We are now seeing lots of infected, malformed PDF attachments to emails. The bad guys are changing their method of malware delivery with these emails and attaching a genuine PDF file instead of a zip. These PDFs are malformed and contain an embedded script that will infect you if you open the PDF, and very likely if you merely preview it in your browser.
One of the problems with them is that they frequently crash the PDF reader, so a user doesn't always realise that there is a problem, and it can take 24 to 48 hours before any untoward effects start to show up on an infected computer. We are starting to hear of cases where there are no obvious ill effects on the computer (no pop-ups, no redirects, no unwanted adverts or slowdowns when browsing), but the victim's bank or PayPal account is being compromised and they are receiving emails from various companies saying that XXX product has been sent to the alternative address specified and money debited from PayPal or a bank or credit card. If you have been unlucky enough to receive one of these emails with an infected PDF attachment and have opened or even previewed the PDF, then it is vital to check all your financial information (bank accounts, credit cards, PayPal etc.) and get in touch with the company at the first opportunity if you spot anything.
They are using several well-known and hopefully fully fixed exploits in older versions of Adobe Reader. Some of these are bugs in Adobe's own code, but others abuse features that the PDF format itself provides (JavaScript, actions that run when the document opens, embedded files), and any other PDF reader that implements those features can be affected too.
They attach what appears to be a genuine PDF file, which is malformed and has a script embedded. It depends on which version of Adobe Reader you use, but older ones are definitely vulnerable to this exploit and hopefully the most recent one will be safe (but I won't guarantee that). As far as I can tell they are using an exploit from 2013 that was fixed in an Adobe Security Bulletin, and an even older one from 2010. Make sure you are using a version of Adobe Reader, or any other PDF reader, that has been declared free from these vulnerabilities and keep it updated.
We first saw this attack back in February 2014 (ATTN: Important notification from HMRC – PDF malware), but it quickly stopped. We started to see this method of attack come back and really take off over the last couple of days with Amazon Order details – fake document malware and Invoice 951266 – fake PDF malware, and today with Barclays – RBS – HSBC – Lloyds outstanding invoice or transaction notification – Important RBS Documents – fake PDF malware.
Updated 18 August 2014: Another massive run of these malformed, infected PDF attachments over the last couple of days. Unfortunately many anti-virus products that do scan email do not, by default, inspect PDF or Office attachments such as Word or Excel files for malicious content. That often has to be configured separately in your anti-virus settings, or the attachment has to be saved to your Downloads or Documents folder and then scanned by the anti-virus.
Updated 24 April 2015: We are seeing the start of a new avenue of attack via Adobe PDF Reader (Invoice 519658 Colin Fox – PDF malware) which combines the ability to embed Word documents and Excel spreadsheets inside a PDF with malicious macros inside those Word or Excel files. Opening the PDF drops the Word document with the embedded macro, attempts to open it automatically, and the macro then does the infecting.
Luckily, recent versions of Adobe Reader have Protected View enabled automatically, and unless you press the button to enable all features you will be safe from this attack.
If you do enable all features, then you have a second chance to protect yourself by pressing either Cancel or "Never allow opening files of this type" on the pop-up warning. Pressing Allow WILL almost certainly open the Word document automatically and run the malicious macro, so infecting you. Make sure Adobe Reader (or any other PDF reader software) is updated to the latest version to protect you; older versions are vulnerable to these attacks. If using Adobe, make sure you uncheck any additional offerings of security scans, Google Chrome or toolbars that it wants to include in the download.
It is vital that you make sure Adobe PDF Reader is updated to the latest version, and if you use any alternative PDF reader then make sure that is fully updated too. Many PDF exploits affect more than just Adobe. I keep seeing suggestions on many websites that say use an alternative PDF reader and do not use Adobe Reader or Acrobat. That might work for some people, although many other PDF readers or PDF creation programs have more limited functionality than Adobe does, but the main problem is that a large share of these attacks do not depend on a bug in one particular reader. They abuse features that the PDF specification itself provides: JavaScript, actions that run automatically when a document is opened, launch actions and embedded files. Any PDF reader that follows and adheres to those specs can be, and will be, affected by attacks of that kind, so switching readers reduces your exposure to Adobe-specific bugs but does not make you immune.
This video from Sophos explains well how they do this
I would like to tell you to immediately delete any email attachment that comes with a PDF, but in the real world, that just isn’t possible.
I know we always say don't open any attachment or file sent to you in an email, but with fake PDF files that is quite difficult. Many companies do send PDF files with invoices or reports and it is just about impossible to tell what is real and what isn't. It is easy to spot the usual fake PDF that is really a .exe or .scr file that has been renamed or has had the .exe hidden, but it is impossible to know whether a genuine PDF file contains malicious content unless you save it to your computer and scan it with your anti-virus. Never open it directly from the email.
The bad guys are picking subjects and content for the emails that will persuade or entice an unwary user to open or preview the attachment. Loads of us do order from Amazon or other online companies. At certain times of the year lots of us do get genuine emails from HMRC asking for more details about our online tax returns. Lots of banks, credit card companies and other financial institutions do send a PDF statement, or a link to a PDF, in an email.
If you know you haven't ordered anything from that company, or don't have a credit card or account with that financial institution, then it is quite obvious that it is likely to be a phishing or scam email that will infect you or steal your information or identity. BUT there will always be a user who has ordered from that company or from a similarly named company.
The best advice that I can offer is to keep the PDF reader updated to the latest version. Make sure your anti-virus is fully updated. If you get an attachment, save it to your computer. Do not attempt to open or read the PDF by clicking on it or previewing it in your email. Scan the saved attachment with your anti-virus.
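As an added worked example (not code from the original post), here is a small Python triage script for a saved attachment that does the two checks the text above describes: it examines the filename for the renamed-executable tricks (a .pdf.exe double extension, or a right-to-left override character that reverses how the name displays) and, for a real PDF, looks for the format features these attacks rely on, such as actions that run on open, JavaScript and embedded files. It also resolves the #xx name escaping (/J#61vaScript) that malware uses to hide /JavaScript from simple keyword searches. The sample files are constructed for the example and are not real malware; the function names and the list of risky names are this example's own choices, not anything from the original page.

```python
import re

# Dictionary keys that frequently appear in malicious PDFs. None proves malice
# on its own (forms use JavaScript legitimately), but in an unsolicited
# "invoice" they are a strong reason not to open the file.
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action code",
    b"/OpenAction": "action that runs when the document is opened",
    b"/AA": "additional actions triggered automatically",
    b"/Launch": "launch action (runs an external program)",
    b"/EmbeddedFile": "embedded file, e.g. a Word or Excel document",
    b"/RichMedia": "Flash or other rich media content",
    b"/ObjStm": "object streams, which can hide other names",
}

# Extensions that mean "this is a program", however the file is named.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}
RTLO = "\u202e"  # Unicode right-to-left override; reverses how the rest of a name displays


def decode_pdf_names(data: bytes) -> bytes:
    """Resolve #xx escapes in names (/J#61vaScript -> /JavaScript).

    PDF lets any character of a name be written as #xx, which malware uses to
    dodge naive keyword scanners. This also touches '#' inside stream data,
    which is harmless for a triage heuristic.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def check_filename(name: str) -> list:
    """Flag names that disguise an executable as a document."""
    findings = []
    if RTLO in name:
        findings.append("right-to-left override character in filename")
    # Strip the override so the extension logic sees the real character order
    parts = [p.strip() for p in name.replace(RTLO, "").lower().split(".")]
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        findings.append(f"real extension is .{parts[-1]} (executable)")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension .{parts[-2]}.{parts[-1]} hides the true type")
    return findings


def check_content(data: bytes) -> list:
    """Look inside the bytes: is it a program, is it a PDF, and what can it do?"""
    findings = []
    if data[:2] == b"MZ":
        findings.append("Windows executable (MZ header) disguised as a document")
        return findings
    # Readers accept the header anywhere in the first 1024 bytes, so look there,
    # not just at offset 0; malformed samples exploit exactly that slack.
    if b"%PDF-" not in data[:1024]:
        findings.append("no %PDF- header in the first 1024 bytes: not a real PDF")
        return findings
    normalised = decode_pdf_names(data)
    for name, meaning in RISKY_NAMES.items():
        # A name ends at a delimiter, so /JS must not match a longer name like /JSON
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", normalised))
        if hits:
            findings.append(f"{name.decode()} x{hits}: {meaning}")
    if b"%%EOF" not in data[-1024:]:
        findings.append("missing %%EOF marker near the end: truncated or malformed file")
    return findings


def triage_attachment(name: str, data: bytes) -> dict:
    """Combine both checks; 'clean' only means none of these indicators were found."""
    report = {"filename": check_filename(name), "content": check_content(data)}
    report["verdict"] = "risky" if (report["filename"] or report["content"]) else "clean"
    return report


# Constructed samples for this example, not real malware. The scripted one has
# an /OpenAction pointing at a JavaScript action written with a #61 escape, plus
# an embedded (empty) file named like a Word document.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
    b"3 0 obj<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)
SCRIPTED_PDF = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 4 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
    b"3 0 obj<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]>>endobj\n"
    b"4 0 obj<</S/J#61vaScript/JS(app.alert\\(1\\))>>endobj\n"
    b"5 0 obj<</Type/Filespec/F(invoice.doc)/EF<</F 6 0 R>>>>endobj\n"
    b"6 0 obj<</Type/EmbeddedFile/Length 0>>stream\nendstream\nendobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)
FAKE_PDF_EXE = b"MZ\x90\x00" + b"\x00" * 60  # PE header stub, not a working program

if __name__ == "__main__":
    for fname, blob in [("statement.pdf", BENIGN_PDF),
                        ("Invoice 519658.pdf", SCRIPTED_PDF),
                        ("Invoice 951266.pdf.exe", FAKE_PDF_EXE)]:
        print(fname, triage_attachment(fname, blob))
```

To use it on a real attachment, save the file as the text advises and call `triage_attachment(filename, open(path, "rb").read())` before deciding whether to open it. A "clean" verdict only means none of these indicators were found, not that the file is safe, so still scan it with your anti-virus; and a /JavaScript hit in a form you were expecting is not proof of malice, only a reason to look harder.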
Normally these malformed PDFs do not preview and appear as plain blank pages in Windows 7 and Windows 8. The other thing that will help you avoid being unwittingly infected is to set Adobe Reader, or any other PDF reader, to open PDFs in the program itself and NOT in your browser. I honestly do not know whether the built-in PDF viewers in Windows 8, Firefox and Chrome (or iPhone/Android) are vulnerable to these exploits, but I see no reason to suppose that they are fully immune. As far as analysis so far can tell, the actual malware that gets downloaded or installed is Windows specific, but be prepared for malware that runs on other operating systems to get downloaded: the exploits in PDF readers do work on operating systems other than Windows.
The settings for this vary according to your browser:
Internet Explorer:
Step 1: Go to Tools > Manage add-ons.
Step 2: Select All add-ons in the drop-down, look for Adobe PDF Reader and press the Disable button.
That way any PDF you receive will only open in Adobe Reader itself and not in your browser, cutting down the risk of any exploit infecting you.
Google Chrome:
Step 1: Open Chrome and type "about:plugins" into the omnibox at the top.
Step 2: Scroll down and find Chrome PDF Viewer.
Step 3: Click the "Disable" link to prevent PDFs from loading within Chrome. (Newer versions of Chrome have removed about:plugins; the equivalent setting is under Settings > Privacy and security > Site settings > PDF documents, where you can choose to download PDFs instead of opening them in Chrome.)
Firefox: go to Options > Applications, find Portable Document Format (PDF) and select Use Adobe Reader (default) or the alternative PDF reader you have installed.
Previewing PDFs in a browser is just too dangerous a risk to take with the current exploits, and it is much safer to view them in the PDF application itself, which should be sandboxed to prevent exploits slipping out.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying "look at this picture of me I took last night" that appears to come from a friend, or something more targeted at somebody who regularly receives PDF attachments, Word .doc attachments or any other common file type they use every day. Be very careful when unzipping them, and make sure Windows is showing file extensions (uncheck "Hide extensions for known file types" in Folder Options). Then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.