Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Threat-Loaded: Malicious PDFs Never Go Out of Style

Introduction

In the realm of cybersecurity, danger hides where we least expect it and threats never, ever, go out of style!

Over the past few months, Trustwave SpiderLabs has seen a rising trend in threat actors employing PDF documents to gain initial access through email-borne attacks. Though the use of PDF files as a malicious vector is not a novel approach, it has become more popular as threat actors continue to experiment with techniques to bypass conventional security controls.

Portable Document Format (PDF) is a file format developed by Adobe in 1992. It is commonly used for electronic documents such as resumes, manuals, invoices, and forms as it allows text and images to be displayed consistently on various devices and platforms, while preserving the original document's formatting and layout.

In this blog, we will explore the common techniques used by attackers to weaponize PDFs and what makes PDF a compelling choice for social engineering. We will also highlight campaigns we have observed in the first half of 2023 taking advantage of PDF in their attack chains.

 

What Makes PDF Files Attractive to Threat Actors?

Ubiquity: PDF files are widely used and accepted as a standard format for sharing and distributing information among users and organizations. PDFs are popular for several reasons:

  • A PDF preserves the formatting and layout of the document regardless of the platform or software used to read the files.
  • Most modern devices and operating systems come with built-in PDF readers.

This makes the ubiquitous PDF an attractive initial access vector for attackers as they can be easily distributed regardless of platform and resulting in higher phishing click rates compared to other methods.

Trustworthiness: PDF documents are often perceived as trustworthy and safe to open, particularly when received from a trusted source, which makes it easier for attackers to trick victims into opening malicious PDF documents.

Difficulty in Detection: PDF documents are often used for legitimate purposes and can contain complex data structures that make them difficult for security teams and software to analyze and detect.

 

Techniques and Methods

Malicious Hyperlinks

A hyperlink in a PDF is a clickable element that connects to an external resource, such as a website, email address or another page within the same document. When a user clicks on the linked text or image in the PDF, it will open the specified destination in their web browser. If a user is using a web browser to open a PDF document, clicking a link can make the redirection to an external resource seamless.

Attackers commonly use PDF documents to deliver malicious links to victims. For instance, a PDF may contain a link that appears to be legitimate but leads the users to a website that phishes their login credentials or drops malware onto their system. We have seen this technique being abused by operators of Qakbot and IcedID in their malspam campaigns.

 

Qakbot

Qakbot has continued to evolve and adapt to evade detection and infect victims. Right after Microsoft blocked malicious file embedding in OneNote, Qakbot operators shifted to using PDFs with embedded malicious links to deliver their payloads.

In most cases we have seen, the PDF document is designed to look like an Adobe Acrobat or Microsoft Azure update panel. It lures the users into clicking the button to view the document but once clicked, it will download an intermediate file like an archive, or scripts that will eventually lead to the download of the Qakbot DLL. There’s a variant where the embedded link drops a password-protected archive, and the password is included in the maliciously crafted PDF.

 

threat_loaded_malicious_pdf_1

Figure 1. Qakbot spoofed Adobe Acrobat to trick users into clicking the link leading to the next stage of the chain, in this case, a zip archive.

 

threat_loaded_malicious_pdf_2

Figure 2. This variant of Qakbot lure added a password in the PDF file used to unlock the follow-on ZIP archive.

 

The diagram below illustrates a typical infection chain starting with a PDF attachment.

threat_loaded_malicious_pdf_3

Figure 3. Multi-layer attack chain involving PDF as initial stage designed to deliver Qakbot payload while evading detection.

This delivery method uses the ubiquity of PDFs, tricky social engineering schemes like email thread hijacking, and high-quality social engineering to maximize the chances of installing Qakbot.

Back in 2015, we documented a campaign involving a PDF containing a malicious link. Similar techniques continue to be observed and are becoming even more prevalent in a post-macro era. Some techniques just never go out of style.

To minimize exposure, enable security features in your PDF reader like displaying a warning when a PDF tries to establish a connection to an Internet site or create restriction access to external websites.

 

Actions and JavaScript

Actions and JavaScript are PDF features that can be used to add interactivity and automation to the document.

Actions in a PDF file are events associated with certain triggers, such as clicking a button or selecting a link. JavaScript embedded in the PDF document adds advanced functionality and automation, such as form validation, calculations, and dynamic content based on user input.

While these features are created to enhance user experience, actions and JavaScript in PDF poses a security risk and can be abused by threat actors to execute malicious actions or download malware onto a victim's computer.

