JPCERT has warned of a new attack technique that bypasses detection by embedding malicious Word files in PDFs. Called ‘MalDoc in PDF’, the tactic makes use of polyglots to confuse analysis tools and evade detection. The polyglots contain two file formats, however, interpreted and executed as more than one file type, depending on the application reading/opening them.
More in detail
- In this particular campaign observed, the malicious documents used a combination of PDF and Word documents that can be opened in either format.
- The PDF contained a Word document embedded with a VBS macro that downloaded and installed malware if opened as a .doc file.
- However, the kind of malware installed was not disclosed by the agency.
Advantages and limitations
- The technique of embedding one file type within another is not new, however, using polyglot files to evade detection is a novel approach, according to JPCERT.
- The advantage for attackers is that traditional PDF analysis tools only examine the outer layer, allowing the malicious content to go undetected.
- Still, other analysis tools like'OLEVBA' can still detect the hidden content, so multiple layers of defense are effective against this threat.
With that said, know that the MalDoc in PDF attack does not bypass security settings that disable auto-execution of macros in Microsoft Office.
Conclusion
The agency has shared a YARA rule to help defenders and researchers identify files used in the latest attack technique. Moreover, since the files are recognized as PDFs, organizations should be careful about the detection results obtained from automated malware analysis.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/8e01_shutterstock_1501789487.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/64a4_shutterstock_1089808376.jpg)
