skip to Main Content

At The Identity Organisation, we're here to help!

    Your privacy is important to us, and we want to communicate with you in a way which has your consent and which is in line with UK Law on data protection. As a result of a change in UK law on 25th May 2018, by providing us with your personal details you consent to us processing your data in line with current GDPR requirements.

    Here is where you can review our Privacy & GDPR Statement

    To remove consent at any time, please e-mail with the word "unsubscribe" as the subject.

    +44 (0) 1628 308038

    PDF smuggles Microsoft Word doc to drop Snake Keylogger malware

    Threat analysts have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware.

    The choice of PDFs is unusual, as most malicious emails today arrive with DOCX or XLS attachments laced with malware-loading macro code.

    However, as people become more educated about opening malicious Microsoft Office attachments, threat actors switch to other methods to deploy malicious macros and evade detection.

    In a new report by HP Wolf Security, researchers illustrate how PDFs are being used as a transport for documents with malicious macros that download and install information-stealing malware on victim’s machines.

    Embedding Word in PDFs

    In a campaign seen by HP Wolf Security, the PDF arriving via email is named “Remittance Invoice,” and our guess is that the email body contains vague promises of payment to the recipient.

    When the PDF is opened, Adobe Reader prompts the user to open a DOCX file contained inside, which is already unusual and might confuse the victim.

    Because the threat actors named the embedded document “has been verified,” the Open File prompt below states, “The file ‘has been verified.” This message could trick recipients into believing that Adobe verified the file as legitimate and that the file is safe to open.

    The deployed shellcode exploits CVE-2017-11882, a remote code execution bug in Equation Editor fixed in November 2017 but still available for exploitation in the wild.

    That flaw immediately caught the attention of hackers when it was disclosed, while the slow patching that followed resulted in it becoming one of the most exploited vulnerabilities in 2018.

    By exploiting CVE-2017-11882, the shellcode in the RTF downloads and runs Snake Keylogger, a modular info-stealer with powerful persistence, defense evasion, credential access, data harvesting, and data exfiltration capabilities.

    With thanks to thye Cyber Defence Alliance and BleepingComputer. The full story is here:

    Request A Quote: Security Awareness Training


    New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn’t a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your quote for KnowBe4’s security awareness training and simulated phishing platform and find out how affordable this is!

    PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser:


    Sign Up to the TIO Intel Alerts!

    Back To Top