Attachments in Phishing 102



In our previous blog post, Attachments in Phishing 101, we introduced how attackers use email attachments maliciously. In this post we look at two of the most common attachment types and show how they are used to deliver malware or redirect you to dangerous websites. If you have opened attachments (e.g. PDFs, spreadsheets) in the past and nothing bad happened, you will probably keep opening them without much care, while being more cautious with an unfamiliar file format. That is exactly what attackers count on, so it is important to recognize suspicious behavior in a familiar-looking attachment. Below we walk step by step through how a malicious Excel file and a malicious PDF can behave in a Windows environment.

Malicious macros in Excel

Excel macros are a common way for attackers to run commands on a victim's computer. Macros are useful for task automation in Excel, but the same mechanism lets arbitrary commands run with little or no user interaction. Many companies block macro-enabled files at the email gateway, which is a good security measure. To get around it, attackers sometimes use Excel 4.0 macros, also known as XLM macros. These live in a (usually hidden) macro sheet inside the workbook rather than in a VBA project, so a filter that only looks for a VBA project or a macro-enabled file extension does not recognise the file as macro-enabled and lets it through, even though Excel will still run the macro once the victim enables content. Newer versions of Excel can disable Excel 4.0 macros separately in the Trust Center, which is worth enabling if your organisation does not need them. Here’s a clip of one example of malicious macros in Excel:

  1. The victim receives an urgent email with .xls file attachment
  2. Victim previews the file in Outlook
  3. As the preview doesn’t seem to work, the victim opens the file in Excel
  4. The victim follows the instructions and enables editing and content
  5. The hidden script activates and takes the victim to a malicious website

In the video, the victim receives an urgent .xls file that supposedly requires immediate attention. Creating a sense of urgency is a social engineering technique meant to provoke an emotional reaction and short-circuit careful thinking. When the victim previews the file, they see a message claiming it was created with an older version of Excel and that editing and content must be enabled for it to display. This message is a picture with text in it, placed on the visible sheet by the attacker, not a real notification from Excel.

The unsuspecting victim opens the file in Excel and follows the instructions by clicking both “Enable editing” and “Enable content”. These two buttons are security features: “Enable editing” takes the file out of Protected View, and “Enable content” allows macros and other active content that Excel blocks by default. Victims routinely click through both without reading. You should always stop and think before enabling content, especially if the file arrived unexpectedly. As soon as content is enabled, the auto-run macro executes without any further click. In this case the macro simply directs the victim to our scary website, but the same script could just as easily download malware or open a connection back to the attacker's machine.
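A defender rarely wants to open a suspicious spreadsheet in Excel to find out what it contains. The script below is an added example for this post (not Hoxhunt's code): it statically inspects an Excel attachment for the indicators described above, namely an Excel 4.0 macro sheet, a VBA project, hidden or veryHidden sheets and an Auto_Open name that fires when content is enabled. It parses the OOXML zip container (.xlsm/.xlsx/.xlam); a legacy binary .xls like the one in the video is an OLE compound file and needs a BIFF-aware parser (for example oletools' olevba), so such files are only identified here, not parsed. The sample workbook is constructed in memory and is not a real malicious file.

```python
"""Static triage of an Excel attachment for macro indicators, without opening it in Excel.

Added example; not Hoxhunt's code. Inspects the OOXML zip container only.
Legacy .xls (OLE compound file) is detected and left for a BIFF parser such as olevba.
"""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of legacy .xls / any OLE2 file

# Constructed workbook part (not a real sample): one visible sheet, one veryHidden
# Excel 4.0 macro sheet, and an Auto_Open name that runs it once content is enabled.
SAMPLE_WORKBOOK_XML = """<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
          xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets>
    <sheet name="Invoice" sheetId="1" r:id="rId1"/>
    <sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>
  </sheets>
  <definedNames>
    <definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>
  </definedNames>
</workbook>
"""


def build_sample_xlsm() -> bytes:
    """Build a minimal, constructed macro-carrying workbook in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", SAMPLE_WORKBOOK_XML)
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")  # Excel 4.0 (XLM) macro sheet
    return buf.getvalue()


def triage_excel(data: bytes) -> dict:
    """Return macro indicators found in the raw bytes of an Excel attachment."""
    findings = {
        "container": "unknown",
        "vba_project": False,   # xl/vbaProject.bin present => VBA macros
        "xlm_macrosheets": [],  # xl/macrosheets/* present => Excel 4.0 macros
        "hidden_sheets": [],    # (name, state) for hidden / veryHidden sheets
        "auto_open": False,     # Auto_Open / Auto_Close name => runs when content is enabled
    }
    if data.startswith(OLE_MAGIC):
        findings["container"] = "ole"  # legacy .xls: hand to a BIFF-aware tool instead
        return findings
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    findings["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["vba_project"] = "xl/vbaProject.bin" in names
        findings["xlm_macrosheets"] = sorted(n for n in names if n.startswith("xl/macrosheets/"))
        if "xl/workbook.xml" in names:
            wb = z.read("xl/workbook.xml").decode("utf-8", "replace")
            for tag in re.findall(r"<sheet\b[^>]*>", wb):
                state = re.search(r'state="([^"]*)"', tag)
                if state and state.group(1) in ("hidden", "veryHidden"):
                    name = re.search(r'name="([^"]*)"', tag)
                    findings["hidden_sheets"].append((name.group(1) if name else "?", state.group(1)))
            findings["auto_open"] = bool(
                re.search(r'<definedName\s+name="_xlnm\.Auto_(Open|Close)"', wb)
            )
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag for manual review: any macro code, or a hidden sheet combined with an auto-run name."""
    return bool(
        findings["vba_project"]
        or findings["xlm_macrosheets"]
        or (findings["hidden_sheets"] and findings["auto_open"])
    )


if __name__ == "__main__":
    result = triage_excel(build_sample_xlsm())
    print(result, "suspicious:", is_suspicious(result))
```

The check deliberately keys on structure rather than on the file extension: the macro sheet and the Auto_Open name are what make the file dangerous, and they are present whether the attachment is called .xlsm, .xlsx or something else. A mail filter that only matches the extension is exactly what the XLM trick defeats.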

Malware delivering PDF

PDFs are one of the most common document formats online, and it is safe to say you have received an email with a PDF attachment at least once. Below you can see what can happen when you open a malicious one. This PDF is designed to deliver malware by creatively combining legitimate features of the format (an embedded file plus an action that opens it) with a file type that Adobe Acrobat allows to be opened.

  1. The victim receives an urgent email with .pdf file attachment
  2. The victim opens the malicious PDF attachment
  3. The PDF viewer prompts for an update. The victim clicks through the prompts and opens the “updater”
  4. The “updater” file opens the default web browser
  5. The website asks to run the updater. Victim clicks “run” to download and run the file
  6. Security warning prompts the victim to run a file from an unknown publisher. Victim clicks “run”
  7. Malicious code is active on the victim’s computer and opens a malicious website

An urgent task arrives from an attacker impersonating a high-ranking, important person, asking the victim to act immediately on the attached PDF. When the attachment is opened, the PDF tells the victim to update their PDF reader before continuing. By approving the “update” and clicking OK, the victim lets the reader open another file that the attacker has embedded inside the PDF. Acrobat refuses to open embedded attachments with dangerous extensions such as .exe, but an .html attachment is permitted, so the embedded HTML file is handed to the default web browser, where it shows a fake page advertising Adobe Acrobat’s latest features.

A moment later the victim is asked to run a file called “Adobe-Reader-DC-Updater-v190609.hta” from  Notice the .hta extension instead of .exe. An HTA (HTML Application) is an HTML file executed by Windows’ mshta.exe with full script privileges outside the browser sandbox. Attackers favour it because mail gateways and download filters that block .exe files often let .hta through; Windows does still show the “unknown publisher” security warning seen in step 6, but a victim who has come this far usually clicks “Run”. Everything on this website is fabricated by the attacker to look like the real thing, which is why the malicious activity is hard to spot. Clicking “Run” lets the browser download and execute the file. In our demonstration it only opens another browser tab and navigates to our example page. A real attack could install file-encrypting ransomware, steal sensitive files, or spy on the victim.
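The same kind of static triage helps with the PDF. The script below is an added example for this post (not Hoxhunt's or Adobe's code): it scans a PDF for the building blocks of the attack described above, an embedded file, an auto-run action (/OpenAction or /AA) and JavaScript that hands the embedded file to the system, and it undoes the #xx hex escapes attackers use to hide keywords such as /JavaScript. The sample PDF is constructed for this example; it uses Acrobat's exportDataObject JavaScript call with nLaunch to open the embedded HTML, which is one way to achieve what the post describes, not necessarily the one used in the video.

```python
"""Static triage of a PDF attachment for embedded files and auto-run actions.

Added example; not Hoxhunt's or Adobe's code. The sample PDF is constructed and
assumes an OpenAction + exportDataObject(nLaunch) chain; the post does not state
which action its demonstration PDF used.
"""
import re

SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R
  /Names << /EmbeddedFiles << /Names [(update.html) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Filespec /F (update.html) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Subtype /text#2Fhtml /Length 49 >>
stream
<html><script>location='http://x'</script></html>
endstream
endobj
6 0 obj << /S /Java#53cript /JS (this.exportDataObject({cName: "update.html", nLaunch: 2});) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Keys worth counting in any incoming PDF; none of them is malicious on its own.
RISKY_KEYS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
              b"/EmbeddedFile", b"/URI", b"/SubmitForm", b"/RichMedia"]


def _normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names so that /Java#53cript matches /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def _literal_string(data: bytes, pos: int) -> bytes:
    """Read the PDF literal string whose '(' is at data[pos]; handles nesting and backslashes."""
    depth, i, out = 0, pos, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
            out += c
        else:
            out += c
        i += 1
    return bytes(out)


def triage_pdf(data: bytes) -> dict:
    """Count risky keys, list embedded file names and extract inline JavaScript."""
    norm = _normalize_names(data)
    findings = {
        "keywords": {k.decode(): len(re.findall(re.escape(k) + rb"\b", norm)) for k in RISKY_KEYS},
        "embedded_names": [],
        "scripts": [],
        # Object streams / Flate compression hide keys from a plain scan: decompress first.
        "compressed_objects": bool(re.search(rb"/ObjStm\b|/FlateDecode\b", norm)),
    }
    for m in re.finditer(rb"/(?:F|UF)\s*\(", norm):       # file specification names
        name = _literal_string(norm, m.end() - 1).decode("latin-1")
        if name not in findings["embedded_names"]:
            findings["embedded_names"].append(name)
    for m in re.finditer(rb"/JS\s*\(", norm):             # inline JavaScript actions
        findings["scripts"].append(_literal_string(norm, m.end() - 1).decode("latin-1"))
    return findings


def is_suspicious(findings: dict) -> bool:
    """Auto-run action combined with a payload carrier, or a script that launches something."""
    kw = findings["keywords"]
    auto_run = kw["/OpenAction"] or kw["/AA"]
    payload = kw["/EmbeddedFile"] or kw["/Launch"] or kw["/JavaScript"] or kw["/JS"]
    launches = any("nLaunch" in s or "launchURL" in s for s in findings["scripts"])
    return bool(auto_run and payload) or launches


if __name__ == "__main__":
    result = triage_pdf(SAMPLE_PDF)
    print(result, "suspicious:", is_suspicious(result))
```

Treat a hit as a reason to look closer, not as proof: legitimate forms use /AA and /JavaScript too. Real malicious PDFs almost always compress their objects, so when compressed_objects is true the keyword counts are a lower bound and the file should be inflated (or passed to a full PDF parser) before drawing conclusions.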

Knowledge is power

These attachments are just two examples of how an attacker can use popular file types to deliver malware or send you to a dangerous website. Both misuse real features built into the file formats (XLS and PDF) rather than exploiting a bug. Keep in mind that these examples needed several clicks from the user; you can never be sure that a file will not run malicious code the moment it is viewed. Always try to verify the authenticity of files you receive via email. We teach users to recognize dangerous emails and attachments with gamified phishing training, using real-life examples to keep up with the latest phishing trends. Want to learn more about how we teach about phishing attachments at Hoxhunt? Head over to our Knowledge Base or request a demo. Stay safe!
