Use of PDF files in phishing scams unpacked

Read time 4min 50sec

Phishing attacks using PDF files have skyrocketed more than 1 000%, according to Palo Alto Networks.

The cyber security company's global threat intelligence team, Unit 42, noted a dramatic 1 160% increase in malicious PDF files between 2019 and 2020, from 411 800 malicious files to 5 224 056.

"PDF files are a compelling phishing vector as they are cross-platform and enable bad actors to engage more effectively with users, making their schemes appear more legitimate than a text-based email containing a plain link," the researchers write.

The most common lures used to tempt victims into clicking on embedded links and buttons in phishing PDF files are fake captcha, coupons, play buttons, file sharing and e-commerce.

To analyse the trends observed in 2020, researchers used data collected from the Palo Alto Networks WildFire platform. They collected a subset of phishing PDF samples on a weekly basis throughout the year, then employed a range of heuristic-based processing and manual analysis to identify top themes in the collected dataset.

Traffic redirection

After studying the various malicious PDF campaigns, Unit 42 found a common technique that was used among the majority of them, the use of traffic redirection.

“The links embedded in phishing PDF files often take the user to a gating Web site, from where they are either redirected to a malicious Web site, or to several of them in a sequential manner. Instead of embedding a final phishing Web site – which can be subject to frequent takedowns – the hacker can extend the shelf life of the phishing PDF lure and also evade detection.”


Of the over 5 million malicious PDF files observed, the largest number belonged to the fake “CAPTCHA” category. This method insists that users verify themselves through a fake CAPTCHA, or challenge-response tests that help determine whether or not a user is human.

However, the phishing PDF files the researchers observed did not use a real CAPTCHA but rather an embedded image of a CAPTCHA test. Once users tried to “verify” themselves by clicking on the continue button, they were taken to a Web site controlled by the bad actor.


The next category that the researchers noted were phishing PDF files that were coupon-themed and often used the logo of a prominent oil company.

A significant number of these files were in Russian with notes such as “ПОЛУЧИТЬ 50% СКИДКУ” and “ЖМИТЕ НА КАРТИНКУ” which translate to “get 50% discount” and “click on picture” respectively, and aim to lure users into clicking on the picture.

The attack chain for a phishing attack of this nature flows from a PDF through several redirects until arriving at the attacker's intended destination – a gating Web site which took them through to another Web site which was a redirector itself. Eventually, researchers were routed to an adult dating Web site through a GET request with certain parameters which could be used for monetisation.

Play button

When it came to using a static image with a play button, researchers said these particular phishing files do not necessarily carry a specific message, as they are mostly static images with a picture of a play button ingrained in them.

Although a variety of categories of images were used, a considerable number of them either used nudity or followed specific monetary themes such as Bitcoin, stock charts and the like to lure users into clicking the play button.

Once they had clicked the play button, they were again, redirected to another Web site, also within the realm of online dating.

File sharing

This category of phishing PDF files employs popular online file sharing services to attract the user’s attention. Often, they tell the user that someone has shared a document with them.

However, for reasons which can vary from one PDF file to another, the user cannot see the content and is told they need to click on an embedded “Access Document” button or another link. Once they clicked on the link, they were directed to a phishing Web site that asked for login details.

According to Palo Alto, As the number of cloud-based file sharing services increases, it would not be surprising to see this theme surge and remain among the most popular tactics.


Using e-commerce themes for phishing emails and documents is nothing new.However, researchers said they noted an upward trend in the number of fraudulent PDF files that used common e-commerce brands to fool users into clicking on embedded links.

One example, claiming to be from Amazon Prime, told the customer their Amazon Prime membership needed to be renewed, but claimed the card associated with the Prime membership was no longer valid.

From there, it attempted to get the user to "update payment information," opening up credential stealing phishing page.

It’s popular, because it works

“Data from recent years demonstrates that the amount of phishing attacks continues to increase and social engineering is the main vector for attackers to take advantage of users,” the researchers concluded.

“Prior research has shown that large-scale phishing can have a click-through rate of up to 8%. Thus, it is important to verify and double check the files you receive unexpectedly, even if they are from an entity that you know and trust."

See also