
If it looks like a PDF file and passes traditional PDF scanning, you might assume the file is a PDF, when it could in fact be a malicious Word document disguised as a PDF. Japan’s computer emergency response team (JPCERT) recently shared a newly detected attack that bypasses detection by embedding malicious Word files in PDFs. The malicious polyglot file is recognised by most scanning engines as a PDF, but Office applications will open it as a Word document. The sample file JPCERT provided is a PDF document containing a Word document with an embedded VBS macro that downloads and installs a malware file; this happens if the file is opened as a Word document in Microsoft Office. While such polyglot files might evade detection by scanning tools, they do not bypass Microsoft Office security settings such as those that disable auto-execution of macros. For defenders wanting to detect such files in their organisation, JPCERT has shared a YARA rule which checks whether a file starts with a PDF signature followed by patterns indicative of a Word or Excel document.
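The detection logic described above, as an added Python example that is not JPCERT's rule or code from the segment: it applies the same YARA-style condition (PDF magic at offset 0, then Office markers) to a byte blob. The Word/Excel marker strings are assumptions based on the MHT flavour of Office documents, not strings quoted by JPCERT, and the sample inputs are constructed.

```python
# Magic bytes a PDF starts with; the check keys on the file *beginning* with
# this, so a Word file that merely mentions "%PDF" somewhere is not flagged.
PDF_MAGIC = b"%PDF"

# Markers for the MHT (single-file web page) flavour of Word/Excel documents.
# These are assumptions about the MHT format, not strings quoted by JPCERT:
# MIME headers plus the Office namespace tags Word and Excel emit.
MHT_MARKERS = (b"mime", b"content-location:", b"content-type:")
WORD_MARKERS = (b"<w:worddocument>",)
EXCEL_MARKERS = (b"<x:excelworkbook>",)


def classify_polyglot(data: bytes) -> dict:
    """Evaluate the YARA-style condition: PDF magic at offset 0 AND at least
    one MHT header AND a Word or Excel tag. Matching is case-insensitive,
    like YARA's `nocase` modifier."""
    low = data.lower()
    pdf_magic = data.startswith(PDF_MAGIC)
    mht_header = any(m in low for m in MHT_MARKERS)
    word = any(m in low for m in WORD_MARKERS)
    excel = any(m in low for m in EXCEL_MARKERS)
    return {
        "pdf_magic": pdf_magic,
        "mht_header": mht_header,
        "word": word,
        "excel": excel,
        "suspect": pdf_magic and mht_header and (word or excel),
    }


def scan_file(path: str) -> dict:
    """Read a file from disk and classify it."""
    with open(path, "rb") as fh:
        return classify_polyglot(fh.read())


# Constructed samples for an offline check (not the files from the report).
# A plain PDF: magic present, no Office markers.
BENIGN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
# The shape of the polyglot: PDF header followed by an MHT-style Word body.
# Only the markers are present; this is not a working document of either kind.
POLYGLOT_SHAPED = (
    b"%PDF-1.7\n%% pdf objects would follow here\n"
    b"MIME-Version: 1.0\nContent-Type: multipart/related\n"
    b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\">\n"
    b"<w:WordDocument><w:View>Normal</w:View></w:WordDocument>\n"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PDF), ("polyglot", POLYGLOT_SHAPED)):
        print(name, classify_polyglot(blob))
```

A hit from `classify_polyglot` is a triage signal, not a verdict: a PDF that legitimately embeds an MHT attachment would match too, so confirm by opening the sample in a sandbox rather than acting on the flag alone.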

This segment was created for the It’s 5:05 podcast