The threats behind booby-trapped PDF files: Everything you need to watch out for

Cybersecurity company ESET is warning about the countless PDF files sent every day by email and other messaging platforms. According to its latest research, some of these files carry malware, and some are not PDFs at all but files of another type, such as archives or executables, presented as PDFs.

Recent data from ESET confirms that PDF is among the file types most often used to deliver malware. Booby-trapped PDFs usually arrive as email attachments or as links in phishing emails, prompting victims to take some action.

The lures are designed to provoke strong emotions: urgency (e.g. “final notice”), fear (“account suspended”) or curiosity (“exam results available”). The goal is to get recipients to let their guard down and, with prompts such as “pay now” or “check immediately”, open the file or click the link.

The warning signs

According to ESET, users should look out for the following signs:

  • The file has a misleading name or a double extension. Names like invoice.pdf.exe or document.pdf.scr are typical when attackers cast a wide net at the general public to trap as many users as possible. Such files are not PDFs at all; they are executables named to look like one, and because Windows hides known extensions by default, the victim often sees only “invoice.pdf”.
  • The sender’s name or email address does not match the details in the document. The sender’s address belongs to a different organization than the one the document claims to come from, or the domain is misspelled or otherwise looks suspicious.
  • The PDF comes inside a ZIP or RAR archive. Wrapping the PDF in an archive is usually an attempt to slip past email filters that inspect attachments.
  • The message is unexpected or “out of context”. Ask yourself: Did I request this file? Do I know the sender? Does it make sense for them to send it to me?

If we receive a suspicious PDF, we don’t open it right away, and if in doubt we delete it. We contact the sender by phone or in a separate email to confirm they actually sent it, and we check the file’s extension and size to make sure it really is a .pdf (and not something suspicious like an .exe).

Finally, we scan the file with our security software.
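The pre-opening checks above (double extension, archive wrapper, extension that does not match the content) can be automated before the file is ever double-clicked. The following Python script is an added example, not ESET’s tool or code from the article: it identifies the attachment by its leading bytes (the magic values come from the public PDF, ZIP, RAR and PE format specifications), compares that with what the file name claims, and additionally flags PDF dictionary keys that are commonly abused (/JavaScript, /OpenAction, /Launch, /EmbeddedFile), a pdfid-style heuristic that goes beyond the article’s list. The sample attachments in SAMPLES are constructed for the demonstration and are not real malware; the lists DANGEROUS_EXT and RISKY_PDF_KEYS are the author’s choices, not an exhaustive catalogue.

```python
"""Triage an attachment that claims to be a PDF before opening it.

Added example; it is not ESET's tool or code from the article. It checks the
warning signs listed above (double extensions such as invoice.pdf.exe, a ZIP or
RAR archive wrapping the "PDF", and content whose leading bytes are not a PDF
header), and additionally flags PDF features that are commonly abused
(/JavaScript, /OpenAction, /Launch, /EmbeddedFile), which goes beyond the
article's list. The sample attachments below are constructed, not real malware.
"""
from __future__ import annotations

import re

# Leading "magic" bytes of the formats we care about (from the public format
# specifications). Checked in order, so a Windows executable is never
# mistaken for a PDF just because "%PDF-" appears somewhere in its header.
MAGIC = [
    (b"MZ", "windows executable"),
    (b"PK\x03\x04", "zip archive"),
    (b"Rar!\x1a\x07", "rar archive"),
]

# Final extensions that Windows will execute when double-clicked (author's list).
DANGEROUS_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi", "lnk"}

# PDF dictionary keys commonly abused by malicious documents (pdfid-style heuristic).
RISKY_PDF_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]


def detect_type(data: bytes) -> str:
    """Identify the file by content, ignoring the file name entirely."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    # PDF readers tolerate junk before the header, so search the first 1 KiB.
    if b"%PDF-" in data[:1024]:
        return "pdf"
    return "unknown"


def triage(filename: str, data: bytes) -> list[str]:
    """Return a list of findings; an empty list means no warning sign fired."""
    findings: list[str] = []
    exts = filename.lower().split(".")[1:]
    final_ext = exts[-1] if exts else ""

    if len(exts) >= 2:
        findings.append(f"double extension: {'.'.join(exts)}")
    if final_ext in DANGEROUS_EXT:
        findings.append(f"executable extension .{final_ext}")

    kind = detect_type(data)
    if final_ext == "pdf" and kind != "pdf":
        findings.append(f"extension says pdf but content is {kind}")
    if kind in ("zip archive", "rar archive"):
        findings.append(f"{kind} wrapping the attachment")
    if kind == "pdf":
        for key in RISKY_PDF_KEYS:
            # Require a non-letter after the key so a short key like /JS or /AA
            # does not match the start of a longer, unrelated name.
            if re.search(re.escape(key) + rb"(?![A-Za-z])", data):
                findings.append(f"pdf contains {key.decode()}")
    return findings


# Constructed sample attachments (not real malware): a renamed executable, a PDF
# whose catalog auto-runs JavaScript on open, a clean PDF, and a ZIP wrapper.
SAMPLES = {
    "Invoice.PDF.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "report.pdf": (
        b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
    ),
    "statement.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
    "docs.zip": b"PK\x03\x04" + b"\x00" * 26,
}


def triage_all(samples: dict[str, bytes] = SAMPLES) -> dict[str, list[str]]:
    """Run triage over every sample and map file name -> findings."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it on a real attachment by reading the bytes with `open(path, "rb").read()` and passing them to triage() together with the original file name. A finding is a reason to stop and verify with the sender, as the article advises; an empty result is not a clean bill of health, since the heuristic does not decompress streams or follow object references, so the scan with security software still applies.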

If we have opened a suspicious PDF file:

1. We disconnect from the internet to reduce the chance of data being exfiltrated or further malware being downloaded.

2. We perform a full scan of the computer with an updated security program or with ESET’s free scan tool.

3. We check running processes and network connections for anything unusual.

4. We change passwords, especially for bank or other important accounts, if we suspect that credentials have been compromised. We make the change from a different device than the one on which we opened the PDF file.

5. We report the incident to the IT or cyber security team if the file was opened on a company computer.
