A sophisticated attack vector dubbed "MalDoc in PDF" allows threat actors to bypass traditional security scanning by embedding malicious Word documents into PDF files. These files appear benign when analyzed with standard PDF security tools, because the malicious content is stored outside the PDF object structure but within the same file container. Security researchers examining file hexdumps have confirmed that this structure retains the PDF header while incorporating Word document components.

The technique, observed in attacks dating back to July, enables macros to execute when victims open what appears to be a standard document, potentially compromising systems while evading detection by common security tools. In the documented attacks, the files typically used the .doc extension, ensuring that default Windows file associations would route them to Word. The technique does not bypass Word's macro security settings: if automatic macro execution is disabled, users still receive the security prompt.

Traditional security tools show significant limitations when confronting this technique. OLEVBA, an analysis tool designed to detect malicious Office macros, remains effective against MalDoc in PDF files: when processing these hybrid documents it successfully identifies and extracts the embedded macro code, enabling security personnel to recognize the malicious content.
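The structural property described above (a valid PDF header with Word document data sitting outside the PDF object structure) is something a triage pipeline can check for directly, before handing the file to OLEVBA. The following Python script is an added example, not code from the article or from the OLEVBA project: it splits a file at its final `%%EOF`, reports any trailing data, and looks for a small set of Word/Office markers (an assumed list chosen for illustration; extend it with your own observations). The sample files it scans are constructed inline and contain no macro.

```python
"""Triage helper for "MalDoc in PDF"-style hybrids: a file that starts as a PDF
but carries Word document data outside the PDF object structure.

Added example for illustration; the marker list is an assumption, not a
signature set published by the article or by OLEVBA.
"""

PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"

# Byte patterns that indicate Word/Office content.  Assumed markers for this
# example: OLE compound-file magic, Word's HTML/MHTML namespace and ProgId,
# and the MIME header of an MHTML container.
WORD_MARKERS = {
    "ole_compound_file": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "word_html_namespace": b"urn:schemas-microsoft-com:office:word",
    "word_progid": b"ProgId content=Word.Document",
    "mhtml_multipart": b"Content-Type: multipart/related",
}


def split_pdf_trailer(data: bytes):
    """Return (pdf_part, trailing_bytes).

    pdf_part is None when the file does not carry a PDF header.  Trailing
    bytes are everything after the last %%EOF (incremental updates add
    several %%EOF markers, so the last one bounds the real PDF body).
    """
    if not data.startswith(PDF_MAGIC):
        return None, b""
    idx = data.rfind(PDF_EOF)
    if idx == -1:
        return data, b""
    end = idx + len(PDF_EOF)
    # Tolerate the CR/LF that normally follows %%EOF.
    while end < len(data) and data[end:end + 1] in (b"\r", b"\n"):
        end += 1
    return data[:end], data[end:]


def scan_maldoc_in_pdf(data: bytes) -> dict:
    """Flag a PDF whose container holds Word document markers.

    Markers found after the final %%EOF are the strongest signal; markers
    found anywhere in the file are reported separately so that data placed
    elsewhere outside the object structure is not missed.
    """
    pdf_part, trailing = split_pdf_trailer(data)
    result = {
        "is_pdf": pdf_part is not None,
        "trailing_bytes": len(trailing),
        "markers_after_eof": [],
        "markers_anywhere": [],
        "suspicious": False,
    }
    if pdf_part is None:
        return result
    for name, sig in WORD_MARKERS.items():
        if sig in trailing:
            result["markers_after_eof"].append(name)
        if sig in data:
            result["markers_anywhere"].append(name)
    result["suspicious"] = bool(result["markers_anywhere"])
    return result


def build_samples():
    """Constructed sample inputs: a minimal clean PDF and the same PDF with a
    Word-flavoured MHTML blob appended after %%EOF (no macro, no VBA)."""
    clean_pdf = (
        b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )
    appended_blob = (
        b"MIME-Version: 1.0\n"
        b"Content-Type: multipart/related; boundary=\"x\"\n\n"
        b"--x\nContent-Type: text/html\n\n"
        b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\">\n"
        b"<meta name=ProgId content=Word.Document>\n</html>\n--x--\n"
    )
    return clean_pdf, clean_pdf + appended_blob


if __name__ == "__main__":
    clean, hybrid = build_samples()
    for label, sample in (("clean", clean), ("hybrid", hybrid)):
        print(label, scan_maldoc_in_pdf(sample))
```

A hit from this script is a reason to run OLEVBA on the file and to inspect the trailing bytes, not a verdict on its own: a PDF can legitimately carry trailing data, and the marker list is deliberately small. Note that a sample whose PDF header is missing is reported as `is_pdf: False` rather than scanned, so files routed to Word purely by extension still need a separate check.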
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 19 Mar 2025 15:56:01 +0000