
Protecting Against MalDoc in PDF & Other Sophisticated Cybersecurity Threats

The cybersecurity landscape is ever-evolving, and threat actors are constantly finding new ways to subvert systems. Recently, researchers described a novel technique for evading antivirus scanners: embedding a malicious Microsoft Word document inside a PDF file. The technique, dubbed "MalDoc in PDF," has been used in in-the-wild attacks, with the first confirmed case in July 2023.

Researchers explained how the technique works. A file built with MalDoc in PDF opens in Word even though it has the header, objects and structure of a PDF. If the file carries a macro, opening it in Word runs the Visual Basic (VBA) macro, which starts the malicious activity. Files like this are called polyglots: a single file that is valid as more than one format, in this case PDF and Word (DOC).

The trick is to append an MHT (single-file web page) export of a macro-enabled Word document, exactly as Word itself can save one, after the PDF's objects. The result is a valid PDF that can also be opened in Word: given a .DOC extension, Word recognises the embedded MHT and loads the document together with its VBA macro, which in the observed attack downloaded and installed malware. Because the file begins with a PDF header and its PDF structure is intact, tools and sandboxes that only parse the PDF see no macro at all; macro extractors that understand MHT, such as olevba from oletools, do report the VBA. The macro still has to be allowed to run, so the chain also depends on Office's default block on macros in files that carry the Mark of the Web not applying, either because the file arrives without the mark or because the user unblocks it.
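The following is an added example, not code from the original article or from the researchers who documented the technique: a stand-alone heuristic detector for the PDF/MHT polyglot described above. It treats a file as suspicious when it starts with a PDF header but also contains the headers of an Office-generated MHT wrapper and a Word or Excel XML island, and it flags the macro storage by looking for the editdata.mso part and the base64 form of its "ActiveMime" container. The marker set is my own choice, and the sample bytes are constructed here to stand in for a malicious file; they are not a real sample.

```python
"""Heuristic detector for MalDoc-in-PDF polyglots (added example).

A MalDoc-in-PDF file starts with a PDF header and a valid PDF body, then
carries an MHT (single-file web page) export of a Word/Excel document
after it; the VBA project of such an MHT sits in an editdata.mso part
whose base64 body decodes to an "ActiveMime" container.  Stdlib only.
"""
import sys

PDF_MAGIC = b"%PDF-"
# Headers an Office-generated MHT wrapper always carries (assumed marker set)
MHT_MARKERS = (b"MIME-Version:", b"multipart/related", b"Content-Location:")
# Office XML islands that tell Word/Excel which application owns the MHT
OFFICE_MARKERS = {b"<w:WordDocument>": "Word", b"<x:ExcelWorkbook>": "Excel"}
# Macro storage: the editdata.mso part; "QWN0aXZlTWlt" is base64 of "ActiveMime"
MACRO_MARKERS = (b"editdata.mso", b"application/x-mso", b"ActiveMime", b"QWN0aXZlTWlt")


def analyze(data: bytes) -> dict:
    """Scan one file's bytes and report whether it looks like a PDF/MHT polyglot."""
    low = data.lower()                      # marker search is case-insensitive
    is_pdf = data.startswith(PDF_MAGIC)
    mht_hits = [m for m in MHT_MARKERS if m.lower() in low]
    office = next((kind for m, kind in OFFICE_MARKERS.items() if m.lower() in low), None)
    last_eof = data.rfind(b"%%EOF")         # end of the PDF proper, if any
    first_mht = min((low.find(m.lower()) for m in mht_hits), default=-1)
    return {
        "is_pdf": is_pdf,
        "polyglot": is_pdf and bool(mht_hits) and office is not None,
        "office_type": office,
        "macro_hint": any(m.lower() in low for m in MACRO_MARKERS),
        "mht_after_pdf_eof": first_mht > last_eof >= 0,
    }


def sample_polyglot() -> bytes:
    """Constructed stand-in for a MalDoc-in-PDF file (not a real malware sample)."""
    pdf = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
           b"trailer\n<< /Root 1 0 R >>\nstartxref\n0\n%%EOF\n")
    mht = (b"MIME-Version: 1.0\n"
           b'Content-Type: multipart/related; boundary="----=_NextPart_01"\n\n'
           b"------=_NextPart_01\n"
           b"Content-Location: file:///C:/lure.htm\n"
           b'Content-Type: text/html; charset="windows-1252"\n\n'
           b'<html xmlns:w="urn:schemas-microsoft-com:office:word"><head><xml>'
           b"<w:WordDocument><w:View>Print</w:View></w:WordDocument>"
           b"</xml></head><body>invoice</body></html>\n"
           b"------=_NextPart_01\n"
           b"Content-Location: file:///C:/lure_files/editdata.mso\n"
           b"Content-Type: application/x-mso\n"
           b"Content-Transfer-Encoding: base64\n\n"
           b"QWN0aXZlTWltZQAAAf8AAAAAAAAAAAAAAAAA\n"   # stands in for the VBA container
           b"------=_NextPart_01--\n")
    return pdf + mht


def sample_clean_pdf() -> bytes:
    """Constructed plain PDF with the same skeleton and nothing appended."""
    return sample_polyglot().split(b"%%EOF")[0] + b"%%EOF\n"


if __name__ == "__main__":
    targets = sys.argv[1:]
    for path in targets:
        with open(path, "rb") as fh:
            print(path, analyze(fh.read()))
    if not targets:
        print("constructed polyglot:", analyze(sample_polyglot()))
        print("constructed clean PDF:", analyze(sample_clean_pdf()))
```

Run it with file paths as arguments, or with none to see the verdicts for the two constructed samples. The check deliberately scans the whole file rather than only the bytes after the last %%EOF, because nothing forces an attacker to place the MHT exactly there; the `mht_after_pdf_eof` field just records where it was found.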

Threat actors are also embedding QR codes in phishing emails, a tactic termed 'qishing' (also written 'quishing'). Under the guise of a multi-factor authentication notification, the victim is told to scan a QR code; instead of the expected destination, it sends them to the threat actor's phishing page. Because the URL lives in an image rather than in the message text, link scanners and URL-rewriting mail gateways never see it, and the victim typically scans it with a personal phone that sits outside the organization's web filtering.

Alongside these techniques, such as VBA macros delivered through Microsoft Excel or redirecting victims through a deceptive executable, social engineering attacks are growing in complexity and sophistication. Whether through a meticulously crafted phone call or an email trap, threat actors keep finding new ways to gain unauthorized access to systems.

In one highly sophisticated attack, a criminal impersonating a delivery driver tricked an employee of a Swiss organization into divulging sensitive information. Posing as a shipping company representative, the threat actor asked the employee to read aloud a code that appeared in an attachment. The seemingly innocent PDF file was not an attachment at all: it was a static image placed in the email body and styled to look like one, so attachment scanning had nothing to inspect.

More recently, security issues around name collisions in the Domain Name System (DNS) have emerged, showing how the system can leak sensitive data. Cisco Talos highlighted Top-level domains (TLDs) that behave unusually when queried for names that have expired or were never registered: instead of returning NXDOMAIN, some resolve such names to IP addresses and even publish MX records for them, so mail addressed to a mistyped or lapsed domain is accepted by infrastructure the sender never intended. A simple check is to query a random label under a TLD and confirm the answer is NXDOMAIN rather than a set of A or MX records.
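The following is an added example, not code from the article or from Cisco Talos' research: a probe that implements the check above. It builds a DNS query for a random label under a TLD, parses the reply by hand (including compression pointers and MX rdata) and classifies the result as NXDOMAIN, NODATA or WILDCARD, the last meaning the TLD returned records for a name that should not exist. The resolver address, the "nc-" label prefix and the `build_response` helper used to construct offline samples are my own assumptions; the live `probe` needs network access.

```python
"""Name-collision probe (added example): ask a TLD for a label that should
not exist and see whether it answers NXDOMAIN (expected) or hands back A/MX
records (wildcard behaviour).  DNS wire format built and parsed by hand."""
import os
import socket
import struct
import sys

TYPE_A, TYPE_MX = 1, 15
RCODE_NXDOMAIN = 3


def encode_name(name):
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=None):
    txid = int.from_bytes(os.urandom(2), "big") if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def read_name(data, off):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                          # compression pointer
            if end is None:
                end = off + 2                          # resume after the pointer
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_response(data):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        if rtype == TYPE_A:
            value = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_MX:                         # preference + exchange name
            pref = struct.unpack("!H", rdata[:2])[0]
            value = f"{pref} {read_name(data, off + 2)[0]}"
        else:
            value = rdata.hex()
        answers.append((name, rtype, value))
        off += rdlen
    return {"id": txid, "rcode": flags & 0x0F, "answers": answers}


def classify(resp):
    """NXDOMAIN is healthy; NOERROR with records for a random name is wildcarding."""
    if resp["rcode"] == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if resp["rcode"] == 0:
        return "WILDCARD" if resp["answers"] else "NODATA"
    return f"RCODE{resp['rcode']}"


def build_response(query, rcode, answers):
    """Construct a reply to `query`; used only to build offline samples."""
    txid = struct.unpack("!H", query[:2])[0]
    body = query[12:]                                  # echo the question
    for rtype, value in answers:
        if rtype == TYPE_A:
            rdata = bytes(int(x) for x in value.split("."))
        else:                                          # MX given as "pref exchange"
            pref, exch = value.split(" ", 1)
            rdata = struct.pack("!H", int(pref)) + encode_name(exch)
        body += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0) + body


def probe(tld, qtype=TYPE_MX, server=("8.8.8.8", 53), timeout=3.0):
    """Live check (network): random label under `tld`; returns (verdict, answers)."""
    query = build_query(f"nc-{os.urandom(6).hex()}.{tld}", qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, server)
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return classify(resp), resp["answers"]


if __name__ == "__main__":
    for tld in sys.argv[1:] or ["com"]:
        print(tld, *probe(tld))
```

Run it as `python probe.py com net example` to test several TLDs; a WILDCARD verdict for a random label means that TLD answers for names nobody registered, which is exactly the condition under which mail to a lapsed or mistyped domain is silently accepted. Probe both MX and A (pass `TYPE_A` as `qtype`), since a TLD may wildcard one but not the other.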

These emerging challenges and evolving threat landscapes underline the increasing necessity for robust cybersecurity measures. As threat actors develop new methods, businesses should consider investing in advanced cybersecurity solutions.

At Darksteel Technologies, we are an Orlando-based business that can handle all aspects of your IT security, providing compliance, training, malware protection, cloud security, DevSecOps, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.

