Malware Alert - PDF Email Attachment Executes Word Macro

We spotted a new PDF-based invoice email malware campaign this morning. The attachment opens a dangerous hidden Word document in a somewhat ingenious way. As of this morning, almost none of the antivirus companies were detecting this new method of infecting your system. We blocked it immediately for our global customers.

Get instantaneous updates on the latest email spam. Follow us on Twitter @SpamStopsHere

PDF Invoice Attachment Spam

The email in this campaign appears to be intentionally vague and seemingly safe yet somewhat urgent, to induce the recipient into opening the attached PDF file. The message body is short and non-specific, such as:

Please find Invoice 123456     attached

The attached PDF files we've seen follow a simple naming convention. The one attached to the above message would be named "Sales Invoice 123456.pdf". You should never open such an attachment, even a PDF file that passes a virus scan, unless you are expecting it and are absolutely sure it is OK.

As it turns out, the attached PDF file here is very dangerous. It contains some JavaScript code and an embedded Word document with macros. When the PDF file is opened, the JavaScript runs, saves the embedded Word document to a temporary file and then instructs Windows to open it. The macros in the Word file use various techniques to hide what they are actually doing, which is probably downloading and executing a virus, trojan, Cryptolocker, Cryptowall or other malware.
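To show how a defender can triage an attachment of this shape, here is an added example (not code from the original post or from SpamStopsHere) that searches a PDF for the combination described above: an action that fires on open, JavaScript, and an embedded file. It inflates FlateDecode streams and decodes #xx name escapes so that simple hiding tricks do not blind it; the sample PDF bytes are constructed, and the indicator list and verdict rules are my own assumptions.

```python
import re
import zlib

# PDF name objects tied to the behaviour described above (assumed list):
# something that fires automatically, a script, and a payload handed to the OS.
INDICATORS = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/EmbeddedFile", "/Launch")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(pdf: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream to the raw bytes,
    so names hidden inside compressed object streams become visible."""
    inflated = []
    for body in STREAM_RE.findall(pdf):
        try:
            inflated.append(zlib.decompress(body))
        except zlib.error:
            pass  # not Flate-compressed, or damaged: scan the raw bytes only
    return b"\n".join([pdf, *inflated])


def unescape_names(data: bytes) -> bytes:
    """Decode #xx escapes in name objects, e.g. /Java#53cript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_indicators(pdf: bytes, inflate: bool = True) -> dict:
    """Count each indicator name; a name must not continue with a letter."""
    data = unescape_names(inflate_streams(pdf) if inflate else pdf)
    return {n: len(re.findall(re.escape(n.encode()) + rb"(?![A-Za-z])", data))
            for n in INDICATORS}


def triage(pdf: bytes) -> str:
    """'suspicious' when auto-run, script and embedded payload all appear,
    'review' when only some do, otherwise 'clean' (assumed thresholds)."""
    c = count_indicators(pdf)
    auto_run, script = c["/OpenAction"] or c["/AA"], c["/JavaScript"] or c["/JS"]
    payload = c["/EmbeddedFile"] or c["/Launch"]
    if auto_run and script and payload:
        return "suspicious"
    return "review" if (script or payload) else "clean"


# Constructed sample: the embedded-file dictionary sits in a Flate-compressed
# object stream and the script name is #-escaped, so a plain search misses both.
_OBJSTM = zlib.compress(b"7 0 << /Type /EmbeddedFile /Subtype /application#2Fmsword >>")
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
              b"3 0 obj << /S /Java#53cript /JS (placeholder script) >> endobj\n"
              b"6 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
              + str(len(_OBJSTM)).encode() + b" >>\nstream\n" + _OBJSTM
              + b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    print(count_indicators(SAMPLE_PDF), triage(SAMPLE_PDF), triage(BENIGN_PDF))
```

This is a triage heuristic, not a parser: a file that scores "suspicious" deserves sandbox detonation, and a "clean" score only means none of these names were found in the raw or inflated bytes.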

PDF Malware Details

The email headers look something like this:

X-MIMEDefang-Relay-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
From: <redacted>@<redacted>
To: "<redacted>@<redacted>"
Date: Fri, 24 Apr 2015 11:08:36 +0530
Subject: Invoice 123456
Thread-Topic: Invoice 123456
Message-ID: <87xxxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxx.xxxx.local>:
Accept-Language: en-US, en-GB
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-GB
Content-Type: multipart/mixed;
boundary="_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_"
MIME-Version: 1.0

Actually, this campaign is not entirely new. We've had filters in place for weeks blocking the macros contained in the Word doc. What's new is embedding the Word doc in a PDF file and trying to open it automatically with embedded JavaScript. So, the obfuscation is several levels deep.


Slips Past Antivirus

Antivirus vendors are having more and more difficulty detecting zero-day threats. Antivirus typically only scans the downloaded files, which mutate faster than antivirus vendors can push out new definitions. When we first checked, more than 5 hours ago, only 2 out of 57 antivirus vendors were detecting the PDF file as a threat; about 5 hours later, only 7 were.

Your best defense against this type of threat is a robust Cloud-based spam filter. Cloud antispam can analyze entire delivery mechanisms and global traffic patterns for spammy behavior, which we have learned how to detect almost instantly. We blocked this campaign within moments and still have it locked down with several independent filter rules designed to detect variants.

We've discussed this issue before, that antivirus programs can't keep up with today's quickly changing email threats.

SpamStopsHere

SpamStopsHere is updated every two minutes, 24/7/365. Because it works in the Cloud, spam filtering updates take effect immediately without the user downloading or installing anything.

If you're having trouble keeping up with these threats, consider trying SpamStopsHere FREE for 30 days. It blocks 99.5% of spam with a false positive rate of less than 0.001%. That means we block fewer than 1 out of 100,000 good emails, which is why businesses and professionals love our service.


Marks used in this article are the properties of their respective owners. This article is for informational purposes. No endorsement by third parties is implied and none should be inferred.