Project Hyphae

Phishing with PDF malware to evade detection


HP Wolf Security reported that in Q1 2022, nearly half of the malware stopped was packaged in Microsoft Office file formats. However, they also documented a recent attack where the malware was packaged in a PDF file to attempt to evade detection.

Once the PDF was opened, Adobe Reader prompted the user to open a DOCX file. The DOCX file was named “has been verified. However PDF, Jpeg, xlsx, .docx”, so when Adobe Reader's warning that the file might contain malicious programs, macros, or viruses pops up, the user is led to think they are opening a “verified” or “safe” file.

Choosing “Open this file” allows the malicious DOCX file embedded in the PDF to connect to a remotely hosted server and download and execute another document containing OLE objects. One of these OLE objects contained shellcode that exploited a remote code execution vulnerability in Equation Editor (CVE-2017-11882). This shellcode, which was encrypted and obfuscated to avoid detection, downloaded additional malware to infect the device with the Snake Keylogger.
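As a defender-side illustration (added here, not code from HP's writeup), the following Python script triages a PDF for the artifacts of this attack chain: an embedded file stream, a /Filespec whose declared name ends in an Office extension, and an attachment name worded to read like the Reader warning dialog. The sample PDF bytes, the lure word list and the risky-extension list are constructed assumptions.

```python
import re

# Raw-object patterns for attachments and auto-open hooks (assumed indicator set).
EMBEDDED_FILE_RE = re.compile(rb"/Type\s*/EmbeddedFile")
FILESPEC_NAME_RE = re.compile(rb"/(?:UF|F)\s*\(((?:\\.|[^\\)])*)\)")
OPEN_ACTION_RE = re.compile(rb"/OpenAction|/AA\b|/JavaScript|/Launch")

# Constructed lists: words that mimic a trust message, and extensions worth a look.
LURE_WORDS = ("verified", "safe", "scanned", "trusted")
RISKY_EXT = (".docx", ".doc", ".xlsx", ".xls", ".rtf", ".exe", ".js", ".vbs")


def embedded_file_names(pdf_bytes: bytes) -> list[str]:
    """Return the file names declared by /Filespec dictionaries (literal strings only)."""
    names = []
    for m in FILESPEC_NAME_RE.finditer(pdf_bytes):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
        names.append(raw.decode("latin-1"))
    return names


def triage(pdf_bytes: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing was spotted."""
    findings = []
    if EMBEDDED_FILE_RE.search(pdf_bytes):
        findings.append("contains /EmbeddedFile stream")
    if OPEN_ACTION_RE.search(pdf_bytes):
        findings.append("contains auto-open or script action")
    for name in embedded_file_names(pdf_bytes):
        lowered = name.lower()
        if any(lowered.endswith(ext) for ext in RISKY_EXT):
            findings.append(f"attachment with risky extension: {name!r}")
        if any(w in lowered for w in LURE_WORDS):
            findings.append(f"attachment name mimics a trust message: {name!r}")
    return findings


# Constructed sample: a minimal, uncompressed PDF fragment carrying the lure name.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles << /Names [(att) 2 0 R] >> >> >> endobj\n"
    b"2 0 obj << /Type /Filespec /F (has been verified. However PDF, Jpeg, xlsx, .docx) "
    b"/EF << /F 3 0 R >> >> endobj\n"
    b"3 0 obj << /Type /EmbeddedFile /Length 2 >> stream\nPK\nendstream endobj\n"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_PDF):
        print(finding)
```

The scan only sees uncompressed object dictionaries; a real sample may keep its /Filespec inside a compressed object stream, so an empty result means "nothing found", not "safe".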

The full writeup of the attack is available on the HP Threat Research Blog:

Explanation of CVE-2017-11882 from the SOCPRIME Blog:
