{
	"id": "2eb66700-5cd5-46cb-a6e1-ba88942dc0ee",
	"created_at": "2026-04-06T00:18:02.719743Z",
	"updated_at": "2026-04-10T03:24:29.420738Z",
	"deleted_at": null,
	"sha1_hash": "cb2459ca94a44e94d8bf2f22ebee94abae7708b8",
	"title": "PDF smuggles Microsoft Word doc to drop Snake Keylogger malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3643829,
	"plain_text": "PDF smuggles Microsoft Word doc to drop Snake Keylogger malware\r\nBy Bill Toulas\r\nPublished: 2022-05-22 · Archived: 2026-04-05 16:59:01 UTC\r\nThreat analysts have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware.\r\nThe choice of PDFs is unusual, as most malicious emails today arrive with DOCX or XLS attachments laced with malware-loading macro code.\r\nHowever, as people become more educated about opening malicious Microsoft Office attachments, threat actors switch to other methods to deploy malicious macros and evade detection.\r\nhttps://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/\r\nPage 1 of 6\r\nIn a new report by HP Wolf Security, researchers illustrate how PDFs are being used as a transport for documents with malicious macros that download and install information-stealing malware on victims' machines.\r\nEmbedding Word in PDFs\r\nIn a campaign seen by HP Wolf Security, the PDF arriving via email is named \"Remittance Invoice,\" and our guess is that the email body contains vague promises of payment to the recipient.\r\nWhen the PDF is opened, Adobe Reader prompts the user to open a DOCX file contained inside, which is already unusual and might confuse the victim.\r\nBecause the threat actors named the embedded document \"has been verified,\" the Open File prompt below states, \"The file 'has been verified'.\" This message could trick recipients into believing that Adobe verified the file as legitimate and that the file is safe to open.\r\nDialog requesting action approval (HP)\r\nWhile malware analysts can inspect embedded files in PDFs using parsers and scripts, regular users who receive these tricky emails wouldn’t go that far or even know where to start.\r\nAs such, many may open the DOCX in Microsoft Word, and if macros are enabled, the document will download an RTF (rich text format) file from a remote resource and open it.\r\nGET request to fetch the RTF file (HP)\r\nThe download of the RTF is the result of the following command, embedded in the Word file along with the hardcoded URL “vtaurl[.]com/IHytw”, which is where the payload is hosted.\r\nURL that hosts the RTF file (HP)\r\nExploiting old RCE\r\nThe RTF document is named “f_document_shp.doc” and contains malformed OLE objects, likely to evade analysis. After some targeted reconstruction, HP’s analysts found that it attempts to abuse an old Microsoft Equation Editor vulnerability to run arbitrary code.\r\nDecrypted shellcode presenting the payload (HP)\r\nThe deployed shellcode exploits CVE-2017-11882, a remote code execution bug in Equation Editor fixed in November 2017 but still exploited in the wild.\r\nThat flaw immediately caught the attention of hackers when it was disclosed, while the slow patching that followed resulted in it becoming one of the most exploited vulnerabilities in 2018.\r\nBy exploiting CVE-2017-11882, the shellcode in the RTF downloads and runs Snake Keylogger, a modular info-stealer with powerful persistence, defense evasion, credential access, data harvesting, and data exfiltration capabilities.\r\nSource: https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/"
	],
	"report_names": [
		"pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434682,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb2459ca94a44e94d8bf2f22ebee94abae7708b8.pdf",
		"text": "https://archive.orkl.eu/cb2459ca94a44e94d8bf2f22ebee94abae7708b8.txt",
		"img": "https://archive.orkl.eu/cb2459ca94a44e94d8bf2f22ebee94abae7708b8.jpg"
	}
}