Hackers are now hiding malicious Word documents in PDFs — how to stay safe

Malware warning on a Mac
(Image credit: Shutterstock)

Hackers have begun hiding malicious documents in PDF files as a means to spread malware while avoiding detection by security software.

As reported by BleepingComputer, Japan's computer emergency response team (JPCERT/CC) described a new attack technique it calls "MalDoc in PDF", which it found in attacks observed in July of this year.

MalDoc in PDF attacks rely on polyglots: single files that are valid in two different file formats at once. In this campaign the two formats are PDF and Microsoft Word. Which format gets used depends on the application that opens the file: a PDF reader parses the PDF structure and shows an ordinary document, while Microsoft Word treats the very same bytes as a Word document and, if allowed, runs its macros.

This isn’t the first time that hackers have leveraged polyglots in their attacks. These types of files are typically used to evade detection as they appear legitimate in one format while the other format contains malware.

Using macros to install malware

Although JPCERT hasn’t shared any details on the particular malware strain being used in this campaign, it did offer further details on how MalDoc in PDF attacks work.

The Word document hidden inside the PDF carries a VBA macro. If the file is opened in Microsoft Word rather than in a PDF reader, and the macro is allowed to run, it downloads an MSI installer and uses it to install the malware on the victim's computer.

Like other attacks that use Word files, this one relies on the victim letting the macro run. Recent versions of Microsoft Office block macros by default in files that carry the mark of the web (files downloaded from the internet or saved from email), so the user would typically have to override a warning first. If macros stay disabled, MalDoc in PDF has no way to install malware on its own.

According to JPCERT's blog post on the matter, the technique is notable because the Word content sits outside the PDF's own object structure, so tools that only inspect PDF keywords and objects, such as pdfid, report nothing unusual and the hidden document goes unnoticed. To make these files easier for security firms and researchers to spot, JPCERT has published a YARA rule that matches them.
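To make the polyglot layout and the detection idea from the paragraphs above concrete, here is an added example that is not JPCERT's rule or code and not part of the original article. It constructs a harmless mock of the layout JPCERT describes (a small valid PDF followed by a Word MHT web-archive skeleton with no macro and no payload) and runs a simple checker over it. The marker strings it looks for are this example's own heuristics, chosen because Word writes them into every MHT it saves, and the PDF bytes are hand-written for the example, not taken from any real sample.

```python
"""
Added example: build a harmless mock of a PDF/Word-MHT polyglot and flag it.
Nothing here is JPCERT's YARA rule; the markers are this example's heuristics.
"""

# A minimal one-page PDF, constructed for this example. The xref offsets are
# not byte-accurate; that does not matter for the check below.
PDF_PART = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
xref
0 4
0000000000 65535 f 
trailer << /Size 4 /Root 1 0 R >>
startxref
0
%%EOF
"""

# An MHT skeleton of the kind Word saves as "Web Page, Single File",
# constructed here with no macro, no script and no embedded objects.
MHT_PART = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_01"

------=_NextPart_01
Content-Type: text/html; charset="us-ascii"

<html xmlns:w="urn:schemas-microsoft-com:office:word">
<head><meta name=ProgId content=Word.Document>
<!--[if gte mso 9]><xml><w:WordDocument><w:View>Print</w:View>
</w:WordDocument></xml><![endif]--></head>
<body><p>Example content.</p></body></html>
------=_NextPart_01--
"""

# Strings that only make sense in a Word MHT document, never in a plain PDF.
# Heuristic choice for this example; real detection should use more context.
WORD_MARKERS = [
    b"MIME-Version:",
    b"Content-Type: multipart/related",
    b"<w:WordDocument>",
    b"Word.Document",
]


def build_polyglot(pdf: bytes = PDF_PART, mht: bytes = MHT_PART) -> bytes:
    """Append the Word MHT after the PDF data, the layout described in the text."""
    return pdf + mht


def trailing_data(data: bytes) -> bytes:
    """Return whatever follows the last %%EOF marker, minus surrounding whitespace.

    rfind is used because legitimately updated PDFs may contain several
    %%EOF markers (incremental updates); only bytes after the final one count.
    """
    idx = data.rfind(b"%%EOF")
    if idx < 0:
        return b""
    return data[idx + len(b"%%EOF"):].strip()


def scan_pdf(data: bytes) -> dict:
    """Classify a file by PDF magic, trailing data, and Word MHT markers.

    A PDF-signature-based tool sees only the PDF; this check deliberately
    looks at the raw bytes of the whole file instead.
    """
    is_pdf = data.startswith(b"%PDF-")
    tail = trailing_data(data)
    hits = [m.decode() for m in WORD_MARKERS if m in data]

    if is_pdf and len(hits) >= 2:
        verdict = "suspicious"   # PDF magic plus Word MHT content: polyglot
    elif is_pdf and tail:
        verdict = "review"       # unexplained bytes after the final %%EOF
    else:
        verdict = "clean"

    return {
        "is_pdf": is_pdf,
        "trailing_bytes": len(tail),
        "word_markers": hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, blob in (("plain.pdf", PDF_PART), ("polyglot.pdf", build_polyglot())):
        print(name, scan_pdf(blob))
```

Run as a script, it reports the plain PDF as clean and the mock polyglot as suspicious, listing the Word markers it found. The point is the order of checks: a scanner that stops at the PDF header, or that only walks PDF objects, never reaches the MHT bytes; looking at the whole file, and at what sits after the final %%EOF, is what exposes the second format.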

Still, an attack like this can be confusing, as most people would never expect a single file to be two different document types at once.

How to stay safe from malicious documents


(Image credit: solarseven/Shutterstock)

Hackers have many different tools in their arsenal, but malicious documents remain one of the most common ways to deliver malware, second only to malicious apps. For this reason, you need to be careful when opening any file that arrives in your inbox or that you've downloaded online.

While opening files from friends, family and coworkers is normally fine, keep in mind that a sender's address can be spoofed or their account compromised, so watch for red flags that suggest a message didn't really come from someone you know. These include spelling and grammatical errors, as well as language that tries to create a sense of urgency so that you respond or open a file without thinking.

At the same time, you should be using the best antivirus software on your PC, the best Mac antivirus software on your Mac and one of the best Android antivirus apps on your Android smartphone. This way, even if you do download a malicious document or other dangerous file, it will be flagged by your antivirus so that you know it’s dangerous.

Now that JPCERT has shined a light on MalDoc in PDF attacks, hackers may try to do something similar using a different file type. However, as long as you’re careful online and avoid downloading attachments or files from shady websites, you’ll be less likely to fall for their tricks.


Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.