Malicious Documents: A Bit Of News

Published: 2017-04-23
Last Updated: 2017-04-23 20:04:40 UTC
by Didier Stevens (Version: 1)
2 comment(s)

This week I saw again a PDF containing a malicious Word document with macros (a downloader).

The PDF contains JavaScript to extract the malicious Word document and launch Word. The user is prompted before this action takes place, but if you want to mitigate this, you can disable JavaScript. If you use Adobe Reader version 15.009.20069 or later, then the extracted Word document is marked with a mark-of-web, regardless if the containing PDF document is marked as such.

I made a video of the analysis of this document.


There has been a lot of talk about RTF documents exploiting CVE-2017-0199, making Word download and execute an HTML application without requiring any user interaction (except taking the document out of Protected View, depending on the presence of a mark-of-web). And this without VBA macros (RTF does not support VBA macros).

After applying Microsoft's patch for CVE-2017-0199, a downloaded HTA is no longer executed, but it is still downloaded without user interaction. The attention that the RTF auto-update technique received (employed for delivering a CVE-2017-0199 exploit), will certainly stimulate the use of this technique for other purposes, like tracking.

Didier Stevens
Microsoft MVP Consumer Security

Keywords: maldoc pdf rtf word
2 comment(s)


Lets not focus on the threat, focus on the exploit which is aimed at Word. In simple terms, Word is the problem. So take MS Word out of the equation. Associate .docx, and now apparently even .rtf, with WordPad. WordPad is NOT script enabled, so at least the VBS and other scripts wont execute. Not sure if web will execute in WordPad (probably worth a test). Using WordPad isnt going to be a perfect solution, but when users see encoded characters and not documents, you may get a few more to wake up. And even when they see good docs in WordPad, its a user-level filter before running Word.
The vulnerability can be exploited via WordPad too. There is a Windows patch and an Office patch for cve-2017-0199.

Here is a screenshot of how WordPad behaves after patching:

Diary Archives