**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.**
PDF-based attacks are a common tactic cybercriminals use to distribute malware and exploit system vulnerabilities. PDFs are widely used and trusted documents, making them an attractive vector for attackers. Malicious PDFs can contain embedded scripts, links, or other content designed to execute harmful actions when opened. Understanding the primary methods attackers use to distribute these malicious files can help individuals and organizations strengthen their cybersecurity defences.
Vectors used by attackers to distribute malicious PDFs
1. Email Attachments: Attackers often send emails with malicious PDFs attached, disguised as legitimate documents such as invoices or reports.
2. Phishing Campaigns: Emails that appear to come from trusted sources but contain links or attachments to malicious PDFs.
3. Malicious Websites: Attackers create or compromise websites to host malicious PDFs, tricking users into downloading them.
4. File Sharing Services: Malicious PDFs are uploaded to services like Google Drive or Dropbox, with links shared to lure users into downloading them.
5. Social Engineering: Attackers use techniques to convince users to open malicious PDFs, often by impersonating someone the victim knows or trusts.
Using email attachments for PDF-based attacks is a prevalent and effective method employed by cybercriminals. This technique leverages email’s widespread use and trust as a communication tool.
After the PDF from an email is opened, the exploitation path depends on whether the device runs an old, unpatched PDF reader or the latest version of the reader.
- For PDF Reader Outdated Version: In outdated and unpatched versions of Acrobat Reader, PDFs directly execute embedded JavaScript using MSHTA, subsequently launching PowerShell, which facilitates process injection. This execution method allows for the direct initiation of the infection chain involving Agent Tesla, among others, from an email containing a PDF attachment.
- For PDF Reader Latest Version: In the latest version of Acrobat Reader, PDFs are unable to execute JavaScript directly. Instead, they redirect to a malicious website from which the script is downloaded. The subsequent process remains consistent with the previous case, initiating the infection chain involving Agent Tesla, among others, which ultimately facilitates the dissemination of the payload.
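Both cases above hinge on the same PDF features: an action that fires automatically on open (/OpenAction or /AA), embedded script (/JavaScript, /JS) and a redirect target (/URI). The following is an added example, not code from the original article, of a defender-side static triage script that counts those keywords in a PDF, resolves the #xx hex escapes attackers use to hide names such as /Java#53cript, extracts URI targets for reputation checks and assigns a simple risk score. The keyword list, the scoring weights and the two sample PDFs (with a placeholder URL) are constructed here for illustration and are not indicators from the article.

```python
"""Static triage of PDF bytes for features commonly abused by malicious documents.

Added example: a lightweight pre-filter, not a full PDF parser. Compressed
object streams are not inflated, so a clean result here is not proof of safety.
"""
import re
from collections import Counter

# Names whose presence raises suspicion; weights below are an assumption.
RISKY_KEYWORDS = ("JavaScript", "JS", "OpenAction", "AA", "Launch", "URI", "EmbeddedFile")

# A PDF name token, e.g. /OpenAction or the hex-escaped /Java#53cript.
# Note: this also matches "/"-separated parts of URLs inside strings; those
# never equal a risky keyword, so they are harmless noise for this purpose.
NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")
# A URI action target written as a literal string: /URI (http://...)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def decode_pdf_name(raw: bytes) -> str:
    """Resolve #xx hex escapes in a PDF name (ISO 32000-1, section 7.3.5)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Return keyword counts, extracted URIs and a risk score for one file."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "keywords": {}, "uris": [], "score": 0}
    counts = Counter()
    for m in NAME_RE.finditer(data):
        name = decode_pdf_name(m.group(1))
        if name in RISKY_KEYWORDS:
            counts[name] += 1
    uris = [u.decode("latin-1") for u in URI_RE.findall(data)]
    # Weighting (assumed): script plus an automatic action is the classic
    # "runs as soon as the document opens" combination; Launch is as severe.
    score = 0
    if counts["JavaScript"] or counts["JS"]:
        score += 3
    if counts["OpenAction"] or counts["AA"]:
        score += 2
    if counts["Launch"]:
        score += 3
    if counts["URI"]:
        score += 1
    if counts["EmbeddedFile"]:
        score += 2
    return {"is_pdf": True, "keywords": dict(counts), "uris": uris, "score": score}


def verdict(report: dict) -> str:
    """Map the numeric score to a triage bucket (thresholds are an assumption)."""
    if report["score"] >= 5:
        return "high"
    if report["score"] >= 2:
        return "medium"
    return "low"


# Constructed sample: the catalog fires a JavaScript action on open, and the
# script plus a link annotation point at an external page. The URL is a
# placeholder (.invalid TLD), not a real indicator.
SUSPICIOUS_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R] >> endobj
4 0 obj << /S /Java#53cript /JS (app.launchURL("http://example.invalid/x", true)) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 50] /A << /S /URI /URI (http://example.invalid/x) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a single blank page with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        report = triage_pdf(sample)
        print(label, verdict(report), report["keywords"], report["uris"])
```

Run against the constructed samples, the suspicious file is scored "high" because the hex-escaped /JavaScript name is still recognised after decoding and it co-occurs with /OpenAction, while the blank page scores "low". In a mail gateway this sits in front of a sandbox: anything "medium" or above is detonated or quarantined, and the extracted URIs are checked against reputation feeds before the user ever sees the attachment.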
The following steps take place when you open a PDF from an email:
- After granting permission for the redirection, the user is directed to the website https://bio0king[.]blogspot[.]com.
Figure: Connection to embedded URL
- As illustrated in the figure below, Microsoft Defender SmartScreen alerts the user to this website’s harmful nature. Despite the warning, proceeding to the website will result in the third step.
Figure: Connection to disguised website
- Upon accessing the website, it was observed that a JavaScript file named “Booking.com-1728394029.js” was promptly downloaded.
Figure: Prompt of JS file download
- Upon execution, it can lead to credential theft targeting online banking apps, potentially compromising sensitive financial information. Additionally, it may exploit vulnerabilities or install malware on the device, posing security risks. Users should exercise caution when working with PDF files to prevent falling prey to financial fraud and phishing attacks.
PDF attacks remain a significant threat due to their effectiveness in exploiting human trust and the ubiquity of email communication. To reduce the risks resulting from these attacks, individuals and organizations must adopt robust security practices. These include regularly updating PDF reader software to patch vulnerabilities, employing advanced email filtering to detect and block malicious attachments, and educating users on recognizing phishing attempts and suspicious emails. By implementing these preventive measures, the potential impact of email-based PDF attacks can be significantly reduced, enhancing overall cybersecurity posture.