Add Maldoc in PDF polyglot fileformat module #20072
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: RAMELLA Sebastien <[email protected]>
jvoisin
reviewed
Apr 23, 2025
Signed-off-by: RAMELLA Sebastien <[email protected]>
Signed-off-by: RAMELLA Sebastien <[email protected]>
Signed-off-by: RAMELLA Sebastien <[email protected]>
There was a problem hiding this comment.
Hey @mekhalleh, reviewed your module and left some comments. The module itself seems to be working fine.
Signed-off-by: RAMELLA Sebastien <[email protected]>
hello @msutovsky-r7 thanks for the review. and sorry for the time taken to reply :) all is done. |
This will look better in Metasploit wrapup blog Co-authored-by: Julien Voisin <[email protected]>
msutovsky-r7
approved these changes
May 29, 2025
msutovsky-r7
changed the title
| 'Notes' => { | ||
| 'Stability' => [CRASH_SAFE], | ||
| 'Reliability' => [], | ||
| 'SideEffects' => [] |
There was a problem hiding this comment.
Suggested change
| 'SideEffects' => [] | |
| 'SideEffects' => [ARTIFACTS_ON_DISK] |
|
I'm considering one additional change: is there any way to only have a docx as template, add payload from Metasploit as macro and then do the final conversion to PDF? It would provide bit better usability as there would be no need to add macro payload manually. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The technique is called "MalDoc in PDF". This technique hides malicious Word documents in PDF files, which is why malicious code contained in them cannot be detected by many analysis tools.
The document can be opened in both Microsoft Word and a PDF reader.
However, for the macro to run, you must open this document in Microsoft Word. The attack does not bypass configured macro locks. The malicious macros are also not executed when the file is opened in PDF readers or similar software.
Verification
List the steps needed to make sure this thing works
msfconsoleuse auxiliary/fileformat/maldoc_in_pdf_polyglotset FILENAME /tmp/macro.htmrunOptions
FILENAME
The input MHT filename with macro embedded.
INJECTED_PDF
The input PDF filename to be injected. (optional)
MESSAGE_PDF
The message to display in the local PDF template (if INJECTED_PDF is NOT used). Default: You must open this document in Microsoft Word
Results
The document can be opened in both Microsoft Word and a PDF reader.
A malicious MHT file created can be opened in Microsoft Word even though it has magic numbers and file
structure of PDF.