We have recently been seeing a newer infection method: macro-enabled Word docs and other macro-enabled Office files, particularly Excel XLS, embedded in PDF files. To all intents and purposes these PDF files look quite innocent and will normally be an almost blank page with 1 line of text. These started off delivering Locky ransomware, then switched to Jaff ransomware and the Dridex banking Trojan. Over the last week or so, since 6th or 7th June 2017, they have also started delivering the Trickbot banking Trojan via this method.
These recent posts illustrate this attack method:
If you have Adobe Reader or any other PDF reader set to its default settings, there is a high probability of you becoming infected via this method. Luckily, it is relatively easy to protect yourself.
First of all, go to https://myonlinesecurity.co.uk/infected-malformed-pdf-attachments-emails/ and follow the instructions to set PDF files to open in Adobe Reader (or whichever PDF reader you use), NOT in the browser, which introduces many possible vulnerabilities.
The settings for this vary according to your browser:
Step 1: Go to Tools / Manage add-ons.
Step 2: Select "All add-ons" in the drop-down, look for Adobe PDF Reader and then press the Disable button.
That way any PDF you receive will only open in Adobe Reader itself and not in your browser, so cutting down the risk of any exploit infecting you.
Step 1: Open Chrome and type “about:plugins” into the omnibox at the top.
Step 2: Scroll down and find Chrome PDF Viewer.
Step 3: Click the “Disable” link to prevent PDFs from loading within Chrome.
Firefox: see HERE and select Use Adobe Reader (default) or the alternative PDF reader you have installed.
Previewing PDFs in a browser is just too dangerous a risk to take with the current exploits, and it is much safer to view them in the application itself, which should be sandboxed to prevent exploits slipping out.
Once you have safer settings set in Adobe Reader, you are extremely unlikely to infect yourself with this sort of malware.
Trying to open a PDF with embedded content will give you this
and you can see that you cannot open or save the embedded Word document, which stops you from being infected, even though you can see the Word doc listed in the left-hand sidebar.
First, open Adobe Reader and, on the top menu bar, select Edit then Preferences. This contains all the settings you need to change to make sure that this and other similar types of malware cannot infect you.
Next, enable Adobe Protected Mode and Enhanced Security. This blocks most features in Adobe Reader to stop anything auto-opening or running. It prevents you saving or opening attachments or embedded objects like video or sound (why anyone would want music or video in a PDF is beyond me though). Next and the most important in preventing embedded objects from being used maliciously
You can read https://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/ to learn how to set Word to protect you.
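For anyone checking attachments before they reach a reader at all, the sketch below scans a PDF's raw bytes for embedded-file markers and macro-capable Office file names, which is the delivery method described at the top of this post. It is an added example, not code from this site; the function names, the verdict labels and the sample bytes are assumptions made for illustration.

```python
import re

# Office extensions that can carry macros (the payload type this post describes).
MACRO_EXTS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb")
# PDF name objects that mark an embedded file, its name tree or a file specification.
EMBED_NAMES = ("EmbeddedFile", "EmbeddedFiles", "Filespec")

# Constructed sample: the skeleton of a PDF that embeds a macro-enabled Word file.
SAMPLE = (b"%PDF-1.5\n"
          b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >> endobj\n"
          b"3 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 4 0 R >> >> endobj\n"
          b"4 0 obj << /Type /Embedded#46ile /Length 0 >> stream\nendstream endobj\n"
          b"%%EOF\n")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes, so /Embedded#46ile is read as /EmbeddedFile."""
    out = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)
    return out.decode("latin-1")

def triage_pdf(data: bytes) -> dict:
    """Keyword-level triage of raw PDF bytes; it does not parse or render the file."""
    counts = {}
    for m in re.finditer(rb"/([^\s()<>\[\]{}/%]+)", data):
        name = decode_name(m.group(1))
        if name in EMBED_NAMES:
            counts[name] = counts.get(name, 0) + 1
    # Literal-string file names in file specifications: /F (name) or /UF (name).
    files = [f.decode("latin-1") for f in re.findall(rb"/U?F\s*\(([^()]*)\)", data)]
    macro_capable = [f for f in files if f.lower().endswith(MACRO_EXTS)]
    if macro_capable:
        verdict = "block"         # embedded Office file that can hold macros
    elif counts:
        verdict = "review"        # something is embedded, type unknown
    else:
        verdict = "nothing-seen"  # not proof of safety, see the note below
    return {"names": counts, "files": files,
            "macro_capable": macro_capable, "verdict": verdict}

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

Names stored inside compressed object streams, and file names written as hex or UTF-16 strings, are invisible to a byte scan like this, so a "nothing-seen" result does not clear a file and the reader settings above still matter.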