Add: Maldoc in PDF polyglot fileformat module #20072
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: RAMELLA Sebastien <[email protected]>
jvoisin
reviewed
Apr 23, 2025
| }, | ||
| 'License' => MSF_LICENSE, | ||
| 'Author' => [ | ||
| 'mekhalleh (RAMELLA Sebastien)' # module author powered by EXA Reunion (https://www.exa.re/) |
There was a problem hiding this comment.
Suggested change
| 'mekhalleh (RAMELLA Sebastien)' # module author powered by EXA Reunion (https://www.exa.re/) | |
| 'RAMELLA "mekhalleh" Sebastien from XA Reunion (https://www.exa.re/)' # module author |
Signed-off-by: RAMELLA Sebastien <[email protected]>
Signed-off-by: RAMELLA Sebastien <[email protected]>
Signed-off-by: RAMELLA Sebastien <[email protected]>
There was a problem hiding this comment.
Hey @mekhalleh, reviewed your module and left some comments. The module itself seems to be working fine.
| end | ||
|
|
||
| # if no pdf injected is provided, create new PDF from template | ||
| if datastore['INJECTED_PDF'].nil? || datastore['INJECTED_PDF'].empty? |
There was a problem hiding this comment.
Suggested change
| if datastore['INJECTED_PDF'].nil? || datastore['INJECTED_PDF'].empty? | |
| if datastore['INJECTED_PDF'].blank? |
Comment on lines
+208
to
+210
| if datastore['MESSAGE_PDF'].nil? || datastore['MESSAGE_PDF'].empty? | ||
| fail_with(Failure::BadConfig, 'No MESSAGE_PDF provided') | ||
| end |
There was a problem hiding this comment.
Suggested change
| if datastore['MESSAGE_PDF'].nil? || datastore['MESSAGE_PDF'].empty? | |
| fail_with(Failure::BadConfig, 'No MESSAGE_PDF provided') | |
| end | |
| fail_with(Failure::BadConfig, 'No MESSAGE_PDF provided') if datastore['MESSAGE_PDF'].blank? |
Comment on lines
+201
to
+203
| if content&.empty? | ||
| fail_with(Failure::BadConfig, 'The MHT file content is empty') | ||
| end |
There was a problem hiding this comment.
Suggested change
| if content&.empty? | |
| fail_with(Failure::BadConfig, 'The MHT file content is empty') | |
| end | |
| fail_with(Failure::BadConfig, 'The MHT file content is empty') if content&.empty? |
|
|
||
| # saving the file | ||
| ltype = "auxiliary.fileformat.#{shortname}" | ||
| fname = File.basename(datastore['FILENAME']).sub(File.extname(datastore['FILENAME']), datastore['OUTPUT_EXT']) |
There was a problem hiding this comment.
I think this can be simplified:
Suggested change
| fname = File.basename(datastore['FILENAME']).sub(File.extname(datastore['FILENAME']), datastore['OUTPUT_EXT']) | |
| fname = File.basename(datastore['FILENAME'],'*')+datastore['OUTPUT_EXT'] |
|
|
||
| # saving the file | ||
| ltype = "auxiliary.fileformat.#{shortname}" | ||
| fname = File.basename(datastore['FILENAME']).sub(File.extname(datastore['FILENAME']), datastore['OUTPUT_EXT']) |
There was a problem hiding this comment.
Suggested change
| fname = File.basename(datastore['FILENAME']).sub(File.extname(datastore['FILENAME']), datastore['OUTPUT_EXT']) | |
| fname = File.basename(datastore['FILENAME'],'*')+datastore['OUTPUT_EXT'] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The technique is called "MalDoc in PDF". This technique hides malicious Word documents in PDF files, which is why malicious code contained in them cannot be detected by many analysis tools.
The document can be opened in both Microsoft Word and a PDF reader.
However, for the macro to run, you must open this document in Microsoft Word. The attack does not bypass configured macro locks. The malicious macros are also not executed when the file is opened in PDF readers or similar software.
Verification
List the steps needed to make sure this thing works
msfconsoleuse auxiliary/fileformat/maldoc_in_pdf_polyglotset FILENAME /tmp/macro.htmrunOptions
FILENAME
The input MHT filename with macro embedded.
INJECTED_PDF
The input PDF filename to be injected. (optional)
MESSAGE_PDF
The message to display in the local PDF template (if INJECTED_PDF is NOT used). Default: You must open this document in Microsoft Word
Results
The document can be opened in both Microsoft Word and a PDF reader.
A malicious MHT file created can be opened in Microsoft Word even though it has magic numbers and file
structure of PDF.