"MalDoc in PDFs: Hiding Malicious Word Docs in PDF Files"

Japan's Computer Emergency Response Team (JPCERT) reveals a new "MalDoc in PDF" attack, discovered in July 2023, that evades detection by embedding malicious Word documents within PDFs. The file sampled by JPCERT is a polyglot that most scanning engines and tools recognize as a PDF, but that office applications can open as a standard Word document (.doc). Polyglots are files that combine two different file formats and, depending on the application that reads or opens them, can be interpreted and executed as more than one file type. For example, the malicious documents in this campaign are a combination of PDF and Word files that can be accessed in either format. Threat actors typically use polyglots to bypass detection or confuse analysis tools, since these files may appear harmless in one format while hiding malicious code in another. In this case, the PDF file contains a Word document with a VBS macro that will download and install an MSI malware file if the file is opened in Microsoft Office as a .doc file. This article continues to discuss the MalDoc in PDF attack.

Bleeping Computer reports "MalDoc in PDFs: Hiding Malicious Word Docs in PDF Files"
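
A defender-side check for the polyglot described above, as an added example that is not code from JPCERT or the original article: it flags files that are typed as PDF by their header but also carry Word/Office container markers. The marker set and function names are assumptions of this example, and the sample bytes are constructed.

```python
import re

PDF_MAGIC = b"%PDF-"
# Markers are this example's assumption, not a published signature.
OFFICE_MARKERS = {
    "ole2-compound-file": re.compile(re.escape(bytes.fromhex("d0cf11e0a1b11ae1"))),
    "mime-headers": re.compile(rb"^MIME-Version:", re.I | re.M),
    "word-xml": re.compile(rb"<w:WordDocument>", re.I),
}


def find_office_in_pdf(data: bytes) -> list[tuple[str, int]]:
    """Return (marker, offset) hits for Office content in a file typed as PDF."""
    start = data[:1024].find(PDF_MAGIC)  # PDF readers tolerate a late header
    if start == -1:
        return []  # not typed as PDF, so outside this check
    hits = []
    for name, rx in OFFICE_MARKERS.items():
        m = rx.search(data, start + len(PDF_MAGIC))
        if m:
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


def is_suspect_polyglot(data: bytes) -> bool:
    """True when a PDF-typed file also carries Word/Office container markers."""
    return bool(find_office_in_pdf(data))


# Constructed samples (harmless bytes, built only for this example).
CLEAN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
POLYGLOT = (
    b"%PDF-1.7\n1 0 obj\n<< /Length 0 >>\nstream\n"
    b"MIME-Version: 1.0\nContent-Type: multipart/related\n\n"
    b"<xml><w:WordDocument></w:WordDocument></xml>\n"
    b"endstream\nendobj\n%%EOF\n"
)
PLAIN_DOC = bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 32

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_PDF), ("polyglot", POLYGLOT), ("doc", PLAIN_DOC)]:
        print(label, is_suspect_polyglot(blob), find_office_in_pdf(blob))
```

This is a triage heuristic: a hit means the file deserves inspection as both a PDF and an Office document, not that it is malicious.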
