Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Stealthy VBA Macro Embedded in PDF-like Header Helps Evade Detection

In the ever-evolving landscape of malware threats, threat actors are continually creating new techniques to bypass detection. A recent discovery by JPCERT/CC sheds light on a new technique that involves embedding a malicious Word document within a seemingly benign PDF file using a .doc file extension.

In the file, researchers discovered the malicious Word document contained a magic header signature, `%PDF-1.7` - a header normally associated with PDF files. Furthermore, following the fake PDF structure, they came across a MIME encapsulation of aggregate HTML documents (MHTML Web Archive) containing an embedded Base64 encoded ActiveMIME object. ActiveMIME is an undocumented Microsoft file format that contains a ZLIB-compressed data often used to store VBA Macros.



Figure 1. Fake PDF header complete with PDF tags structures



Figure 2. Embedded in the file is a Word document in MHT format after the Fake PDF object.


As you may be aware, the delivery of malicious documents via MHT files is not new. We have been observing this type of malware as early as 2015. One noteworthy, but unfortunate, aspect of Microsoft Office is its wide array of file formats that can house malicious macros, allowing for unconventional file containers.



Figure 3. A document file can be saved with various formats including MHT or MHTML.


By changing the file’s extension to ‘.doc’, the Microsoft Office application can open the embedded MHT file and execute embedded malicious macros if they are enabled by the user.


VBAMacro4Figure 4. A sample discovered by JPCERT – an MHT file featuring a fake PDF header containing a malicious VBA macro


There are several obfuscation techniques employed in these new samples, all designed to evade detection based on signatures.

  1. Use of a non-compliant MIME type in the content-type header for the ActiveMIME object file. For example, as indicated in Figure 5, it utilizes the ‘image/jpeg’ MIME type instead of the anticipated ‘application/x-mso.’


  1. The Base64 encoded strings of the ActiveMIME Object are fragmented by multiple whitespaces (also shown in Figure 5). This tactic aids in circumventing signature-based detection, as it breaks up continuous strings.


Figure 5. ActiveMime Object uses a non-conventional MIME type in the MIME header, moreover, the Base64 encoded string is fragmented. ActiveMime comprises zlib-compressed data starting at offset 0x32, then a standard OLE file housing a VBA macro project.


  1. Use of URL percent-encoded strings to obscure the link to the ActiveMIME object.


Figure 6. The document conceals an MSO link to the ActiveMime Object by obfuscating it through URL percent-encoded characters.


We experimented with this file, and what's particularly concerning is this embedded MHT document file doesn't actually require a PDF header. Any text preceding the MHT file will still allow MS Word to open the document file and execute the malicious macro if enabled. This was not clear in the early reports of this flaw.



Figure 7. Removing the PDF header doesn’t hinder the MS Office application from opening the malicious MHT document.


This manoeuvre can evade signature-based detection systems that specifically scan for a PDF header. This is highlighted in the VirusTotal results displayed below: the DOC file with a PDF header is detected by 35 out of 59 vendors, whereas without the PDF header, only six out of 59 vendors detect the sample.



Figure 8. Comparing the VirusTotal detection results between a sample with a fake PDF header and one with the PDF header removed


To wrap up, the range of techniques used in this attack, from using non-compliant file headers and MIME types, to fragmented Base64 encoding strings, highlights a clever approach to evading traditional detection mechanisms used by most anti-virus engines. Equally concerning is the fact that MHT document files can be concealed within a plain text file, allowing Microsoft Word to open them seamlessly.


Here is some key mitigation advice to protect users:

  1. Configure Microsoft Office to disable macros by default, effectively blocking the execution of macros. The Center for Internet Security has provided a comprehensive article detailing the steps for both network administrators and end-users on how to implement this security measure.
  2. Restrict macro execution to documents sourced exclusively from trusted origins and consider enforcing a policy that permits only digitally signed macros to run.
  3. Educate users about the potential risks when enabling macros and promote user awareness of the consequences involved.
  4. Use a robust secure email gateway like Trustwave MailMarshal to scan incoming attachments and document files for malicious content.

Also, here’s a YARA rule, based on JPCERT’s YARA suggestions, to identify potential malicious macros embedded in files without conducting PDF header checking:


rule suspect_malware_mht_activemime



         desc = "MHT document with ActiveMime Object"

         reference = ""


         $mhtfile1 = "mso" nocase ascii

         $mhtfile2 = "nextpart" nocase ascii

         $mhtfile3 = "mime" nocase ascii

$mhtfile4 = "content-location:" nocase ascii

         $mhtfile5 = "content-type:" nocase ascii

         $mhtfile6 = /multipart\/(related|mixed)/ nocase ascii

         $mhtfile7 = "base64" nocase ascii

         $mhtfile8 = /\s-Version:/ nocase ascii

         $wordfile = "<w:WordDocument>" nocase ascii

         $excelfile = "<x:ExcelWorkbook>" nocase ascii

         $activemime1 = /\nQ\s{0,999}?W\s{0,999}?N\s{0,999}?0\s{0,999}?a/  // Base64 encoded 'ActiveMime' with spaces

         $activemime2 = "ActiveMime" base64


         all of ($mhtfile*) and ($wordfile or $excelfile) and ($activemime1 or $activemime2)


Figure 9. JPCERT YARA rule suggestions to identify potential malicious macros embedded in files without conducting PDF header checking

Latest SpiderLabs Blogs

The 2023 Retail Services Sector Threat Landscape: A Trustwave Threat Intelligence Briefing

The annual holiday shopping season is poised for a surge in spending, a fact well-known to retailers, consumers, and cybercriminals alike. The latter group, however, is poised to exploit any...

Read More

Pwning Electroencephalogram (EEG) Medical Devices by Default

Overall Analysis of Vulnerability Identification – Default Credentials Leading to Remote Code Execution During internal network testing, a document was discovered titled the “XL Security Site...

Read More

Hidden Data Exfiltration Using Time, Literally

I was looking at my watch last week and my attention was moved towards the seconds over at the right of the watch face, incrementing nicely along as you’d expect. Now, I don’t know if I’d just spent...

Read More