Security experts from JPCERT/CC have discovered a new attack technique known as “MalDoc in PDF.” This technique involves embedding one file type within another, allowing cyber attackers to bypass traditional security measures that detect malicious Office documents.
Description
JPCERT/CC observed this attack technique in July 2023 and has provided a video demonstrating the attack. When the PDF file is opened in Microsoft Word [1] [3], the embedded Word file with a macro executes VBA code [3], enabling various malicious activities [1]. The attackers disguise the Word file as a PDF file by using the .doc file extension [3], but it still opens as a Word file [3].
To detect such malicious files [3], JPCERT/CC recommends using the analysis tool OLEVBA to identify embedded macros and using Yara rules to detect discrepancies in file extensions within PDF documents [1]. This technique poses a significant challenge to cybersecurity as it can evade detection by standard PDF viewers, sandbox environments [1], and antivirus software [1].
Conclusion
The “MalDoc in PDF” technique presents a significant challenge to cybersecurity. It allows attackers to evade detection and increase the effectiveness of their attacks on Windows systems [2]. To mitigate the risks associated with this technique, organizations should implement the recommended detection methods provided by JPCERT/CC. Additionally, further research and development are needed to enhance security measures and stay ahead of evolving attack techniques.
References
[1] https://www.infosecurity-magazine.com/news/maldoc-pdf-alarms-experts/
[2] https://www.blackhatethicalhacking.com/news/maldoc-in-pdfs-the-covert-threat-of-embedded-word-documents-into-pdfs/
[3] https://borncity.com/win/2023/09/03/maldoc-malicious-word-files-in-pdf-documents-bypass-malware-detection/