Maldoc Execution Chain


Maldoc (Malicious Documents) are documents containing self-executing code or code that requires a user to grant permission or interact with the document before execution. It can be a PDF‍ with embedded malicious java script, file, etc. or a Microsoft Office document with embedded VBA‍ macros‍. Maldocs are most commonly delivered to users via phishing emails, however can be delivered via Drive-By attacks, physical USB keys/drives or other social engineering types of attacks. In many cases, such as with Microsoft Office documents, the user will be required to interact with the document prior to any code executing successfully, however it is possible no user interaction is required. Once the document is opened and any required user interaction has been performed, malicious code will execute, such as Powershell, cmd shell or similar scripting code to establish communication with the attacker’s infrastructure, download a payload or perform local actions such as persistence or sleep until a later time.


Tactic: Defense Evasion, Execution, Initial Access

Techniques: Command and Scripting Interpreter (T1059), JavaScript/JScript (T1059.001), PowerShell (T1059.004), Python (T1059.005), Rundll32 (T1059.006), Spearphishing Attachment (T1059.007), Spearphishing Link (T1218.011), Unix Shell (T1566.001), Visual Basic (T1566.002)

Join our newsletter

Follow Us

Discover More!