Cyber Trends: Malicious PDF Link Obfuscation

The latest cyber-attack trend that our Chorus Cyber CSOC is seeing: Malicious PDF Link Obfuscation

Cyber attackers are always looking for new ways to trick users into granting access to their accounts, and when a method is successful it often becomes more widespread in the hope of repeated success. Over the past few weeks, our Chorus Cyber CSOC has seen a growing trend involving the use of PDF links to obfuscate malicious links sent to targeted users.

What does the attack look like?

  • A user receives an email containing a link to a document that has been shared with them, typically asking for approval or review. This has recently been observed as both DocuSign and Adobe PDF links.
  • The link leads the user to a PDF, viewable on the web. As the PDF is hosted on adobe[.]com, it appears as a normal document, including the usual Adobe PDF functionality options, and can contain any design or branding elements required (image below).
  • This PDF will often contain a button, link, or other hyperlinked item designed to attract the user’s attention and look official.
  • On interacting with it, the user opens a secondary link – and the attacker has bypassed any email protection in place.
  • This secondary link may download malicious content, open a phishing page, or perform other malicious activities.
  • Observed malicious content has so far included unknown executables that immediately run in the background, and phishing pages.

Alternative attack methods

An alternative attack method has also been observed which uses a download link initially, giving the user a ‘pdf.url’ file. This may be inside a ZIP folder or another form of archive to prevent AV detection. The ‘pdf.url’ file then links to a PDF page as above.

Why is this successful?

  • The malicious link may not be detected properly by normal email protection measures, as it is embedded within another page entirely.
  • These emails have been observed originating from compromised client accounts, letting a hostile actor use a trusted contact to send the emails, potentially bypassing filters if they have been marked as an explicitly allowed sender, or trusted partner. This also tricks the targeted user, as they may have previous legitimate contact with this client or sender.
  • The entire chain of events takes only a few clicks, and blends in with normal day-to-day activities.
  • If a document is compressed into an archive, it is difficult for traditional antivirus to scan and pick up malicious content.
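As an added example (not part of the original post or of any Chorus Cyber tooling), the Python script below does what a gateway that stops at the archive boundary may not: it opens a ZIP attachment, parses any ‘pdf.url’ Internet Shortcut it contains, and pulls the link targets out of any PDF inside, so the outbound URLs can be checked before a user ever clicks them. The archive contents, file names and URLs are constructed for the demonstration, and the PDF regex assumes link annotations are stored uncompressed.

```python
import configparser
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Matches the /URI entry of a PDF link annotation, e.g. /URI (https://...).
# Assumption: the annotation object is not inside a compressed object stream;
# a production scanner should decode streams with a PDF library first.
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def pdf_link_targets(pdf_bytes: bytes) -> List[str]:
    """Return the URI targets of link annotations found in raw PDF bytes."""
    return [m.group(1).decode("latin-1") for m in PDF_URI_RE.finditer(pdf_bytes)]


def url_shortcut_target(text: str) -> Optional[str]:
    """Parse a Windows Internet Shortcut (.url) file and return its URL= value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def scan_archive(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Walk a ZIP attachment and collect every outbound link from .url shortcuts
    and PDF link annotations it contains, as (member name, target) pairs."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            name = info.filename.lower()
            if name.endswith(".url"):
                target = url_shortcut_target(data.decode("utf-8", errors="replace"))
                if target:
                    found.append((info.filename, target))
            elif name.endswith(".pdf") or data.startswith(b"%PDF"):
                for target in pdf_link_targets(data):
                    found.append((info.filename, target))
    return found


# Constructed sample: a ZIP holding a 'pdf.url' shortcut and a tiny PDF with one link.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (https://example.net/secondary-link) >> >> endobj\n%%EOF\n")
SAMPLE_URL = "[InternetShortcut]\r\nURL=https://acrobat.example/shared-document\r\n"


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice/pdf.url", SAMPLE_URL)
        zf.writestr("invoice/approval.pdf", SAMPLE_PDF)
    return buf.getvalue()


if __name__ == "__main__":
    for member, target in scan_archive(build_sample_zip()):
        print(f"{member}: {target}")
```

Each returned target is a candidate for reputation lookup or an allow-list check against the domains your organisation genuinely shares documents from.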

Recommendations

  • Chorus Cyber recommends user training and encouraging increased vigilance against these types of schemes that take you away from email. Similar schemes have been observed through LinkedIn mail and business web chat.
  • Chorus Cyber recommends the use of application whitelisting, which would not permit an unknown executable to run.

Looking for SOCaaS?

Our Microsoft-native MDR and MXDR services enable MSPs to deliver effective managed cybersecurity to their customers through a channel partner model. With industry-leading response times and built on Microsoft Sentinel and Microsoft Defender XDR, we help to detect and respond to evolving cyber threats – managing and reducing cyber risk.