Unveiling the Sneaky ‘MalDoc in PDF’ Attack: A Novel Evasion Technique Detected by Japan’s Cybersecurity Team

TheRealThreatHuntress
3 min read · Aug 29, 2023

In the ever-evolving landscape of cyber threats, attackers continue to find ingenious ways to outwit traditional security measures. The latest discovery by Japan’s computer emergency response team (JPCERT) sheds light on a strikingly clever attack technique known as the ‘MalDoc in PDF.’ This technique, detected in July 2023, manages to elude detection by embedding malicious Word files within innocuous-looking PDF documents, presenting a fresh challenge to cybersecurity experts.

Picture this: a seemingly harmless PDF file that houses a hidden Word document. JPCERT’s analysis reveals that this peculiar combination of file types forms a polyglot — a digital chameleon, if you will. Scanners and tools recognize it as a PDF, yet when the same file is opened in Microsoft Word it is parsed as an ordinary Word document (.doc). The magic lies in the concept of polyglots — single files that are valid in more than one format and are interpreted as different file types depending on which software parses them.

Polyglots are like the master disguises of the digital realm. They confound analysis tools and security scanners by assuming different personas in different contexts. This MalDoc in PDF attack leverages this very quality to slip under the radar. Imagine malware concealed in plain sight, one form fooling the scanners while the other delivers the payload.

In this particular case, the PDF document enfolds a Word document containing a VBS macro — a script that, when executed, triggers the download and installation of an MSI malware file. The trick is in the activation — the PDF, when opened as a .doc file in Microsoft Office, initiates the chain of events. Because the payload is still an Office macro, the usual safeguard applies: security settings that disable macro auto-execution in Microsoft Office thwart this method as well, a reminder of the significance of such safeguards.

To drive home the point, JPCERT shared a demonstration video on YouTube showcasing the appearance and functioning of MalDoc in PDF on Windows systems. While the idea of embedding one file within another isn’t groundbreaking, the finesse of this technique lies in the execution. JPCERT underscores that it’s not the concept but the innovative approach that sets this apart.

MalDoc in PDF poses a challenge to standard PDF analysis tools, which typically parse the outer layer of a file, treating it as a legitimate PDF structure. This surface-level analysis overlooks the concealed Word document harboring malicious intent. Nonetheless, JPCERT emphasizes that tools like ‘OLEVBA’ (olevba from the oletools suite) can still pierce through the layers and extract the embedded macro. The key, it seems, is multi-layered defense strategies and sophisticated detection mechanisms.

To empower defenders and researchers, JPCERT generously shares a Yara rule. This rule operates as a digital sniffer dog, identifying files employing the ‘MalDoc in PDF’ technique. By inspecting whether a file begins with a PDF signature and contains telltale patterns of a Word document, Excel workbook, or MHT file, the rule pinpoints potential threats aligned with the evasion method identified in the wild.
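The same idea as that rule, as an added Python triage check that is not JPCERT’s rule and not part of the original post: look for a PDF header near the start of the file, then for markers that would only be present if an Office document (OLE container, Office-flavoured HTML, or MHT) is also embedded. The specific marker strings and the constructed sample inputs are this example’s own assumptions.

```python
# Added example: triage check for "MalDoc in PDF"-style polyglots.
# Marker choices are this example's assumptions, not JPCERT's published rule.
PDF_MAGIC = b"%PDF-"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2/CFB header used by .doc/.xls
MHT_MARKERS = (b"MIME-Version:", b"Content-Type: multipart/related")
OFFICE_HTML_MARKERS = (b"<w:WordDocument>", b"<x:ExcelWorkbook>", b"<?mso-application")


def classify_polyglot(data: bytes) -> dict:
    """Report which embedded-document markers appear alongside a PDF header.

    PDF readers tolerate the %PDF- header anywhere in the first 1024 bytes,
    so the check is slightly broader than "file begins with %PDF-".
    """
    starts_as_pdf = data[:1024].find(PDF_MAGIC) != -1
    findings = {
        "pdf_header": starts_as_pdf,
        "ole_container": OLE_MAGIC in data,
        "mht_markers": any(m in data for m in MHT_MARKERS),
        "office_html_markers": any(m in data for m in OFFICE_HTML_MARKERS),
    }
    # A PDF header plus any Office/MHT marker is a triage hit, not a verdict:
    # benign PDFs with attachments can also carry these strings, so hand hits
    # to olevba or a sandbox rather than blocking on this alone.
    findings["suspect_maldoc_in_pdf"] = starts_as_pdf and (
        findings["ole_container"]
        or findings["mht_markers"]
        or findings["office_html_markers"]
    )
    return findings


# Constructed sample inputs (not real malware): a plain PDF and a PDF-headed
# blob that also carries MHT and Word HTML markers.
CLEAN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
POLYGLOT_SAMPLE = (
    b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
    b"MIME-Version: 1.0\nContent-Type: multipart/related; boundary=\"x\"\n"
    b"<w:WordDocument>...</w:WordDocument>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PDF), ("polyglot", POLYGLOT_SAMPLE)):
        print(name, classify_polyglot(blob))
```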

In a digital world where the battle between defenders and attackers rages on, the ‘MalDoc in PDF’ technique serves as a testament to the limitless inventiveness of cybercriminals. As we arm ourselves with knowledge, adaptive strategies, and collaborative efforts, we stand a better chance of staying one step ahead in this high-stakes game of cybersecurity.
