Many new types of malware, particularly targeted attacks against high-value targets, are using a very effective vector: common document formats such as Word, PowerPoint, and PDF. Unlike executables, businesses can’t just block these ubiquitous file types. While there are ways to spot this kind of malware, many antivirus companies are lagging behind with generic detection, making AV evasion simpler than you’d be comfortable with.
We’ll start with a high level overview of the file formats for Microsoft Office (Word, Excel, PowerPoint) and PDF, and see how they can be used to distribute malware. Then, we’ll take a look at why these formats are difficult to scan using traditional (signature-based) antivirus techniques. Finally, we’ll cover effective (heuristic-based, deep inspection) methods for spotting malware which attempts to hide in file formats which can’t just be blocked.