Threat-Loaded: Malicious PDFs Never Go Out of Style
Introduction
In the realm of cybersecurity, danger hides where we least expect it and threats never, ever, go out of style!
Over the past few months, Trustwave SpiderLabs has seen a rising trend in threat actors employing PDF documents to gain initial access through email-borne attacks. Though the use of PDF files as a malicious vector is not a novel approach, it has become more popular as threat actors continue to experiment with techniques to bypass conventional security controls.
Portable Document Format (PDF) is a file format developed by Adobe in 1992. It is commonly used for electronic documents such as resumes, manuals, invoices, and forms as it allows text and images to be displayed consistently on various devices and platforms, while preserving the original document's formatting and layout.
In this blog, we will explore the common techniques used by attackers to weaponize PDFs and what makes PDF a compelling choice for social engineering. We will also highlight campaigns we have observed in the first half of 2023 taking advantage of PDF in their attack chains.
What Makes PDF Files Attractive to Threat Actors?
Ubiquity: PDF files are widely used and accepted as a standard format for sharing and distributing information among users and organizations. PDFs are popular for several reasons:
- A PDF preserves the formatting and layout of the document regardless of the platform or software used to read the files.
- Most modern devices and operating systems come with built-in PDF readers.
This makes the ubiquitous PDF an attractive initial access vector for attackers as they can be easily distributed regardless of platform and resulting in higher phishing click rates compared to other methods.
Trustworthiness: PDF documents are often perceived as trustworthy and safe to open, particularly when received from a trusted source, which makes it easier for attackers to trick victims into opening malicious PDF documents.
Difficulty in Detection: PDF documents are often used for legitimate purposes and can contain complex data structures that make them difficult for security teams and software to analyze and detect.
Techniques and Methods
Malicious Hyperlinks
A hyperlink in a PDF is a clickable element that connects to an external resource, such as a website, email address or another page within the same document. When a user clicks on the linked text or image in the PDF, it will open the specified destination in their web browser. If a user is using a web browser to open a PDF document, clicking a link can make the redirection to an external resource seamless.
Attackers commonly use PDF documents to deliver malicious links to victims. For instance, a PDF may contain a link that appears to be legitimate but leads the users to a website that phishes their login credentials or drops malware onto their system. We have seen this technique being abused by operators of Qakbot and IcedID in their malspam campaigns.
Qakbot
Qakbot has continued to evolve and adapt to evade detection and infect victims. Right after Microsoft blocked malicious file embedding in OneNote, Qakbot operators shifted to using PDFs with embedded malicious links to deliver their payloads.
In most cases we have seen, the PDF document is designed to look like an Adobe Acrobat or Microsoft Azure update panel. It lures the users into clicking the button to view the document but once clicked, it will download an intermediate file like an archive, or scripts that will eventually lead to the download of the Qakbot DLL. There’s a variant where the embedded link drops a password-protected archive, and the password is included in the maliciously crafted PDF.
Figure 1. Qakbot spoofed Adobe Acrobat to trick users into clicking the link leading to the next stage of the chain, in this case, a zip archive.
Figure 2. This variant of Qakbot lure added a password in the PDF file used to unlock the follow-on ZIP archive.
The diagram below illustrates a typical infection chain starting with a PDF attachment.
Figure 3. Multi-layer attack chain involving PDF as initial stage designed to deliver Qakbot payload while evading detection.
This delivery method uses the ubiquity of PDFs, tricky social engineering schemes like email thread hijacking, and high-quality social engineering to maximize the chances of installing Qakbot.
Back in 2015, we documented a campaign involving a PDF containing a malicious link. Similar techniques continue to be observed and are becoming even more prevalent in a post-macro era. Some techniques just never go out of style.
To minimize exposure, enable security features in your PDF reader like displaying a warning when a PDF tries to establish a connection to an Internet site or create restriction access to external websites.
Actions and JavaScript
Actions and JavaScript are PDF features that can be used to add interactivity and automation to the document.
Actions in a PDF file are events associated with certain triggers, such as clicking a button or selecting a link. JavaScript embedded in the PDF document adds advanced functionality and automation, such as form validation, calculations, and dynamic content based on user input.
While these features are created to enhance user experience, actions and JavaScript in PDF poses a security risk and can be abused by threat actors to execute malicious actions or download malware onto a victim's computer.
PDF Dropper
A case we encountered utilized JavaScript action to drop and launch embedded Office Document in the PDF file itself.
