Posted on September 27, 2022 in Technology

Can a PDF Attachment Really Compromise my Network?


Basic Email and Anti-Phishing Safety

It’s a message that bears repeating: don’t click links or open attachments in emails you weren’t expecting, didn’t sign up for, or otherwise don’t entirely trust. For example, say you get an email that claims to be from Target, but there are several typos in the subject line and greeting. That’s an easy tell that the email is likely fake! A business the size of Target has several sets of eyes on its marketing materials before they go out.

A harder tell is checking the actual sender address every time, not just the display name. Say you open an email from ‘Tagret’, and it isn’t loading right. If you don’t normally have that issue, it may be a fake trying to get you to click a ‘view in browser’ link that actually leads to a page that downloads malware. You would have missed the fraudulent sender if you hadn’t double-checked the address behind the name!

But what about attachments? Approach them with a zero-trust philosophy. Verify the sender, verify the email itself isn’t riddled with typos and easy-to-fix mistakes, and verify that the attachment is named appropriately for what it claims to be. You can easily open a phishing email by accident, realize it’s a phishing email, and close it before clicking any links or typing anything in (you should still report that incident to your IT department). Opening a malicious attachment is much harder to recover from, because by then code has already run on your machine. Even PDF attachments, which most people think of as inert, are not: the PDF format allows embedded JavaScript, embedded files and actions that launch other programs, and PDF readers have had their share of exploitable bugs, so a PDF is a possible highway into your computer or your network. Keep the following things in mind when you open attachments.

It Might Not Be A PDF

Not all that glitters is gold! That attachment from someone you don’t remember hiring might be an executable (a .exe file) that’s simply named Invoice307.pdf. Only a handful of characters are forbidden in file names (on Windows, characters like ?, *, : and |, because they have special meaning to the file system), and the period is not one of them, so a name can contain as many dots as the scammer likes. Worse, Windows hides the extension of known file types by default, so a file really named Invoice307.pdf.exe is displayed as Invoice307.pdf; only the last extension decides what runs when you double-click, and here that’s .exe. You can turn this off in File Explorer by ticking ‘File name extensions’ on the View tab. A related trick inserts a right-to-left override character (U+202E) into the name, so that a file named invoice, then the override, then fdp.exe renders on screen as ‘invoiceexe.pdf’. None of this gets everyone (invoice.pdf.exe looks pretty strange, right?) but it might get the kind of person who doesn’t spend much time on computers, or doesn’t see this kind of scam regularly. If that sounds like you, it only takes a second to double-check the full file name and extension before you download, and that second can prevent a lot of pain! Most desktops and email programs will also show you a file’s full name if you hover your mouse cursor over it: move the cursor over the file without clicking and wait a second or two. This helps when the name is too long for the thumbnail and you’re not sure whether you trust the sender.
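To make the ‘is it really a PDF?’ check concrete, here is a small Python script, added as an example and not part of the original post. It judges the file by its first bytes (the ‘magic’ signature) instead of trusting the name, and separately flags double extensions and the right-to-left override trick. The signature table and extension list are assumptions kept deliberately short, and the sample attachments are constructed byte strings, not real files.

```python
# Added example: judge an attachment by its content, not its name.
# MAGIC, EXT_KIND and EXECUTABLE_EXTS are assumed, deliberately short tables (not exhaustive).
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",            # Windows PE executable (.exe, .dll, .scr ...)
    b"PK\x03\x04": "zip",    # zip archive; also .docx/.xlsx/.pptx containers
    b"\x7fELF": "elf",       # Linux executable
}
EXT_KIND = {
    "pdf": "pdf", "exe": "exe", "scr": "exe", "dll": "exe",
    "zip": "zip", "docx": "zip", "docm": "zip", "xlsx": "zip", "pptx": "zip",
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi", "hta", "lnk"}
BIDI_OVERRIDES = "\u202e\u202d"   # right-to-left / left-to-right override characters


def sniff_type(data: bytes) -> str:
    """Return the content type implied by the file's leading bytes, or 'unknown'."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def inspect_attachment(name: str, data: bytes) -> list:
    """Return human-readable reasons to distrust the attachment (empty means nothing obvious)."""
    findings = []
    if any(ch in name for ch in BIDI_OVERRIDES):
        findings.append("filename contains a bidirectional override character (name may render backwards)")
    parts = name.lower().split(".")
    extensions = parts[1:]                 # "invoice.pdf.exe" -> ["pdf", "exe"]
    claimed = extensions[-1] if extensions else ""
    if len(extensions) >= 2:
        findings.append(f"double extension: .{'.'.join(extensions)} (only the last one counts)")
    if claimed in EXECUTABLE_EXTS:
        findings.append(f"extension .{claimed} runs code directly when opened")
    actual = sniff_type(data)
    if claimed in EXT_KIND and actual != "unknown" and EXT_KIND[claimed] != actual:
        findings.append(f"claims to be .{claimed} but its content is of type {actual}")
    return findings


# Constructed sample attachments (not real files): a genuine PDF header, then the same
# Windows executable header wearing three different names.
PE_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    "Invoice307.pdf": PE_HEADER,
    "invoice.pdf.exe": PE_HEADER,
    "invoice\u202efdp.exe": PE_HEADER,
}

if __name__ == "__main__":
    for filename, content in SAMPLES.items():
        print(repr(filename))
        for line in inspect_attachment(filename, content) or ["nothing obvious"]:
            print("   -", line)
```

The content check is the one that matters: a PE file starts with `MZ` whatever it is called, and a mail gateway or endpoint scanner does exactly this kind of comparison between the declared and the actual type.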

A similar tactic is hyperlinking ordinary-looking text to a website that starts a download the moment the page loads. The scammer puts in familiar links, like a Shop Now! or Click Here! button, and uses the hyperlink feature available in most email applications to hide a malicious address behind it. If it tricks you into clicking, you’re in for a bad time. The hover trick from before works here too: most email clients and browsers show the real destination in the status bar at the bottom left of the window. Remember, don’t click while you’re using the hover trick, at least until you’re sure it’s safe. Be aware, too, that a link can pass through a URL shortener or a redirect before reaching its real destination, so an innocent-looking address is not a guarantee.

However, there are ways to mess up your computer without overtly malicious software. Consider the ‘zip bomb’, for example! A zip bomb is an archive built from data that compresses extremely well, typically gigabytes of zeros, so a file of a few kilobytes expands to many gigabytes when opened. When you, the receiver, download and open the .zip, the decompression eats your disk space and memory and slows or even crashes your computer. Since the files inside don’t have to be malicious to achieve this (they can be, but they don’t have to be), a scanner that only looks for known malware may have nothing to flag, and will fall back to asking whether you trust the source. If the scammer has done a good job of social engineering, making the sender sound plausible and writing without typos, you might click yes without thinking twice. To recap: if the attachment’s extension isn’t what you expected, and someone you don’t know sent it to you, it might cause problems for your computer.
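The zip bomb is easy to catch before it does any damage, because a zip file’s central directory records each member’s compressed and uncompressed size, so the expansion ratio can be computed without decompressing anything. Here is an added Python example, not from the original post, that does that, and then shows the stronger check: counting the bytes actually produced while decompressing under a cap, because the declared sizes are written by the sender and can lie. The thresholds are assumptions, and both the benign archive and the ‘bomb’ are constructed in memory rather than taken from a real attachment.

```python
import io
import zipfile

# Assumed thresholds: ordinary documents rarely compress better than ~20:1, so 100:1 is a
# generous limit; 256 MiB is an arbitrary cap on how much we are willing to expand in total.
MAX_RATIO = 100
MAX_TOTAL_BYTES = 256 * 1024 * 1024


def zip_summary(data: bytes) -> dict:
    """Inspect the central directory only; nothing is decompressed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    compressed = sum(i.compress_size for i in infos)
    declared = sum(i.file_size for i in infos)
    ratio = declared / compressed if compressed else float("inf")
    return {
        "members": len(infos),
        "compressed_bytes": compressed,
        "declared_bytes": declared,
        "ratio": ratio,
        "suspicious": ratio > MAX_RATIO or declared > MAX_TOTAL_BYTES,
    }


def expand_capped(data: bytes, limit: int = MAX_TOTAL_BYTES) -> dict:
    """Decompress member by member in 64 KiB chunks, counting bytes actually produced.
    Header sizes are sender-controlled, so this counts real output and stops at the cap.
    Returns {member name: actual size}; raises ValueError if the cap is exceeded."""
    produced = 0
    sizes = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            size = 0
            with zf.open(info) as member:
                for chunk in iter(lambda: member.read(64 * 1024), b""):
                    size += len(chunk)
                    produced += len(chunk)
                    if produced > limit:
                        raise ValueError(f"{info.filename}: archive expands past {limit} bytes, aborting")
            sizes[info.filename] = size
    return sizes


def is_safe_to_expand(data: bytes, limit: int = MAX_TOTAL_BYTES) -> bool:
    """True if the whole archive expands within the cap."""
    try:
        expand_capped(data, limit)
        return True
    except ValueError:
        return False


def make_zip(members: dict) -> bytes:
    """Build a deflate-compressed zip in memory (used only to construct the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a normal invoice, and 16 MiB of zeros that deflate to a few KiB.
BENIGN = make_zip({"invoice.txt": b"Invoice 307: 12 units at $40, due in 30 days.\n"})
BOMB = make_zip({"junk.bin": b"\x00" * (16 * 1024 * 1024)})

if __name__ == "__main__":
    for label, archive in (("benign", BENIGN), ("bomb", BOMB)):
        s = zip_summary(archive)
        print(f"{label}: {s['compressed_bytes']} bytes -> {s['declared_bytes']} declared, "
              f"ratio {s['ratio']:.0f}:1, suspicious={s['suspicious']}")
        print(f"{label}: expands within a 1 MiB cap? {is_safe_to_expand(archive, 1024 * 1024)}")
```

Nested bombs (a zip of zips) defeat the directory check at the outer layer, and the single-layer example here only reaches about 1000:1 because that is deflate’s limit; the capped expansion is the check that holds regardless of how the archive is built.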

Even If It Is, It Might Have Something Nasty

If you’ve ever struggled to get Word to let you edit a document you just downloaded, that’s Protected View, and it exists because malware can hide inside otherwise innocuous-looking documents. It’s rare, but it happens, and it’s usually something called a macro virus: malicious code that uses ‘macros’ to fetch and run its real payload. A macro in Microsoft Office is a small program, written in VBA, that automates tasks in the document. Macros have many legitimate uses, but a malicious one can send you somewhere you don’t want to go, or write out and run another file that was packed inside the document you’re working with. The simplest version pairs the macro with the hyperlink trick from before: the document shows a convincing message urging you to click ‘Enable Editing’ or ‘Enable Content’, which takes the document out of Protected View and lets the macro run. Other, more complicated ways to get your PC to download something nasty can be hidden too.

Once again, double-checking the file extension helps you decide whether you really want to open something. Microsoft Office saves documents that contain macros or other ‘active content’ differently: instead of a .docx file, a Word document with macros saves as a .docm file (likewise .xlsm for Excel and .pptm for PowerPoint). The older .doc and .xls formats can carry macros without any change of extension, so an old-style extension from an unknown sender deserves the same suspicion. If you download one, recent versions of Office open it in Protected View and ask you to confirm you trust where it came from, and since 2022 Office blocks macros outright in files that came from the internet, adding further security.
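The ‘is there something nasty inside?’ question can be put to the file itself. Here is an added Python example, not from the original post, that looks for the markers: the PDF name objects that introduce JavaScript, launch actions and embedded files, and the vbaProject.bin part that holds VBA code inside a modern Office document (which is a zip container underneath). The keyword list is an assumption and is not exhaustive, and the sample PDF and Office files are constructed in memory rather than real documents. Compressed object streams can hide the PDF keywords from a plain byte scan, so a clean result is a hint, not proof.

```python
import io
import re
import zipfile

# Assumed, deliberately short list of PDF name objects that introduce active or embedded content.
PDF_RISKY_NAMES = [b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
                   b"/EmbeddedFile", b"/RichMedia"]
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container


def pdf_active_content(data: bytes) -> list:
    """Keyword scan of the raw PDF bytes. Names inside compressed object streams are
    not visible here, so an empty result is not proof of absence."""
    hits = []
    for name in PDF_RISKY_NAMES:
        # The lookahead stops /JS from matching longer names that merely start with /JS.
        if re.search(re.escape(name) + rb"(?![A-Za-z])", data):
            hits.append(name.decode())
    return hits


def office_has_macros(data: bytes) -> bool:
    """Modern Office files are zip containers; VBA code is stored in a vbaProject.bin part.
    This checks the container, so the verdict does not depend on the .docx/.docm name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def inspect_document(data: bytes) -> list:
    """Dispatch on the file's leading bytes and return reasons for caution."""
    if data.startswith(b"%PDF-"):
        return [f"PDF contains {n}" for n in pdf_active_content(data)]
    if data.startswith(b"PK\x03\x04"):
        return ["Office document contains a VBA macro project"] if office_has_macros(data) else []
    if data.startswith(OLE_MAGIC):
        return ["legacy binary Office format; may carry macros without a .docm-style extension"]
    return ["unrecognised format"]


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal stand-in for a Word container (constructed; not a valid document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b" placeholder VBA project")
    return buf.getvalue()


# Constructed PDF samples: a bare catalog, and one whose /OpenAction runs JavaScript on open.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
JS_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R\n"
          b"   /OpenAction << /S /JavaScript /JS (app.alert('hello')) >> >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, blob in (("clean.pdf", CLEAN_PDF), ("quote.pdf", JS_PDF),
                        ("notes.docx", make_ooxml(False)), ("invoice.docm", make_ooxml(True))):
        print(label, "->", inspect_document(blob) or ["nothing obvious"])
```

A real triage workflow would hand a PDF with hits to a proper parser that inflates object streams, and an Office file with a macro project to a VBA extractor, but this is enough to show that the extension tells you far less than the bytes do.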

Don’t Forward Emails You’re Suspicious of to Anyone but Your IT

If you send this mail to your manager, and your manager is in a rush, doesn’t read what you wrote about the message and clicks the attachment… you’ve just moved the problem! Don’t forward something suspicious to another member of your organization; if the scammer had your details, your colleagues are likely targets too. Instead, if you get an email you’re not sure about, send it to your IT department. Use the ‘report phishing’ button if your mail client has one, or forward the message as an attachment rather than inline, because an inline forward strips the original headers IT uses to trace where it really came from. If it’s nothing? Then you sent IT an email with a legitimate attachment, and now you know for sure it’s safe to open. If it’s malicious? IT can examine it on an isolated machine or in a sandbox, and may even be able to tell it’s malicious without opening it at all. That could save you and your organization from ransomware or other malware that can completely halt your business.