Unraveling MalDoc in PDF Attack Techniques


VTA-004460 – Unraveling MalDoc in PDF Attack Techniques

JPCERT/CC recently uncovered a novel attack technique named “MalDoc in PDF,” which evades detection by embedding a malicious Word document within a PDF file. This technique was employed in a July attack and is explained in detail in the referenced blog article. Despite having a PDF magic number and file structure, the MalDoc in PDF file can be opened in Word. If the file contains macros, opening it in Word triggers VBS execution for malicious actions.

The attacker’s approach involves appending an mht file with macros after the PDF file object before saving it. While the file’s signature appears to be a PDF, it functions as a Word document. Notably, conventional PDF analysis tools like pdfid might not identify the malicious components in this type of file, because the Word content does not sit in any PDF object. The unintended actions occur only upon opening it in Word; they remain concealed when using PDF viewers. Traditional sandboxes and antivirus software might also fail to detect it because they classify the file as a PDF.

To counter this technique, the OLEVBA analysis tool for malicious Word files remains effective. OLEVBA exposes embedded macros, allowing the identification of malicious segments through its analysis results. The article suggests using Yara rules for detection and proposes a warning screen when Excel files embedded in PDFs are opened, to counter similar attacks. This technique, however, does not circumvent settings that disable auto-execution of Word macros. Users are advised to interpret automated malware analysis outcomes for such files cautiously, given their PDF guise.

Severity:
Medium

Technical Impact Analysis:
Loss of Confidentiality, Loss of Integrity

Business Impact Analysis:
Financial Damage, Privacy Violation, Reputation Damage

Attack Surfaces:
Endpoint

Tactics:
Initial Access, Execution, Defense Evasion, Impact

Techniques:
T1193 – Spearphishing Attachment
T1106 – Execution through API
T1036 – File Signature Spoofing
T1070 – Indicator Removal on Host
T1089 – Disabling Security Tools
T1486 – Data Encrypted for Impact
T1485 – Data Destruction
T1561 – Disk Wipe

Indicators of Compromise:
https://otx.alienvault.com/pulse/64ef97171fd73f1836649cd0

References:
https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html

SuperPRO’s Threat Countermeasures Procedures:
1. Employ reputable antivirus and anti-malware software on your systems. Regularly update the software and run scans to detect and remove potential threats.
2. Verify the sender’s identity before opening any attachments.
3. Disable macros by default in applications like Microsoft Word, Excel, and PowerPoint.
4. Utilize tools like OLEVBA to analyze and identify potentially malicious macros in Word files. This can help you uncover hidden threats within documents.
5. Consider employing Yara rules for detection, especially for identifying files with embedded macros.
6. Ensure that all software, including operating systems, browsers, and applications, is up to date with the latest security patches.
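The following Python script is an added example, not part of this advisory and not JPCERT/CC's published rule or tooling. It implements the detection idea described in the technique summary above and in countermeasures 4 and 5: a file that starts with the PDF magic number, carries MHT (MIME HTML) headers, and contains Word or Excel markup after the last %%EOF, while a pdfid-style keyword scan of the PDF objects finds nothing. The two sample byte strings are constructed for this example and are not real malware; the marker lists and the analyze function are this example's own assumptions.

```python
import sys

# Constructed sample: a minimal PDF skeleton with an MHT Word document
# appended after the final %%EOF, mimicking the polyglot shape described
# in the advisory. Not real malware; the macro itself is omitted.
MALDOC_IN_PDF_SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_X"\n'
    b"Content-Location: file:///C:/example.htm\n"
    b'<html xmlns:w="urn:schemas-microsoft-com:office:word">\n'
    b"<!--[if gte mso 9]><xml><w:WordDocument></w:WordDocument></xml><![endif]-->\n"
    b"</html>\n"
)

# Constructed benign sample: the same PDF skeleton with nothing appended.
BENIGN_PDF_SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

PDF_MAGIC = b"%PDF"

# Headers that identify an MHT (Single File Web Page) container (assumed markers).
MHT_MARKERS = [b"mime-version:", b"content-location:", b"content-type:"]

# Office markup that tells Word or Excel what the MHT really is (assumed markers).
OFFICE_MARKERS = {
    "word": b"<w:worddocument>",
    "excel": b"<x:excelworkbook>",
}

# Keywords a pdfid-style scan counts inside PDF objects. A MalDoc in PDF
# keeps its payload outside the PDF structure, so these come back empty.
PDF_ACTIVE_KEYWORDS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"]


def analyze(data: bytes) -> dict:
    """Return the evidence a defender would want: PDF magic, MHT headers,
    Office markup, data appended after the last %%EOF, and the (empty)
    pdfid-style keyword hits."""
    lowered = data.lower()
    has_pdf_magic = data.startswith(PDF_MAGIC)
    mht_hits = [m.decode() for m in MHT_MARKERS if m in lowered]
    office_hits = [name for name, marker in OFFICE_MARKERS.items() if marker in lowered]
    pdf_keyword_hits = [k.decode() for k in PDF_ACTIVE_KEYWORDS if k in data]

    # Bytes that follow the final %%EOF marker, ignoring trailing whitespace.
    eof_index = data.rfind(b"%%EOF")
    trailing = data[eof_index + len(b"%%EOF"):].strip() if eof_index != -1 else data
    bytes_after_last_eof = len(trailing)

    # Verdict: PDF on the outside, MHT with Office markup on the inside.
    is_maldoc_in_pdf = has_pdf_magic and bool(mht_hits) and bool(office_hits)

    return {
        "has_pdf_magic": has_pdf_magic,
        "mht_markers": mht_hits,
        "office_markers": office_hits,
        "pdf_active_keywords": pdf_keyword_hits,
        "bytes_after_last_eof": bytes_after_last_eof,
        "maldoc_in_pdf": is_maldoc_in_pdf,
    }


def scan_path(path: str) -> dict:
    """Analyze a file on disk (hypothetical helper for command-line use)."""
    with open(path, "rb") as handle:
        return analyze(handle.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, scan_path(path))
    else:
        print("constructed maldoc sample:", analyze(MALDOC_IN_PDF_SAMPLE))
        print("constructed benign sample:", analyze(BENIGN_PDF_SAMPLE))
```

The design point is that the verdict rests on the combination of the three signals rather than any one of them: a PDF with benign data after %%EOF (incremental updates, for instance) or a standalone MHT file would each trip only one check, and a positive result should be followed by running olevba against the file to extract the macro. Excel markup is included because the advisory notes that the same trick works with Excel files.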

Contributed by: Narzwan