PDF attachments used in circulating Snake Keylogger malware to infect users through malicious word documents laced with malware-loading macro code to evade dete...
Threat researchers have discovered a new malware distribution campaign that uses PDF attachments to carry infected Word documents to its targets.
Most phishing emails today carry DOCX or XLS attachments containing malware-loading macro code, so PDF attachments are comparatively rare.
As users grow more aware of the dangers of opening fraudulent Microsoft Office attachments, however, threat actors resort to different techniques to distribute harmful macros and avoid detection.
In a recent analysis from HP Wolf Security, researchers demonstrate how PDFs are being leveraged as a delivery mechanism for documents containing malicious macros that download and install information-stealing malware on victims' computers.
In a campaign observed by HP Wolf Security, the PDF attachment arriving by email is titled "Remittance Invoice," and the email body likely offers vague assurances of payment.
When the PDF is opened, Adobe Reader prompts the user to open an embedded DOCX file, which is itself unusual and may confuse the victim.
Because the threat actors titled the embedded document "has been validated," the Open File prompt displays "The file has been confirmed." This message may mislead readers into assuming that Adobe has authenticated the file and that it is safe to open.
[Figure: PDF document prompting the user to open another document]
Malware analysts can inspect files embedded in PDFs with parsers and scripts, but average users who receive these deceptive emails would not go that far, or even know where to begin.
As a result, many individuals may open the DOCX file in Microsoft Word, and if macros are enabled, it will download and open an RTF (rich text format) file from a remote location.
[Figure: HTTP GET request returning the RTF file]
The payload is hosted at the URL "vtaurl[.]com/IHytw", which is hardcoded into the Word document; the RTF file is downloaded by a command embedded in the document that references that URL.
[Figure: List of URLs in the Word document]
The "f_document_shp.doc" RTF document contains malformed OLE objects, likely intended to circumvent detection. After some targeted reconstruction of those objects, HP's experts found that the file tries to exploit an outdated Microsoft Equation Editor vulnerability to run arbitrary code.
[Figure: Decrypted shellcode presenting the payload (HP)]
The shellcode targets CVE-2017-11882, a remote code execution vulnerability in Equation Editor that was patched in November 2017 but is still exploited in the wild.
As a result of the sluggish patching that followed the disclosure of this vulnerability, it became one of the most abused flaws of 2018.
Through exploitation of CVE-2017-11882, the shellcode in the RTF downloads and executes Snake Keylogger, a modular information stealer with persistence, defense evasion, credential access, data harvesting, and data exfiltration capabilities.
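As an added example (not from HP's report or this article), here is a small Python triage script applying two checks a defender could run against an attachment chain like this one: listing the filenames of documents embedded in a PDF through /Filespec entries, and flagging an RTF that carries an OLE object referencing Equation Editor, the component targeted by CVE-2017-11882. The sample PDF and RTF bytes are constructed, the regexes are heuristics that only see uncompressed PDF objects, and the embedded filename "has been validated.docx" is an assumed name mirroring the prompt trick described above.

```python
import re

# Heuristic scan of raw PDF bytes for /Filespec dictionaries carrying an embedded
# file. Only uncompressed objects are visible; real triage would inflate object streams first.
FILESPEC_RE = re.compile(rb"/Filespec")
NAME_RE = re.compile(rb"/(?:UF|F)\s*\(((?:\\.|[^\\)])*)\)")
OFFICE_EXT = (".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm")

# Markers of an Equation Editor OLE object inside RTF: the ProgID and the
# CLSID of the Equation 3.0 server targeted by CVE-2017-11882.
EQNEDT_MARKERS = (b"equation.3", b"0002ce02-0000-0000-c000-000000000046")

def pdf_embedded_files(data: bytes) -> list:
    """Return filenames of documents embedded in a PDF through /Filespec."""
    names = []
    for m in FILESPEC_RE.finditer(data):
        window = data[m.end():m.end() + 400]   # rest of the file specification
        if b"/EF" not in window and b"/EmbeddedFile" not in window:
            continue                            # spec points at an external file
        name = NAME_RE.search(window)
        if name:
            names.append(name.group(1).decode("latin-1"))
    return names

def suspicious_embedded_docs(data: bytes) -> list:
    """Embedded files whose extension says 'Office document' rather than PDF."""
    return [n for n in pdf_embedded_files(data)
            if n.lower().endswith(OFFICE_EXT)]

def rtf_has_equation_editor(data: bytes) -> bool:
    """True if the RTF carries an OLE object that references Equation Editor."""
    low = data.lower()
    return b"\\objdata" in low and any(mk in low for mk in EQNEDT_MARKERS)

# Constructed samples (not the real campaign files): a PDF whose embedded DOCX
# is named so the viewer's prompt reads "...has been validated", and an RTF
# with an Equation.3 object.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >> endobj\n"
    b"2 0 obj << /Names [(has been validated) 3 0 R] >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (has been validated.docx)"
    b" /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 2 >> stream\nPK\nendstream endobj\n"
)
SAMPLE_RTF = (
    b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000020000000b000000}}}"
)
```

Run `suspicious_embedded_docs(SAMPLE_PDF)` and `rtf_has_equation_editor(SAMPLE_RTF)` against the constructed samples to see both checks fire; a PDF whose /Filespec only links an external file is not reported.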