Researchers have found a sneaky way a malware campaign gets its victims to download malicious files from the internet, using file-naming trickery.

In this campaign, malicious PDFs with embedded Word documents are emailed to victims; opening them infects the PC with the Snake keylogger malware for Windows, which steals information.

Malicious PDFs are generally not an attacker’s preferred tool for a malware campaign. According to threat analysts at HP’s Wolf Security, attackers tend to favour Office formats such as Word and Excel because they know PC users are more familiar with them.

According to HP, the malicious PDF campaign was first spotted in November 2020.

Perhaps looking to trick the finance department, the attackers emailed a PDF attachment called “REMMITANCE INVOICE.pdf” containing an embedded Word document named “has been verified. However, PDF, Jpeg, xlsx, docs”.

The Word document’s odd file name is deliberate: it is there to trick the unwary. This becomes clear when viewing the Adobe Reader prompt, which reads: “The file ‘has been verified. However, PDF, Jpeg, xlsx, docs’ may contain programs, macros, or viruses that could potentially harm your computer.”

In other words, at first glance an employee could misread the prompt as saying the file has been verified and is therefore safe to open.

If the recipient selects “Open this file”, Microsoft Word opens the document. If Protected View is disabled, as HP notes, Word downloads a Rich Text Format (.rtf) file from a web server and runs it in the context of the open document. (By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office.)

On analysing the Word document, HP’s analysts found an illegitimate URL from which an external object linking and embedding (OLE) object was loaded.

The OLE object also contains shellcode that exploits CVE-2017-11882, an old remote code execution vulnerability in Microsoft Office’s Equation Editor that is still popular with hackers.

The shellcode downloads an executable called fresh.exe that is in fact the Snake keylogger, which has historically been distributed via malicious RTF documents or archive files attached to emails.

HP notes that even though Office formats are the popular choice for infecting systems, attackers will use weaponized PDF documents as well. To keep their malware under the radar, the attackers in this campaign used three techniques:

  • embedding files,
  • loading remotely hosted exploits,
  • encrypting shellcode.
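As an added example (not HP’s tooling or anything from the article), here is a defender-side triage script that checks document artifacts for the first two techniques above: PDF file specifications that carry an embedded file (and whether the embedded name reads like the prompt trick described earlier), and Word relationships that point an OLE object at a remote URL. The PDF and .docx samples are constructed inline (the .docx contains only the parts needed for the check), and the URL is a placeholder.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def pdf_embedded_file_names(pdf_bytes):
    """Names of PDF file specifications that carry an embedded file stream (/EF)."""
    names = []
    for spec in re.finditer(rb"/Filespec(.*?)endobj", pdf_bytes, re.S):
        body = spec.group(1)
        m = re.search(rb"/F\s*\(([^)]*)\)", body)
        if m and b"/EF" in body:
            names.append(m.group(1).decode("latin-1"))
    return names

def name_looks_like_prompt_trick(name):
    """Heuristic (assumed here, not HP's): a name written as a sentence, or with no
    real extension, is built to read as part of the Reader warning prompt."""
    return bool(re.search(r"\.\s", name)) or not re.search(r"\.[A-Za-z0-9]{2,5}$", name)

def docx_external_ole_targets(docx_bytes):
    """Remote targets of oleObject relationships: the remotely hosted OLE/RTF stage."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(part)).iter():
                a = rel.attrib
                if a.get("TargetMode") == "External" and a.get("Type") == OLE_REL:
                    targets.append(a["Target"])
    return targets

# Constructed samples, not the campaign's files: the PDF embeds a file whose name
# is the lure sentence; the .docx points an OLE object at a placeholder URL.
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Filespec "
              b"/F (has been verified. However, PDF, Jpeg, xlsx, docs) /EF << /F 2 0 R >> >> endobj\n"
              b"2 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nPK\x03\x04\nendstream endobj\n%%EOF\n")

def make_docx_with_external_ole(url):
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{url}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

Running `pdf_embedded_file_names(SAMPLE_PDF)` returns the lure name, which `name_looks_like_prompt_trick` flags, and `docx_external_ole_targets` on the constructed .docx returns the placeholder URL; either finding is a reason to quarantine the attachment rather than open it.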

In short, attackers will use whatever is successful even if the exploit is old. The exploited vulnerability in this campaign (CVE-2017-11882) is over four years old.
