THREAT DESCRIPTION – MALDOC
Maldocs (malicious documents) are documents that carry executable content: either code that runs automatically when the file is opened, or code that runs only after the user grants permission or otherwise interacts with the document. Typical examples are a PDF with embedded malicious JavaScript or an embedded file, and a Microsoft Office document with embedded VBA macros.

Maldocs are most commonly delivered to users as phishing email attachments, but they can also arrive via drive-by downloads, physical USB keys/drives or other social engineering attacks. In many cases, such as with Microsoft Office documents, the user must interact with the document (for example, by clicking "Enable Content" to allow macros) before any code executes successfully; however, it is possible that no user interaction is required.

Once the document is opened and any required interaction has been performed, the embedded code runs a script or shell such as PowerShell, cmd.exe or similar to establish communication with the attacker's infrastructure, download a payload, or perform local actions such as establishing persistence or sleeping until a later time.
Tactic: Defense Evasion, Execution, Initial Access
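The following Python triage script is an added example and is not part of the original threat description or of any tool it references. It statically inspects a file for the indicators the description mentions: in a PDF, an automatic open action (/OpenAction, /AA) wired to a JavaScript or launch action (/JS, /JavaScript, /Launch), allowing for the #xx hex-escaped name spelling the PDF syntax permits; in an OOXML container (.docm, .xlsm and similar), an embedded VBA project and a macro-enabled content type. The sample PDF and OOXML documents are constructed inline for the demonstration; all function and indicator names are the example's own.

```python
"""Static maldoc triage for PDF and OOXML carriers (added example, not from the original page).

It reports indicators; it does not prove a file malicious or benign, and nothing in the
inspected document is ever executed.
"""
import io
import re
import zipfile

# PDF name tokens that wire up script execution or automatic triggers.
PDF_INDICATORS = (b"/OpenAction", b"/AA", b"/JS", b"/JavaScript", b"/Launch", b"/EmbeddedFile")
# Magic bytes of a legacy binary Office (OLE / Compound File) document.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _normalize_pdf_names(data: bytes) -> bytes:
    """Undo the #xx hex escapes PDF allows inside names, so /J#53 is seen as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count indicator names, matched as whole tokens so /JS does not also hit /JSX."""
    norm = _normalize_pdf_names(data)
    hits = {}
    for name in PDF_INDICATORS:
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", norm))
        if count:
            hits[name.decode()] = count
    return hits


def scan_ooxml(data: bytes) -> dict:
    """Open the ZIP container and look for a VBA project part and a macro-enabled content type."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba_parts:
            hits["vba_project"] = vba_parts
        if "[Content_Types].xml" in names and b"macroEnabled" in zf.read("[Content_Types].xml"):
            hits["macro_enabled_content_type"] = True
    return hits


def verdict(kind: str, hits: dict) -> str:
    """Turn raw indicators into an analyst-facing verdict."""
    if kind == "pdf":
        active = {"/JS", "/JavaScript", "/Launch"} & set(hits)
        if active and ({"/OpenAction", "/AA"} & set(hits)):
            return "suspicious: script or launch action wired to an automatic trigger"
        if active or "/EmbeddedFile" in hits:
            return "review: active content or attachment present"
    if kind == "ooxml" and "vba_project" in hits:
        return "suspicious: VBA project embedded"
    if kind == "ole":
        return "review: legacy binary Office container, needs an OLE/VBA parser"
    return "no static indicators (not proof of safety)"


def triage(data: bytes) -> dict:
    """Dispatch on the file's magic bytes, never on its extension, which an attacker controls."""
    if data.startswith(b"%PDF-"):
        kind, hits = "pdf", scan_pdf(data)
    elif data.startswith(b"PK\x03\x04"):
        kind, hits = "ooxml", scan_ooxml(data)
    elif data.startswith(OLE_MAGIC):
        kind, hits = "ole", {}
    else:
        kind, hits = "unknown", {}
    return {"type": kind, "hits": hits, "verdict": verdict(kind, hits)}


# Constructed sample: a minimal PDF whose catalog auto-runs JavaScript on open, with /JS
# written as /J#53 to exercise the hex-escape normalisation. The script body is inert text.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /J#53 (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a skeletal .docx (with_macro=False) or .docm (with_macro=True).

    The vbaProject.bin part is a stand-in blob, not a real VBA project.
    """
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        + ('<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
           if with_macro else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("pdf", SAMPLE_PDF), ("docm", build_sample_ooxml(True)),
                        ("docx", build_sample_ooxml(False)), ("ole", OLE_MAGIC + b"\x00" * 8)):
        print(label, triage(blob))
```

Two caveats matter in practice. A PDF may keep its catalog and action objects inside compressed object streams (/ObjStm with /FlateDecode), which hides these name tokens from a plain byte scan, so a real pipeline decompresses streams first (Didier Stevens' pdf-parser does this) before looking for them. Legacy .doc/.xls files are OLE containers, and the VBA source inside vbaProject.bin is itself compressed, so for both cases an OLE/VBA parser such as oletools' olevba is the right next step; this script only tells you that one is needed. An empty result means no indicator was found, not that the document is safe.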