MalDoc in PDF: Technique of Hiding Malicious Word Files into PDFs Raises Concern
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
Security researchers at Japan's computer emergency response team (JPCERT) discovered a new attack technique, dubbed "MalDoc in PDF", that can evade antivirus detection.
This form of attack, in which a malicious Word file is embedded within a legitimate-looking PDF document, was observed in a July 2023 investigation of an in-the-wild attack.
Although the researchers did not share any information about the type of malware, they did offer technical details about the MalDoc in PDF campaign.
The seemingly harmless PDF file, which contains the malicious Word document and its VBA macro, can be opened in Microsoft Word. The macro's malicious activity runs as soon as the file is launched in Word.
In the confirmed attack, JPCERT observed that the document carried a .doc file extension rather than .pdf. "The attacker adds an mht file created in Word and with macro attached after the PDF file object and saves it. The created file is recognized as a PDF file in the file signature, but it can also be opened in Word," further investigation revealed.
According to the researchers, traditional PDF analysis tools such as pdfid may not detect the malicious components of such a file because of this dual nature: the file exhibits malicious behavior when opened in Word, while no such behavior can be observed when it is launched in a PDF viewer. "Since the file is recognized as a PDF file, existing sandbox or antivirus software may not detect it," the advisory noted.
While pdfid was cited as ineffective for detection, the Word file analysis tool OLEVBA was identified as an effective countermeasure to this technique.
The agency also shared a second countermeasure, a Yara rule for detecting this form of attack. In their test they embedded an Excel file in a PDF document; the rule raised a warning when it detected a mismatch in file extensions.
In conclusion, JPCERT stated that such techniques remain a challenge for cybersecurity teams, since they can bypass antivirus software and execute malicious activities on any system.
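The two checks described above (a PDF signature with MHT/Word content behind it, and a file whose extension disagrees with its signature) are easy to express as a triage script that decides whether a file deserves a closer look with olevba. The following is an added example written for this article, not JPCERT's Yara rule or any tool's own code. It assumes that the MIME header strings listed in `MHT_MARKERS` are what a Word-saved MHT file typically carries, and that two or more of them inside a file that starts with `%PDF-` is enough to flag it; the sample inputs are constructed for the demonstration and contain no macro or payload.

```python
import os

PDF_MAGIC = b"%PDF-"

# Strings that an MHT (MHTML) document saved from Word normally carries.
# Assumption made for this example: two or more of them inside a file that
# carries a PDF signature is enough to flag it for analyst review (e.g. with
# olevba); a production check would also parse the PDF objects and MIME parts.
MHT_MARKERS = (
    b"MIME-Version:",
    b"Content-Type: multipart/related",
    b"Content-Location:",
    b"<html",
)

# Assumption: any Word-style extension on a PDF-signature file is a mismatch.
WORD_EXTENSIONS = {".doc", ".docm", ".docx", ".dot", ".dotm"}


def has_pdf_signature(data: bytes) -> bool:
    """True when the file begins with the PDF magic, which is what
    signature-based classifiers (and pdfid) key on."""
    return data.startswith(PDF_MAGIC)


def trailing_bytes_after_pdf(data: bytes) -> bytes:
    """Return whatever follows the last %%EOF marker; an empty result means
    the file ends where the PDF structure ends."""
    idx = data.rfind(b"%%EOF")
    if idx == -1:
        return b""
    return data[idx + len(b"%%EOF"):]


def analyze(data: bytes) -> dict:
    """Report the signature, which MHT markers are present (overall and after
    the PDF trailer), and whether the combination matches the
    PDF-signature-plus-Word/MHT-body shape described for MalDoc in PDF."""
    is_pdf = has_pdf_signature(data)
    found = [m.decode() for m in MHT_MARKERS if m in data]
    tail = trailing_bytes_after_pdf(data)
    tail_found = [m.decode() for m in MHT_MARKERS if m in tail]
    return {
        "is_pdf": is_pdf,
        "mht_markers": found,
        "mht_markers_after_eof": tail_found,
        "suspicious": is_pdf and len(found) >= 2,
    }


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the signature says PDF but the file name says Word document,
    the .doc-named PDF that JPCERT observed in the wild."""
    ext = os.path.splitext(filename)[1].lower()
    return has_pdf_signature(data) and ext in WORD_EXTENSIONS


# Constructed sample inputs (not real malware): a minimal PDF, and the same
# PDF with MHT-style headers appended, which mimics only the file layout.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n"
    b"%%EOF\n"
)
POLYGLOT_SHAPED = BENIGN_PDF + (
    b"MIME-Version: 1.0\n"
    b"Content-Type: multipart/related; boundary=\"----=_CONSTRUCTED\"\n"
    b"\n------=_CONSTRUCTED\n"
    b"Content-Location: file:///C:/constructed.htm\n"
    b"Content-Type: text/html; charset=\"us-ascii\"\n"
    b"\n<html><body>placeholder</body></html>\n"
)

if __name__ == "__main__":
    for name, blob in (("benign.pdf", BENIGN_PDF), ("invoice.doc", POLYGLOT_SHAPED)):
        report = analyze(blob)
        report["extension_mismatch"] = extension_mismatch(name, blob)
        print(name, report)
```

The script only decides which files to hand to a macro-aware tool; a hit on `suspicious` or `extension_mismatch` is a reason to run olevba on the file rather than a verdict by itself, since a PDF with a legitimately embedded HTML attachment can also contain these markers.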
University of Sydney Suffers Third-Party Data Breach
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
In the last week of August, the University of Sydney disclosed a data breach incident affecting recent international students and applicants. The attack is said to have occurred at one of its third-party service providers.
Established in 1850, the University is among the top 20 educational institutes in Australia with 74,000 students and 8,100 academic and operations staff.
According to the published notification, only a limited number of international students who had applied to or enrolled at the University had their personal information exposed. The preliminary investigation revealed that no domestic students, staff, alumni, or donors were affected.
"The issue was isolated to a single platform and had no impact on other university systems. There is currently no evidence that any personal information has been misused. We are working to contact impacted students and applicants and will continue to monitor our systems," it added.
The notice did not reveal details about the attack, the supply-chain vendor, or the threat actors, nor the number of applicants affected or the nature of the compromised information. However, the University said it had taken the necessary measures to mitigate the attack and secure its systems.
It informed the relevant cybersecurity authorities and notified the New South Wales privacy commissioner. It also advised affected individuals to contact the University and to consult its list of cybersecurity best practices for students, available on the University website.
Students can also email ict.support@sydney.edu.au with questions or to report suspicious activity such as phishing or identity theft.
Recent months have seen an increase in cyberattacks on higher education institutions worldwide. The previous two months saw attacks on the University of Michigan and the University of Manchester; both incidents involved either a disruption of operations or the extraction of data by threat actors.