For the past decade, attackers have preferred to package malware in Microsoft Office file formats, particularly Word and Excel. In fact, in Q1 2022 nearly half (45%) of malware stopped by HP Wolf Security used Office formats. The reasons are clear: users are familiar with these file types, the applications used to open them are ubiquitous, and they are suited to social engineering lures.
In this post, we look at a malware campaign isolated by HP Wolf Security earlier this year that had an unusual infection chain. The malware arrived in a PDF document – a format attackers less commonly use to infect PCs – and relied on several tricks to evade detection, such as embedding malicious files, loading remotely-hosted exploits, and shellcode encryption.
Figure 1 – Alert timeline in HP Wolf Security Controller showing the malware being isolated.
PDF Campaign Delivering Snake Keylogger
A PDF document named “REMMITANCE INVOICE.pdf” (the misspelling is the attacker’s) was sent to a target as an email attachment. Because the document arrived through a risky vector – email, in this case – HP Sure Click opened it in an isolated micro virtual machine when the user clicked on it, so the host system was never exposed to the infection.
When the document is opened, Adobe Reader prompts the user to open a .docx file embedded in the PDF. Reader shows the name of the embedded file inside its warning dialog, and the attackers exploited this by naming the Word document “has been verified. However PDF, Jpeg, xlsx, .docx”, so that the file name reads as part of the dialog’s own text rather than as the name of the file about to be launched (Figure 2).
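The attachment-plus-prompt pattern described above is something a first-pass triage script can check for. The following is an added example, not code from the HP Wolf Security post or from the sample it describes. It builds a constructed PDF that carries a FlateDecode-compressed attachment under the same lure file name and an OpenAction that asks Reader to export and launch it; the trigger used here (Acrobat JavaScript exportDataObject with nLaunch=2, which saves and launches the attachment) is an assumption for illustration, since the post does not say how the real PDF raised its prompt. It then scans the file the way a triage pass would: inflate every stream so dictionaries packed into object streams are visible, pull attachment names out of /Filespec dictionaries, identify the attachment’s real content by magic bytes, flag names that read like sentence fragments, and record any OpenAction, JavaScript or Launch action.

```python
import re
import zlib

# Constructed sample data. This illustrates the pattern, it is not the
# content of the real "REMMITANCE INVOICE.pdf" sample.
LURE_NAME = "has been verified. However PDF, Jpeg, xlsx, .docx"
PAYLOAD = b"PK\x03\x04" + b"placeholder zip body, not a real docx"

LITERAL = rb"\((?:\\.|[^\\)])*\)"   # PDF literal string, honours \( \) \\
HEXSTR = rb"<[0-9A-Fa-f\s]*>"      # PDF hex string
MAGICS = [
    (b"PK\x03\x04", "zip/OOXML (docx, xlsx, pptx)"),
    (b"\xd0\xcf\x11\xe0", "OLE2 (legacy doc/xls)"),
    (b"%PDF", "PDF"),
    (b"MZ", "PE executable"),
    (b"{\\rtf", "RTF"),
]


def _pdf_str(s: str) -> bytes:
    """Encode a Python string as an escaped PDF literal string."""
    return b"(" + re.sub(rb"([()\\])", rb"\\\1", s.encode("latin-1")) + b")"


def build_sample_pdf(name: str = LURE_NAME, payload: bytes = PAYLOAD) -> bytes:
    """One-page PDF with a Flate-compressed attachment and an OpenAction that
    exports and launches it. The exportDataObject trigger is an assumption."""
    js = 'this.exportDataObject({cName:"%s", nLaunch:2});' % name
    body = zlib.compress(payload)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R /Names << /EmbeddedFiles "
        b"<< /Names [" + _pdf_str(name) + b" 5 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n" % len(body)
        + body + b"\nendstream",
        b"<< /Type /Filespec /F " + _pdf_str(name) + b" /UF " + _pdf_str(name)
        + b" /EF << /F 4 0 R >> >>",
        b"<< /S /JavaScript /JS " + _pdf_str(js) + b" >>",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for i, obj in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


def _decode_pdf_string(tok: bytes) -> str:
    if tok.startswith(b"<"):
        return bytes.fromhex(tok[1:-1].decode("ascii")).decode("latin-1")
    return re.sub(rb"\\([()\\])", rb"\1", tok[1:-1]).decode("latin-1")


def _inflate(body: bytes) -> bytes:
    # decompressobj tolerates a truncated trailer and still returns the data.
    return zlib.decompressobj().decompress(body)


def _inflate_streams(data: bytes) -> bytes:
    """Return the file plus the inflated content of every Flate stream, so that
    dictionaries hidden in object streams (/ObjStm) are visible to the regexes."""
    chunks = [data]
    for m in re.finditer(rb"\bstream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            chunks.append(_inflate(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(chunks)


def attachment_names(buf: bytes) -> list:
    """File names declared by /Filespec dictionaries (prefers /UF over /F)."""
    names = []
    for m in re.finditer(rb"/Type\s*/Filespec\b", buf):
        start = max(buf.rfind(b"<<", 0, m.start()), 0)
        window = buf[start:start + 2048]
        hit = (re.search(rb"/UF\s*(" + LITERAL + b"|" + HEXSTR + b")", window)
               or re.search(rb"/F\s*(" + LITERAL + b"|" + HEXSTR + b")", window))
        if hit:
            names.append(_decode_pdf_string(hit.group(1)))
    return names


def attachment_types(data: bytes) -> list:
    """Identify each /EmbeddedFile stream by magic bytes, inflating if needed."""
    types = []
    pat = rb"/Type\s*/EmbeddedFile\b(.*?)\bstream\r?\n(.*?)\r?\nendstream"
    for m in re.finditer(pat, data, re.S):
        dict_text, body = m.group(1), m.group(2)
        if b"/FlateDecode" in dict_text:
            try:
                body = _inflate(body)
            except zlib.error:
                pass
        types.append(next((label for magic, label in MAGICS if body.startswith(magic)), "unknown"))
    return types


def name_looks_like_prose(name: str) -> bool:
    """A genuine attachment name is short with one extension; a name meant to be
    read as dialog text has sentence punctuation or several extension tokens."""
    exts = re.findall(r"\.(docx?|xlsx?|pptx?|pdf|jpe?g|png|exe|js|vbs|lnk|zip)\b", name, re.I)
    sentence = re.search(r"[.!?,]\s", name) is not None
    return sentence or len(exts) > 1


def triage(data: bytes) -> dict:
    buf = _inflate_streams(data)
    names = attachment_names(buf)
    return {
        "attachment_names": names,
        "attachment_types": attachment_types(data),
        "prose_like_names": [n for n in names if name_looks_like_prose(n)],
        "open_action": re.search(rb"/OpenAction\b", buf) is not None,
        "additional_actions": re.search(rb"/AA\b", buf) is not None,
        "javascript": re.search(rb"/(JavaScript|JS)\b", buf) is not None,
        "launch": re.search(rb"/S\s*/Launch\b", buf) is not None,
        "export_data_object": b"exportDataObject" in buf,
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_pdf()).items():
        print(f"{key}: {value}")
```

This is deliberately a regex pass over bytes rather than a PDF parser: it is enough to surface an attachment whose name is a sentence fragment, whose content is a zip/OOXML container, and which is paired with an OpenAction and JavaScript, which together are the signals a triage analyst would want before handing the file to a sandbox. It does not handle encrypted documents, filters other than FlateDecode, or UTF-16 file names, so for full analysis of a real sample use a dedicated tool such as pdf-parser.py or peepdf.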