PDF Smuggles Microsoft Word Doc to Deliver Snake Keylogger Malware

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents

Threat researchers have found a new malware distribution campaign that uses PDF attachments to carry infected Word documents onto users’ computers. Most phishing emails today include DOCX or XLS attachments loaded with malware-loading macro code, so the use of PDFs is unusual. As users grow more wary of opening fraudulent Microsoft Office attachments, threat actors are switching to different methods to deliver harmful macros and evade detection.
In a new report, HP Wolf Security researchers show how PDFs are being used as a carrier for documents containing malicious macros that download and install information-stealing malware on victims’ devices. In the campaign seen by HP Wolf Security, the PDF arriving by email is called “Remittance Invoice,” and the guess is that the email body contains vague assurances of payment to the recipient.
When the PDF is opened, Adobe Reader prompts the user to open a DOCX file embedded in it, which is unusual and may confuse the victim. “The file ‘has been verified,’” says the Open File prompt, because the threat actors named the embedded document “has been verified.” This message may lead recipients to believe that Adobe has authenticated the file and that it is safe to open. While malware investigators can use parsers and scripts to inspect embedded files in PDFs, most average users wouldn’t go that far or even know where to begin.
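
A first-pass triage script of the kind the paragraph above mentions, as an added example that is not from the article or the HP Wolf Security report: it counts the PDF names that mark attachments and automatic actions in the raw bytes and lists the declared attachment file names. The watched-name list, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re

# PDF names worth counting when triaging an attachment (this example's own selection).
WATCHED = ("/EmbeddedFile", "/Filespec", "/OpenAction", "/AA",
           "/JavaScript", "/JS", "/Launch", "/ObjStm")
# A name runs from "/" to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
# File names stored as literal strings in a file specification: /F (...) or /UF (...).
FNAME_RE = re.compile(rb"/U?F\s*\(((?:\\.|[^\\)])*)\)")


def normalize_name(raw: bytes) -> str:
    """Decode #XX escapes so /Embedded#46ile compares equal to /EmbeddedFile."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count watched names in raw PDF bytes and list declared attachment names."""
    counts = dict.fromkeys(WATCHED, 0)
    for match in NAME_RE.finditer(data):
        name = normalize_name(match.group(0))
        if name in counts:
            counts[name] += 1
    filenames = [m.group(1).decode("latin-1") for m in FNAME_RE.finditer(data)]
    has_attachment = counts["/EmbeddedFile"] > 0 or counts["/Filespec"] > 0
    has_auto_action = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    return {
        "counts": counts,
        "filenames": filenames,
        "attachment_with_auto_action": has_attachment and has_auto_action,
        # Objects packed in compressed object streams are invisible to a raw scan.
        "needs_objstm_unpack": counts["/ObjStm"] > 0,
    }


# Constructed sample: a hand-written PDF fragment, not taken from the campaign.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 4 0 R /Names << /EmbeddedFiles 2 0 R >> >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (has been verified.docx) /EF << /F 5 0 R >> >> endobj\n"
    b"5 0 obj << /Type /Embedded#46ile /Length 0 >> stream\nendstream endobj\n"
)

if __name__ == "__main__":
    report = triage_pdf(SAMPLE)
    print(report["counts"])
    print(report["filenames"], report["attachment_with_auto_action"])
```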