MalDoc in PDFs: Hiding malicious Word docs in PDF files


Japan’s computer emergency response team (JPCERT) is sharing a new ‘MalDoc in PDF’ attack detected in July 2023 that bypasses detection by embedding malicious Word files into PDFs.

The file sampled by JPCERT is a polyglot recognized by most scanning engines and tools as a PDF, yet office applications can open it as a regular Word document (.doc).

Polyglots are files that contain two distinct file formats that can be interpreted and executed as more than one file type, depending on the application reading/opening them.

For example, the malicious documents in this campaign are a combination of PDF and Word documents, which can be opened as either file format.

Typically, threat actors use polyglots to evade detection or confuse analysis tools, as these files may appear innocuous in one format while hiding malicious code in the other.

Read more…