This malware-spreading PDF uses a sneaky file name to trick the unwary

Researchers find a malware campaign that uses file-naming trickery to get victims to download malicious files from the internet.
Written by Liam Tung, Contributing Writer

Attackers using the Snake keylogger malware for Windows are emailing malicious PDFs with embedded Word documents to infect victims' PCs and steal information. 

Malicious PDFs are an unusual tool to use today because attackers prefer Office formats like Word and Excel that are more familiar to PC users, according to threat analysts at HP's Wolf Security, who recently discovered the PDF malware campaign. 

The malicious PDF was used to infect PCs with Snake, a keylogger and credential stealer that was first spotted in late November 2020, according to HP

SEE: Just in time? Bosses are finally waking up to the cybersecurity threat

The attackers sent email with an attached PDF document named "REMMITANCE INVOICE.pdf" with an embedded Word document named "has been verified. However PDF, Jpeg, xlsx, .docs". 

The reason for choosing this odd and actually rather sneaky file name for the Word document becomes clear when viewing the prompt that Adobe Reader displays when checking whether the user approves opening this file. 

The prompt reads: "The file 'has been verified. However PDF, Jpeg, xlsx, .docs' may contain programs, macros, or viruses that could potentially harm your computer."

An employee who hastily reads the notice could mistakenly understand that the file in question has been verified and is safe to open. 

Should the recipient then select "Open this file", Microsoft Word opens. As HP notes, if Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which is then run in the context of the open document. (It should be noted that Microsoft Office opens documents from the internet in Protected View or Application Guard for Office by default.)

Upon analyzing the Word document, HP's analysts found an illegitimate URL from which an external object linking and embedding (OLE) object was loaded. The OLE object also contains shellcode that exploits the CVE-2017-11882, which is an old remote code execution vulnerability in Microsoft Office Equation Editor that's still popular with hackers.  

The shellcode downloads an executable called fresh.exe that is in fact the Snake keylogger, which has historically been distributed via malicious RFT documents or archive files attached to emails.  

"While Office formats remain popular, this campaign shows how attackers are also using weaponized PDF documents to infect systems. Embedding files, loading remotely-hosted exploits and encrypting shellcode are just three techniques attackers use to run malware under the radar. The exploited vulnerability in this campaign (CVE-2017-11882) is over four years old, yet continues being used, suggesting the exploit remains effective for attackers," HP notes. 

Editorial standards