2023-09-04

Cybersecurity researchers have discovered a new antivirus evasion technique known as MalDoc in PDF. This technique involves embedding a malicious Microsoft Word file into a PDF file. The method was used in a real-world attack discovered in July 2023.

MalDoc in PDF works by creating a file that carries the magic numbers and file structure of a PDF yet can still be opened in Word. If the file contains a configured macro, opening it in Word triggers the VBS (Visual Basic Script) to run and carry out malicious actions. The technique takes advantage of the fact that certain files, called polyglots, are recognized as multiple different file types; in this case, the file is recognized as both a PDF and a Word document.

To execute MalDoc in PDF, an MHT file created in Word with a macro attached is added after the PDF file object. This results in a valid PDF file that can also be opened in Word. If the file is opened as a .DOC file in Microsoft Office, the embedded VBS macro will download and install an MSI malware file.
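A defender-side triage check for the structure described above, written as an added example for this article (it is not code from JPCERT/CC or any of the cited researchers). It flags a buffer that starts with the PDF magic but also contains MHTML/Word markers, especially after the final %%EOF; the marker strings and the sample files are constructed assumptions, not a published signature.

```python
# Added example: detect PDF/MHT polyglots of the "MalDoc in PDF" kind.
# Marker strings below are assumed indicators of a Word-saved MHT file.
PDF_MAGIC = b"%PDF-"
MHT_MARKERS = (b"MIME-Version:", b"multipart/related", b"<w:WordDocument>")

def analyze(data: bytes) -> dict:
    """Classify a byte buffer: PDF magic plus MHT/Word markers => polyglot."""
    is_pdf = data.startswith(PDF_MAGIC)
    # Content appended after the PDF's last %%EOF is where the MHT is expected.
    eof = data.rfind(b"%%EOF")
    tail = data[eof + len(b"%%EOF"):] if eof != -1 else b""
    markers = [m.decode() for m in MHT_MARKERS if m in data]
    return {
        "is_pdf": is_pdf,
        "mht_markers": markers,
        "mht_after_eof": any(m in tail for m in MHT_MARKERS),
        "suspicious": is_pdf and bool(markers),
    }

# Constructed samples: a minimal clean PDF, and the same PDF with an MHT
# appended after %%EOF, mimicking the layout the article describes.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
MHT_PART = (b"MIME-Version: 1.0\n"
            b"Content-Type: multipart/related; boundary=\"B\"\n"
            b"--B\nContent-Type: text/html\n"
            b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\">"
            b"<w:WordDocument><w:View>Normal</w:View></w:WordDocument>"
            b"</html>\n--B--\n")
POLYGLOT = CLEAN_PDF + MHT_PART

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PDF), ("polyglot", POLYGLOT)):
        print(name, analyze(blob))
```

A hit from this check is a reason to open the file in a sandbox or parse it as a Word document, not proof of malice on its own.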

The specific malware distributed using this technique is unknown. Nevertheless, users should be cautious when downloading documents from the internet or email, as they may carry a malicious MotW (Mark of the Web). Users should also be wary of enabling macros in documents; macros are disabled by default to protect against potential threats.

This discovery comes at a time when phishing campaigns using QR codes to spread malicious URLs, known as qishing, are on the rise. These campaigns often disguise themselves as multi-factor authentication (MFA) notifications to trick victims into scanning QR codes with their mobile phones. Instead of leading to the desired location, the QR codes guide users to phishing pages.

Social engineering attacks are becoming more sophisticated, with threat actors combining vishing (voice phishing) and phishing tactics to gain unauthorized access to target systems. These attacks may involve elaborate methods, such as a combination of phone and email lures, to deceive victims and launch complex attack chains.

As security concerns continue to arise, it is important for individuals and organizations to stay vigilant and implement robust cybersecurity measures to protect against evolving threats.

Definitions:

– MalDoc in PDF: An antivirus evasion technique that involves embedding a malicious Microsoft Word file into a PDF file.

– Polyglots: Specially crafted files that can be recognized as multiple different file types.

– VBS (Visual Basic Script): A scripting language that allows for the execution of automated tasks in applications like Microsoft Word.

– MotW (Mark of the Web): A tag added to downloaded files indicating potential security risks.

Sources:

– JPCERT/CC: Cybersecurity researchers Yuma Masubuchi and Kota Kino.

– Will Dormann, security researcher.

– Trustwave: A cybersecurity company.

– Cofense: A cybersecurity company.

– Sophos: A cybersecurity company.

– Andrew Brandt, Sophos researcher.

– Cisco Talos: The threat intelligence and research organization within Cisco.