Skip to content
Naked Security Naked Security

Ransomware hidden inside a Word document that’s hidden inside a PDF

Spam campaign delivers Locky ransomware that, like a Russian matryoshka doll, is nested inside not one but two layers

SophosLabs has discovered a new spam campaign where ransomware is downloaded and run by a macro hidden inside a Word document that is in turn nested within a PDF, like a Russian matryoshka doll. The ransomware in this case appears to be a variant of Locky.

Most antivirus filters know how to recognize suspicious macros in documents, but hiding those document inside a PDF could be a successful way to sidestep it, according to SophosLabs researchers.

What the latest tactic looks like

Following the typical pattern, this latest ransomware push comes as emailed spam with a PDF attachment:

The PDF has an attached document inside, which is trying to get opened by the Acrobat Reader:

Once the doc is opened in MS Word, it asks you to enable editing through a social engineering attack:

This runs a VBA macro, which downloads and runs the crypto ransomware.

What to do?

There are things people can do to better protect themselves from this sort of thing:

  • Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
  • Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
  • Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit. In the case of this attack, users want to be sure they are using the most updated versions of PDF and Word.
  • Use Sophos Intercept X, which stops ransomware in its tracks by blocking the unauthorized encryption of files.

Sophos detected the PDF as Troj/PDFDoc-C and the payload as Troj/Locky-UP.

Other links we think you’ll find useful:

Techknow podcast — Dealing with Ransomware:


(Audio player above not working? Listen on Soundcloud or access via iTunes.)


There is no helping someone that falls victim to this scheme. They had 4 chances to say NO and they did it anyway.
1. Don’t read unsolicited emails.
2. Don’t open attachments from unsolicited emails.
3. Don’t open .docm files from unknown origins.
4. Don’t enable macros.


Blaming the victim doesn’t help anyone either. We’re lucky there are people that open these or else it would get really difficult to tell the difference and we’d all be at risk. It’s herd protection.


Is this an issue with all PDF readers or just Adobe???


Depends on the PDF reader. (Sorry, that doesn’t help enormously :-)

This isn’t a bug or misfeature of Adobe or any other reader: PDFs can contain embedded files, just like ZIP files (or, for that matter, DOC files), and by one means or another you can extract the embedded file and open it in its turn.

(You could have, say, an EXE wrapped in a macro stored in a DOC embedded in a PDF in a PDF packaged into a TAR file that’s been GZIPped and then converted into a base64 email attachment that’s been archived into a ZIP file.)

A good anti-virus gateway product will recursively extract files of this sort, or sometimes even condemn then outright for being dubiously complex – what’s often called a “zip bomb”. And a good real-time anti-virus will check each embedded item if ever it is extracted from its cocoon, before it’s allowed to be used by the next application in the chain.

I guess what I’m trying to say is that, even if in this case a non-Adobe PDF reader might not be able to extract the embedded document, that’s won’t generically solve the problem of files embedded in PDFs, becaue that’s a feature of the PDF file format. In just the same way, in our contrived example above, using an unarchiving tool that understands ZIP and GZIP but not TAR or base64 would protect you – but more by accident than by design.

Of course, the good news is that the deeper the crooks try to bury their dodginess, the more steps they have to talk you through to reach the buried badness, and the more opportunities both you and your security software have to go, “This won’t do.”


A theoretical product with a more permanent solution for threats.

A more permanent solution which adapts quickly is for someone to invent a “virtual computer” like I have with “virtual box” with two additions. One is a “read file” where you can input something – say a document. The other is a write file where you can output a file – eg the same (or modified) document. Input to the virtual computer and output from the virtual computer can thus be “isolated” from the rest of the computer.
The virtual machine is to be totally and completely isolated from the rest of the computer except for these two points of access.

If PDF and word documents (and in the future, other programs) have a vulnerability, then set your word or pdf program to operate in the virtual environment. 99% of the development is already existing. If there is an infection – only the virtual machine is effected, not the entire machine.

It will stop most of the current threats entirely – even for those who do not do security very well.
Yes – there is development work required. But is seems to me to the best of all worlds.
You would have a very VERY large market for said to be developed product!


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!