The Japanese CERT (JPCERT) is currently warning about an attack technique it calls “MalDoc in PDF”. The technique hides a malicious Word document inside a PDF file, so that many analysis tools inspect only the PDF and miss the malicious code it carries.
One file – two file formats
In this case, the experts were dealing with a so-called polyglot file: a file that is valid in two different file formats and, depending on the application that opens it, is interpreted (and possibly executed) as more than one file type.
In the case of MalDoc in PDF, most programs recognise the file as a PDF, while Office applications open it as a Word document (.doc, .docx). This works because the file has a genuine PDF structure, beginning with the PDF magic number that most scanners and analysis tools key on, while the Word content it carries is what Word opens when the file is given a Word extension.
JPCERT has published the following video on YouTube showing how a MalDoc in PDF file behaves on Windows:
Macros download malicious code
In the cases examined, the PDF file carries a Word document in MHT format (MIME Encapsulation of Aggregate HTML Documents, i.e. a web-page archive) that contains a VBA macro. The macro downloads and installs a malicious MSI file. Because many virus scanners only see the PDF part, the malicious code slips through and runs as soon as the file is opened in Word with macros enabled. The attack does not bypass configured macro blocks: if macros are disabled or blocked by policy, the macro does not execute.
Nor are the macros executed when the file is opened in a PDF reader or similar software.
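As an added example (not JPCERT's or NoSpamProxy's code), the following Python script applies the check a scanner would need here: instead of stopping at the PDF magic number, it looks through the whole file for the MIME headers and Word XML markers of an MHT document. The marker strings, the constructed sample file and the assumption that Word stores its binary parts (including a VBA project) in an application/x-mso MIME part are illustrative choices, not indicators published with the JPCERT report.

```python
"""Heuristic check for 'MalDoc in PDF' style polyglots.

Added example, not code from JPCERT or NoSpamProxy. It flags a file that
starts with the PDF magic number but also carries the markers of a Word
document saved in MHT (MIME HTML) format. The marker strings are an
assumption about what Word writes into MHT files, not a published IOC list.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

PDF_MAGIC = b"%PDF-"

# Strings a Word-generated MHT file typically contains (assumed heuristics).
MHT_MARKERS = [
    ("mime-version", re.compile(rb"^MIME-Version:\s*1\.0", re.M | re.I)),
    ("multipart-related", re.compile(rb"^Content-Type:\s*multipart/related", re.M | re.I)),
    ("word-xml-island", re.compile(rb"<w:WordDocument>", re.I)),
]
# Assumption: Word keeps binary Office parts, including a VBA project, in an
# application/x-mso MIME part. Treat a hit as "macro possible", not "macro present".
MSO_PART = re.compile(rb"Content-Type:\s*application/x-mso", re.I)


@dataclass
class Verdict:
    is_pdf: bool            # file begins with %PDF-
    mht_hits: list[str]     # names of MHT markers found anywhere in the file
    has_mso_part: bool      # an application/x-mso part is present
    bytes_after_eof: int    # non-whitespace bytes after the last %%EOF

    @property
    def suspicious(self) -> bool:
        # A plain PDF does not contain MIME headers or Word XML islands.
        return self.is_pdf and len(self.mht_hits) >= 2


def inspect_bytes(data: bytes) -> Verdict:
    """Scan the raw bytes without parsing either format, so a Word payload
    tucked inside a PDF object is caught as well as one appended after %%EOF."""
    hits = [name for name, pat in MHT_MARKERS if pat.search(data)]
    eof = data.rfind(b"%%EOF")
    trailing = data[eof + len(b"%%EOF"):].strip() if eof != -1 else b""
    return Verdict(
        is_pdf=data.startswith(PDF_MAGIC),
        mht_hits=hits,
        has_mso_part=MSO_PART.search(data) is not None,
        bytes_after_eof=len(trailing),
    )


def inspect_file(path: str | Path) -> Verdict:
    return inspect_bytes(Path(path).read_bytes())


def build_sample() -> bytes:
    """Constructed, harmless sample: a PDF skeleton with a Word-style MHT
    appended. It carries the markers only; there is no macro code in it."""
    pdf = (
        b"%PDF-1.7\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )
    mht = (
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/related; boundary="----=_NextPart_01"\r\n\r\n'
        b"------=_NextPart_01\r\n"
        b"Content-Location: file:///C:/doc.htm\r\n"
        b'Content-Type: text/html; charset="us-ascii"\r\n\r\n'
        b"<html><head><xml><w:WordDocument><w:View>Print</w:View></w:WordDocument></xml>"
        b"</head><body></body></html>\r\n"
        b"------=_NextPart_01\r\n"
        b"Content-Location: file:///C:/editdata.mso\r\n"
        b"Content-Type: application/x-mso\r\n\r\n"
        b"AAAA\r\n"
        b"------=_NextPart_01--\r\n"
    )
    return pdf + mht


if __name__ == "__main__":
    targets = sys.argv[1:]
    verdicts = [(p, inspect_file(p)) for p in targets] or [
        ("<constructed sample>", inspect_bytes(build_sample()))
    ]
    for name, v in verdicts:
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{name}: {flag} pdf={v.is_pdf} mht={v.mht_hits} "
              f"mso={v.has_mso_part} after_eof={v.bytes_after_eof}")
```

Run it with file paths as arguments, or without arguments to inspect the built-in sample. The point of the design is that it does not trust the magic number: a PDF parser would stop at the structure it understands, whereas this scan reports what else the bytes contain. The bytes_after_eof figure is only a hint at where appended data sits; the verdict itself rests on the MHT markers.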
The security researchers state that they first observed MalDoc in PDF in an attack in July 2023. Details about the malware that is ultimately delivered are not yet available.
What NoSpamProxy customers must do now
NoSpamProxy customers are protected against MalDoc in PDF once the content filter is configured accordingly, which takes only a few steps.
NoSpamProxy classifies a MalDoc in PDF file as an unreadable PDF document. To reject such files, create a corresponding content filter set entry in your content filter.
Select the following conditions:
- the file type Unreadable PDF document and
- the file names *.doc and *.docx.
Setting the required conditions in NoSpamProxy Server
Setting the required conditions in NoSpamProxy Cloud
Reject all e-mails of this type using the appropriate content filter actions. Make sure that this content filter set entry is placed before (above) other Office-related entries, so that it takes effect before they do:
Order of content filter set entries in NoSpamProxy Server
Order of content filter set entries in NoSpamProxy Cloud
32Guards also protects against MalDoc in PDF
A corresponding detection is now also active in 32Guards: the described combination of file type (unreadable PDF document) and file name (*.doc, *.docx) is assigned 4 SCL (Spam Confidence Level) points.
Protection from MalDoc in PDF with NoSpamProxy Protection
With NoSpamProxy you reliably protect your company against malware attacks. Not using NoSpamProxy yet? Request your free trial version now!