 

PDF Dropper

A case we encountered utilized JavaScript action to drop and launch embedded Office Document in the PDF file itself.

Peeking at the PDF file structure using pdfid, a tool created by Didier Stevens, revealed that it contains JavaScript, OpenAction and EmbeddedFile properties and the /Page attribute indicated that it has only one page. What we are most interested in is the JavaScript attribute.

 

threat_loaded_malicious_pdf_4

Figure 4. Properties of the PDF file scanned by PDFiD script.

Digging deeper, the JavaScript action defined in the PDF used exportDataObject function which allows exporting data from the PDF document. The parameter cName specified the name of the object to be extracted, in our case, it relates to the embedded file, and the nLaunch value 2, specified that the file will be saved in a temporary path and then launched.

 

threat_loaded_malicious_pdf_5

Figure 5. Snippet of code embedded in the PDF file used to export data.

The object name “ok.doc” was crafted in a manner that aligns with the prompt message when read by an unsuspecting user, thereby increasing the chances of the embedded file being opened.

 

threat_loaded_malicious_pdf_6

Figure 6. The PDF file pops out a prompt to whether open the embedded file or select other options.

The resulting payload is an RTF document loaded with the CVE-2017-11882 exploit and launched when opened with Microsoft Word.

JavaScript in PDFs can pose a security risk. To mitigate this risk, disable JavaScript execution in PDF readers and enable it only for trusted documents. On top of that, keep the PDF reader up to date.

 

Exploiting Vulnerabilities in PDF Reader

Threat actors can exploit vulnerabilities in PDF readers to advance their attack. For instance, threat actors can embed malicious code in a PDF file that abuses a vulnerability such as CVE-2021-28550 in an unpatched Adobe Acrobat PDF reader which could allow the attackers to take control of the target’s computer.

More than a decade ago, Adobe Acrobat was the most popular and widely used PDF reader. Threat actors took note of this huge user base and went to work creating a boom in the number of exploits targeting PDFs.

But in recent years, multiple PDF readers are now available for commercial and consumer use, even browsers and operating systems have built-in PDF support. This change has dramatically altered the threat landscape. Even though high-severity vulnerabilities are discovered every year for Adobe Reader/Adobe Acrobat, exploitation of such vulnerabilities in-the-wild is lower than a decade ago, limited and targeted.

Such a decrease in exploits against Adobe Reader can be attributed to security improvements over the years preventing attacks, and developers are more agile in fixing bugs in their software. Considering the variety of PDF readers available, modern web browsers now have built-in PDF viewers, reducing the need for standalone Adobe Reader installations. Threat actors might have also shifted target applications and tactics based on popularity and security measures of software.

While the overall number of exploits may have decreased, it is still crucial to keep all applications, including Adobe Reader, updated to protect against potential threats.

 

Social Engineering

Threat actors rely on social engineering techniques to trick users into downloading and opening PDF files. They may send an email with a fake PDF file impersonating brands, products, or services to trick users into divulging sensitive information, such as login credentials, personal details, or financial data.

The PDF documents involved in social engineering attacks are not inherently malicious but are purposely crafted for malicious intent. Threat actors take advantage of PDF’s perceived legitimacy to conduct malicious attacks.

 

Call-back Phishing

In this attack, cybercriminals initially sent an email pretending to be from a service or product provider with an attached invoice in PDF. This email was sent using a free email service where recipients are undisclosed and generically greeted as ‘customer’. The message prompts the target to call the sender to know more information about the subscription update. This creates a sense of urgency and importance while deceiving the target to act accordingly.

 

threat_loaded_malicious_pdf_7

Figure 7. Email components including headers, body, and a PDF attachment along with its unpacked components, as observed within the MailMarshal console.

Let’s look at the attached PDF invoice. Attackers spoofed the logo and branding of a known electronics vendor. In addition, the file name is patterned to look like an official invoice that carries the keywords ‘invoice number’ plus random digits and characters. No links were embedded in the PDF to direct users to malicious websites making it less likely to be inspected by security scanners.

The image within the PDF displays the fake purchase details along with a phone number controlled by the attackers. The attackers used the fear of monetary loss to manipulate the user to call the phone number and cancel the subscription.

threat_loaded_malicious_pdf_8

Figure 8. The image embedded in the PDF depicts fake purchase information from a well-known brand, accompanied by a phone number under the attackers' control.

