If a file looks like a PDF and passes traditional PDF scanning, you might assume it is a PDF file. It could instead be a malicious Word document disguised as a PDF. Japan's Computer Emergency Response Team (JPCERT) recently shared a newly detected attack that evades detection by embedding malicious Word files in PDFs. Most scanning engines recognise the malicious polyglot file as a PDF, but Office applications open it as a Word document. The sample file JPCERT provided is a PDF document containing a Word document with an embedded VBS macro that downloads and installs a malware file; this happens if the file is opened as a Word document in Microsoft Office. While such polyglot files may evade detection by scanning tools, they do not bypass Microsoft security settings, such as those that disable auto-execution of macros in Microsoft Office. For defenders wanting to detect such files in their organisation, JPCERT has shared a YARA rule that checks whether a file starts with a PDF signature followed by patterns indicative of a Word or Excel document.
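As an added illustration of the detection idea described above (this is example code written for this segment, not JPCERT's published YARA rule or any code from the linked articles), the following Python scanner applies the same two-part check: the file must begin with the PDF signature, and the body must also carry MHTML envelope markers together with Word- or Excel-specific markers. The particular marker strings, the `scan_bytes`/`scan_file` function names, and the two sample byte blobs are this example's own assumptions and constructions.

```python
from pathlib import Path

# Constructed detection example. It mirrors the structure described above:
# a PDF signature at offset 0, followed by content that looks like an MHTML
# ("Single File Web Page") Word or Excel document. The marker strings are this
# example's assumptions, not the exact strings in JPCERT's published YARA rule.
PDF_MAGIC = b"%PDF-"

# MIME envelope markers that an Office document saved as MHTML carries.
MHT_MARKERS = (b"mime-version:", b"content-location:", b"content-type:")
# Application-specific markers that identify the embedded Office document.
WORD_MARKERS = (b"<w:worddocument>", b"application/x-mso")
EXCEL_MARKERS = (b"<x:excelworkbook>",)


def _hits(haystack: bytes, needles: tuple) -> list:
    """Return the markers from `needles` that occur in `haystack`.

    `haystack` is expected to be lower-cased already so the match is
    case-insensitive, like a YARA `nocase` string.
    """
    return [n.decode() for n in needles if n in haystack]


def scan_bytes(data: bytes) -> dict:
    """Classify a file body as 'not_pdf', 'pdf', or 'suspicious_polyglot'."""
    lowered = data.lower()
    is_pdf = data.startswith(PDF_MAGIC)          # uint32(0) == "%PDF" in YARA terms
    mht = _hits(lowered, MHT_MARKERS)
    word = _hits(lowered, WORD_MARKERS)
    excel = _hits(lowered, EXCEL_MARKERS)
    if not is_pdf:
        verdict = "not_pdf"
    elif mht and (word or excel):
        # PDF on the outside, MHTML Office document on the inside: triage it.
        verdict = "suspicious_polyglot"
    else:
        verdict = "pdf"
    return {"is_pdf": is_pdf, "mht": mht, "word": word, "excel": excel, "verdict": verdict}


def scan_file(path) -> dict:
    """Convenience wrapper: classify a file on disk."""
    return scan_bytes(Path(path).read_bytes())


# Constructed samples (not real malware): a plain minimal PDF, and a PDF header
# followed by MHTML/Word markers, which is enough to exercise the check.
CLEAN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
POLYGLOT_LIKE = (
    b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: multipart/related; boundary=\"----=_NextPart_constructed\"\n"
    b"Content-Location: file:///C:/constructed/doc.htm\n"
    b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\">\n"
    b"<w:WordDocument><w:View>Print</w:View></w:WordDocument>\n"
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PDF), ("polyglot-like", POLYGLOT_LIKE)):
        print(name, scan_bytes(blob)["verdict"])
```

Treat a `suspicious_polyglot` verdict as a triage signal rather than a conviction: a legitimate PDF that embeds an MHTML attachment could match the same markers, so confirm by inspecting the file structure. The structural control remains the Office macro-blocking policy mentioned above, which the polyglot trick does not bypass.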
https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html
https://www.bleepingcomputer.com/news/security/maldoc-in-pdfs-hiding-malicious-word-docs-in-pdf-files/
This segment was created for the It’s 5:05 podcast