
MalDoc in PDFs: Hiding malicious Word docs in PDF files
2023-08-28 20:32

Japan's computer emergency response team is sharing a new 'MalDoc in PDF' attack detected in July 2023 that bypasses detection by embedding malicious Word files into PDFs. The file sampled by JPCERT is a polyglot recognized by most scanning engines and tools as a PDF, yet office applications can open it as a regular Word document.

The malicious documents in this campaign are a combination of PDF and Word documents, which can be opened as either file format.

Typically, threat actors use polyglots to evade detection or confuse analysis tools, as these files may appear innocuous in one format while hiding malicious code in the other.

JPCERT released a video on YouTube demonstrating how a MalDoc in PDF file appears and behaves on Windows.

Although embedding one file type within another isn't new, and attackers' use of polyglot files to evade detection has been well documented, JPCERT says this specific technique is novel. The main advantage of MalDoc in PDF for attackers is the ability to evade traditional PDF analysis tools such as 'pdfid', or other automated analysis tools, that only examine the outer layer of the file, which is a legitimate PDF structure.

The detection rule JPCERT published checks whether a file starts with a PDF signature and also contains patterns indicative of a Word document, an Excel workbook, or an MHT file, which matches the evasion technique JPCERT spotted in the wild.
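The following checker is an added example written for this page; it is not JPCERT's rule or code, and it does not use any sample from the campaign. It mirrors the logic the article describes: a file is flagged only when it carries the PDF signature at offset 0 and also contains both MHT (MIME HTML) headers and Word or Excel markers. The marker strings, the benign PDF, and the polyglot-shaped blob are all my own assumptions, constructed inline so the script runs offline. The `magic_only_type` function shows why an outer-layer check alone classifies such a file as a plain PDF.

```python
"""Polyglot check modelled on the 'PDF signature plus Office/MHT markers'
logic described above. Added example, not JPCERT's published rule."""
import re

PDF_MAGIC = b"%PDF"

# Assumed indicator strings. Word/Excel "Single File Web Page" (MHT) output
# carries these XML tags; the MHT envelope itself carries MIME headers.
OFFICE_MARKERS = {
    "word": [rb"<w:WordDocument", rb"ProgId\s*=\s*Word\.Document"],
    "excel": [rb"<x:ExcelWorkbook", rb"ProgId\s*=\s*Excel\.Sheet"],
}
MHT_MARKERS = [
    rb"MIME-Version:",
    rb"Content-Location:",
    rb"Content-Type:\s*multipart/related",
]


def magic_only_type(data: bytes) -> str:
    """What a naive magic-byte check reports: it looks only at the outer layer."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(b"\xd0\xcf\x11\xe0"):   # OLE2 compound file (legacy .doc/.xls)
        return "ole2"
    if data.startswith(b"PK\x03\x04"):         # ZIP container (.docx/.xlsx)
        return "zip"
    return "unknown"


def scan(data: bytes) -> dict:
    """Scan the whole byte stream, not just the header, for the combination
    of indicators: PDF signature AND MHT headers AND Word/Excel markers."""
    result = {
        "pdf_signature": data.startswith(PDF_MAGIC),
        "mht": any(re.search(p, data, re.IGNORECASE) for p in MHT_MARKERS),
        "office": [],
    }
    for kind, patterns in OFFICE_MARKERS.items():
        if any(re.search(p, data, re.IGNORECASE) for p in patterns):
            result["office"].append(kind)
    result["suspicious"] = (
        result["pdf_signature"] and result["mht"] and bool(result["office"])
    )
    return result


def is_maldoc_in_pdf(data: bytes) -> bool:
    return scan(data)["suspicious"]


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan(fh.read())


# --- Constructed samples (not real malware, not campaign samples) ---------
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# A minimal Word-style MHT body on its own: an ordinary Office web page.
PLAIN_MHT = (
    b"MIME-Version: 1.0\n"
    b"Content-Type: multipart/related; boundary=\"----=_Part_X\"\n\n"
    b"------=_Part_X\nContent-Location: file:///C:/doc.htm\n"
    b"Content-Type: text/html\n\n"
    b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\"><head><xml>"
    b"<w:WordDocument><w:View>Print</w:View></w:WordDocument>"
    b"</xml></head><body></body></html>\n"
)

# Polyglot-shaped blob: a valid-looking PDF header followed by the MHT body.
POLYGLOT = BENIGN_PDF + PLAIN_MHT

if __name__ == "__main__":
    for name, blob in [("benign_pdf", BENIGN_PDF),
                       ("plain_mht", PLAIN_MHT),
                       ("polyglot", POLYGLOT)]:
        print(name, "magic:", magic_only_type(blob), "scan:", scan(blob))
```

Requiring all three indicator classes together keeps the check from firing on an ordinary PDF that merely mentions "Content-Type:" in embedded text, or on a legitimate Office MHT file with no PDF header. Tuning the marker lists to your own environment is expected; the ones above are illustrative.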

News URL

https://www.bleepingcomputer.com/news/security/maldoc-in-pdfs-hiding-malicious-word-docs-in-pdf-files/