Peeking at the PDF file structure using pdfid, a tool created by Didier Stevens, revealed that it contains JavaScript, OpenAction and EmbeddedFile properties and the /Page attribute indicated that it has only one page. What we are most interested in is the JavaScript attribute.
Figure 4. Properties of the PDF file scanned by PDFiD script.
Digging deeper, the JavaScript action defined in the PDF used exportDataObject function which allows exporting data from the PDF document. The parameter cName specified the name of the object to be extracted, in our case, it relates to the embedded file, and the nLaunch value 2, specified that the file will be saved in a temporary path and then launched.
Figure 5. Snippet of code embedded in the PDF file used to export data.
The object name “ok.doc” was crafted in a manner that aligns with the prompt message when read by an unsuspecting user, thereby increasing the chances of the embedded file being opened.
Figure 6. The PDF file pops out a prompt to whether open the embedded file or select other options.
The resulting payload is an RTF document loaded with the CVE-2017-11882 exploit and launched when opened with Microsoft Word.
JavaScript in PDFs can pose a security risk. To mitigate this risk, disable JavaScript execution in PDF readers and enable it only for trusted documents. On top of that, keep the PDF reader up to date.
Exploiting Vulnerabilities in PDF Reader
Threat actors can exploit vulnerabilities in PDF readers to advance their attack. For instance, threat actors can embed malicious code in a PDF file that abuses a vulnerability such as CVE-2021-28550 in an unpatched Adobe Acrobat PDF reader which could allow the attackers to take control of the target’s computer.
More than a decade ago, Adobe Acrobat was the most popular and widely used PDF reader. Threat actors took note of this huge user base and went to work creating a boom in the number of exploits targeting PDFs.
But in recent years, multiple PDF readers are now available for commercial and consumer use, even browsers and operating systems have built-in PDF support. This change has dramatically altered the threat landscape. Even though high-severity vulnerabilities are discovered every year for Adobe Reader/Adobe Acrobat, exploitation of such vulnerabilities in-the-wild is lower than a decade ago, limited and targeted.
Such a decrease in exploits against Adobe Reader can be attributed to security improvements over the years preventing attacks, and developers are more agile in fixing bugs in their software. Considering the variety of PDF readers available, modern web browsers now have built-in PDF viewers, reducing the need for standalone Adobe Reader installations. Threat actors might have also shifted target applications and tactics based on popularity and security measures of software.
While the overall number of exploits may have decreased, it is still crucial to keep all applications, including Adobe Reader, updated to protect against potential threats.
Social Engineering
Threat actors rely on social engineering techniques to trick users into downloading and opening PDF files. They may send an email with a fake PDF file impersonating brands, products, or services to trick users into divulging sensitive information, such as login credentials, personal details, or financial data.
The PDF documents involved in social engineering attacks are not inherently malicious but are purposely crafted for malicious intent. Threat actors take advantage of PDF’s perceived legitimacy to conduct malicious attacks.
Call-back Phishing
In this attack, cybercriminals initially sent an email pretending to be from a service or product provider with an attached invoice in PDF. This email was sent using a free email service where recipients are undisclosed and generically greeted as ‘customer’. The message prompts the target to call the sender to know more information about the subscription update. This creates a sense of urgency and importance while deceiving the target to act accordingly.
Figure 7. Email components including headers, body, and a PDF attachment along with its unpacked components, as observed within the MailMarshal console.
Let’s look at the attached PDF invoice. Attackers spoofed the logo and branding of a known electronics vendor. In addition, the file name is patterned to look like an official invoice that carries the keywords ‘invoice number’ plus random digits and characters. No links were embedded in the PDF to direct users to malicious websites making it less likely to be inspected by security scanners.
The image within the PDF displays the fake purchase details along with a phone number controlled by the attackers. The attackers used the fear of monetary loss to manipulate the user to call the phone number and cancel the subscription.
Figure 8. The image embedded in the PDF depicts fake purchase information from a well-known brand, accompanied by a phone number under the attackers' control.
It is worth noting that the content usually found in plain text was intentionally embedded as an image. This technique leaves very few artifacts for scrutiny and is more likely to evade traditional email gateways.
Callback phishing was first spotted in the wild in the early 2021 where users were prompted through phishing emails to call a number to cancel a subscription, redirecting them to a website where they unwittingly download the malware, dubbed as BazarCall.
Once the target user calls the phone number to cancel the subscription, the scammer will take advantage of the opportunity to acquire sensitive information such as login credentials and financial data or instruct the target to install software and gain access on their system. Worst still, attackers can cash in on the stolen information by threatening the victim and demanding sizable sums of money. Aside from that, attackers can leverage the system access to drop a follow up threat such as ransomware.
