Hackers are using polyglots to try and get their targets to install malware on their devices, experts have warned.
Research from the Japanese computer emergency response team (JPCERT) has revealed that hackers are distributing a file that can be either a .PDF file, or a .DOCX file.
Polyglots are file types that feature two different formats, and as such, carry two different extensions.
The file in question, a .PDF document, hosts a Word document that carries a VBS macro. If the victim opens the file with Microsoft Word, the file will download and install MSI malware. The silver lining here is that Macros are still disabled by default in Microsoft Office programs. That means that even if the victim downloads and runs the malicious file, they still need to manually disable these protections and unblock the file, in order to have the macro download the malware and infect the endpoint.
The Japanese researchers did not say who was behind the campaign, or which malware was being distributed. They did say that the attack was first detected in July this year, and that it managed to successfully bypass antivirus detection in at least one instance. This is probably because most scanning engines see the file as a .PDF, despite it being opened as a regular Word document, the researchers speculate.
The abuse of polyglot files to work around antivirus programs is nothing new and has been well documented before, BleepingComputer reminds, but adds that the researchers see this specific technique as “novel”.
Last year, Microsoft finally decided to block macros running on default within Office files, due to the overwhelming abuse of the feature by various threat actors. Instead, only files that weren’t downloaded from the wider internet can have macros enabled without needing to go through multiple activation steps.