The Perils of Phishing Attacks: MalDoc in PDF
Japan's computer emergency response team (JPCERT) has discovered an innovative phishing attack technique known as the 'MalDoc in PDF' attack. This technique, observed in July 2023, involves the use of polyglot files to embed malicious Word documents within benign-seeming PDFs. By exploiting the ambiguity of file formats, cybercriminals aim to bypass traditional detection mechanisms and increase the effectiveness of their attacks.
Attack Details
The 'MalDoc in PDF' technique leverages polyglot files, recognized as both PDFs and Word documents. When opened in Microsoft Office as a Word document, the embedded VBS macro triggers the download and installation of an MSI malware file. The specific malware type delivered through this method has not been disclosed by JPCERT.
Evasion Strategies
The attackers exploit the inherent differences in how various analysis tools examine files. Conventional PDF analysis tools and automated scanners focus on the outer PDF layer, while the malicious content resides within the Word document. The defence strategy against this technique involves disabling auto-execution of macros in Microsoft Office. Users can prevent the execution of the VBS macro by manually disabling macros or unblocking files. Employing multi-layered defences, advanced analysis tools, and user education is critical to mitigating the risks posed by this attack.
Recommendations
To safeguard against the 'MalDoc in PDF' attack and similar threats, the following actions are recommended:
- Be cautious when opening attachments, especially from unknown or suspicious sources.
- Disable auto-execution of macros in Microsoft Office settings, reducing the risk associated with VBS macro execution.
- Verify files from trusted sources before opening them, even if they appear to be common document formats.
- Keep operating systems, software, and security solutions updated to ensure access to the latest security patches and enhancements.
JPCERT has shared a Yara rule to aid in detecting files that use the 'MalDoc in PDF' technique. The rule checks whether a file begins with a PDF signature and also contains patterns consistent with Word documents, Excel workbooks, or MHT files. The rule is aimed at the evasion tactic identified by JPCERT.
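The detection logic described above, written out as an added Python example that is not JPCERT's rule and not code from the original article. It mirrors the rule's structure (a PDF signature at offset 0, plus MHT headers, plus Word or Excel document markup) over constructed sample files; the marker strings, the `classify` and `is_maldoc_in_pdf` function names and the sample bytes are assumptions chosen for this illustration.

```python
import struct

# Marker strings are assumptions modelling the described rule: a Word-in-PDF
# or Excel-in-PDF polyglot is an MHT (MIME HTML) payload that Office opens as
# a document, so it carries MIME headers plus Office-specific XML tags.
MHT_MARKERS = (b"mime", b"content-location:", b"content-type:")
WORD_MARKERS = (b"<w:worddocument>",)
EXCEL_MARKERS = (b"<x:excelworkbook>",)
PDF_MAGIC_LE = 0x46445025  # b"%PDF" read as a little-endian uint32 at offset 0


def classify(data: bytes) -> dict:
    """Return which components of the heuristic match for a blob of file data.

    String checks are case-insensitive, like a `nocase` Yara string; the header
    check is equivalent to Yara's `uint32(0) == 0x46445025`.
    """
    lowered = data.lower()
    return {
        "pdf_header": len(data) >= 4
        and struct.unpack("<I", data[:4])[0] == PDF_MAGIC_LE,
        "mht": any(m in lowered for m in MHT_MARKERS),
        "word": any(m in lowered for m in WORD_MARKERS),
        "excel": any(m in lowered for m in EXCEL_MARKERS),
    }


def is_maldoc_in_pdf(data: bytes) -> bool:
    """Flag a file that starts as a PDF but also carries MHT headers and
    Word or Excel document markup further in (a polyglot candidate)."""
    c = classify(data)
    return c["pdf_header"] and c["mht"] and (c["word"] or c["excel"])


# Constructed samples (not real malware): a minimal benign PDF, a PDF with an
# MHT Word document appended, and an MHT Word document with no PDF header.
BENIGN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

POLYGLOT_SAMPLE = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_X"\r\n\r\n'
    b"------=_NextPart_X\r\n"
    b"Content-Location: file:///C:/doc.htm\r\n"
    b'Content-Type: text/html; charset="us-ascii"\r\n\r\n'
    b"<html><head><xml><w:WordDocument><w:View>Normal</w:View>"
    b"</w:WordDocument></xml></head></html>\r\n"
)

PLAIN_MHT = b"MIME-Version: 1.0\r\nContent-Type: text/html\r\n<w:WordDocument/>"


if __name__ == "__main__":
    import sys

    # With file paths on the command line, scan those; otherwise run the
    # constructed samples so the script demonstrates itself offline.
    if sys.argv[1:]:
        blobs = []
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                blobs.append((path, fh.read()))
    else:
        blobs = [
            ("benign.pdf", BENIGN_PDF),
            ("polyglot.pdf", POLYGLOT_SAMPLE),
            ("plain.mht", PLAIN_MHT),
        ]
    for name, blob in blobs:
        verdict = "FLAGGED" if is_maldoc_in_pdf(blob) else "clean"
        print(f"{name}: {verdict} {classify(blob)}")
```

The MHT header strings on their own are weak evidence (the word "mime" can appear in ordinary PDFs), which is why the condition also requires Word or Excel markup before a file is flagged; a scanner that stops at the outer PDF layer never reads far enough to see those markers, which is the gap the technique relies on.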
To conclude, the 'MalDoc in PDF' technique highlights the ever-evolving nature of cyber threats. By embedding malicious Word files within polyglot PDFs, attackers challenge traditional detection mechanisms. Vigilance, user education, and a comprehensive defence approach are essential in countering this evolving threat landscape.