Beware of emailed PDFs containing Word documents exploiting old bugs • The Register


HP cybersecurity specialists have uncovered an email campaign that ticks all the boxes: messages with an attached PDF that embeds a Word document that, upon opening, infects the victim’s Windows PC with malware by exploiting a four-year-old code execution vulnerability in Microsoft Office.

Trapping a PDF with a malicious Word document goes against the norm of the past 10 years, according to HP Wolf Security researchers. For a decade, malefactors have preferred Office file formats, such as Word and Excel, to deliver malicious code over PDFs, as users are more accustomed to obtaining and opening .docx and .xlsx files. About 45% of malware caught by HP’s threat intelligence team in the first quarter of the year used Office formats.

“The reasons are clear: users are familiar with these types of files, the applications used to open them are ubiquitous, and they are suitable for social engineering lures,” HP malware analyst Patrick Schläpfer explained in an article, adding that in this latest campaign, “the malware arrived in a PDF document – a format attackers less commonly use to infect PCs.”

Although not used at the same rate as Office files, cybercriminals have seen advantages in using PDF files for fraud and malware campaigns. In a 2019 report, researchers from cybersecurity firm TitanHQ found that to be effective, phishing campaigns must create a sense of urgency or surprise as well as a sense of trust.

PDF is a type of document that people trust. This is because the public perception is that it is a secure document that cannot be manipulated.

“This could be accomplished by spoofing your boss’s email address or attaching some kind of business document that looks official,” they wrote. “A perfect example is a PDF document. The… PDF is a type of document that people trust. This is because the public has the impression that it is a secure document that cannot be manipulated. After all, that’s why you issue an invoice as a PDF file and not a Word document. Unfortunately, users’ trust in PDFs as a ‘safe’ document is wrong.”

They noted that in 2018 there were at least 47,000 attacks involving PDF files and that number had increased to 173,000 in the first quarter of 2019. PDFs are a threat businesses need to understand, analyst Ivan Righi Principal of Threat Intelligence at Digital Shadows, Told The register.

“PDF files have similar capabilities to a web page,” Righi said. “They can interact with remote sites, launch local programs, and contain embedded files. PDFs can also include clickable links and JavaScript, which can be exploited for malicious purposes.”

As with any phishing attempt, the cyber crook’s goal is to trick users into opening malicious documents, accepting macros in embedded files, or doing anything else that will lead to a malware infection, which means that it is important for organizations to ensure that their employees are trained not to open documents from unknown or untrusted sources. Companies can also use tools like DMARC for email authentication, he said.

old and tried

The campaign HP began tracking earlier this year aims to trick brands into running the information-stealing Snake Keylogger on their PCs, and relies on several techniques to evade detection, including file embedding malware, remote hosted exploit loading, and shellcode encryption, HP’s Schläpfer wrote.

Bad actors initiate the initial access attempt via a PDF document named “Remittance Invoice” that is attached to an email, according to HP. If the recipient opens the PDF, Adobe Reader prompts the user to open a .docx file contained in the PDF: at first glance, the dialog that appears indicates that the document “has been verified” and can be opened in Microsoft Desktop .

Screenshot of the dialog that tries to trick the user

Very clever… How a carefully crafted filename for the .docx can at first glance change the meaning of a dialog. Click to enlarge. Source: HP Wolf Spider

To remove this and give the brand the impression that this file is legit, the name of the embedded .docx file is “has been verified. However PDF, Jpeg, xlsx, .docx”. When included in the text box of the dialog box, it indicates:

If Mark clicks the “Open this file” option, Word opens and – if Protected Mode is off – downloads an RTF (.rtf) document named f_document_shp.doc from a web server. The file contains two malformed OLE objects, which was probably done to evade detection and analysis. According to Schläpfer, parsing objects with OLE tools could yield confusing results.

HP was able to use a forensic program called Foremost to reconstruct the malformed objects and display their basic information. Through this, researchers were able to see code that exploits a code execution vulnerability in Microsoft Equation Editor, which was patched in November 2017 and tracked as CVE-2017-11882.

Attackers exploiting the vulnerability could run arbitrary code and take control of the PC, potentially allowing them to install programs, create new accounts with full user rights, or modify or delete data. The code used to exploit the flaw was encrypted, indicating another attempt to evade detection, Schläpfer wrote.

“While Office formats remain popular, this campaign shows how attackers are also using weaponized PDF documents to infect systems,” he wrote.

“File embedding, remote hosted exploit loading, and shellcode encryption are just three techniques used by attackers to run under-the-radar malware. The vulnerability exploited in this campaign…is over four years old , but continues to be used, suggesting that the exploit remains effective for attackers.”

Our Takeaways: Stay up to date with patches, detect and remove those PDFs from incoming messages, educate users about email security, configure your network to contain security vulnerabilities as best you can, and other techniques you are more than welcome to share in the comments. ®

Previous MatchMove buys Singapore-based Shopmatic for $200m, signaling consolidation of Indian startup ecosystem
Next Computer Task Group (NASDAQ:CTG) Releases Fiscal 2022 Revenue Forecast