PDF files, known for their simplicity and widespread use, have become a common tool for cybercriminals. ESET, a leading cybersecurity company, warns that the popularity of this format is being exploited to deceive users.
Therefore, it is essential to verify the source of documents and adopt good security practices. These malicious files can be a gateway for installing malware, stealing information, or exploiting vulnerabilities.
A malicious PDF can install or download malware, steal private or sensitive information, or even exploit vulnerabilities in the system or PDF readers. According to ESET, they are generally distributed as attachments in phishing emails that appeal to urgency, emotion, or concern to induce users to open them.

According to ESET’s latest Threat Report, PDF files rank sixth in the TOP 10 threat detections and are a trending topic in malicious email attacks.
“Attackers strive to avoid user detection and pretend to be legitimate PDFs. They can easily contain malicious elements that are imperceptible at first glance, especially for users unfamiliar with cybersecurity or IT”, says Fabiana Ramírez Cuenca, Information Security Researcher at ESET Latin America.
Among the most common examples of the different ways in which malicious PDFs are disguised are:
• Purchase or debt invoices, with names like “Invoice.pdf”
• Job resumes, mainly in attacks targeting companies
• Medical test results
• Documents linked to financial, banking, or government entities
One of the most common methods used by attackers is to embed scripts—code fragments—that may be designed to download malware, open remote connections, or execute commands and processes in the background, among other malicious actions.
They can also contain hidden links that open when the user interacts with certain document features. Furthermore, they can exploit vulnerabilities or flaws in popular readers, such as Adobe Reader, Foxit, and others.
A phishing campaign documented by ESET used PDF files to distribute the Grandoreiro banking Trojan. The attack began with a malicious link that led to the download of the infected PDF.
At first, the document’s appearance does not generate suspicion and it appears to be a real PDF file.

There are certain signs that could indicate you have received a malicious PDF. To identify one, ESET recommends considering some of the following characteristics:
• They arrive compressed in a ZIP or RAR file: Compression helps the file evade email filters and antivirus scanning, and can also hide a second, suspicious extension.
• They have misleading or generic names, such as document.pdf.exe or invoice.pdf: Because campaigns target many users at once, attackers tend to use generic names, or exploit the .pdf extension to disguise an .exe file whose real extension may even be hidden by the operating system.
• The sender does not match what the file claims: For example, an email claims to be from a known entity or person, but the sender cannot be identified. A strange domain is a clear red flag.
• It does not make sense to receive it: Ask yourself if you were expecting that file, if you know the sender, or if it makes sense for them to send it to you.
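The embedded scripts, automatic actions and hidden links described above, and the double-extension trick from the list of warning signs, can both be checked with a small triage script. The following is an added example, not ESET's code or tooling; the sample PDF bytes are constructed here for illustration.

```python
import re

# Constructed sample (not a real malicious file): a minimal PDF whose OpenAction
# points to an obfuscated JavaScript action, the kind of element the article
# describes as "imperceptible at first glance".
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('hello')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# PDF name objects worth a second look: scripts (/JavaScript, /JS), actions that
# fire automatically (/OpenAction, /AA), program launches (/Launch), attachments
# (/EmbeddedFile) and outbound links or form posts (/URI, /SubmitForm).
# None proves malice on its own; forms and signed documents use several.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/URI", "/SubmitForm")

# The last suffix is what the operating system executes, whatever comes before it.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                       ".js", ".vbs", ".hta", ".lnk")


def normalize_names(data: bytes) -> str:
    """Decode #xx escapes in PDF names (/J#61vaScript -> /JavaScript) so a
    trivially obfuscated name does not slip past a plain string match."""
    text = data.decode("latin-1")
    return re.sub(r"#([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


def risky_pdf_features(data: bytes) -> dict:
    """Return {name: count} for risky names found in the raw PDF bytes.
    Caveat: objects inside compressed object streams are invisible to this
    scan, so an empty result is not a clean bill of health."""
    text = normalize_names(data)
    found = {}
    for name in RISKY_NAMES:
        # Require a delimiter after the name so /JS does not match /JSomething
        hits = len(re.findall(re.escape(name) + r"(?![A-Za-z0-9_])", text))
        if hits:
            found[name] = hits
    return found


def suspicious_filename(filename: str) -> bool:
    """Flag 'Invoice.pdf.exe'-style names: an executable suffix, possibly
    padded with spaces so the real extension scrolls out of view."""
    return filename.lower().rstrip().endswith(EXECUTABLE_SUFFIXES)
```

A non-empty result from `risky_pdf_features` is a reason to open the file only in a sandbox or submit it for a full scan, not a verdict by itself.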
If you suspect you have received a malicious PDF, ESET shares some recommendations for analyzing the file and determining its nature:
• Scan it with VirusTotal: From this site, you can upload the suspicious document and scan it with multiple antivirus programs.
• Enable extension view in your operating system’s file explorer to see the actual file extensions and detect phishing attempts.
• Check the file size and name before opening it.
• Avoid opening suspicious compressed files.
• Always use PDF viewers updated to the latest versions to avoid exploitation of known vulnerabilities.
• Always use security solutions, such as antivirus and antimalware, to detect threats.

What should you do if the PDF has already been opened?
If you have already opened a malicious PDF, there are several measures you can take:
• Disconnect from the internet: This could prevent the infection chain from completing and malware from entering, or prevent the infected device from connecting to the criminals’ server (C2). It also prevents information from being exfiltrated or additional tools from being downloaded, as well as the infection from spreading to other devices connected to the same network.
• Scan your computer with anti-malware: If the PDF contained or downloaded malware, the scan may detect it.
• Review active system processes: This will identify the presence of suspicious processes or processes that shouldn’t be running. It also allows you to see if there is abnormal CPU, network, or memory usage.
• Change passwords: Given the possibility of infection, it is advisable to change passwords for email, networks, financial accounts, etc., to prevent criminals from using any credentials they manage to steal.
• Contact professionals: When in doubt, and if you do not have enough knowledge, it is always advisable to consult specialists who can identify intrusions.
“PDF files are part of our daily lives, but they can also be used as deception tools by cybercriminals. Maintaining good security practices, verifying the origin of files, and being alert for warning signs is key to protecting yourself”, concludes Ramírez Cuenca of ESET Latin America.