
MalDoc in PDF: Technique of Hiding Malicious Word Files into PDFs Raises Concern


Written by: Shipra Sanganeria, Cybersecurity & Tech Writer

Security researchers at Japan’s computer emergency response team (JPCERT) have discovered a new attack technique, dubbed “MalDoc in PDF”, that can evade antivirus detection.

This form of attack, in which a malicious Word file is embedded within a legitimate-looking PDF document, was observed during a July 2023 investigation of an in-the-wild attack.

Although the researchers did not share any information about the type of malware, they did offer technical details about the MalDoc in PDF campaign.

The seemingly harmless PDF file, which contains the malicious Word document and its VBS macro, can be opened in the Word application. As soon as the file is launched in MS Word, the macros execute their malicious activities.

In the confirmed attack, JPCERT observed that the document carried a .doc file extension rather than .pdf. “The attacker adds an mht file created in Word and with macro attached after the PDF file object and saves it. The created file is recognized as a PDF file in the file signature, but it can also be opened in Word,” the investigation further revealed.

According to the researchers, traditional PDF analysis tools such as “pdfid” may fail to detect the malicious components of such a file because of this dual nature. The file exhibits malicious behavior when opened in Word, while no such behavior can be observed when it is launched in a PDF viewer. “Since the file is recognized as a PDF file, existing sandbox or antivirus software may not detect it,” the advisory noted.

While “pdfid” was cited as ineffective for detecting this technique, the Word file analysis tool “OLEVBA” was identified as an effective countermeasure against it.

Furthermore, the agency shared a second countermeasure: a Yara rule for detecting this form of attack. In its demonstration, JPCERT embedded an Excel file in a PDF document; the rule displayed a warning when it detected a mismatch between the file’s extension and its actual content.
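A heuristic check in the spirit of that signature-versus-content rule, written in Python as an added example (it is neither JPCERT’s published rule nor code from the article); the marker strings and the constructed sample bytes are assumptions chosen for this illustration:

```python
import re
from dataclasses import dataclass, field

# Signature says PDF, but the body also carries an MHT (MIME HTML) container
# with Word/Excel markup: a PDF viewer renders the PDF part, Word parses the MHT.
# Marker strings are assumptions chosen for this example, not JPCERT's rule.
PDF_MAGIC = b"%PDF-"
MHT_MARKERS = [b"MIME-Version:", b"Content-Type: multipart/related", b"Content-Location:"]
OFFICE_MARKERS = [b"<w:WordDocument>", b"<x:ExcelWorkbook>", b"x-mso"]


@dataclass
class Verdict:
    is_pdf: bool
    mht_hits: list = field(default_factory=list)
    office_hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # All three together: PDF header, MHT container, Office markup
        return self.is_pdf and bool(self.mht_hits) and bool(self.office_hits)


def _find(data: bytes, markers) -> list:
    # Case-insensitive search, since MIME header names are case-insensitive
    return [m.decode() for m in markers if re.search(re.escape(m), data, re.IGNORECASE)]


def scan_bytes(data: bytes) -> Verdict:
    # Real PDFs start with %PDF- at offset 0; the polyglot keeps that header
    return Verdict(data.startswith(PDF_MAGIC), _find(data, MHT_MARKERS), _find(data, OFFICE_MARKERS))


def scan_file(path: str) -> Verdict:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed samples (no macro, no real document): a PDF stub, and the same
# stub with an MHT/Word fragment appended after the PDF objects.
CLEAN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
POLYGLOT = CLEAN_PDF + (
    b'MIME-Version: 1.0\nContent-Type: multipart/related; boundary="b"\n'
    b"--b\nContent-Location: file:///C:/doc.htm\nContent-Type: text/html\n\n"
    b'<html xmlns:w="urn:schemas-microsoft-com:office:word"><w:WordDocument>'
    b"</w:WordDocument></html>\n--b--\n"
)
```

Run `scan_file` over a suspicious download and treat `Verdict.suspicious` as a trigger for a closer look with OLEVBA, not as a final verdict.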

In conclusion, JPCERT stated that such techniques continue to pose a challenge for cybersecurity teams, as they can easily bypass antivirus software and execute malicious activities on any system.
