New attack involves embedded Word files in PDFs

BleepingComputer reports that malicious Word files have been embedded into PDFs as polyglots in a new "MalDoc in PDF" attack last month that aimed to evade detection. Identified PDF files contained a Word document with a VBS macro enabling the download and installation of an MSI malware file, according to Japan's Computer Emergency Response Team. However, security settings deactivating automated execution of macros on Microsoft Office are not evaded by MalDoc in PDF, said JPCERT. While traditional PDF analysis tools and other automated analysis systems could not identify MalDoc in PDF, malicious polyglots could be detected by the OLEVBA analysis tool, noted JPCERT, which also emphasized the importance of multi-layered defenses in preventing threats posed by polyglot files. Moreover, security defenders and researchers could also leverage a Yara rule that inspects whether files begin with a PDF signature and feature indicators for Word files, MHT files, or Excel documents.