PDF Malware on the Rise: A Quick Look into the topic, here’s what you should know.

pdf malware

PDF Malware on the Rise: A Quick Look into the topic, here’s what you should know.

In recent times, cybercriminals have been increasingly using PDFs to deliver malware. A new report by HP Wolf Security has found that PDF threats are on the rise, with a 7% increase in Q4 2023 compared to Q1 of the same year. This article aims to provide a detailed understanding of this rising threat, focusing on three specific malwares: WikiLoader, Ursnif, and DarkGate.

Imagine you’re getting more and more spam emails with PDF attachments. These aren’t just annoying, they’re dangerous. They’re being used to spread harmful software.

The Rising Threat of PDF Malware

Previously, PDF lures were used to elicit credentials and financial details from victims through phishing. However, the landscape has changed, and now malware is being spread through these documents. Of the malware analyzed in Q4 2023, 11% used PDFs as a delivery method, compared to just 4% in Q1.
In simpler terms, the bad guys used PDFs to trick people into giving away their personal details. Now, they’re using them to spread harmful software. The number of harmful PDFs is growing, with 11% of harmful software using PDFs to spread in late 2023, compared to just 4% earlier in the year.

WikiLoader and Ursnif

A notable example of this rising threat is a WikiLoader campaign that used a fake parcel delivery PDF to trick users into installing Ursnif malware. WikiLoader has been discovered in at least eight campaigns targeting Italian organizations since December 2022. These campaigns leveraged emails containing either Microsoft Excel attachments, Microsoft OneNote attachments, or PDF attachments, causing the download of Ursnif as a follow-on payload.

DarkGate: A New Level of Sophistication

DarkGate malware presents a new level of sophistication. It uses ad tools to track victims and evade detection. Malicious PDF attachments, posing as OneDrive error messages, direct users to sponsored content hosted on a popular ad network. They prompt the target to click on a link to read the document they’ve been promised. In fact, clicking the link downloads files containing malware that infects the computer with DarkGate.

The Role of Ad Tools in Malware Campaigns

Ad services are used to analyze which lures generate clicks and infect the most users, helping cybercriminals refine campaigns for maximum impact. Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., commented: “Cybercriminals are applying the same tools a business might use to manage a marketing campaign to optimize their malware campaigns, increasing the likelihood the user will take the bait.”

The Need for Zero Trust Principles for threats like PDF Malware

“To protect against well-resourced threat actors, organizations must follow zero trust principles, isolating and containing risky activities like opening email attachments, clicking on links and browser downloads,” Dr. Pratt said. Here is more info on that.

Basically, To stay safe, we need to be very careful about what we click on. We should treat every email attachment, link, and download as potentially dangerous.


Cybercriminals continue to diversify attack methods to bypass security policies and detection tools. The most popular malware delivery type was archives, used in 30% of incidents analyzed by HP. The top three malicious archive formats in Q4 were RAR, ZIP, and GZ. At least 14% of email threats identified by HP Sure Click bypassed one or more email gateway scanners. The top threat vectors in Q3 were email (75%), downloads from browsers (13%) and other means like USB drives (12%).

As the threat landscape continues to evolve, it’s crucial for organizations and individuals to stay informed and take proactive measures to protect against these sophisticated attacks.

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it

Share this content:

Post Comment