It is worth noting that the content usually found in plain text was intentionally embedded as an image. This technique leaves very few artifacts for scrutiny and is more likely to evade traditional email gateways.

Callback phishing was first spotted in the wild in the early 2021 where users were prompted through phishing emails to call a number to cancel a subscription, redirecting them to a website where they unwittingly download the malware, dubbed as BazarCall.

Once the target user calls the phone number to cancel the subscription, the scammer will take advantage of the opportunity to acquire sensitive information such as login credentials and financial data or instruct the target to install software and gain access on their system. Worst still, attackers can cash in on the stolen information by threatening the victim and demanding sizable sums of money. Aside from that, attackers can leverage the system access to drop a follow up threat such as ransomware.

Awareness is a strong defense against social engineering as it helps people recognize and resist manipulative tactics, reducing the likelihood of falling victim to such attacks. Being aware enables people to remain cautious, question shady requests, and protect their sensitive information and assets effectively.

 

Conclusion

By and large, PDF is undeniably a superb choice for threats actors due to its widespread use and cross-platform compatibility, making the file format an effective vehicle for delivering malicious content to a broader audience. Malicious PDF documents are here to stay as its popularity among organizations and users is an opportunity to cybercriminals.

As malicious macro documents lose their appeal due to improved security measures, this shift fosters a new wave of PDF-based threats.

SpiderLabs Research constantly monitors the threat landscape to understand the latest deceptive schemes to warn our customers and end-users. Trustwave MailMarshal provides protection against these threat-loaded PDFs.

We always remind everyone to stay vigilant in this ever-changing digital landscape.

 

Indicators of Compromise

Qakbot

File Name

Hash Type

Hashes

ProjectFunding-238992265.pdf

SHA256

ce3a18f51cd723a680e6d108a3803dc6d56f25477472042aa63d77f59fa9d5e7

SHA1

b25bd2589c93bb4cb4378b296cc9fe1a08af14e4

MD5

c9fce8da66737ef10a06982b0abf667b

ProjectFunding_D392.wsf

SHA256

37dc95539b7255458a64617a2e71f84c618053ad02634bbdfa554627c664d6ad

SHA1

02965537fa2e861e4b4c494ac18e21d628d8afc0

MD5

3166b32e8a67f5c232d114c4f8ef576b

aGiEOMg5zFKYNbCw.txt (XMLHTTP)

SHA256

fae5d5b3cc272c4c542f0f2e69e130c68e7ecda9cae57d3ba2361b2756c53f59

SHA1

e168d0959d3c6ccb1e6431f0bd0f215f665bba5f

MD5

8115abad945f7fe4a3368b7e9f576add

asX6RVUBjtpro2bP9.txt (XMLHTTP)

SHA256

295135b99cc246b7877a50f9702c60583ee78ef1dc109a2296e2150c0c3c3cc3

SHA1

59b53852484300545b25511a25aa2eb6a673db5e

MD5

6f461d5d0a7c0fe9de4d21871af29fb6

URL

 

 

hxxp://ncs[.]com[.]pk/pki/64482841d65cc[.]zip

hxxps://4iptv[.]eu/tsqu/tsqu[.]php

 

PDF Dropper

File Name

Hash Type

Hashes

Pharmaceutical Products Inquiry.pdf

SHA256

c6e3a5466dbee8c259fb68d1e89d62a089be90feef03c71a06ce7e12ed7d65d1

SHA1

c5a85dd1eb2f61de90e056e7689bd2a3efdfcaa7

MD5

a60e4b542628e9198f86388fba9da522

ok.doc (CVE-2017-11882)

SHA256

18d421df73beeefbaaad7d02807e7eabb839fc91c5269eb65fe63b07994130f7

SHA1

f2f8d608ba03a9be1472308b8b7776702a7dd9b6

MD5

df3a9c8f7cf2af5ac7fbb022038a28be

 

Callback Phishing

File Name

Hash Type

Hashes

Invoice Number - _ - 325461236 NJHDGNJN 12451324324.pdf

SHA256

ce3a18f51cd723a680e6d108a3803dc6d56f25477472042aa63d77f59fa9d5e7

SHA1

a9f86b2ff957484c798d243e6bbc10cac3cbbc1b

MD5

d3d73a1810de1ddfffb3d880743959ec

 

 

Latest SpiderLabs Blogs

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising

During an Advanced Continual Threat Hunt (ACTH) investigation that took place in early December 2023, Trustwave SpiderLabs discovered Ov3r_Stealer, an infostealer distributed using Facebook...

Read More