Palo Alto detects more than 5 million malicious PDF files
Mita Srinivasan
10X Technology

Data collected from the Palo Alto Networks WildFire platform has identified the top five schemes used by attackers in 2020 to carry out phishing attacks, grouped as Fake Captcha, Coupon, Play Button, File Sharing and E-commerce.

Between 2019 and 2020, Palo Alto noticed a dramatic increase (1,160 percent) in malicious PDF files, from 411,800 malicious files to 5,224,056. PDF files are cross-platform and allow attackers to engage with users, making their schemes more believable than a text-based email with just a plain link.

Palo Alto identified the top five phishing schemes from its dataset used by attackers in 2020 to carry out phishing attacks, grouped as Fake Captcha, Coupon, Play Button, File Sharing and E-commerce. In a statement, the company pointed out that phishing PDF files often act as a secondary step and work in conjunction with their carrier (e.g., an email or a web post that contains them).


Fake Captcha

CAPTCHAs are challenge-response tests that help determine whether or not a user is human. However, the phishing Fake CAPTCHA PDF files do not use a real CAPTCHA, but instead an embedded image of a CAPTCHA test. As soon as users try to “verify” themselves by clicking on the continue button, they are taken to an attacker-controlled website.


Coupon

The second category identified by Palo Alto was phishing PDF files that were coupon-themed and often used a logo of a prominent oil company. A considerable number of these files were in Russian with notes such as “ПОЛУЧИТЬ 50% СКИДКУ” and “ЖМИТЕ НА КАРТИНКУ”, which translate to “get 50 percent discount” and “click on picture” respectively.

Similar to other campaigns Palo Alto observed, these phishing files also leveraged traffic redirection.

Play Button

These phishing files do not necessarily carry a specific message, as they are mostly static images with a picture of a play button embedded in them. Although Palo Alto observed several categories of images, a significant portion of them either used nudity or followed specific monetary themes such as Bitcoin, stock charts and the like to lure users into clicking the play button. Figure 6 shows a PDF file with a Bitcoin logo and a clickable play button. Upon clicking the play button, users were redirected to another website.
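The Fake Captcha and Play Button files described above are pictures with a clickable region that leads off-site. The following Python triage heuristic is an added example, not code from Palo Alto's report or this article: it flags PDFs that contain images and a URI link but draw no text. The regexes, the sample object fragments and the `.example` hosts are constructed for illustration, and it assumes link annotations are stored as plain objects rather than inside compressed object streams.

```python
import re
import zlib

# Heuristic byte-level triage; assumes annotations are not packed in object streams.
OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)")  # /A << /S /URI /URI (...) >>
TEXT_OP_RE = re.compile(rb"\bT[jJ]\b")                  # text-showing operators Tj / TJ

def triage(pdf: bytes) -> dict:
    """Flag PDFs that are clickable pictures: image(s) + URI link, no drawn text."""
    images, has_text = 0, False
    for obj in OBJ_RE.finditer(pdf):
        body = obj.group(1)
        m = STREAM_RE.search(body)
        if not m:
            continue                      # object has no stream (page, annotation, ...)
        head, data = body[:m.start()], m.group(1)
        if re.search(rb"/Subtype\s*/Image", head):
            images += 1                   # image XObject: count it, do not scan pixels
            continue
        if b"/FlateDecode" in head:
            try:                          # decompressobj tolerates a clipped checksum
                data = zlib.decompressobj().decompress(data)
            except zlib.error:
                continue
        has_text = has_text or bool(TEXT_OP_RE.search(data))
    links = [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]
    return {"links": links, "images": images, "has_text": has_text,
            "image_only_lure": bool(links) and images > 0 and not has_text}

def _obj(num: int, body: bytes) -> bytes:
    return b"%d 0 obj\n%s\nendobj\n" % (num, body)

def _stream(head: bytes, data: bytes) -> bytes:
    return b"<< %s /Length %d >>\nstream\n%s\nendstream" % (head, len(data), data)

def _link(url: bytes) -> bytes:
    return b"<< /Type /Annot /Subtype /Link /Rect [200 300 400 380] /A << /S /URI /URI (%s) >> >>" % url

# Constructed samples (object fragments only, not complete PDFs; hosts are placeholders).
PAGE = b"%PDF-1.4\n" + _obj(1, b"<< /Type /Page /Contents 2 0 R /Annots [3 0 R] >>")
LURE = PAGE + _obj(2, _stream(b"/Filter /FlateDecode", zlib.compress(b"q 612 0 0 792 0 0 cm /Im0 Do Q"))) \
    + _obj(3, _link(b"http://redirector.example/verify")) \
    + _obj(4, _stream(b"/Type /XObject /Subtype /Image /Width 1 /Height 1", b"\x80"))
REPORT = PAGE + _obj(2, _stream(b"/Filter /FlateDecode", zlib.compress(b"BT /F1 12 Tf 72 720 Td (Quarterly report) Tj ET"))) \
    + _obj(3, _link(b"https://docs.example/q3"))

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("report", REPORT)):
        print(name, triage(sample))
```

A hit is a reason to inspect the extracted link targets, not a verdict: scanned documents with a legitimate link have the same shape.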

File Sharing

This category of phishing PDF files utilizes popular online file sharing services to grab the user’s attention. They often inform the user that someone has shared a document with them. However, due to reasons which can vary from one PDF file to another, the user cannot see the content and apparently needs to click on an embedded button or a link. As the number of cloud-based file sharing services increases, it would not be surprising to see this theme surge and continue to be among the most popular approaches. Clicking on the “Access Document” button took users to a login page with an Atlassian logo. Atlassian Stack is geared towards enterprises.


E-commerce

Incorporating e-commerce themes into phishing emails and documents is not a new trend. However, Palo Alto observed an upward trend in the number of fraudulent PDF files that used common e-commerce brands to trick users into clicking on embedded links.

According to Palo Alto, data from recent years demonstrates that the number of phishing attacks continues to increase and social engineering is the main vector for attackers to take advantage of users. Prior research has shown that large-scale phishing can have a click-through rate of up to 8 percent.
