Experts have discovered a phishing campaign targeting users with a phony PDF attachment that leads to the vawtrak malware.
Researchers at PhishMe took notice of the ruse after several of the messages were submitted through the company's filtering solution, according to a recent blog post.
The emails, purporting to be billing messages sent by payroll service ADP, included a fake invoice attachment in the form of a PDF. According to the experts, the attackers “used a few tricks” to make analyzing the message more difficult. After decoding a section of the document, they were able to discover the shellcode that injects into a vulnerable version of “Adobe Reader, if successfully exploited.”
A test on a vulnerable version of Adobe Reader revealed the malware's domain. A VirusTotal search indicated that the URL was previously submitted and that the malware was vawtrak.