Threat actors have been leveraging malicious PDF attachments to distribute the Snake Keylogger malware, according to BleepingComputer.

The malware campaign commences with the delivery of an email carrying a PDF file dubbed "Remittance Invoice," which when opened triggers Adobe Reader to open an attached DOCX file, an HP Wolf Security report showed. Because the attackers named the document "has been verified," recipients may be deceived into believing that the file has been marked as safe by Adobe. Opening the DOCX in Microsoft Word may then, if macros are enabled, download and open an RTF file dubbed "f_document_shp.doc."
Researchers discovered malformed OLE objects embedded in the RTF document, an attempt to evade detection and analysis. Moreover, the shellcode deployed by the document exploits a remote code execution vulnerability in Equation Editor, tracked as CVE-2017-11882, to achieve arbitrary code execution.
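The first stage of the chain described above relies on a PDF that carries an Office document as an embedded file. The following Python triage check is an added example, not code from the report or from the malware; it is a raw-bytes heuristic that lists `/Filespec` attachment names in a PDF and flags Office-document attachments and "verified"-style lure names. The sample PDF is constructed for the example, and the check does not decompress object streams or decode hex-encoded names (both assumptions of this simplified version).

```python
import os
import re

# Office/RTF extensions worth flagging when they appear as PDF attachments.
OFFICE_EXTENSIONS = {".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx"}

# A file attachment is described by a /Filespec dictionary; its name is in /F or /UF.
_FILESPEC_RE = re.compile(rb"/Type\s*/Filespec")
# Only literal (parenthesised) strings are matched, so the "/F 5 0 R" reference
# inside the nested /EF dictionary is not mistaken for a filename.
_NAME_RE = re.compile(rb"/(?:UF|F)\s*\((?P<name>(?:\\.|[^\\)])*)\)")


def embedded_file_names(pdf_bytes: bytes) -> list:
    """Return the attachment filenames declared by /Filespec dictionaries."""
    names = []
    for m in _FILESPEC_RE.finditer(pdf_bytes):
        window = pdf_bytes[m.end(): m.end() + 1024]  # assume the name follows within 1 KiB
        n = _NAME_RE.search(window)
        if n:
            raw = re.sub(rb"\\(.)", rb"\1", n.group("name"))  # drop simple PDF escapes
            names.append(raw.decode("latin-1"))
    return names


def triage_pdf_attachments(pdf_bytes: bytes) -> list:
    """Flag attachments that are Office documents or carry a trust-implying lure name."""
    findings = []
    for name in embedded_file_names(pdf_bytes):
        ext = os.path.splitext(name.lower())[1]
        findings.append({
            "name": name,
            "office_document": ext in OFFICE_EXTENSIONS,
            "lure_name": "verified" in name.lower(),
        })
    return findings


# Constructed sample: a minimal PDF with one embedded DOCX named like the lure in the report.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles << /Names [(has been verified.docx) 4 0 R] >> >> >> endobj\n"
    b"4 0 obj << /Type /Filespec /F (has been verified.docx) /EF << /F 5 0 R >> >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nPK..\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for f in triage_pdf_attachments(SAMPLE_PDF):
        print(f)
```

A PDF with no `/Filespec` dictionaries yields no findings, so the check is useful as a cheap first-pass filter ahead of full parsing with a proper PDF library.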