JPCERT/CC reports a new technique called MalDoc in PDF that embeds a Word file inside a PDF to bypass detection. When opened in Word, a macro can trigger VBScript to perform malicious behaviors, potentially evading PDF-focused analysis and traditional sandboxes. Hashtags: #MalDocInPDF #JPCERTCC #OLEVBA #pdfid #YARA #DidierStevens #MaldocinPDF #cloudmetricsapp #web365metrics
Keypoints
- JPCERT/CC identifies a technique named MalDoc in PDF that hides a Word-macro payload inside a PDF file.
- Opening the file in Word can execute VBScript via macros, enabling malicious behavior.
- The confirmed sample reportedly used a .doc extension; on Windows hosts where .doc is associated with Word, opening the MalDoc in PDF file launches Word rather than a PDF viewer, and the macro can run.
- Detection can be bypassed because the file signature is that of a PDF: PDF-focused tools (e.g., pdfid) may not see the embedded Word content, and sandboxes or AV that treat the file purely as a PDF may not detect it.
- OLEVBA is cited as an effective countermeasure for analyzing embedded Word macros within such files.
- A sample YARA rule is provided to detect PDFs that contain embedded Word or Excel content; the post also notes that a warning is shown to the user before Excel opens such a file.
- The Appendix lists C2 information and malware hashes associated with the confirmed sample.
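Added example (not code from the JPCERT/CC post): a small Python triage helper that applies the same layered check the post's detection relies on, namely a genuine PDF signature at offset 0 combined with MHTML structure and a Word or Excel document tag later in the file. It also carves the embedded MHTML part so an analyst can hand it to OLEVBA. The MHTML header fields and the `<w:WordDocument>` / `<x:ExcelWorkbook>` tags are assumed format markers from how Office saves MHT files, not strings quoted from the post; the sample inputs are constructed and contain no real malware.

```python
"""Triage helper: flag PDF-signature files that also carry an MHTML-wrapped Office document."""

PDF_MAGIC = b"%PDF"

# Assumed format markers (not taken from the JPCERT/CC post): MHTML header
# fields, and the XML namespace tags Word and Excel emit when a document is
# saved as MHT. Matching is case-insensitive, so everything is lower-case here.
MHT_MARKERS = (b"mime-version:", b"content-location:", b"content-type:")
WORD_MARKERS = (b"<w:worddocument>",)
EXCEL_MARKERS = (b"<x:excelworkbook>",)
# Hints that a VBA project is present; a hit is a prompt to run olevba, not proof.
MACRO_HINTS = (b"vbaproject.bin", b"_vba_project")


def _first_offset(blob: bytes, needles) -> int:
    """Lowest offset at which any needle occurs, or -1 if none does."""
    hits = [h for h in (blob.find(n) for n in needles) if h >= 0]
    return min(hits) if hits else -1


def triage_maldoc_in_pdf(data: bytes) -> dict:
    """Return a verdict dict describing whether `data` looks like a MalDoc in PDF file.

    The decision mirrors the layering the technique relies on: a PDF signature
    at offset 0, MHTML structure, and a Word or Excel document tag somewhere
    later in the same file.
    """
    low = data.lower()  # same length as data, so offsets map 1:1
    has_pdf_magic = data[:4] == PDF_MAGIC
    mht_offset = _first_offset(low, MHT_MARKERS)
    word_offset = _first_offset(low, WORD_MARKERS)
    excel_offset = _first_offset(low, EXCEL_MARKERS)
    macro_hint = _first_offset(low, MACRO_HINTS) >= 0

    if word_offset >= 0:
        office_type = "word"
    elif excel_offset >= 0:
        office_type = "excel"
    else:
        office_type = None

    suspicious = has_pdf_magic and mht_offset >= 0 and office_type is not None
    return {
        "pdf_magic": has_pdf_magic,
        "mht_offset": mht_offset,
        "office_type": office_type,
        "macro_hint": macro_hint,
        "suspicious": suspicious,
    }


def carve_embedded_part(data: bytes) -> bytes:
    """Return the bytes from the first MHTML header onward, for hand-off to olevba.

    Returns b"" when no MHTML header is present.
    """
    off = _first_offset(data.lower(), MHT_MARKERS)
    return data[off:] if off >= 0 else b""


# Constructed samples (not real malware): a minimal PDF followed by an MHTML
# Word document that references a VBA project, a clean PDF, and a bare MHT file.
_PDF_HEAD = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
_MHT_WORD = (
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart"\n\n'
    b"------=_NextPart\nContent-Location: file:///C:/doc.htm\n"
    b'Content-Type: text/html; charset="us-ascii"\n\n'
    b'<html xmlns:w="urn:schemas-microsoft-com:office:word">\n'
    b"<!--[if gte mso 9]><xml><w:WordDocument><w:View>Normal</w:View>"
    b"</w:WordDocument></xml><![endif]-->\n"
    b"</html>\n------=_NextPart\nContent-Location: file:///C:/vbaProject.bin\n"
    b"Content-Transfer-Encoding: base64\n\nAAAA\n------=_NextPart--\n"
)
SAMPLE_MALDOC_IN_PDF = _PDF_HEAD + _MHT_WORD
SAMPLE_CLEAN_PDF = _PDF_HEAD
SAMPLE_PLAIN_MHT = _MHT_WORD


if __name__ == "__main__":
    for name, blob in (
        ("maldoc-in-pdf", SAMPLE_MALDOC_IN_PDF),
        ("clean-pdf", SAMPLE_CLEAN_PDF),
        ("plain-mht", SAMPLE_PLAIN_MHT),
    ):
        print(name, triage_maldoc_in_pdf(blob))
```

The bare MHT sample is deliberately not flagged: it is an ordinary Word MHT file and belongs to the normal macro-document workflow (olevba handles it directly). Only the combination of PDF signature plus embedded Office document is the signal this technique leaves, which is why the verdict requires all three layers and reports the offset of the embedded part rather than a bare yes/no.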
MITRE Techniques
- [T1059.005] Visual Basic – “by opening it in Word, VBS runs and performs malicious behaviors.”
- [T1204] User Execution – “by opening it in Word” to trigger macro execution.
- [T1036] Masquerading – “The created file is recognized as a PDF file in the file signature, but it can also be opened in Word.”
- [T1071] Web Protocols – “…the communication occurs.” (video shows the process from opening the file to communication.)
Indicators of Compromise
- [Hash] Malware hashes – ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058, 098796e1b82c199ad226bff056b6310262b132f6d06930d3c254c57bdf548187, 5b677d297fb862c2d223973697479ee53a91d03073b14556f421b3d74f136b9d
- [Domain] C2 domains – cloudmetricsapp.com, web365metrics.com
Read more: https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html