Hackers Using PDF Maldocs to Evade Detection in Japan

Malicious Word Files Hiding Inside PDF Files Execute Configured Macros
Japanese government investigators said cybercriminals are employing a new technique that tricks users into downloading malicious Word files disguised as harmless PDFs.

Japan's Computer Emergency Response Team found that cybercriminals in July used the "maldocs" technique to bypass traditional malware detection in attacks on Japanese entities, JPCERT analyst Yuma Masubuchi said in a blog post. Maldocs are files that contain self-executing code and require user permission to execute. These files include PDFs with embedded malicious JavaScript or Microsoft Office documents with embedded VBA macros.

JPCERT observed threat actors embedding malicious Word files in PDFs. When the PDF is opened, it triggers the embedded Word file to open in Microsoft Word, and the malicious macro can then execute, potentially causing harm to the target system or data.

Threat actors also used .doc as the file extension to ensure the malicious document would open in Word even if it had the magic numbers and file structure of a PDF.

Masubuchi said it is highly unlikely that any PDF analysis tool, such as PDFiD, would detect malicious code in the maldoc, and the same is the case with existing sandbox or antivirus software as the system recognizes the file as a PDF. The file, if opened in a PDF viewer, does not display any malicious behavior, but it executes malicious code if opened in Microsoft Word.

He said certain analysis tools for Microsoft Word files, such as Olevba, can detect malicious code in the maldoc as the software reads the embedded macros and analyzes the malicious code separately.
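The gap described above comes from choosing analyzers by detected content type alone. The following triage sketch is an added example, not code from JPCERT or this article: it flags files whose content carries PDF magic while the extension sends them to Word, and routes them to macro analysis as well. The function names, the analyzer labels and the sample bytes are assumptions made for illustration.

```python
import os

# Well-known file signatures: PDF header, OLE2 compound file (legacy .doc),
# ZIP container (.docx/.docm).
PDF_MAGIC = b"%PDF-"
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
ZIP_MAGIC = b"PK\x03\x04"
# Extensions normally associated with Microsoft Word.
WORD_EXTENSIONS = {".doc", ".docx", ".docm", ".dot", ".dotm"}

# Constructed sample: a minimal PDF skeleton followed by inert placeholder
# bytes standing in for the appended Word content. No macro is included.
SAMPLE_PDF_BODY = (b"%PDF-1.7\n1 0 obj\n<< >>\nendobj\n%%EOF\n"
                   b"[constructed placeholder for embedded Word data]")


def sniff_type(data: bytes) -> str:
    """Classify content by magic number only, as a type-sniffing scanner does."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if PDF_MAGIC in data[:1024]:  # tolerate a few bytes before the header
        return "pdf"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Pick analyzers from BOTH the content type and the program that will open it."""
    content = sniff_type(data)
    ext = os.path.splitext(filename)[1].lower()
    opens_in_word = ext in WORD_EXTENSIONS
    analyzers = set()
    if content == "pdf":
        analyzers.add("pdf")
    if content in ("ole2", "zip") or opens_in_word:
        # Word will parse this file, so macro extraction must run on it too.
        analyzers.add("office-macro")
    return {
        "content": content,
        "extension": ext,
        "mismatch": content == "pdf" and opens_in_word,
        "analyzers": sorted(analyzers),
    }


if __name__ == "__main__":
    for name in ("invoice.doc", "invoice.pdf"):
        print(name, triage(name, SAMPLE_PDF_BODY))
```

A file flagged with `mismatch` is the case the article describes: it would be handed to a macro-aware tool such as olevba in addition to any PDF analysis.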

JPCERT's warning arrives not long after suspected Chinese APT groups exploited a 17-year-old Microsoft Office vulnerability in May to launch malware attacks against foreign government officials who attended a G7 summit in Hiroshima (see: Chinese Hackers Targeted G7 Summit Through MS Office Flaw).

More recently, Chinese nation-state hackers reportedly compromised U.S. Ambassador to China Nicholas Burns' email account by exploiting a zero-day vulnerability in Microsoft Office and using forged authentication tokens to gain access to the email account.

The hacker group, identified as Storm-0558 by Microsoft, also breached the email accounts of officials at 25 different organizations worldwide, including the U.S. departments of State and Commerce.

About the Author

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.
