PDF: The Vehicle of Choice for Malware and Fraud

Posted by Geraldine Hunt on Fri, Apr 26th, 2019

To create an effective phishing campaign scammer first need to create a sense of urgency or surprise.  That could be a past due invoice, an audit notification from the IRS, an alert that your account has been compromised and your password needs resetting.  The other is a sense of trust.  This could be accomplished by spoofing your boss’s email address or by attaching some sort of business document that looks official. A perfect example is a PDF document.  The portable document format or PDF is a document type that people trust.  That’s because the public’s perception is that it is a secure document that can’t be manipulated.  After all, that’s why you issue an invoice as a PDF file and not a Word document.  Unfortunately, the trust that users have in PDFs as a “safe” document is false.

Weaponized Documents

The fact is the PDF is a weaponized document and is often the main vehicle for spam and spear-phishing campaigns.  This is proven true by the dramatic increase in the use of PDF documents in malware attacks.  According to a leading firewall vendor, there were 47,000 new attack variants involving PDF files in 2018.  That number grew to 173,000 in the first quarter of 2019.  The dominant use of PDF files is simply an extension of the increased use of Office documents that have been rampant the past several years.  This is partially due to the deprecation of Flash which is reaching end of life in 2020 due to the ease to which it was exploited.

The main reason for the rapid growth in PDF utilization is the fact is that cybercriminals have to continually modulate their attack strategies as the effectiveness of old tricks begin to fade.  In the early days of phishing attacks, the predominant file choice was an executable. However as time goes by, even the most gullible users eventually learn that clicking on EXE file attachments isn’t a good thing.  Users now (generally) have a better sense of awareness as to what type of file attachments present the greatest risk and therefore what file types should not be clicked.  As a result, hackers are taking advantage of the undeserved trust that users have in PDF files.

Success of a Phishing Email is in the Delivery

When it comes to weaponized documents, the success of a phishing email is in the delivery.  Usually, the subject line reads something like, “Here’s the document you asked for,” or “Invoice attached.”  The effectiveness is further augmented when the sending email is spoofed as a trusted fellow employee or vendor.  When opened, the document may include an embedded link that the user is urged to click on.  But don’t think these weaponized documents are simply utilized to entice a user to click a link.  PDF attachments can also be laced with embedded scripting that silently installs other malware from malicious networks on the Internet.  These can include ransomware, rootkits, keyloggers and bank trojans to name a few.  In some instances, they can contain embedded malware that is designed to spread to other documents hosted on the infected device.  This helps to increase the spread of the infection to other devices throughout the networks. 

Weaponized PDF documents aren’t just limited to email attacks.  Many websites contain links allowing users to download seemingly safe PDF files.  A basic Google search on the Internet will often bring up search results directly linked to a PDF document.  While these sites may be totally legitimate, the documents themselves may have been compromised.  In some cases, hackers can purchase keywords in order to ensure that their malicious links appear at the top of a search.  In other cases, hackers sometimes use PDF documents to take advantage of zero-day exploits found within common PDF readers.

The CIA Extortion Scam

A recent example of a PDF-based attack was the CIA Extortion Scam that was widely distributed earlier this year.  The emails came from addresses that contained the text, “cia” or “gov” in the extension which can look legitimate from a passing glance.  The email is supposedly from a CIA technical collection officer who states that your name is part of an investigation into underage pornography.  The officer then makes an offer to wipe your information from the case files for a fee.  The payment information is contained within a password protected PDF document that is attached.  The password is contained within the email.  The user is then asked to send $5,000 in bitcoin to a designated crypto account.

How to Protect Yourself from Weaponized Documents

New malware and ransomware variants are now being released at unprecedented levels. Detecting these new malware threats require more than AV solutions.  A web filter that includes malware scanning is an effective way to stop access to malicious sites or prevent the downloading of malicious code through open sessions.  However, there is one tool that is most effective at combatting weaponized PDFs and that is a sandboxing solution.  By using a sandbox, you can truly find out if a suspicious PDF document is truly safe, or a ruse used to infect your network. 

To better protect users against these new email-based malware threats, TitanHQ has added a new sandboxing feature to SpamTitan. Suspicious file attachments are now sent to the sandbox where they can be detonated and analyzed for malicious actions. Within this secure environment, files can be assessed safely to identify obfuscated malware, new malware threats attempt to download malicious payloads, and calls to c2 servers. A broad range of file types are sent to the sandbox, including applications, executable files, and office documents.

Spamming campaigns using malicious PDFs have proven to be very successful for malware authors. Cybercriminals work hard to evade detection and are constantly considering new threat vehicles and techniques in an effort to stay undetected.  As the threat landscape is changing rapidly it’s it is essential to use up to date, powerful security products and crucially to implement a multilayered approach to combat these attacks and ensure users stay protected.