Threat analysts at HP Wolf Security have discovered a new technique for delivering malware to targets. According to the analysts, some threat actors are currently delivering malicious MS Word files by embedding them inside PDF files.
From PDF to keylogger
The PDF that carries the Word file with the malicious macros was named Remittance Invoice in the campaign in which it was discovered, and it indeed looks like a genuine invoice. When the Remittance Invoice PDF is opened, Adobe Reader prompts the user to open a .docx file that is embedded in the PDF. Additionally, the .docx file is named “has been verified”, which further misleads the victim into thinking it has passed Adobe Reader’s security checks and is safe to open.
When the victim opens the .docx file, it downloads from a remote host an .rtf file named F_document_shp.doc, which contains malformed OLE objects. On investigation, the analysts found that this final .rtf file targets a bug in the Microsoft Equation Editor, tracked as CVE-2017-11882, which allows remote code execution. In the end, it downloads and runs a keylogging malware named Snake.
The bug was fixed in November 2017. However, patch rollout was slow, and, as subsequently reported, it became one of the most exploited flaws of 2018.
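The chain described above rests on two document features a defender can check for directly: a PDF that carries a file attachment, and an RTF that carries an OLE object naming the Equation Editor. The Python triage helper below is an added example, not HP Wolf Security's code or anything recovered from the campaign; the function name triage, the regexes and the two sample files are constructed for illustration, and it inspects only uncompressed PDF syntax.

```python
import re

# Constructed example (not from the article or HP Wolf Security): flags
#  - PDFs carrying an embedded file attachment (the "has been verified" .docx)
#  - RTFs carrying OLE objects whose declared class is the Equation Editor
# Caveat: only uncompressed PDF syntax is inspected; objects inside
# compressed object streams must be decompressed first (e.g. with a PDF parser).
EMBEDDED_FILE = re.compile(rb"/Type\s*/EmbeddedFile")
ATTACH_NAME = re.compile(rb"/(?:UF|F)\s*\((.*?)\)")      # file-spec names
OPEN_ACTION = re.compile(rb"/OpenAction")                 # auto-run on open
RTF_OBJECT = re.compile(rb"\\object\b")
RTF_OBJCLASS = re.compile(rb"\\objclass\s*([A-Za-z0-9.]+)")


def triage(data: bytes) -> dict:
    """Return findings for a PDF or RTF byte string; empty dict if neither."""
    findings = {}
    if data.startswith(b"%PDF"):
        findings["type"] = "pdf"
        findings["embedded_files"] = len(EMBEDDED_FILE.findall(data))
        names = {n.decode("latin-1") for n in ATTACH_NAME.findall(data)}
        findings["attachment_names"] = sorted(names)
        findings["open_action"] = bool(OPEN_ACTION.search(data))
        # Any embedded file in an "invoice" PDF is worth a manual look.
        findings["suspicious"] = findings["embedded_files"] > 0
    elif data.startswith(b"{\\rtf"):
        findings["type"] = "rtf"
        findings["ole_objects"] = len(RTF_OBJECT.findall(data))
        classes = [c.decode("latin-1") for c in RTF_OBJCLASS.findall(data)]
        findings["object_classes"] = classes
        # Equation Editor objects have no business in a normal document today.
        findings["suspicious"] = any(c.lower().startswith("equation") for c in classes)
    return findings


# Constructed sample inputs mirroring the two stages described in the article.
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Filespec /F (has been verified.docx)"
              b" /UF (has been verified.docx) /EF << /F 4 0 R >> >>\nendobj\n"
              b"4 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\nstream\nendstream\nendobj\n")
SAMPLE_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
              b"{\\*\\objdata 0105000002000000}}}")

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
    print(triage(SAMPLE_RTF))
```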