Hackers have begun hiding malicious documents in PDF files as a means to spread malware while avoiding detection by security software.
As reported by BleepingComputer, Japan’s computer emergency response team (JPCERT) discovered a new attack method called “MalDoc in PDF” back in July of this year.
MalDoc in PDF attacks work by using polyglots, which are files that are valid in two distinct file formats at once. In this case, the hackers behind this campaign are combining a Microsoft Word document with a PDF file. Such a file can be interpreted and executed as either type, depending on which application opens it.
This isn’t the first time that hackers have leveraged polyglots in their attacks. These types of files are typically used to evade detection as they appear legitimate in one format while the other format contains malware.
Using macros to install malware
Although JPCERT hasn’t shared any details on the particular malware strain being used in this campaign, it did offer further details on how MalDoc in PDF attacks work.
The PDF files containing malicious Word documents also include a VBS macro which is used to download and install an MSI malware file on vulnerable computers when they’re opened in Microsoft Office.
Like other attacks that use Word files, this one relies on macros being enabled on a victim’s PC. Fortunately, if they’re turned off, MalDoc in PDF is unable to bypass a computer’s security settings to install malware.
According to JPCERT's blog post on the matter, the techniques used in these new MalDoc in PDF attacks are novel because they can allow the malicious documents included in these PDFs to evade PDF analysis tools like 'pdfid'. In order to make these kinds of attacks easier for security firms and researchers to spot, the cybersecurity agency has created a new YARA rule.
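As an added illustration of why a PDF-keyword scanner can miss such a file, and of the kind of check a defender can run instead, here is a small Python heuristic that looks for Word/Office markers (an MHT multipart body, the Word HTML namespace, an OLE compound-file header, a Word OOXML zip) inside a file that starts as a PDF, and reports whether they sit after the final `%%EOF`. This is example code written for this article, not JPCERT's YARA rule or the pdfid tool; the marker list and the embedded sample file are constructed assumptions.

```python
import re

PDF_MAGIC = b"%PDF-"

# Byte patterns an Office/Word parser would latch onto. Constructed list for this
# example; it is a heuristic, not an authoritative signature set.
OFFICE_MARKERS = {
    "ole_compound_header": re.compile(rb"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"),
    "ooxml_zip_word": re.compile(rb"PK\x03\x04.{0,200}?word/", re.S),
    "mht_word_namespace": re.compile(
        rb"xmlns:w=\"urn:schemas-microsoft-com:office:word\""),
    "mime_multipart": re.compile(
        rb"MIME-Version:.*?Content-Type:\s*multipart/related", re.S),
}


def pdf_polyglot_report(data: bytes) -> dict:
    """Scan a byte blob for Office markers and note where they sit relative to %%EOF."""
    report = {"is_pdf": data.startswith(PDF_MAGIC), "markers": {}, "trailing_bytes": 0}
    last_eof = data.rfind(b"%%EOF")
    if last_eof != -1:
        # Bytes after the last %%EOF are ignored by PDF readers but still parsed by Word.
        report["trailing_bytes"] = len(data) - (last_eof + len(b"%%EOF"))
    for name, pattern in OFFICE_MARKERS.items():
        hit = pattern.search(data)
        if hit:
            report["markers"][name] = {
                "offset": hit.start(),
                "after_eof": last_eof != -1 and hit.start() > last_eof,
            }
    return report


def is_suspicious(report: dict) -> bool:
    """A file that parses as a PDF yet carries any Office marker deserves a closer look."""
    return report["is_pdf"] and bool(report["markers"])


# Constructed sample: a minimal PDF, and the same PDF with an MHT-style Word body appended.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
SAMPLE_POLYGLOT = SAMPLE_PDF + (
    b"MIME-Version: 1.0\nContent-Type: multipart/related; boundary=\"----=_X\"\n\n"
    b"------=_X\nContent-Type: text/html\n\n"
    b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\"><body>doc</body></html>\n"
)

if __name__ == "__main__":
    for label, blob in (("plain pdf", SAMPLE_PDF), ("polyglot", SAMPLE_POLYGLOT)):
        rep = pdf_polyglot_report(blob)
        print(label, "suspicious" if is_suspicious(rep) else "clean", rep["markers"])
```

Run it against a real file with `pdf_polyglot_report(open(path, "rb").read())`; a hit with `after_eof` set is the shape of the appended-document trick the article describes.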
Still, an attack like this can be particularly confusing, as most people would never imagine that a single document could actually contain two different file types.
How to stay safe from malicious documents
Hackers have many different tools in their arsenal, but malicious documents remain one of the most popular after malicious apps. For this reason, you need to be extremely careful when opening any file that hits your inbox or that you’ve downloaded online.
While downloading files from your friends, family and coworkers is normally okay, you still need to be on the lookout for any red flags that might indicate the email didn’t originate from someone you know. These include spelling and grammatical errors, as well as language that seeks to instill a sense of urgency in order to get you to respond or to open a file.
At the same time, you should be using the best antivirus software on your PC, the best Mac antivirus software on your Mac and one of the best Android antivirus apps on your Android smartphone. This way, even if you do download a malicious document or other dangerous file, it will be flagged by your antivirus so that you know it’s dangerous.
Now that JPCERT has shined a light on MalDoc in PDF attacks, hackers may try to do something similar using a different file type. However, as long as you’re careful online and avoid downloading attachments or files from shady websites, you’ll be less likely to fall for their tricks.