MalDoc: Malicious Word files in PDF documents bypass malware detection

Another small addendum from this week: The Japanese CERT warns of a new technique used by cyber attackers who take malicious Word files and embed them in PDF documents. This "packaging" is intended to bypass the detection of malicious Office documents by security software. JPCERT/CC first observed attacks using this technique, known as MalDoc in PDF, via infected PDF files in July 2023.

I already stumbled across the following message from the JPCERT/CC on Twitter a few days ago. The security agency documented the whole thing in the blog post MalDoc in PDF – Detection bypass by embedding a malicious Word file into a PDF file.

MalDoc: Detection bypass

It says that JPCERT/CC confirmed that an attack in July 2023 used this new technique, called MalDoc, to bypass the detection of malicious files by security software. This involved embedding a malicious Word file in a PDF and then sending it to victims.

A file created with MalDoc in PDF can be opened in Microsoft Word, even though it has the magic bytes and file structure of PDF documents. If the Word document file masked in this way contains a macro, the VBA code is executed when the document is opened in Word. Then malicious actions can be performed via VBA.

Interestingly, the document file used in the attack confirmed by JPCERT/CC had the .doc file extension, although it had the magic bytes as well as the structure of a PDF file. As long as the .doc file type is configured in the Windows settings to open in Word (which is the default), the file created by MalDoc in PDF will open as a Word file.

In the JPCERT/CC post there is a video showing the attack. In addition, the blog post reveals some more details, and the security agency gives some hints on how to detect such malicious files. A safe way to analyse suspicious document files is the tool OLEVBA. In addition, the experts of the security agency have published a YARA rule for detecting such malware.
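As an added defender-side example (not code from the JPCERT/CC post and not its YARA rule), the following Python script applies the detection hints above: it flags a file that carries PDF magic bytes under a Word extension, contains Word/VBA markers, or has data appended after the final %%EOF. The marker list, the extension list and the trailing-data heuristic are assumptions made here for illustration; the sample files are constructed.

```python
import re
from pathlib import PurePath

# Strings treated here as hints that a document Word will open (an MHT/Word
# file, possibly with VBA) is hidden inside a PDF. This list is an assumption
# made for this example, not the JPCERT/CC YARA rule.
WORD_MARKERS = (b"mso-application", b"Word.Document", b"vbaProject", b"x-mso")
OFFICE_EXTENSIONS = {".doc", ".docx", ".docm", ".dot", ".rtf"}


def classify(data: bytes, filename: str) -> dict:
    """Return heuristic findings for a 'MalDoc in PDF' style file.

    data     -- raw file bytes
    filename -- name as delivered (the extension decides which app opens it)
    """
    findings = []
    ext = PurePath(filename).suffix.lower()
    # PDF readers accept the %PDF header within the first 1024 bytes.
    has_pdf_magic = b"%PDF" in data[:1024]

    if has_pdf_magic and ext in OFFICE_EXTENSIONS:
        findings.append("extension_mismatch")  # Word extension, PDF magic

    present = [m.decode() for m in WORD_MARKERS if m in data]
    if has_pdf_magic and present:
        findings.append("word_markers:" + ",".join(present))

    # Bytes after the final %%EOF lie outside the PDF structure proper; an
    # appended document would live there (heuristic assumption, not a spec).
    eof_ends = [m.end() for m in re.finditer(rb"%%EOF", data)]
    if eof_ends and data[eof_ends[-1]:].strip():
        findings.append("data_after_eof")

    return {"pdf_magic": has_pdf_magic, "suspicious": bool(findings), "findings": findings}


# Constructed sample: minimal PDF skeleton with a Word-style MHT body appended.
SAMPLE_MALDOC = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"MIME-Version: 1.0\nContent-Type: multipart/related; boundary=\"b\"\n"
    b"--b\nContent-Type: text/html\n<meta name=ProgId content=Word.Document>\n"
    b"Content-Location: file:///C:/vbaProject.bin\n"
)
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in (("invoice.doc", SAMPLE_MALDOC), ("report.pdf", SAMPLE_CLEAN)):
        print(name, classify(blob, name))
```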


One Response to MalDoc: Malicious Word files in PDF documents bypass malware detection

  1. Victor says:

    Hello, I don't know if you got the answer to this, but I was searching the internet for the same answer and I came across your blog. I seem to have found the solution.
    https://learn.microsoft.com/en-us/archive/msdn-technet-forums/462ec0d0-0da8-46ca-95f5-dc5fcec78c36
