Cybercriminals are always looking for new ways to evade security systems and deliver malware. To stay one step ahead, security researchers actively look for and disclose new attack techniques to raise awareness. Recently, researchers from JPCERT/CC discovered a new polyglot security evasion technique that uses PDF files to bypass malware detection and deliver infected Word documents containing malicious macros. JPCERT named this technique “MalDoc in PDF”.
In this blog post, we explain how the MalDoc in PDF attack works and how security engineers can upgrade their defenses against this ingenious new technique. Let’s get started!
What is a Polyglot File?
A polyglot file is a file that is valid in multiple file formats. This allows the file to exhibit different behaviors when interpreted by different programs. For example, a file can be both a valid PDF and a Word document at the same time. When opened in a PDF reader, it will display like a PDF. But when opened in Word, it will exhibit Word document properties.
Attackers abuse this to bypass security filters looking for one type of malicious file. If a system expects a PDF, the polyglot Word/PDF document will appear benign. But when opened in Word, it can launch malware.
Polyglot documents provide an evasion technique to deliver malware while appearing harmless. The file’s “true” nature is hidden until it is interpreted by the right program. This advanced obfuscation allows attackers to bypass static signature-based malware detection that relies on predictable file magic numbers and formatting.
Analyzing ambiguous polyglot files requires looking beyond just superficial structure and content. The file’s behavior, when run in different environments, reveals its malicious intent. Security teams need effective dynamic and behavioral analysis capabilities to detect polyglot malware evasion attempts.
Summary of the MalDoc in PDF Attack
On August 28, 2023, JPCERT/CC researchers Yuma Masubuchi and Kota Kino disclosed details about the new MalDoc in PDF technique observed in July 2023. This method embeds a malicious Word document inside a PDF file. The resulting file has PDF properties but can also be opened in Word.
If the embedded Word document contains malicious macros, this technique can bypass PDF malware detection. When users open the PDF in Word, it will launch the macros and infect the system. The malware remains stealthy as long as the file is not examined too closely.
In the observed attack, the file used a .doc extension. So, on systems with .doc files set to open in Word by default, the MalDoc in PDF file would automatically launch in Word rather than a PDF reader.
JPCERT’s analysis found the MalDoc in PDF file contains a complete PDF file structure first. The attacker embeds a malicious Word MHT file (MHTML web archive format) after the PDF content. The file still has the PDF magic numbers and structure but now also contains accessible Word content.
Dump view shared by JPCERT
Security researchers noted that common PDF malware analysis tools like pdfid fail to detect the embedded malicious content. The file only exhibits malicious behavior when opened with Word, not with PDF software, so automated systems are unlikely to flag it as suspicious.
Measures to Prevent MalDoc in PDF Attacks
Analyzing and identifying such obfuscated file types is a troublesome task. Defending against security evasion techniques like MalDoc in PDF requires a proactive defense-in-depth approach:
- Analyze internal file structures – Use tools like OLEVBA to look inside PDFs for embedded Office documents and macros. Static scanning of just headers is not enough.
- Monitor application launching – Detect unexpected executions like a PDF opening Word, which could indicate evasion.
- Harden configurations – Disable auto-execution of macros in Office products. This prevents infection even if malicious files slip through.
- Educate users – Train staff on the risks of enabling macros from untrusted sources. Empower them to identify and report suspicious behaviors.
- Employ dynamic analysis – Leverage sandboxing and behavioral monitoring to identify malware missed by static scanning.
- Tune detections – Create custom signatures to flag polyglot techniques and embedded Office documents in PDFs.
- Stay informed – Closely follow disclosure of new evasion methods by researchers to close gaps proactively.
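The file layout described in the summary (a complete PDF structure followed by an appended Word MHT file) is exactly what the “Analyze internal file structures” and “Tune detections” items above call for checking. As an added example, not JPCERT’s tooling or this post’s own code, the Python scanner below confirms the PDF header, then inspects whatever follows the final %%EOF marker for MHTML markers. The minimal PDF and MHT fragment it carries are constructed test inputs with no macro content.

```python
"""Flag PDF files that carry trailing MHTML (Word MHT) content after the
last %%EOF marker, the layout JPCERT described for MalDoc in PDF.
Added example, not JPCERT's tooling; all sample bytes are constructed."""
import sys

PDF_MAGIC = b"%PDF-"
# Header fields a Word MHT (MHTML web archive) carries in its MIME block.
MHT_MARKERS = (b"MIME-Version:", b"multipart/related", b"Content-Location:")


def trailing_data(blob: bytes) -> bytes:
    """Return the bytes after the last %%EOF marker (empty if none).
    rfind handles PDFs with incremental updates (several %%EOF markers)."""
    idx = blob.rfind(b"%%EOF")
    if idx == -1:
        return b""
    return blob[idx + len(b"%%EOF"):].lstrip(b"\r\n")


def scan_pdf_polyglot(blob: bytes) -> dict:
    """Classify a file: PDF or not, how much data trails the final %%EOF,
    and whether that tail looks like an MHTML archive."""
    # PDF readers accept the header anywhere in the first 1024 bytes.
    is_pdf = PDF_MAGIC in blob[:1024]
    tail = trailing_data(blob) if is_pdf else b""
    markers = [m.decode() for m in MHT_MARKERS if m in tail]
    return {
        "is_pdf": is_pdf,
        "trailing_bytes": len(tail),
        "mht_markers": markers,
        "suspicious": is_pdf and bool(markers),
    }


# Constructed minimal PDF (not a real document) and a constructed MHT
# fragment with no macro content; used only to exercise the scanner.
MINIMAL_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
               b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
               b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
MHT_FRAGMENT = (b"MIME-Version: 1.0\r\nContent-Type: multipart/related; "
                b"boundary=\"----=_NextPart_constructed\"\r\n\r\n"
                b"------=_NextPart_constructed\r\nContent-Type: text/html\r\n\r\n"
                b"<html><body>constructed sample</body></html>\r\n")
POLYGLOT_SAMPLE = MINIMAL_PDF + MHT_FRAGMENT

if __name__ == "__main__":
    # Scan a file given on the command line, else the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else POLYGLOT_SAMPLE
    print(scan_pdf_polyglot(data))
```

A hit from this scanner is a reason to hand the file to olevba or a sandbox, not a verdict on its own, since a benign PDF may also carry harmless data after %%EOF.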
With advanced threats, there is no single magic bullet. Organizations need layered security, constant tuning, and collaboration between defensive teams to counter innovative attacks like MalDoc in PDF. But with proper preparation and adoption of emerging detection methods, even sophisticated threats can be made visible and stopped.
The Bottom Line
Attackers are becoming more creative in designing cyber attacks. They always try to come back with new ways to bypass security systems using techniques like polyglot files. Ongoing collaboration between security researchers, vendors, and defenders is crucial to get ahead of novel threats. Paying attention to disclosures of new attack methods allows organizations to proactively defend against them before they become widespread. The early warning provided by JPCERT about MalDoc in PDF attacks gives the community a valuable head start.