Thursday November 21, 2024

Advisory ID: NCC-CSIRT-120923-033 

Summary: Japan's computer emergency response team (JPCERT) has identified a novel attack method involving the distribution of malware known as 'MalDoc in PDF'. This technique effectively evades detection by concealing malicious Word files within PDF documents.

Threat Type(s): Malware

Impact/Vulnerability: HIGH/CRITICAL

Product(s): PDF

Platform(s):  PDF Files

Version(s): All Versions 

Description: As indicated by the researchers, the compromised PDF file carrying the malicious Word Docs possesses a polyglot nature. Polyglot files exhibit the ability to be interpreted and executed in multiple ways, depending on the application used to open them. While most scanning engines and tools identify it as a PDF, standard office applications treat it as a typical Word document (.doc). Enclosed within the PDF is a Word document housing a Visual Basic Script (VBS) macro. When this file is accessed as a .doc in Microsoft Office, the VBS macro triggers the downloading and installation of a Microsoft Installer malware (MSI malware) file. However, the specific details about the nature of this installed malware have not been disclosed by the researchers.

Consequences: Attackers employ this attack technique to evade detection and confuse analysis tools. The malicious files may seem harmless in one format, while hiding malicious code in another. 

Solution: 

  • Deactivate the automatic execution of macros in Microsoft Office (see Microsoft's guidance on how to disable macros in Microsoft Office).
  • Utilize the OLEVBA tool, an analysis tool designed for assessing malicious Word files. This tool can provide an analysis of embedded macros, enabling the identification of potentially malicious components within the file (see the OLEVBA documentation on how to use it for macro malware analysis).
  • Apply the Yara rule offered by Japan CERT to detect files utilizing the 'MalDoc in PDF' technique. This approach involves displaying a warning screen upon the initiation of Word documents, Excel workbooks, or MHT files (webpage archives saved by a web browser) within a PDF file. This warning prompts users about differing file extensions and requires user acceptance before opening in Word, Excel, or MHT formats.
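As an added illustration of the detection idea in the last item (this is example code written for this advisory, not JPCERT's published Yara rule or the OLEVBA tool), the check below flags a file that begins with a PDF header but also carries the MHT and Word/Excel markers that characterise a 'MalDoc in PDF' polyglot. The marker strings, the constructed sample inputs and the macro hints are assumptions chosen for the example; the sample blobs contain no real payload.

```python
# Indicators a MalDoc-in-PDF polyglot leaves in plain text: a PDF header,
# MHT (web archive) headers, and the Word/Excel HTML namespace tags.
PDF_MAGIC = b"%PDF-"
MHT_MARKERS = (b"mime-version:", b"content-location:", b"content-type:")
OFFICE_MARKERS = (b"<w:worddocument>", b"<x:excelworkbook>")
# Strings that hint at an embedded VBA project; they only enrich the report
# (assumed hints, not a complete list, and absent when the OLE part is compressed).
MACRO_HINTS = (b"vbaProject", b"Attribute VB_Name", b"ActiveMime")

def scan_maldoc_in_pdf(data: bytes) -> dict:
    """Report MalDoc-in-PDF indicators found in the raw bytes of one file."""
    lowered = data.lower()
    report = {
        "pdf_header": data.startswith(PDF_MAGIC),
        "mht_markers": [m.decode() for m in MHT_MARKERS if m in lowered],
        "office_markers": [m.decode() for m in OFFICE_MARKERS if m in lowered],
        "macro_hints": [m.decode() for m in MACRO_HINTS if m.lower() in lowered],
    }
    # Verdict: a PDF that also contains an MHT-wrapped Office document is the
    # polyglot shape described above; a plain PDF or a plain MHT file is not.
    report["suspicious"] = (
        report["pdf_header"]
        and bool(report["mht_markers"])
        and bool(report["office_markers"])
    )
    return report

def scan_path(path: str) -> dict:
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as fh:
        return scan_maldoc_in_pdf(fh.read())

# Constructed samples for demonstration: a benign minimal PDF, and a PDF-headed
# blob followed by MHT headers and Word namespace tags (no executable content).
BENIGN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
POLYGLOT_SAMPLE = (
    BENIGN_PDF
    + b"MIME-Version: 1.0\nContent-Type: multipart/related; boundary=\"b\"\n"
    + b"--b\nContent-Location: file:///C:/doc.htm\nContent-Type: text/html\n\n"
    + b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\">"
    + b"<w:WordDocument><w:View>Print</w:View></w:WordDocument></html>\n"
    + b"--b\nContent-Location: file:///C:/editdata.mso\n"
    + b"Content-Type: application/x-mso\n\nActiveMime vbaProject\n--b--\n"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PDF), ("polyglot", POLYGLOT_SAMPLE)):
        print(name, scan_maldoc_in_pdf(blob))
```

Because the markers are searched as plain text, a sample whose Office part is compressed will still be caught by the MHT and namespace tags, but the macro hints list may be empty; OLEVBA remains the tool for confirming the macro itself.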

References:

https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html 

https://www.bleepingcomputer.com/news/security/maldoc-in-pdfs-hiding-malicious-word-docs-in-pdf-files/ 

https://github.com/decalage2/oletools/wiki/olevba