Japan’s Latest MalDoc in PDF Attack

In a digital world where security breaches continue to make headlines, staying ahead of cybercriminals’ tactics is of paramount importance. The ‘MalDoc in PDF’ attack technique discovered by Japan’s computer emergency response team (JPCERT) is a stark reminder of the relentless innovation displayed by malicious actors.

Understanding MalDoc in PDF Attacks

At its core, the MalDoc in PDF attack is a cunning approach where threat actors embed malicious Word files within PDF documents. What makes this attack particularly insidious is that the PDF documents appear legitimate and benign to most scanning engines and tools. However, when opened in office applications, these PDFs reveal their true nature as Word documents, potentially containing malicious code.

The term ‘polyglot’ in this context refers to files that encompass multiple file formats, allowing them to be interpreted and executed differently based on the application used to open them. In the case of the MalDoc in PDF attack, a single file acts as both a PDF and a Word document. This duality not only confuses analysis tools but also evades detection, as the file appears harmless on the surface.

The utilization of polyglot files serves a specific purpose: concealing the malicious payload. By presenting one format to scanners and another to users, cybercriminals exploit the disparity in how these formats are interpreted. As a result, traditional detection methods often fail to identify the hidden threat within the file.

JPCERT’s Discovery and Analysis

JPCERT’s detection of the MalDoc in PDF attack sheds light on a unique cyber threat. While detailed specifics about the type of malware installed through this attack remain undisclosed, JPCERT’s findings have highlighted the necessity for adaptive security measures.

The attack’s evasion technique hinges on the automatic execution of macros in Microsoft Office. The PDF document contains a Word file with a VBS macro, poised to download and install an MSI malware file when opened as a .doc file. It’s important to note that this technique is rendered ineffective if security settings disabling auto-execution of macros are enabled.

Defenses Against MalDoc in PDF Attacks

To counter the growing threat of MalDoc in PDF attacks, cybersecurity experts emphasize the importance of multi-layered defenses. While some traditional PDF analysis tools might only scrutinize the surface layer of a file, more sophisticated tools like ‘OLEVBA’ can penetrate the polyglot structure and identify concealed malicious content.

In response to this emerging threat, JPCERT has shared a YARA rule designed to aid researchers and defenders in identifying files that use the ‘MalDoc in PDF’ technique. The rule detects files that carry a PDF signature but also contain patterns indicative of Word documents, Excel workbooks, or MHT files, matching the evasion technique observed in the wild.
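The following Python check is an added example, not JPCERT’s published rule or the tooling the article mentions; it mirrors the detection logic described above (a PDF signature at offset 0 combined with MHT headers and a Word or Excel marker). The marker strings and the two sample buffers are assumptions constructed for this illustration.

```python
# Marker strings assumed for this example, modelled on the pattern the article
# describes: a PDF header plus content typical of MHT-wrapped Word/Excel files.
PDF_MAGIC = b"%PDF"
MHT_MARKERS = (b"mime-version:", b"content-location:", b"content-type:")
WORD_MARKERS = (b"<w:worddocument>", b"office:word")
EXCEL_MARKERS = (b"<x:excelworkbook>", b"office:excel")


def scan_maldoc_in_pdf(data: bytes) -> dict:
    """Flag a buffer that presents as a PDF but also carries MHT + Office content.

    Returns the individual findings so an analyst can see *why* a file was
    flagged, plus a combined 'suspicious' verdict matching the rule logic:
    PDF header AND at least one MHT header AND (Word marker OR Excel marker).
    """
    lower = data.lower()  # markers are matched case-insensitively
    hits = {
        "pdf_header": data.startswith(PDF_MAGIC),
        "mht": [m.decode() for m in MHT_MARKERS if m in lower],
        "word": [m.decode() for m in WORD_MARKERS if m in lower],
        "excel": [m.decode() for m in EXCEL_MARKERS if m in lower],
    }
    office_payload = bool(hits["word"] or hits["excel"])
    hits["suspicious"] = hits["pdf_header"] and bool(hits["mht"]) and office_payload
    return hits


# Constructed samples (no real malware): a minimal PDF, and the same PDF bytes
# followed by an MHT body that declares the Word XML namespace.
BENIGN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
POLYGLOT_SAMPLE = (
    BENIGN_PDF
    + b"MIME-Version: 1.0\nContent-Type: multipart/related; boundary=\"b\"\n\n--b\n"
    + b"Content-Location: file:///C:/doc.htm\nContent-Type: text/html\n\n"
    + b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\"><w:WordDocument>"
    + b"<w:View>Print</w:View></w:WordDocument></html>\n"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PDF), ("polyglot", POLYGLOT_SAMPLE)):
        result = scan_maldoc_in_pdf(blob)
        print(f"{name}: suspicious={result['suspicious']} findings={result}")
```

A string-marker check like this is a triage signal only: a polyglot can be confirmed by handing the file to an OLE/MHT-aware parser such as olevba, which the article names, rather than a PDF-only scanner.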

The ‘MalDoc in PDF’ attack discovered by JPCERT serves as a reminder that cyber threats are evolving at an alarming pace. As threat actors continue to innovate, the cybersecurity community must adapt and develop comprehensive defense strategies to safeguard sensitive data and systems.
