Japanese agency discovers malicious PDF that bypasses detection


A Japanese agency managed to detect a ‘MalDoc in PDF’ attack, involving PDFs with embedded malicious Word files that bypass detection by traditional PDF analysis tools.

On August 28th, Japan's computer emergency response team (JPCERT) released a blog post defining the technique that attackers are using to bypass detection and spread malicious PDFs.

JPCERT called the technique “MalDoc in PDF.” The malicious file has the magic numbers and file structure of a PDF; however, it can also be opened with Microsoft Office. When opened as a .doc file in Microsoft Word, it performs malicious behaviors.

Since the file has a PDF file’s structure and is recognized as one, it can confuse PDF analysis tools, sandboxes, and antivirus software, which then fail to detect the malicious parts embedded in the Word (MHT) portion of the file.

JPCERT explains that the MalDoc file is created by adding an mht file and macro to a "PDF" file object. According to the agency, an analysis tool for malicious Word files could be an effective countermeasure to this malicious attack technique, as it can indicate embedded macros in the file.
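The following is an added triage example, not JPCERT's tool or rule: it scans a file that starts with the PDF magic bytes for MHT (MIME HTML) and Word markers appended after the PDF objects, which is the structure the article describes. The marker strings, the threshold of two markers, and the constructed sample blobs are assumptions for illustration.

```python
import re
import sys

PDF_MAGIC = b"%PDF"

# Strings an MHT-format Word document carries. These are assumed heuristics,
# not an official signature; tune them against your own sample set.
MHT_MARKERS = {
    "mime-version": re.compile(rb"MIME-Version:", re.I),
    "multipart-related": re.compile(rb"Content-Type:\s*multipart/related", re.I),
    "mso-application": re.compile(rb"mso-application", re.I),
    "word-namespace": re.compile(rb"schemas-microsoft-com:office:word", re.I),
}


def scan_maldoc_in_pdf(data: bytes) -> dict:
    """Report whether a PDF-headed blob also carries MHT/Word markers."""
    is_pdf = data.startswith(PDF_MAGIC)
    hits = {name: rx.search(data) for name, rx in MHT_MARKERS.items()}
    found = [name for name, m in hits.items() if m]
    # Offset of the earliest marker: an appended document usually sits well past the header.
    first = min((m.start() for m in hits.values() if m), default=None)
    # Bytes after the last %%EOF are a classic sign of appended content.
    eof = data.rfind(b"%%EOF")
    trailing = len(data) - (eof + 5) if eof != -1 else None
    return {
        "pdf_header": is_pdf,
        "mht_markers": found,
        "first_marker_offset": first,
        "bytes_after_eof": trailing,
        "suspicious": is_pdf and len(found) >= 2,
    }


# Constructed samples: a PDF skeleton with MHT-style headers appended (no macro,
# no payload) and a clean PDF skeleton for comparison.
SAMPLE_POLYGLOT = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary=\"--b\"\r\n"
    b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\"></html>"
)
SAMPLE_CLEAN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    # Usage: python scan.py suspect.pdf
    with open(sys.argv[1], "rb") as fh:
        print(scan_maldoc_in_pdf(fh.read()))
```

A hit only says the file is worth opening in a Word/macro analysis tool, as JPCERT recommends; it is not proof of malicious content.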