seemed like a PDF attachment containing the code, but in reality, it turned out to be a static image embedded in the message body designed to be “just like an Outlook message with an email attachment.”

The fake-image spam attack ultimately took the recipient to a bogus website via a redirect chain that, in turn, dropped a deceptive executable masquerading as a package service (“Universe Parcel Service.”), which, when launched, acted as a conduit to deliver additional PowerShell scripts to steal data and beacon to a remote TOR hidden service.

The developments also arrive as security concerns have been raised around name collisions in the Domain Name System (DNS) that could be exploited to leak sensitive data.

“Name collisions aren’t the only situations that can cause a [top-level domain] to act strangely,” Cisco Talos said in a recent write-up. “Some do not respond properly when presented with names that have expired or never existed.”

“In these TLDs, unregistered and expired domain names still resolve to IP addresses. Some of these TLDs even publish MX records and collect emails for the names in question.”



Original Source



A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

 To keep up to date follow us on the below channels.