Malware through documents

According to threat analysts, a recent malware distribution campaign uses PDF attachments to smuggle malicious Word documents that infect users with malware. The choice of PDF for distribution is quite unusual, as most malicious and phishing emails arrive with DOCX or XLS attachments laced with macro code that infects the machine with malware. But as users become more aware of social engineering attacks and suspicious attachments, threat actors switch to various other methods to deploy malicious macros and evade detection.

The campaign was noticed by HP Wolf Security. The PDF arriving via email is named “Remittance Invoice”, another common subject in phishing campaigns. When the document is opened, Adobe Reader prompts the user to open a DOCX file contained inside, which can confuse the victim. The threat actors have named the embedded document “has been verified”, so the Open File prompt states, “The file ‘has been verified.” This message could therefore trick victims into believing that the file is in fact legitimate.

Victims who receive such emails would not pause to think or go the extra mile to make sure the attachment is real, while malware analysts can inspect embedded files in PDFs using parsers and scripts. Victims may open the DOCX in Microsoft Word, and if macros are enabled, it will download an RTF (rich text format) file from a remote resource and open it. Hence, it is advised that such malicious-looking emails should not be opened at any cost, and should be deleted and disregarded right away.
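As an added example (not code from the original article or from HP Wolf Security), here is a small Python triage script of the kind the paragraph above refers to: it scans the raw bytes of a PDF attachment for embedded-file and auto-action markers and lists the embedded file names. The function names, the keyword list and the sample bytes (a constructed fragment, not a complete PDF) are assumptions made for illustration.

```python
import re

# PDF name tokens worth flagging when triaging an attachment (assumed list).
SUSPICIOUS = ("/EmbeddedFile", "/Filespec", "/OpenAction", "/AA",
              "/Launch", "/JavaScript", "/JS", "/ObjStm")

# A PDF name: "/" followed by anything except whitespace and delimiters.
NAME_RE = re.compile(rb"/[^\s()<>\[\]{}/%]+")
# File specification strings: /F (name) or /UF (name).
FILENAME_RE = re.compile(rb"/U?F\s*\(((?:\\.|[^\\)])*)\)")

def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes, so /Embedded#46ile is read as /EmbeddedFile."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage_pdf(data: bytes) -> dict:
    """Count suspicious names and collect embedded file names from raw bytes."""
    counts = {}
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(0))
        if name in SUSPICIOUS:
            counts[name] = counts.get(name, 0) + 1
    names = [m.group(1).decode("latin-1") for m in FILENAME_RE.finditer(data)]
    return {
        "keywords": counts,
        "embedded_names": names,
        "has_embedded_file": "/EmbeddedFile" in counts,
        "auto_action": any(k in counts for k in ("/OpenAction", "/AA")),
        # Objects packed in compressed object streams are invisible to a raw
        # scan, so their presence means a full parser is needed.
        "needs_deeper_parse": "/ObjStm" in counts,
    }

# Constructed sample: a PDF fragment carrying an embedded file whose
# /EmbeddedFile name is hex-escaped to dodge naive string matching.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >>"
    b" /OpenAction 5 0 R >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (has been verified.docx)"
    b" /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /Embedded#46ile /Length 4 >> stream\n"
    b"PK\x03\x04\nendstream endobj\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

A hit on `has_embedded_file` in an invoice-themed PDF from an unknown sender is enough reason to quarantine the message and examine the embedded document in an isolated analysis environment.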

 

 

Source: https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/