Researchers Uncover 'MalDoc in PDF,' a Stealthy New Antivirus Evasion Technique

Cybersecurity researchers from JPCERT/CC have unveiled a novel and sophisticated technique for evading antivirus systems called "MalDoc in PDF." This discovery emerged from an investigation of an in-the-wild attack that occurred in July 2023.

What is MalDoc in PDF?

According to Yuma Masubuchi and Kota Kino, the researchers who made the discovery, "a file created with MalDoc in PDF can be opened in Word even though it has magic numbers and file structure of PDF. If the file has configured macro, by opening it in Word, VBS runs and performs malicious behaviors. In the attack confirmed by JPCERT/CC, the file extension was .doc. Therefore, if a .doc file is configured to open in Word in Windows settings, the file created by MalDoc in PDF is opened as a Word file."

The Polyglot Dilemma

Files exhibiting this behavior are known as polyglots, legitimate forms of multiple file types. In this case, the MalDoc in PDF polyglot mimics both PDF and DOC (Word) files. The attackers achieve this by using an MHT file created in Word with a macro attached after the PDF file object.

This creates a file that appears to be a valid PDF but can also be opened in Word. When opened as a DOC in Microsoft Office, the file executes VBS macros designed to download and deploy MSI malware files.

The Challenge of Detection

Traditional PDF analysis tools such as pdfid may fail to recognize the malicious components of such files.

Due to the duality of the file created with MalDoc in PDF, analyzing it using traditional PDF analysis tools such as pdfid might not reveal its malicious components, according to the researchers.

While some of the news is good, such as the ability of Word file analysis tools like OLEVBA to detect embedded macros in these rogue documents, the technique still presents significant challenges.

One silver lining is that a similar technique involving Excel files triggered a warning message, alerting the user to the risk.

Implications and Precautions

While MalDoc in PDF doesn't bypass settings that disable auto-execution of Word macros, the technique can still deceive antivirus systems into thinking the malicious file is a simple PDF. This underscores the need for continued vigilance and advanced detection methods to counteract the ever-evolving tactics of cybercriminals.

As cybersecurity experts scramble for solutions, users are advised to be cautious when opening unfamiliar DOC or PDF files and to keep their antivirus software up-to-date.

For now, the specific malware deployed through this technique remains unidentified, but the investigation continues, and updates are expected soon.