New ‘MalDoc in PDF’ attack vector detected

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Japan’s computer emergency response team (JPCERT) has released details of a new attack vector, known as ‘MalDoc in PDF’, that threat actors can use to evade endpoint detection and response (EDR) tooling. The technique involves embedding a malicious Word document file inside a PDF.

JPCERT analysed a polyglot file that the majority of scanning tools detected as a PDF. However, the analysis demonstrated that office applications could not open the file as a .doc Word document. In the analysed ‘MalDoc in PDF’ sample, the PDF contained a Word document carrying a VBS macro that downloads and installs an MSI malware file; the macro executes if the file is opened as a .doc file in the Microsoft Office application.

Impact

Delivery of polyglot files, such as ‘MalDoc in PDF’, will almost certainly allow threat actors to evade detection within target environments, as these files often appear benign in one format while hiding malicious code in the other.

Detection evasion allows threat actors to maintain persistence within a target environment, almost certainly leading to follow-on activity such as malware deployment, lateral movement and, ultimately, data compromise.

Incident Detection

JPCERT has released a Yara rule that identifies files associated with the ‘MalDoc in PDF’ technique. The rule checks whether a file starts with a PDF signature and also contains signatures consistent with Word documents, Excel workbooks, or an MHT file.
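The check described above, as an added Python example that mirrors the rule's logic rather than reproducing JPCERT's rule; the marker strings used for "consistent with Word, Excel or MHT" are my own assumptions, and the two sample blobs are constructed, not real malware:

```python
import sys

# Assumed content markers, chosen for this example (not the published rule's strings).
PDF_MAGIC = b"%pdf"                                     # compared against lower-cased data
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")           # legacy .doc/.xls container header
WORD_MARKERS = (b"word.document", b"schemas-microsoft-com:office:word", b"word/document.xml")
EXCEL_MARKERS = (b"excel.sheet", b"schemas-microsoft-com:office:excel", b"xl/workbook.xml")
MHT_MARKERS = (b"mime-version:", b"content-type:", b"content-location:")


def _has_any(data: bytes, markers) -> bool:
    return any(m in data for m in markers)


def classify(data: bytes) -> dict:
    """Report which format markers a blob carries and whether it matches the
    'PDF header on the outside, Office/MHT content on the inside' pattern."""
    low = data.lower()                                   # case-insensitive matching
    result = {
        "pdf_header": low.startswith(PDF_MAGIC),
        "ole": OLE_MAGIC in data,                        # binary magic, matched on raw bytes
        "word": _has_any(low, WORD_MARKERS),
        "excel": _has_any(low, EXCEL_MARKERS),
        "mht": _has_any(low, MHT_MARKERS),
    }
    # Suspicious only when the file claims to be a PDF AND carries Office/MHT traits.
    result["suspicious"] = result["pdf_header"] and any(
        result[k] for k in ("ole", "word", "excel", "mht"))
    return result


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return classify(fh.read())


# Constructed samples: a plain PDF, and a PDF that also carries MHT headers
# plus a Word progid, the shape the bulletin describes.
BENIGN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
POLYGLOT = (BENIGN_PDF
            + b"MIME-Version: 1.0\nContent-Type: multipart/related; boundary=X\n"
            + b'<?mso-application progid="Word.Document"?>\n')

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, scan_file(path))
```

A file that is only an MHT or only an Office document is not flagged, since the point of the rule is the mismatch between the PDF header and the embedded content.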

Affected Products

Windows OS

Containment, Mitigations & Remediations

‘MalDoc in PDF’ files do not bypass Microsoft Office security settings that disable the auto-execution of macros. As such, it is recommended that these settings remain in place: the embedded macro will not run unless the user enables it by clicking the corresponding option or unblocking the file.

Furthermore, analysis tools such as OLEVBA serve as a legitimate countermeasure against the MalDoc in PDF attack vector.

Indicators of Compromise

MalDoc in PDF associated C2 infrastructure:

  • https[:]//cloudmetricsapp[.]com
  • https[:]//web365metrics[.]com

MalDoc in PDF associated file hashes (SHA-256):

  • ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058
  • 098796e1b82c199ad226bff056b6310262b132f6d06930d3c254c57bdf548187
  • 5b677d297fb862c2d223973697479ee53a91d03073b14556f421b3d74f136b9d

Threat Landscape

The technique of embedding one file type within another has been used consistently by threat actors in recent history. However, ‘MalDoc in PDF’ represents a significant development, indicating that at least a portion of threat actors are likely enhancing their detection evasion attempts to remain relevant within the cyber threat landscape. As threat actors become more familiar with the technical aspects of techniques such as ‘MalDoc in PDF’, it is assessed to be highly likely that this attack vector will be deployed with increasing frequency in future campaigns.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactic:

TA0005 – Defense Evasion

Further Information

JPCERT Blog

TIDC-0002