Sunday, May 29, 2022

Beware of New Campaign that Delivers Sophisticated Malware Through PDF Files

Recently, security researchers at HP Wolf Security discovered a new way of using PDF attachments to distribute malware over the internet. In this case, malicious Word documents are delivered inside PDF attachments.

It is somewhat unusual to receive malicious email attachments in PDF format, as malicious emails are most often delivered as docx or xls files with embedded malware-loading macros.

Threat actors are turning to other methods of deploying malicious macros and evading detection, as people become aware of the danger of opening Microsoft Office attachments that contain malicious macros.

Embedding Malicious Word Docs in PDFs

The body of the email that carries the PDF document is filled with vague promises. The PDF is named "Remittance Invoice," and based on its name and contents it appears that the recipient is about to receive a payment.

The DOCX file contains the same content as the PDF file, so Adobe Reader prompts the user to open the DOCX file, which may be confusing to the victim.

The Open File prompt shows the following message, because the threat actors named the embedded document "has been verified":

If you receive this message, you will probably feel comfortable opening the file, since it appears to have been legitimately validated by Adobe and to be safe to open.

Although malware analysts use tools such as parsers and scripts to inspect files embedded in PDFs, the average user would not know how to start looking at them, or where to begin, when receiving one of these deceptive emails.
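As an added illustration of the parser-based inspection mentioned above (this script is not from the article or from HP's researchers), the following Python walks the uncompressed objects of a PDF, lists every /Filespec that carries an embedded file, and flags Office documents whose filename reads like a status message, as in the "has been verified" lure. The sample PDF is constructed, and the filename heuristic is an assumption.

```python
import re

# Constructed sample (not a real malicious file): a minimal, uncompressed PDF that
# embeds a DOCX under the misleading filename used in the campaign's lure.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(has been verified.docx) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
4 0 obj << /Type /Filespec /F (has been verified.docx) /UF (has been verified.docx) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 4 >>
stream
PK\x03\x04
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj" pairs. Only uncompressed objects are visible this way; objects
# packed into object streams would need inflating first (assumed out of scope here).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
# /F (name) and /UF (name) entries of a file specification dictionary.
NAME_RE = re.compile(rb"/(?:F|UF)\s*\(([^)]*)\)")
OFFICE_EXT = (".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm")


def find_embedded_files(pdf: bytes) -> list:
    """Return one record per /Filespec object that actually carries an /EF stream."""
    findings = []
    for num, _gen, body in OBJ_RE.findall(pdf):
        if b"/Filespec" not in body or b"/EF" not in body:
            continue
        for raw in sorted(set(NAME_RE.findall(body))):
            name = raw.decode("latin-1")
            lower = name.lower()
            findings.append({
                "object": int(num),
                "name": name,
                "office_doc": lower.endswith(OFFICE_EXT),
                # Heuristic (an assumption, not from the article): Reader's Open File prompt
                # shows the filename, so a name that reads like a sentence or a claim is the lure.
                "deceptive_name": "verified" in lower or len(lower.split()) >= 3,
            })
    return findings


def triage(pdf: bytes) -> list:
    lines = []
    for f in find_embedded_files(pdf):
        kind = "Office document" if f["office_doc"] else "file"
        flag = " (deceptive name)" if f["deceptive_name"] else ""
        lines.append(f"obj {f['object']}: embedded {kind} '{f['name']}'{flag}")
    return lines
```

Running `triage(SAMPLE_PDF)` on the constructed file yields one line pointing at object 4 as an embedded Office document with a deceptive name, which is the first thing an analyst would want to know before the DOCX is ever opened.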

Users generally open a DOCX file in Microsoft Word rather than in another program. So, if macros are enabled, the DOCX file opened in Microsoft Word downloads an RTF file from a remote resource.

The Word file embeds a command containing the URL where the payload is located, which results in the download of the RTF.

Old RCE Exploitation

The RTF file, named "f_document_shp.doc", contains a malformed OLE object, which makes it difficult to analyze.

After some targeted reconstruction, HP's analysts were able to determine that it attempts to exploit a vulnerability in Microsoft Equation Editor in order to run arbitrary code.

In this case, the shellcode exploits the following vulnerability:

Although a fix has been available since November 2017, this Equation Editor remote code execution vulnerability is still being exploited, so it must be patched immediately where Equation Editor has not already been removed.
