We live in an era where virtually all of our vital information is on a computer or mobile device. For this reason, computer security has gained enormous weight in recent years, since it is absolutely essential that our computers are as well protected as possible to deal with attacks of all kinds. The problem is that cybercriminals take advantage of any loophole to attack us, and this PDF file is a pretty obvious proof of that.
We are all more than used to constantly checking our email, especially now that it is a fundamental tool for work. If we are not careful and open the wrong file, we could be installing malware on our computer that can cost us dearly.
A PDF file with a dangerous keylogger
The first thing to note is that it is quite curious that the cybercriminals responsible for this “wave” of infected PDFs have opted for this type of file. As a general rule, these types of attempts are usually related to Microsoft Office files, such as Word and Excel. In this case, what the fraudulent PDF seeks to do is install on our computer a type of malware called Snake.
This is actually a keylogger. What this type of malicious software does is record every keystroke a user makes on their keyboard, so it is capable of capturing passwords and credentials of all kinds and transmitting them to a server controlled by a cybercriminal. It was first detected back in 2020, and several waves have been recorded since then.
The way this attack proceeds is really curious. The PDF that lands in inboxes is named “REMMITANCE INVOICE.pdf” and contains an embedded Word document with a very strange name. This, translated into Spanish, would be something like “has been verified. However PDF, jpeg, xlsx, .docs”. This name is why we say it is a rather curious attempt: it is precisely intended to catch off guard people who open their mail quickly and without paying attention, since when Adobe opens the file, the name will appear to indicate that it is verified and that opening it is safe.
Be careful when opening unknown files
When analyzing the contents of the Word file mentioned above, it was possible to verify that there was an embedded URL inside it that downloads an Object Linking and Embedding (OLE) object to the computer. This object contains shellcode that exploits the registered vulnerability CVE-2017-11882, and thanks to it an executable called fresh.exe, which is actually the Snake malware, is downloaded to our computer.
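The chain above starts with a detectable artefact: a PDF carrying an embedded Office document. The following scanner is an added example (not code from the article or from any vendor analysis) that enumerates a PDF's embedded-file streams, identifies each attachment's real container by its leading bytes rather than its declared extension, and flags the combination the article describes: an OLE/OOXML attachment whose display name is worded as a reassurance lure. The sample PDFs are constructed inline; the attachment name in the first one is the one quoted in the article, while the lure word list and the `build_sample_pdf` helper are assumptions made for this example. It only handles objects that are not packed into compressed object streams, so a production scanner should use a full PDF parser; the indicators it checks are the same.

```python
import re
import zlib

# Leading bytes of the container formats in the chain the article describes:
# an OLE compound file (legacy .doc/.xls, OLE objects) and OOXML (.docx/.xlsx are zip archives).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
PDF_MAGIC = b"%PDF"
# Assumed lure phrasing, modelled on the attachment name quoted in the article.
LURE_WORDS = ("verified", "safe")

# One embedded-file stream object: its dictionary (which may declare /Filter) and the raw stream bytes.
# The tempered dot stops the dictionary match from running across an 'endobj' into another object.
EMBEDDED_RE = re.compile(
    rb"\d+\s+\d+\s+obj\s*<<(?P<dict>(?:(?!endobj).)*?/Type\s*/EmbeddedFile(?:(?!endobj).)*?)>>"
    rb"\s*stream\r?\n(?P<data>.*?)\r?\nendstream", re.S)
# The file-specification dictionary that carries the attachment's display name.
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec(?P<dict>.*?)>>", re.S)


def attachment_name(filespec_dict):
    """Return the /UF (Unicode) name if present, else /F; handles backslash escapes in the literal string."""
    for key in (rb"/UF", rb"/F"):
        m = re.search(key + rb"\s*\((?P<name>(?:\\.|[^\\)])*)\)", filespec_dict, re.S)
        if m:
            # PDFDocEncoding is close enough to Latin-1 for ASCII names; real tools also handle UTF-16 BOMs.
            return m.group("name").decode("latin-1")
    return None


def classify(data):
    """Identify the attachment's container by its leading bytes, whatever its declared extension."""
    if data.startswith(OLE_MAGIC):
        return "ole-compound"
    if data.startswith(ZIP_MAGIC):
        return "zip/ooxml"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def scan_pdf(pdf_bytes):
    """Enumerate embedded files in a PDF and report why it looks like the lure the article describes."""
    names = [n for n in (attachment_name(m.group("dict")) for m in FILESPEC_RE.finditer(pdf_bytes)) if n]
    types = []
    for m in EMBEDDED_RE.finditer(pdf_bytes):
        data = m.group("data")
        if b"/FlateDecode" in m.group("dict"):
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # leave the raw bytes; classify() will report them as unknown
        types.append(classify(data))
    reasons = []
    if any(t in ("ole-compound", "zip/ooxml") for t in types):
        reasons.append("embedded Office/OLE container")
    if any(any(w in n.lower() for w in LURE_WORDS) for n in names):
        reasons.append("attachment name reads like a reassurance lure")
    return {"names": names, "types": types, "suspicious": bool(reasons), "reasons": reasons}


def build_sample_pdf(name, payload, compress=False):
    """Constructed minimal PDF with one attachment; exists only so scan_pdf() can be exercised offline."""
    data = zlib.compress(payload) if compress else payload
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [
        b"<< /Type /Catalog /Names << /EmbeddedFiles << /Names [(att) 3 0 R] >> >> >>",
        b"<< /Type /EmbeddedFile " + filt + b"/Length %d >>\nstream\n" % len(data) + data + b"\nendstream",
        b"<< /Type /Filespec /F (" + name + b") /UF (" + name + b") /EF << /F 2 0 R >> >>",
    ]
    body = b"".join(b"%d 0 obj\n" % (i + 1) + o + b"\nendobj\n" for i, o in enumerate(objs))
    return b"%PDF-1.7\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    # Constructed lure: attachment name from the article, payload is an OLE header plus padding.
    lure = build_sample_pdf(b"has been verified. However PDF, jpeg, xlsx, .docs",
                            OLE_MAGIC + b"\x00" * 64, compress=True)
    print(scan_pdf(lure))
    # Constructed benign case: a PDF attached to a PDF, with an ordinary name.
    print(scan_pdf(build_sample_pdf(b"report.pdf", b"%PDF-1.4 constructed benign attachment")))
```

Running the block prints a report for each sample; the lure is flagged on both counts, the benign attachment on neither. Matching on the attachment's leading bytes is the point: a mail gateway that keys only on the declared extension or MIME subtype misses an OLE container that has been renamed, while an Office container inside a PDF is rare enough in legitimate mail to justify quarantining for review.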
The fact that this malware has been active for several years now, and continues to be used to exploit vulnerabilities like this one, indicates that although the security of our computers is improving, we can never say that we are 100% covered. As we always tell you around here, avoid downloading or opening any type of file if you do not know its origin, or ask the sender whether it is indeed a legitimate file.