PDFs are simple, widely used files that, in principle, do not raise suspicion. They work on almost any operating system and there is a large amount of free software and websites where you can read and modify them. ESET, a leading company in proactive threat detection, warns that this popularity is one of the reasons why cybercriminals use them as a great tool for deception, and that is why it is essential to be vigilant, verify the origin of the files and adopt good security practices.
A malicious PDF can install or download malware, steal private or sensitive information, or even exploit vulnerabilities in the system or the PDF reader. According to ESET, they are generally distributed as attachments in phishing emails that appeal to urgency, emotion, or concern to get the recipient to open them. According to the latest ESET Threat Report, PDF files are in sixth place in the TOP 10 threat detections, and are one of the trends in attacks through malicious emails.
"Attackers strive to avoid being detected by users and simulate legitimate PDFs. It's easy for them to contain malicious elements that are imperceptible at first glance, especially for users outside of cybersecurity or computer science," comments Fabiana Ramirez Cuenca, Cybersecurity Researcher at ESET Latin America.
Among the most common ways attackers disguise malicious PDFs are:
Purchase or debt invoices, with names like "Invoice.pdf"
Job resumes, mainly in attacks targeting companies
Results of medical studies
Documents linked to financial, banking or governmental entities
One of the most common methods used by attackers is to embed scripts (code snippets) that can be designed to download malware, open remote connections, or execute commands and processes in the background, among other malicious actions. The files can also contain hidden links that open when the user interacts with certain features of the document. In addition, they can exploit a vulnerability or flaw in popular readers such as Adobe Reader and Foxit, among others.
A phishing campaign documented by ESET used PDF files to distribute the Grandoreiro banking trojan. The attack began with a malicious link that led to the download of the infected PDF.
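The embedded scripts, hidden links and automatic actions described above leave recognizable name tokens in a PDF's structure, so a file can be triaged without opening it in a reader. The following Python code is an added example, not ESET's tooling or part of the original article; the function names and the sample bytes are constructed for illustration, and only the token names come from the PDF format itself.

```python
import re
import zlib
# PDF name tokens behind the behaviours described above (names from the PDF spec).
RISKY_NAMES = {
    "/JavaScript": "embedded script", "/JS": "embedded script",
    "/OpenAction": "action run when the file opens",
    "/AA": "action run on an event", "/Launch": "starts an external program",
    "/URI": "link to an external address", "/EmbeddedFile": "attached file",
}
NAME_RE = re.compile(rb"/[^\x00\t\n\f\r ()<>\[\]{}/%]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes so /J#61vaScript is read as /JavaScript."""
    plain = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")

def inflate_streams(data: bytes) -> bytes:
    """Best-effort inflate of Flate-compressed streams, which can hide objects."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (other filter, or stored uncompressed)
    return b"\n".join(out)

def triage_pdf(data: bytes) -> dict:
    """Count risky names in the raw bytes and inside inflated streams."""
    counts = {}
    for blob in (data, inflate_streams(data)):
        for m in NAME_RE.finditer(blob):
            name = decode_name(m.group(0))
            if name in RISKY_NAMES:
                counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample, not taken from a real campaign.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n"
    b"3 0 obj << /S /URI /URI (https://example.invalid/) >> endobj\n"
    b"4 0 obj << /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /Launch /F (placeholder) >>") + b"\nendstream endobj\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

A hit is a reason for closer inspection rather than proof of malice, since legitimate forms and documents also use scripts and links.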







