Unraveling MalDoc in PDF Attack Techniques

Introduction:

A novel attack technique known as "MalDoc in PDF" has been discovered by JPCERT/CC. It embeds a malicious Word document within a PDF file in a way that evades traditional PDF analysis tools and may not trigger security alerts in PDF viewers. When the file is opened in Word, the embedded macros execute their malicious actions. This technique was employed in a July attack.


Attack Mechanics:

The attacker appends an mht file containing macros after a PDF file object and saves the result. Although the file appears to be a PDF, it functions as a Word document. Traditional PDF analysis tools such as pdfid may not identify the malicious components within this type of file. When it is opened in Word, the unintended actions occur, while these behaviors remain concealed in PDF viewers. Conventional sandboxes and antivirus software may also fail to detect it because they classify the file as a PDF.


Countermeasures:

To counter this technique, the OLEVBA analysis tool for malicious Word files remains effective: it exposes the embedded macros, so the malicious segments can be identified from its analysis results. YARA rules for detection are recommended, and a warning screen when opening Excel files within PDFs is proposed to counter similar attacks. Note that this technique does not circumvent settings that disable auto-execution of Word macros. Users are advised to exercise caution when interpreting automated malware analysis results for such files, given their PDF guise.
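As an added illustration of the detection idea above (example code written for this article, not JPCERT/CC's tooling or its published rule), the following Python heuristic flags a file that carries the PDF magic header but also contains the MIME/MHT headers and Word or Excel markup that an appended macro-bearing mht file leaves behind. The marker strings and the two sample files are constructed for this example.

```python
# Marker strings an appended MHT (MIME HTML) body leaves in the file.
# Chosen for this example; a production rule would be tuned on real samples.
MHT_MARKERS = [b"MIME-Version:", b"Content-Type:", b"Content-Location:"]
OFFICE_MARKERS = {"word": b"<w:WordDocument>", "excel": b"<x:ExcelWorkbook>"}


def scan_maldoc_in_pdf(data: bytes) -> dict:
    """Heuristic check for a PDF-headed file with an MHT Office body appended.

    Comparison is case-insensitive because MHT headers are.
    """
    is_pdf = data.startswith(b"%PDF-")
    low = data.lower()
    mht_hits = [m.decode() for m in MHT_MARKERS if m.lower() in low]
    office_types = [k for k, m in OFFICE_MARKERS.items() if m.lower() in low]
    # Anything after the last %%EOF is not part of the PDF structure; the
    # appended mht body lands there.
    eof = data.rfind(b"%%EOF")
    trailing = data[eof + len(b"%%EOF"):].strip() if eof != -1 else b""
    return {
        "is_pdf": is_pdf,
        "mht_markers": mht_hits,
        "office_types": office_types,
        "bytes_after_eof": len(trailing),
        # PDF header + MHT headers + Office markup together is the tell.
        "suspicious": is_pdf and bool(mht_hits) and bool(office_types),
    }


# Constructed samples: a minimal benign PDF, and the same PDF with an
# MHT-wrapped Word document appended in the style the article describes.
BENIGN_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
MALDOC_IN_PDF = BENIGN_PDF + (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="----=_Part"\r\n\r\n'
    b"------=_Part\r\n"
    b"Content-Location: file:///C:/doc.htm\r\n"
    b'Content-Type: text/html; charset="us-ascii"\r\n\r\n'
    b'<html xmlns:w="urn:schemas-microsoft-com:office:word">'
    b"<!--[if gte mso 9]><xml><w:WordDocument></w:WordDocument></xml><![endif]-->"
    b"</html>\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PDF), ("maldoc", MALDOC_IN_PDF)):
        print(name, scan_maldoc_in_pdf(sample))
```

A file flagged this way should then be handed to olevba, as the countermeasures above describe, to extract and review the macro itself.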


Potential Impact:

  • Technical Impact: Loss of Confidentiality, Loss of Integrity
  • Business Impact: Financial Damage, Privacy Violation, Reputation Damage


Stay vigilant and adhere to these guidelines to ensure the protection of your systems.

Stay Secure.
