Threat Watch

Snake Keylogger Malware Delivery Using PDF Files with Embedded Word Docx and RTF

Security researchers with HP reported a recent campaign that delivered malware in a unique way to evade email security filters. The campaign used email to deliver PDF files that embedded a Microsoft Word document, which is unusual by itself. Adobe Acrobat Reader and most other PDF viewing programs display a warning prompt before opening embedded files, but the threat actor used a trick in naming the embedded Word file to make it seem like it might be more trustworthy:

By naming the malicious file “has been verified. However PDF, Jpeg, XLS, .docx” the message of the warning prompt could potentially be misinterpreted by the person opening the file to mean that the embedded file has been verified by the PDF reader.

If the person opening the PDF is tricked into clicking the OK button, Microsoft Word will open the document file. That file uses another trick, a remote object using Object Linking and Embedding (OLE) referencing a remote URL that uses the “vtaurl[.]com” link shortener service. The OLE object it downloads is a Rich Text Format (RTF) document using a “.doc” file extension. RTF files are opened by Microsoft Word by default and can also be used to deliver malware.

The RTF file uses more tricks to disguise its final payload – it exploits an old and well-known vulnerability in the Microsoft Equation Editor that has continued to plague users of older Microsoft Office suite versions that have not been patched. The shellcode is encrypted, and when it decrypts itself and runs, it downloads the final payload, an EXE file, from a URL using a hard-coded IP address ( The EXE contains Snake Keylogger malware, which steals passwords and other sensitive data typed on the keyboard and sends the stolen data via email to mail[.]saadzakhary[.]com.


As hard as threat actors try to trick users and disguise the malicious payloads they wish to deliver, enterprise defenders can defeat them through security policies and quick detection. Analyzing email attachments in a sandbox execution environment before releasing them from quarantine is a great way to catch anomalies such as this. Keeping software patched and up to date is an important step to mitigating many security issues. Deploying Microsoft’s Attack Surface Reduction (ASR) rules to prevent Word, Excel and other Office software from launching EXE files is another good prevention technique. If deploying that policy is not possible, using Endpoint Detection and Response (EDR) tools to alert when PDF viewing software launches Word, or when Word downloads and executes an EXE file, can be effective to reduce the threat. Finally, threat hunting for network connections to unusual or unauthorized mail servers is a good general technique to catch many malware varieties that use email to send stolen data out of the network.

Of course, any alerts generated by security tools must be quickly responded to by security teams. It is important to have skilled security analysts monitoring alerts, preferably 24/7, so that threat actors don’t have the chance to turn a small incident into a costly company-wide problem.

PDF Malware Is Not Yet Dead