Cybercriminals are always looking for new ways to evade security systems and deliver malware. To stay one step ahead, security researchers actively look for and disclose new attack techniques to raise awareness. Recently, researchers from JPCERT/CC discovered a new polyglot security evasion technique that uses PDF files to bypass malware detection and deliver infected Word documents containing malicious macros. JPCERT named this technique “MalDoc in PDF”.
In this blog post, we explain how the MalDoc in PDF attack works and how security engineers can upgrade their defenses against this ingenious new technique. Let’s get started!
A polyglot file is a file that is valid in multiple file formats. This allows the file to exhibit different behaviors when interpreted by different programs. For example, a file can be both a valid PDF and a Word document at the same time. When opened in a PDF reader, it will display like a PDF. But when opened in Word, it will exhibit Word document properties.
Attackers abuse this to bypass security filters looking for one type of malicious file. If a system expects a PDF, the polyglot Word/PDF document will appear benign. But when opened in Word, it can launch malware.
Polyglot documents provide an evasion technique to deliver malware while appearing harmless. The file’s “true” nature is hidden until it is interpreted by the right program. This advanced obfuscation allows attackers to bypass static signature-based malware detection that relies on predictable file magic numbers and formatting.
Analyzing ambiguous polyglot files requires looking beyond just superficial structure and content. The file’s behavior, when run in different environments, reveals its malicious intent. Security teams need effective dynamic and behavioral analysis capabilities to detect polyglot malware evasion attempts.
On August 28, 2023, JPCERT/CC researchers Yuma Masubuchi and Kota Kino disclosed details about the new MalDoc in PDF technique observed in July 2023. This method embeds a malicious Word document inside a PDF file. The resulting file has PDF properties but can also be opened in Word.
If the embedded Word document contains malicious macros, this technique can bypass PDF malware detection. When users open the PDF in Word, it will launch the macros and infect the system. The malware remains stealthy as long as the file is not examined too closely.
In the observed attack, the file used a .doc extension. So, on systems with .doc files set to open in Word by default, the MalDoc in PDF file would automatically launch in Word rather than a PDF reader.
JPCERT’s analysis found the MalDoc in PDF file contains a complete PDF file structure first. The attacker embeds a malicious Word MHT file (MHTML web archive format) after the PDF content. The file still has the PDF magic numbers and structure but now also contains accessible Word content.
Dump view shared by JPCERT
Security researchers noted that common PDF malware tools like pdfid fail to detect the embedded malicious content. The file only exhibits malicious behavior when opened with Word, not with PDF software. So automated systems are unlikely to flag it as suspicious.
Measures to Prevent MalDoc in PDF Attacks
Analyzing and identifying such obfuscated file types is a troublesome task. Defending against security evasion techniques like MalDoc in PDF requires a proactive defense-in-depth approach:
Analyze internal file structures – Use tools like OLEVBA to look inside PDFs for embedded Office documents and macros. Static scanning of just headers is not enough.
Monitor application launching – Detect unexpected executions like a PDF opening Word, which could indicate evasion.
Harden configurations – Disable auto-execution of macros in Office products. This prevents infection even if malicious files slip through.
Educate users – Train staff on the risks of enabling macros from untrusted sources. Empower them to identify and report suspicious behaviors.
Employ dynamic analysis – Leverage sandboxing and behavioral monitoring to identify malware missed by static scanning.
Tune detections – Create custom signatures to flag polyglot techniques and embedded Office documents in PDFs.
Stay informed – Closely follow disclosure of new evasion methods by researchers to close gaps proactively.
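To make the “analyze internal file structures” and “tune detections” points concrete, here is a small added example (written for this post, not JPCERT’s or any vendor’s tooling) that applies the layout described above: a complete PDF first, then a Word MHT archive appended after the PDF’s final %%EOF. The script treats Word MHTML headers found after %%EOF as a strong signal and the same headers anywhere in the file as a weaker one. The marker strings are an assumed indicator set drawn from Word’s MHTML conventions, and the sample inputs are constructed, not real malware.

```python
"""Flag a PDF that carries an appended Word MHTML (MHT) archive.

Added example for the MalDoc in PDF write-up; not JPCERT's own tooling.
"""

PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"

# Strings typical of a Word-saved MHT archive and of the embedded VBA
# container (editdata.mso) it carries. Assumed indicator set based on
# Word's MHTML conventions; tune it against your own sample corpus.
MHT_MARKERS = (
    b"MIME-Version:",
    b"Content-Type: multipart/related",
    b"urn:schemas-microsoft-com:office:word",
    b"application/x-mso",
    b"editdata.mso",
)


def pdf_body_end(data: bytes) -> int:
    """Offset just past the last %%EOF marker, or -1 if there is none.

    Incremental PDF updates each append their own xref/trailer/%%EOF,
    so the last marker is the genuine end of the PDF content.
    """
    idx = data.rfind(PDF_EOF)
    return -1 if idx == -1 else idx + len(PDF_EOF)


def analyze(data: bytes) -> dict:
    """Return a verdict dict for one file's raw bytes."""
    report = {
        "is_pdf": data.startswith(PDF_MAGIC),
        "trailing_bytes": 0,
        "markers_after_eof": [],
        "markers_anywhere": [],
        "suspicious": False,
    }
    if not report["is_pdf"]:
        return report

    end = pdf_body_end(data)
    trailer = data[end:] if end != -1 else b""
    # Benign writers may leave a newline after %%EOF; ignore bare whitespace.
    report["trailing_bytes"] = len(trailer.strip(b"\r\n\t "))
    report["markers_after_eof"] = [m.decode() for m in MHT_MARKERS if m in trailer]
    report["markers_anywhere"] = [m.decode() for m in MHT_MARKERS if m in data]

    # Strong signal: Word MHT headers sitting after the PDF ends.
    # Weaker signal: two or more of the same headers anywhere in the file.
    report["suspicious"] = bool(report["markers_after_eof"]) or len(
        report["markers_anywhere"]
    ) >= 2
    return report


def scan_path(path: str) -> dict:
    """Convenience wrapper: analyze a file on disk."""
    with open(path, "rb") as fh:
        return analyze(fh.read())


# Constructed sample inputs (not real malware): a minimal PDF and a
# Word-style MHT archive appended after its %%EOF.
CLEAN_PDF = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
    b"xref\n0 3\n0000000000 65535 f \ntrailer<</Root 1 0 R/Size 3>>\n"
    b"startxref\n9\n%%EOF\n"
)

APPENDED_MHT = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_01D9"\r\n'
    b"\r\n------=_NextPart_01D9\r\n"
    b"Content-Location: file:///C:/example/doc.htm\r\n"
    b'Content-Type: text/html; charset="us-ascii"\r\n\r\n'
    b'<html xmlns:w="urn:schemas-microsoft-com:office:word"></html>\r\n'
    b"------=_NextPart_01D9\r\n"
    b"Content-Location: file:///C:/example/editdata.mso\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Type: application/x-mso\r\n\r\n"
    b"QWN0aXZlTWltZQ==\r\n"  # base64 of the literal text "ActiveMime"
    b"------=_NextPart_01D9--\r\n"
)

POLYGLOT = CLEAN_PDF + APPENDED_MHT

if __name__ == "__main__":
    for name, blob in (("clean.pdf", CLEAN_PDF), ("polyglot.doc", POLYGLOT)):
        verdict = analyze(blob)
        print(f"{name}: suspicious={verdict['suspicious']} "
              f"after_eof={verdict['markers_after_eof']}")
```

Run it over a directory of attachments via scan_path() and route anything with a non-empty markers_after_eof list to sandbox or OLEVBA analysis; a file that opens as a PDF but has Word MHT headers after %%EOF matches the structure described above and is a far better trigger than header-only magic-number checks.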
With advanced threats, there is no single magic bullet. Organizations need layered security, constant tuning, and collaboration between defensive teams to counter innovative attacks like MalDoc in PDF. But with proper preparation and adoption of emerging detection methods, even sophisticated threats can be made visible and stopped.
The Bottom Line
Attackers are becoming more creative in designing cyber attacks. They keep finding new ways to bypass security systems, using techniques like polyglot files. Ongoing collaboration between security researchers, vendors, and defenders is crucial to get ahead of novel threats. Paying attention to disclosures of new attack methods allows organizations to proactively defend against them before they become widespread. The early warning provided by JPCERT about MalDoc in PDF attacks gives the community a valuable head start.
We hope this post has helped you understand polyglot files, how the MalDoc in PDF attack works, and how security engineers can upgrade their defenses against this ingenious new technique. Visit our website thesecmaster.com and our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram, and subscribe to receive updates like this.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.