Project Hyphae

Phishing with PDF malware to evade detection


HP Wolf Security reported that in Q1 2022, nearly half of the malware it stopped was packaged in Microsoft Office file formats. However, it also documented a recent attack in which the malware was packaged inside a PDF file in an attempt to evade detection.

Once the PDF was opened, Adobe Reader prompted the user to open a DOCX file. The embedded DOCX was named “has been verified. However PDF, Jpeg, xlsx, .docx”, so when Adobe Reader's warning that the file might contain malicious programs, macros, or viruses popped up, the file name read like part of the dialog text and led the user to believe they were opening a “verified” or “safe” file.

Choosing “Open this file” allowed the malicious DOCX embedded in the PDF to connect to a remotely hosted server and download and execute a second document containing OLE objects. One of these OLE objects contained shellcode that exploited a remote code execution vulnerability in Equation Editor (CVE-2017-11882). The shellcode, which was encrypted and obfuscated to avoid detection, downloaded additional malware that infected the device with the Snake Keylogger.
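The lure in this chain is visible in the PDF's own structure before anything is opened: an embedded file, an automatic action that triggers the reader's prompt, and an attachment name stuffed with file types and trust words. The following triage script is an added example, not code from the HP writeup or from Project Hyphae. It scans raw PDF bytes for those three signals. The sample PDFs are constructed here for the demonstration; the use of an `/OpenAction` JavaScript trigger is an assumption, since the article does not say how the real PDF caused Adobe Reader to prompt.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not a real malicious file): one embedded DOCX whose
# attachment name mimics a "verified" banner, plus an OpenAction that runs
# JavaScript. The trigger mechanism is assumed for the example.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 5 0 R >> /OpenAction 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Filespec /F (has been verified. However PDF, Jpeg, xlsx, .docx) /EF << /F 7 0 R >> >> endobj
5 0 obj << /Names [(attachment) 4 0 R] >> endobj
6 0 obj << /S /JavaScript /JS (PLACEHOLDER_CONSTRUCTED_SCRIPT) >> endobj
7 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK\x03\x04
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign control: a single empty page, no attachments, no actions.
BENIGN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Keys that let a PDF do something without a click on page content.
ACTION_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch")
# Attachment name ends in an Office format the reader will hand to Word/Excel.
OFFICE_EXT = re.compile(r"\.(docx?|docm|xlsx?|xlsm|pptx?|rtf)\s*$", re.I)
# Words that read as reassurance when shown inside an "open this file?" dialog.
LURE_WORDS = re.compile(r"\b(verified|safe|scanned|secure|trusted)\b", re.I)
# /Filespec dictionary followed (within a bounded window) by its /F or /UF name.
FILESPEC_NAME = re.compile(rb"/Filespec(.{0,512}?)/(?:UF|F)\s*\(((?:\\.|[^\\)])*)\)", re.S)


@dataclass
class PdfReport:
    embedded_files: int = 0
    attachment_names: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    object_streams: int = 0          # compressed object streams the regex cannot see into
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def decode_pdf_string(raw: bytes) -> str:
    # Undo the common PDF literal-string escapes; enough for attachment names.
    text = raw.decode("latin-1")
    return re.sub(r"\\([()\\])", r"\1", text)


def suspicious_name(name: str) -> list:
    """Flag the naming tricks used by the lure: several file types in one name,
    trust words, and an Office extension on the actual attachment."""
    reasons = []
    exts = re.findall(r"\.?\b(pdf|jpe?g|png|docx?|xlsx?|pptx?)\b", name, re.I)
    if len({e.lower() for e in exts}) >= 2:
        reasons.append("name lists several file types (extension stuffing)")
    if LURE_WORDS.search(name):
        reasons.append("name contains a trust word shown in the open-file prompt")
    if OFFICE_EXT.search(name):
        reasons.append("attachment is an Office document")
    return reasons


def triage_pdf(data: bytes) -> PdfReport:
    """Pure-regex triage over raw PDF bytes; no PDF library needed."""
    report = PdfReport()
    # \b keeps /EmbeddedFiles (the name tree) from counting as an attachment.
    report.embedded_files = len(re.findall(rb"/EmbeddedFile\b", data))
    report.object_streams = len(re.findall(rb"/ObjStm\b", data))
    for m in FILESPEC_NAME.finditer(data):
        report.attachment_names.append(decode_pdf_string(m.group(2)))
    report.actions = [k.decode() for k in ACTION_KEYS if re.search(re.escape(k) + rb"\b", data)]

    if report.embedded_files:
        report.reasons.append(f"{report.embedded_files} embedded file(s) present")
    if report.embedded_files and report.actions:
        report.reasons.append("embedded file combined with automatic action: " + ", ".join(report.actions))
    for name in report.attachment_names:
        report.reasons.extend(f"{name!r}: {r}" for r in suspicious_name(name))
    return report


if __name__ == "__main__":
    for label, pdf in (("sample lure", SAMPLE_PDF), ("benign control", BENIGN_PDF)):
        rep = triage_pdf(pdf)
        print(f"{label}: suspicious={rep.suspicious}, object streams={rep.object_streams}")
        for reason in rep.reasons:
            print("  -", reason)
```

Run it on a file with `triage_pdf(open(path, "rb").read())`. A raw-byte scan is a first-pass filter, not a verdict: objects inside compressed object streams (`/ObjStm`) or otherwise encoded are invisible to it, so a report with no findings but a non-zero `object_streams` count should be treated as inconclusive and handed to a proper PDF parser or sandbox.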

The full writeup of the attack is available on the HP Threat Research Blog: https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/

Explanation of CVE-2017-11882 from the SOCPRIME Blog: https://socprime.com/blog/cve-2017-11882-two-decades-old-vulnerability-in-microsoft-office-still-actively-leveraged-for-malware-delivery/
