Indiscriminate, opportunistic targeting.
Japan’s computer emergency response team (JPCERT) has released details of a new attack technique, known as ‘MalDoc in PDF’, that threat actors can use to evade endpoint detection and response (EDR) and other file-scanning tools. The technique involves embedding a malicious Word document inside a file that carries a PDF signature and PDF structure.
JPCERT analysed a polyglot that the majority of scanning tools identified as a PDF. However, the analysis demonstrated that Microsoft Office applications could also open the same file as a Word (.doc) document, so the PDF classification was misleading. In the ‘MalDoc in PDF’ sample, the embedded Word content carried a VBA macro that, when the file was opened as a .doc in Microsoft Word, downloaded and installed an MSI malware file.
Delivery of polyglot files such as ‘MalDoc in PDF’ is highly likely to allow threat actors to evade detection within target environments: tooling that classifies a file from its PDF signature (PDF analysers and sandboxes) sees a benign-looking PDF, while the malicious Office content is only reached when the file is opened as a Word document.
Evading detection allows threat actors to maintain a foothold within the target environment, which almost certainly enables follow-on activity such as further malware deployment, lateral movement and ultimately data compromise.
JPCERT has released a Yara rule to identify files built with the ‘MalDoc in PDF’ technique. The rule matches when a file starts with the PDF signature (%PDF) and also contains strings characteristic of a Word document, an Excel workbook or an MHT (MIME HTML) file, which is precisely the combination that a PDF-only scanner would miss.
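The following is an added example, not JPCERT’s published rule or code, that reproduces the detection logic described above in Python and contrasts it with a signature-only classifier of the kind the polyglot is designed to fool. The marker strings (`<w:WordDocument>`, `<x:ExcelWorkbook>`, `MIME-Version:`) and the sample byte strings are this example’s own assumptions; the samples contain no macro and no real malware.

```python
"""Spot a 'MalDoc in PDF' polyglot: PDF signature up front, Office-openable
MHT/Word/Excel content behind it.

Added example (not JPCERT's published rule). The marker strings and the
sample bytes below are this example's own assumptions.
"""
import re
from pathlib import Path

PDF_MAGIC = b"%PDF"  # the file signature a magic-only scanner keys on

# Strings that Office-openable MHT content tends to carry. Assumption: these
# are representative markers, not necessarily those in the published rule.
OFFICE_MARKERS = {
    "word": re.compile(rb"<w:WordDocument>", re.IGNORECASE),
    "excel": re.compile(rb"<x:ExcelWorkbook>", re.IGNORECASE),
    "mht": re.compile(rb"MIME-Version:", re.IGNORECASE),
}


def naive_type(data: bytes) -> str:
    """What a signature-only classifier reports: it never looks past the header."""
    return "application/pdf" if data.startswith(PDF_MAGIC) else "unknown"


def classify(data: bytes) -> dict:
    """Flag a PDF-headed blob that also carries Word/Excel/MHT markers."""
    is_pdf = data.startswith(PDF_MAGIC)
    hits = [name for name, rx in OFFICE_MARKERS.items() if rx.search(data)]
    return {
        "pdf_header": is_pdf,
        "office_markers": hits,
        "suspect_polyglot": is_pdf and bool(hits),
    }


def scan_file(path: str) -> dict:
    """Run classify() over a file on disk."""
    return classify(Path(path).read_bytes())


# Constructed samples (no macro, no real malware): a plain PDF, a plain
# Word-flavoured MHT, and the two concatenated the way MalDoc in PDF does it.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
WORD_MHT = (
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/related; boundary="b"\n\n'
    b"--b\nContent-Type: text/html\n\n"
    b'<html xmlns:w="urn:schemas-microsoft-com:office:word">'
    b"<!--[if gte mso 9]><xml><w:WordDocument><w:View>Print</w:View>"
    b"</w:WordDocument></xml><![endif]--></html>\n--b--\n"
)
POLYGLOT = BENIGN_PDF + WORD_MHT


if __name__ == "__main__":
    samples = (("benign pdf", BENIGN_PDF), ("plain mht", WORD_MHT), ("polyglot", POLYGLOT))
    for label, blob in samples:
        print(f"{label:11} magic-only={naive_type(blob):16} {classify(blob)}")
```

Running the script shows the point of the technique: the magic-only check reports the polyglot as `application/pdf`, while `classify()` flags it because the Word and MHT markers sit behind the PDF header. Files that `scan_file()` flags are candidates for macro extraction with olevba.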
Containment, Mitigations & Remediations
‘MalDoc in PDF’ files do not bypass the Microsoft Office setting that disables automatic execution of macros: the embedded macro runs only if the user enables it (for example by clicking the Enable Content option) or unblocks the file. Keeping macro execution disabled by policy, and training users not to enable content or unblock unexpected files, is therefore recommended.
Furthermore, macro analysis tools such as olevba (part of the oletools suite) can extract and inspect the embedded macro despite the PDF header, so they remain an effective countermeasure for triaging ‘MalDoc in PDF’ samples.
Indicators of Compromise
MalDoc in PDF associated C2 infrastructure:
MalDoc in PDF associated file hashes (SHA-256):
The technique of embedding one file type within another has been used by threat actors consistently in recent years. However, ‘MalDoc in PDF’ represents a notable development, indicating that it is likely that at least some threat actors are refining their detection-evasion techniques to stay ahead of defensive tooling. As awareness of the technical details of ‘MalDoc in PDF’ spreads among threat actors, it is assessed as highly likely that this attack vector will be used with increasing frequency in future campaigns.
No attribution to specific threat actors or groups has been identified at the time of writing.
TA0005 – Defense Evasion