Weaponized Documents: It’s Just a Matter of Time Before One is Opened

Protecting the enterprise from today’s increasingly sophisticated threats such as fileless documents and PDF malware is a challenge. Weaponized documents are an example of attacks that can come from a web download, a shared drive or a file attached to a legitimate looking email. PDFs, Excel, Word or other Microsoft Office documents can all be compromised to contain code, links, or even videos that covertly release malware, trojans, ransomware or even remote access software onto a system or network.

Example of weaponized PDF document download from the web

These phishing exploits, like most of today’s phishing efforts, prey on the human element. Emails continue to be the most common attack vector with an attachment or link that appears as if it were sent by a familiar co-worker, relative, or close business associate that the target trusts and communicates with on a regular basis. What the threat actor counts on is the target’s familiarity with the perceived author, their curiosity and haste to view the file, and not being able to spot the nearly unnoticeable minor change in the sender’s email address. Weaponized documents can appear as invoices, resumes, spreadsheets, presentations, or business forms through personalized spear phishing campaigns designed to evade anti-virus and sandbox detection. Most businesses (and employees) exchange hundreds of emails and attached documents every day never giving a recognized senders email address a second thought, meaning it’s just a matter of time before a weaponized document gets downloaded and opened.


Example of weaponized document download from a storage site disguised as invoice & remittance advice

Some of these downloads may have legitimate functionality, but they can also have a side business. The files can be weaponized to mask the simultaneous install of remote access software like TeamViewer or LogMeIn. Both are applications normally used legally by organizations for remote and sharing purposes. But in this case the software is being used by the bad guys to gain illegal access to systems or a network. During the download users are asked to enable macros as part of the process which allows attackers to gain access to the target’s system. Once it’s installed and access has been gained, the credentials and license are sold on the dark web. Now, whoever wants to attack an organization doesn’t have to send a phishing email; they can go to the dark web and buy the stolen credentials to gain access.


Enabling macros during document download gives attackers system access

Weaponized documents have also become the phishing scheme of choice for nation states that target rival embassies, governmental offices, and agencies. Some hacker gangs use spear phishing to attack various institutions and organizations including banks, businesses, and restaurants specifically targeting HR departments for employee data or a CFO for corporate financial information. While others manipulate people’s interest and emotions when significant events are dominating the news. Regardless of their motivation or target, security vendors are reporting that the use of weaponized documents by bad actors is on the rise. Zero-day and zero-hour attacks are evolving and designed to elude traditional security techniques.

A much more comprehensive approach is needed to combat weaponized documents and the other phishing types. SlashNext’s Real-Time Phishing Threat Intelligence detects all six major phishing threats that can sometimes evade URL inspection and domain reputation analysis methods. It offers intelligence that helps security teams better understand and protect their organization from sophisticated, zero-hour phishing attacks. Find out if weaponized documents are eluding your security. Try SlashNext Real-Time Phishing Threat Intelligence free for 15 days.

Blog Subscription

It’s Time to Get Started with SlashNext

Experience the difference with broad phishing threat coverage and automated delivery.