A New Polyglot Attack Allowing Attackers to Evade Antivirus


MalDoc in PDF

Cybersecurity researchers have called attention to a new antivirus evasion technique that involves embedding a malicious Microsoft Word file into a PDF file.

The sneaky method, dubbed MalDoc in PDF by JPCERT/CC, is said to have been employed in an in-the-wild attack in July 2023.

“A file created with MalDoc in PDF can be opened in Word even though it has magic numbers and file structure of PDF,” researchers Yuma Masubuchi and Kota Kino said. “If the file has a configured macro, by opening it in Word, VBS runs and performs malicious behaviors.”

Such specially crafted files are called polyglots because they are simultaneously valid instances of more than one file format, in this case both PDF and Word (DOC).

The technique appends an MHT (MHTML) file, created in Word and carrying a macro, after the PDF file object. The end result is a valid PDF file that can also be opened in the Word application.

Put differently, the PDF document embeds within itself a Word document with a VBS macro that, if the file is opened as a .DOC in Microsoft Office, downloads and installs an MSI malware file. It is not immediately clear what malware was distributed in this fashion.
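A triage check for the structure described above, written as an added example for this article (it is not JPCERT/CC's detection rule or code). It treats a blob as suspicious when it carries a PDF header and, somewhere in the same bytes, the MIME headers of a Word-generated MHTML archive together with Word-specific markers. The marker strings, the minimal PDF and the MHT body below are constructed for the example; the `editdata.mso` part is a placeholder, not a real macro stream, and the function name `scan_pdf_for_mht` is my own.

```python
"""Flag PDF files that also carry a Word MHTML body (PDF/DOC polyglot triage)."""

PDF_MAGIC = b"%PDF"
# Headers present in any MHTML (MIME HTML) archive, which is what Word writes for .mht.
MHT_MARKERS = (b"MIME-Version:", b"Content-Type: multipart/related", b"Content-Location:")
# Markers specific to Word-generated MHTML; Office stores macro data in an ActiveMime part
# ("editdata.mso", served as application/x-mso). Assumed marker set, not an exhaustive one.
WORD_MARKERS = (b"<w:WordDocument>", b"editdata.mso", b"x-mso")


def scan_pdf_for_mht(data: bytes) -> dict:
    """Return findings for a blob that may be a PDF with an appended Word MHTML body."""
    lowered = data.lower()
    # PDF readers accept the header anywhere in the first 1024 bytes, so look there.
    is_pdf = PDF_MAGIC in data[:1024]
    mht_hits = [m.decode() for m in MHT_MARKERS if m.lower() in lowered]
    word_hits = [m.decode() for m in WORD_MARKERS if m.lower() in lowered]
    last_eof = data.rfind(b"%%EOF")
    first_mht = min(
        (lowered.find(m.lower()) for m in MHT_MARKERS if m.lower() in lowered),
        default=-1,
    )
    return {
        "is_pdf": is_pdf,
        "mht_markers": mht_hits,
        "word_markers": word_hits,
        # True when the MHT headers sit after the PDF's final %%EOF (the appended layout).
        "mht_after_pdf_eof": last_eof != -1 and first_mht > last_eof,
        "bytes_after_last_eof": (len(data) - last_eof - len(b"%%EOF")) if last_eof != -1 else 0,
        "suspicious": is_pdf and bool(mht_hits) and bool(word_hits),
    }


# Constructed minimal PDF (no pages) used as the benign baseline.
MINIMAL_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Constructed Word-style MHTML body; the base64 part is a placeholder, not a macro.
MHT_BODY = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_01D"\r\n\r\n'
    b"------=_NextPart_01D\r\n"
    b"Content-Location: file:///C:/x/doc.htm\r\n"
    b'Content-Type: text/html; charset="windows-1252"\r\n\r\n'
    b'<html xmlns:w="urn:schemas-microsoft-com:office:word"><head>'
    b"<xml><w:WordDocument><w:View>Print</w:View></w:WordDocument></xml>"
    b"</head><body></body></html>\r\n"
    b"------=_NextPart_01D\r\n"
    b"Content-Location: file:///C:/x/editdata.mso\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Type: application/x-mso\r\n\r\n"
    b"QWN0aXZlTWltZQ==\r\n"
    b"------=_NextPart_01D--\r\n"
)

# PDF first, MHT appended after it: valid PDF that Word will also open as MHTML.
POLYGLOT = MINIMAL_PDF + MHT_BODY


if __name__ == "__main__":
    for name, blob in (("clean pdf", MINIMAL_PDF), ("polyglot", POLYGLOT), ("bare mht", MHT_BODY)):
        print(name, scan_pdf_for_mht(blob))
```

The check is deliberately byte-based rather than parser-based: a PDF library stops at the trailer and never sees the appended MHTML, which is exactly why signature-only scanning keyed on the `%PDF` magic misses these files. Anything that triggers `suspicious` should be detonated or opened in Word under Protected View for confirmation.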


“When a document is downloaded from the internet or email, it’ll carry a MotW,” security researcher Will Dormann said. “As such, the user will have to click ‘Enable Editing’ to exit Protected View. At which point they’ll learn that macros are disabled.”

While real-world attacks leveraging MalDoc in PDF were observed a little over a month ago, there is evidence to suggest that the technique was being experimented with (a sample named “DummymhtmldocmacroDoc.doc”) as early as May, Dormann highlighted.

The development comes amid a spike in phishing campaigns using QR codes to propagate malicious URLs, a technique called qishing.

“The samples we have observed using this technique are primarily disguised as multi-factor authentication (MFA) notifications, which lure their victims into scanning the QR code with their mobile phones to gain access,” Trustwave said last week.


“However, instead of going to the target’s desired location, the QR code leads them to the threat actor’s phishing page.”

One such campaign targeting the Microsoft credentials of users has witnessed an…
