# PDF smuggles Microsoft Word doc to drop Snake Keylogger malware **[bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/](https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/)** Bill Toulas By [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/) May 22, 2022 12:15 PM 0 Threat analysts have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware. The choice of PDFs is unusual, as most malicious emails today arrive with DOCX or XLS attachments laced with malware-loading macro code. However, as people become more educated about opening malicious Microsoft Office attachments, threat actors switch to other methods to deploy malicious macros and evade detection. [In a new report by HP Wolf Security, researchers illustrate how PDFs are being used as a](https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/#) transport for documents with malicious macros that download and install information-stealing malware on victim's machines. ## Embedding Word in PDFs ----- In a campaign seen by HP Wolf Security, the PDF arriving via email is named "Remittance Invoice," and our guess is that the email body contains vague promises of payment to the recipient. When the PDF is opened, Adobe Reader prompts the user to open a DOCX file contained inside, which is already unusual and might confuse the victim. Because the threat actors named the embedded document "has been verified," the Open File prompt below states, "The file 'has been verified." This message could trick recipients into believing that Adobe verified the file as legitimate and that the file is safe to open. **Dialog requesting** **action approval** _(HP)_ ----- While malware analysts can inspect embedded files in PDFs using parsers and scripts, regular users who receive these tricky emails wouldn’t go that far or even know where to start. As such, many may open the DOCX in Microsoft Word, and if macros are enabled, will download an RTF (rich text format) file from a remote resource and open it. **GET request to fetch the RTF file** _(HP)_ The download of the RTF is the result of the following command, embedded in the Word file along with the hardcoded URL “vtaurl[.]com/IHytw”, which is where the payload is hosted. **URL that hosts the RTF file (HP)** ----- ## Exploiting old RCE The RTF document is named “f_document_shp.doc” and contains malformed OLE objects, likely to evade analysis. After some targeted reconstruction, HP’s analysts found that it attempts to abuse an old Microsoft Equation Editor vulnerability to run arbitrary code. **Decrypted** **shellcode presenting the payload** _(HP)_ The deployed shellcode exploits CVE-2017-11882, a remote code execution bug in Equation Editor [fixed in November 2017 but still available for exploitation in the wild.](https://www.bleepingcomputer.com/news/microsoft/microsoft-november-patch-tuesday-fixes-53-security-issues/) [That flaw immediately caught the attention of hackers when it was disclosed, while the slow](https://www.bleepingcomputer.com/news/security/a-hacking-group-is-already-exploiting-the-office-equation-editor-bug/) [patching that followed resulted in it becoming one of the most exploited vulnerabilities in](https://www.bleepingcomputer.com/news/security/80-percent-of-the-top-exploited-vulnerabilities-targeted-microsoft-in-2018/) 2018. By exploiting CVE-2017-11882, the shellcode in the RTF downloads and runs Snake Keylogger, a modular info-stealer with powerful persistence, defense evasion, credential access, data harvesting, and data exfiltration capabilities. ### Related Articles: [Historic Hotel Stay, Complementary Emotet Exposure included](https://www.bleepingcomputer.com/news/security/historic-hotel-stay-complementary-emotet-exposure-included/) [FluBot Android malware targets Finland in new SMS campaigns](https://www.bleepingcomputer.com/news/security/flubot-android-malware-targets-finland-in-new-sms-campaigns/) [German automakers targeted in year-long malware campaign](https://www.bleepingcomputer.com/news/security/german-automakers-targeted-in-year-long-malware-campaign/) ----- [Ukraine warns of chemical attack phishing pushing stealer malware](https://www.bleepingcomputer.com/news/security/ukraine-warns-of-chemical-attack-phishing-pushing-stealer-malware/) [Phishing attacks target countries aiding Ukrainian refugees](https://www.bleepingcomputer.com/news/security/phishing-attacks-target-countries-aiding-ukrainian-refugees/) [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/) Bill Toulas is a technology writer and infosec news reporter with over a decade of experience working on various online publications. An open source advocate and Linux enthusiast, is currently finding pleasure in following hacks, malware campaigns, and data breach incidents, as well as by exploring the intricate ways through which tech is swiftly transforming our lives. -----