Awareness is a strong defense against social engineering as it helps people recognize and resist manipulative tactics, reducing the likelihood of falling victim to such attacks. Being aware enables people to remain cautious, question shady requests, and protect their sensitive information and assets effectively.
Conclusion
By and large, PDF is undeniably a superb choice for threats actors due to its widespread use and cross-platform compatibility, making the file format an effective vehicle for delivering malicious content to a broader audience. Malicious PDF documents are here to stay as its popularity among organizations and users is an opportunity to cybercriminals.
As malicious macro documents lose their appeal due to improved security measures, this shift fosters a new wave of PDF-based threats.
SpiderLabs Research constantly monitors the threat landscape to understand the latest deceptive schemes to warn our customers and end-users. Trustwave MailMarshal provides protection against these threat-loaded PDFs.
We always remind everyone to stay vigilant in this ever-changing digital landscape.
Indicators of Compromise
Qakbot
File Name |
Hash Type |
Hashes |
ProjectFunding-238992265.pdf |
SHA256 |
ce3a18f51cd723a680e6d108a3803dc6d56f25477472042aa63d77f59fa9d5e7 |
SHA1 |
b25bd2589c93bb4cb4378b296cc9fe1a08af14e4 |
|
MD5 |
c9fce8da66737ef10a06982b0abf667b |
|
ProjectFunding_D392.wsf |
SHA256 |
37dc95539b7255458a64617a2e71f84c618053ad02634bbdfa554627c664d6ad |
SHA1 |
02965537fa2e861e4b4c494ac18e21d628d8afc0 |
|
MD5 |
3166b32e8a67f5c232d114c4f8ef576b |
|
aGiEOMg5zFKYNbCw.txt (XMLHTTP) |
SHA256 |
fae5d5b3cc272c4c542f0f2e69e130c68e7ecda9cae57d3ba2361b2756c53f59 |
SHA1 |
e168d0959d3c6ccb1e6431f0bd0f215f665bba5f |
|
MD5 |
8115abad945f7fe4a3368b7e9f576add |
|
asX6RVUBjtpro2bP9.txt (XMLHTTP) |
SHA256 |
295135b99cc246b7877a50f9702c60583ee78ef1dc109a2296e2150c0c3c3cc3 |
SHA1 |
59b53852484300545b25511a25aa2eb6a673db5e |
|
MD5 |
6f461d5d0a7c0fe9de4d21871af29fb6 |
|
URL |
|
hxxp://ncs[.]com[.]pk/pki/64482841d65cc[.]zip |
hxxps://4iptv[.]eu/tsqu/tsqu[.]php |
PDF Dropper
<td style="width:" 83.0469px;="" height:="" 57px;"="" width="72"><td style="width:" 482.469px;="" height:="" 57px;"="" width="443"><td style="width:" 83.0469px;="" height:="" 57px;"="" width="72"><td style="width:" 482.469px;="" height:="" 57px;"="" width="443"><td style="width:" 83.0469px;="" height:="" 57px;"="" width="72"><td style="width:" 482.469px;="" height:="" 57px;"="" width="443"><td style="width:" 83.0469px;="" height:="" 57px;"="" width="72"><td style="width:" 482.469px;="" height:="" 57px;"="" width="443"><td style="width:" 83.0469px;="" height:="" 57px;"="" width="72"><td style="width:" 482.469px;="" height:="" 57px;"="" width="443"><td style="width:" 83.0469px;="" height:="" 57px;"="" width="72"><td style="width:" 482.469px;="" height:="" 57px;"="" width="443">
File Name |
Hash Type |
Hashes |
Pharmaceutical Products Inquiry.pdf |
||
ok.doc (CVE-2017-11882) |
||
Callback Phishing
File Name |
Hash Type |
Hashes |
Invoice Number - _ - 325461236 NJHDGNJN 12451324324.pdf |
SHA256 |
ce3a18f51cd723a680e6d108a3803dc6d56f25477472042aa63d77f59fa9d5e7 |
SHA1 |
a9f86b2ff957484c798d243e6bbc10cac3cbbc1b |
|
MD5 |
d3d73a1810de1ddfffb3d880743959ec |
About the Author
Bernard Bautista is a Security Researcher at Trustwave's SpiderLabs, where he specializes in email and malware analysis. He focuses on improving the security posture of customers by analyzing email-borne threats and developing detection mechanisms to protect against emerging cyber threats. Follow Bernard on LinkedIn.
ABOUT TRUSTWAVE
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.