Hackers are now hiding malicious Word documents in PDFs — how to stay safe


Hackers have begun hiding malicious documents in PDF files as a means to spread malware while avoiding detection by security software.

As reported by BleepingComputer, Japan’s computer emergency response team (JPCERT) discovered a new attack method called “MalDoc in PDF” back in July of this year.

MalDoc in PDF attacks work by using polyglots: files built so that they are valid in two distinct file formats at the same time. In this case, the two formats are PDF and Microsoft Word. Which format gets parsed depends on the application that opens the file: a PDF viewer or a PDF analysis tool treats it as a PDF, while Microsoft Word opens the very same file as a Word document, including any macro it carries.

This isn’t the first time that hackers have leveraged polyglots in their attacks. These files are typically used to evade detection, since they look legitimate when inspected as one format while the malicious payload lives in the other.

Using macros to install malware

Although JPCERT hasn’t shared any details on the particular malware strain being used in this campaign, it did offer further details on how MalDoc in PDF attacks work.

The Word document embedded in these PDFs carries a VBA macro. When the file is opened in Microsoft Word rather than in a PDF viewer and the macro is allowed to run, it downloads and installs an MSI malware file on the victim’s computer.

Like other attacks that rely on Word files, this one only works if macros are allowed to run on the victim’s PC. If they are turned off, or blocked for files downloaded from the internet as current versions of Office do by default, MalDoc in PDF cannot bypass that setting to install malware. A practical rule follows from this: never enable macros for a file you expected to be a PDF, and be suspicious of any “PDF” that opens in Word at all.

According to JPCERT's blog post on the matter, the technique used in these MalDoc in PDF attacks is novel because the malicious Word document hidden in the PDF evades PDF analysis tools such as pdfid. Those tools look for suspicious PDF objects and keywords (JavaScript, launch actions, embedded files), and the Word part of the polyglot is not a PDF object at all, so the scanner sees only a benign PDF. To make these attacks easier for security firms and researchers to spot, JPCERT has published a Yara rule that looks for the combination of a PDF header and Word document markers in the same file.
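The following is an added example, not JPCERT’s code or its Yara rule, that makes the two points above concrete: it builds a constructed PDF/Word polyglot in the MalDoc in PDF style, shows why a keyword scanner in the style of pdfid reports nothing suspicious for it, and then flags it with the same kind of check a Yara rule would apply (PDF magic at offset zero, MHT headers and a Word document tag somewhere in the file). It assumes, as JPCERT described the samples, that the Word half is an MHT (Word-readable HTML) body appended after the PDF’s final %%EOF. All file contents are constructed inline; no macro code is included, only the marker strings a real MHT carries.

```python
"""
Added example (not JPCERT's code or Yara rule).

Builds a constructed PDF/MHT polyglot of the MalDoc-in-PDF shape and
shows why a pdfid-style keyword count misses it while a structural
check (PDF magic + MHT headers + Office tag) catches it.
Assumption: the Word half is an MHT body appended after %%EOF, as
JPCERT described; the bytes below are constructed, not a real sample.
"""

# Constructed minimal PDF. It has no /OpenAction, /JS, /Launch or
# /EmbeddedFile objects, so PDF-keyword scanners stay quiet.
PDF_PART = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Constructed MHT body of the kind Word opens as a .doc. The macro
# storage is represented only by the marker tags, not by any VBA.
MHT_PART = (
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/related; boundary=\"----=_NextPart_000\"\r\n"
    b"\r\n------=_NextPart_000\r\n"
    b"Content-Location: file:///C:/doc.htm\r\n"
    b"Content-Type: text/html; charset=\"windows-1252\"\r\n\r\n"
    b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\">\r\n"
    b"<xml><w:WordDocument><w:View>Print</w:View></w:WordDocument></xml>\r\n"
    b"</html>\r\n------=_NextPart_000--\r\n"
)

POLYGLOT = PDF_PART + MHT_PART  # PDF first, so magic bytes say "PDF"

# A subset of the keywords pdfid reports on. The point is that the
# appended Word/MHT part contributes none of them.
PDF_RISK_KEYWORDS = [b"/OpenAction", b"/AA", b"/JS", b"/JavaScript",
                     b"/Launch", b"/EmbeddedFile", b"/RichMedia", b"/ObjStm"]

# Markers a Yara-style rule can key on (matched case-insensitively).
MHT_MARKERS = [b"mime-version:", b"content-type:", b"content-location:"]
OFFICE_MARKERS = [b"<w:worddocument>", b"<x:excelworkbook>"]


def pdf_keyword_counts(data: bytes) -> dict:
    """Count PDF risk keywords the way a pdfid-style scanner would."""
    return {k.decode(): data.count(k) for k in PDF_RISK_KEYWORDS}


def detect_maldoc_in_pdf(data: bytes) -> dict:
    """Flag a file that starts as a PDF but also carries an MHT Office body.

    Mirrors the logic of a structural Yara rule: PDF magic at offset 0,
    at least one MHT header, and at least one Office document tag.
    Also reports how much data trails the last %%EOF, which for a normal
    PDF is (near) zero and for this polyglot is the whole Word part.
    """
    lowered = data.lower()
    is_pdf = data.startswith(b"%PDF-")
    last_eof = data.rfind(b"%%EOF")
    trailing = data[last_eof + len(b"%%EOF"):].strip() if last_eof != -1 else b""
    mht_hits = [m.decode() for m in MHT_MARKERS if m in lowered]
    office_hits = [m.decode() for m in OFFICE_MARKERS if m in lowered]
    return {
        "is_pdf": is_pdf,
        "bytes_after_eof": len(trailing),
        "mht_markers": mht_hits,
        "office_markers": office_hits,
        "maldoc_in_pdf": is_pdf and bool(mht_hits) and bool(office_hits),
    }


if __name__ == "__main__":
    print("pdfid-style keyword counts:", pdf_keyword_counts(POLYGLOT))
    print("structural check:", detect_maldoc_in_pdf(POLYGLOT))
```

Run against the constructed polyglot, the keyword counts are all zero, which is exactly what a pdfid-style scan shows an analyst, while the structural check reports `maldoc_in_pdf: True` together with a large `bytes_after_eof`. Either signal alone is weak (incremental-update PDFs legitimately have data after an earlier %%EOF, and an HTML file can contain Office tags), so the verdict requires all three conditions, the same shape a Yara rule for this technique takes.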

Still, an attack like this can be particularly confusing, since most people would never imagine that a single document could be two different file types at once.

How to stay safe from malicious documents


Hackers have many different tools in their arsenal, but malicious documents remain one of the most popular, second only to malicious apps. For this reason, you need to be extremely careful when opening any file that arrives in your inbox or that you’ve downloaded online.

While files from your friends, family and coworkers are normally fine to open, you still need to be on the lookout for red flags that suggest an email didn’t actually originate from someone you know. These include spelling and grammatical errors, as well as language that tries to instill a sense of urgency to get you to respond or to open an attachment.

At the same time, you should be using the best antivirus software on your PC, the best Mac antivirus software on your Mac and one of the best Android antivirus apps on your Android smartphone. This way, even if you do download a malicious document or other dangerous file, your antivirus has a chance to flag it before it does any harm.

Now that JPCERT has shone a light on MalDoc in PDF attacks, hackers may try something similar with a different pair of file types. However, as long as you’re careful online, keep macros disabled and avoid downloading attachments or files from shady websites, you’ll be far less likely to fall for their tricks.

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
