The Hidden Danger of PDF Files with Embedded QR Codes

The SonicWall Capture Labs threat research team has been observing PDF files with QR codes being abused by malware authors to deceive users for a long time.

QR codes are increasingly popular due to their versatility and ease of use. Beyond payments and feedback, QR codes have a wide range of applications across various industries such as marketing, retail, education, healthcare, hospitality, transportation, real estate, public services, entertainment, business operations, personal use etc.

Malware authors are efficiently taking advantage of its popularity. We observed that a lot of PDF files are coming from emails (fax) containing QR Codes asking users to scan with smart phone camera. Some claim to be security updates, while others contain SharePoint links for signing documents.

Fig 1: Malicious PDF files with QR code(blurred)

After scanning the QR code a phishing URL where the host in this case is bing.com to evade security detections then it redirects to the actual phishing page "hxxps://r[.]g[.]bing[.]com/bam/ac?!&&u=a1aHR0cHM6Ly9ocmVmLmxpLz9odHRwczovL20zYWZzZWN1ci51cy9hdXRoLmh0bWw=#GeXVrYWt1cmVjaGlAbWJrLmNvbQ=="

It opens a web page that closely resembles the official Microsoft login page.

Fig 2: Fiddler screenshot of phishing URL redirecting from bing.com

Users are prompted to enter their Microsoft account credentials such as user Id and password.

Fig 3: Fiddler screenshot of phishing URL

The intent is to harvest these credentials for malicious purposes such as unauthorized access to the user's email, personal information, and potentially sensitive corporate data.

Fig 4: Microsoft Phishing Page with prefilled username

Scanning a QR Code can lead to a wide range of severe consequences in these cases users are asked to scan via smartphone.

Fig 5: Screenshot of scanning QR code on a smartphone

The QR code scanning feature on mobile devices can be exploited to perform actions without the user's explicit consent. Following are the possible harms caused by this:

• Automatic download and installation of malicious apps.
• Users might be subscribed to premium SMS services, leading to unexpected charges.
• Initiating calls to premium-rate numbers, incurring high costs.
• Credential Theft
• Exploit Attacks
• Network Compromise
• Reputation Damage

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this malware, the following signatures have been released:

MalAgent.A_1998 (Trojan)

MalAgent.A_1999 (Trojan)

IOCs

68d72745079d00909989c92141255ba530490cd361a26ee1f4083acf35168c45

21bb86d48cf2cfaa3fab305b54b936304a4cdbd60bb84024a3cd8a3eed99abc4

URLs

hxxps://r[.]g[.]bing[.]com/bam/ac?!&&u=a1aHR0cHM6Ly9ocmVmLmxpLz9odHRwczovL20zYWZzZWN1ci51cy9hdXRoLmh0bWw=#GeXVrYWt1cmVjaGlAbWJrLmNvbQ==

hxxps://geszvihbb[.]cc[.]rs6[.]net/tn[.]jsp?f=001Ditptef7aGWV9JfIQAYkZmCN-wQcHMy3e4wzwbv3vnsaliwycylagGK80Yt9uHp_YVVukara24hbeA_lURHoJmu1Scc_CBtL1Gctc_C9mjtpTa4efbpuN0PD2cc1NoggcgogpAVDLdR-weTmdl8QR4ErgtgM9NX_0e-GLM1eb4IkOGmV3qUSnw==&c=&ch==&__=/p[.]olds@dummenorange[.]com

hxxps://pub-8c469686ecb34304864e58edf5ab4597[.]r2[.]dev/gystdn[.]html#YXByaWxAcmVzZXRpdGxlLmNvbQ==