MalDoc: Malicious Word files in PDF documents bypass malware detection

Sicherheit (Pexels, allgemeine Nutzung)[German]Another small addendum from this week: The Japanese CERT warns of a new technique used by cyber attackers who take malicious Word files and embed them in PDF documents. This "packaging" is intended to bypass the detection of the malicious Office documents by security software. JPCERT/CC first observed such attack techniques, known as MalDoc, via infected PDF files in July 2023.


Advertising

I already stumbled across the following message from the JPCERT/CC on Twitter a few days ago. The security agency documented the whole thing in the blog post MalDoc in PDF – Detection bypass by embedding a malicious Word file into a PDF file.

MalDoc; Detection bypass

It says that JPCERT/CC confirmed that an attack in July 2023 used this new technique, called MalDoc, to bypass the detection of malicious files by security software. This involved embedding a malicious Word file in a PDF and then sending it to victims.

A file created with MalDoc in PDF can be opened in Microsoft Word, even though it has the magic bytes and file structure of PDF documents. If the Word document file masked in this way contains a macro, the VBA code is executed when the document is opened in Word. Then malicious actions can be performed via VBA.

Interestingly, the document file used in the attack confirmed by JPCERT/CC had the .doc file extension, although it had the Magic Bytes as well as the structure of a PDF file. Once the .doc file type is configured in the Windows settings to open in Word (which is the default), the file created by MalDoc in PDF will open as a Word file.


Advertising

In the JPCERT/CC post there is a video showing the attack. In addition, the blog post reveals some more details and the security agency gives some hints on what to try to detect such malicious files. A safe analysis of suspicious document files would be the tool OLEVBA, In addition, the experts of the security agency have published a YARA rule for detecting such malware.


Advertising

This entry was posted in Office, Security, Software and tagged , , . Bookmark the permalink.

One Response to MalDoc: Malicious Word files in PDF documents bypass malware detection

  1. Victor says:

    Hello I don't know if you got the answer to this, but I was searching the internet for the same answer and I came about your blog I seem to have found the solution.
    https://learn.microsoft.com/en-us/archive/msdn-technet-forums/462ec0d0-0da8-46ca-95f5-dc5fcec78c36

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).