Chas4 (posted September 27)

I forwarded the email with it to ESET at the end of July, so ESET should have it.

Norton-pdf-invoice-0526642.pdf
MD5: 68f06e5ce4f9c821e05193331f98237e
SHA-1: b65e2c39b070111f6a67b85cd9e62643fdbb9c5a
SHA-256: cf04b7f85952861ed00e5141c3595d48992f5b5f38bb11abfd33e67747064a2c
https://www.virustotal.com/gui/file/cf04b7f85952861ed00e5141c3595d48992f5b5f38bb11abfd33e67747064a2c/detection

The same scammer is actively using that and other PDFs for phishing, and maybe malware also.
Marcos, Administrator (posted September 27)

It may be a scam; however, there's no hyperlink nor instructions to pay for the service. The only suspicious and possibly scam-like thing about it is the phone number ("If you need to halt the transaction or modify it, please reach out to our client support team at ..."). No vendor detects it, and probably we won't detect it either.
Chas4, thread author (posted September 27)

Quoting Marcos, 11 minutes earlier: "It may be a scam; however, there's no hyperlink nor instructions to pay for the service. The only suspicious and possibly scam-like thing about it is the phone number ("If you need to halt the transaction or modify it, please reach out to our client support team at ..."). No vendor detects it, and probably we won't detect it either."

False, the URL is in the PDF, which they may have put other malware into, and it is part of an active phishing attack.
Marcos, Administrator (posted September 27)

Where in the PDF is there a clickable hyperlink?
Chas4, thread author (posted September 27)

Last I knew it was in there (I've noticed many scammers don't always make it into a hyperlink). Are phishing PDFs not blocked? This one is different from the ones I have reported in the past, which ESET is blocking.
Marcos, Administrator (posted September 27)

Unfortunately, I don't know what PDFs you sent in the past for which a detection was added.
Chas4, thread author (posted September 27)

From: unique plan key -6188776 <matinezmaletze4al@gmail.com> (maybe spoofed)
Date: Wednesday, July 26, 2023 at 1:55 PM
To: target email
Subject: Order Detail-052664885/pdf summary -INVOICE.

target email

The transaction has been finalized and your services have been successfully enhanced. Your Norton services has been successfully upgraded. We have forwarded an improved version of the PDF receipt to your email. The text refers to an attached PDF file.

For immediate assistance, get in touch with the Helpdesk by dialing +1 815 564 2372

We highly appreciate your decision.

I sent that to ESET on July 26, 2023.
Marcos, Administrator (posted September 27)

I see only one ticket, with the subject "Fw: Your payment dqmiownhi", sent from your forum email address on January 22, 2023.
Chas4, thread author (posted September 27)

Quoting Marcos, 27 minutes earlier: "I see only one ticket, with the subject "Fw: Your payment dqmiownhi", sent from your forum email address on January 22, 2023."

The forum one rarely gets spam; I forward from a different account, which was added to a spammers' list after a leak at MLB that they never acknowledged, over 10 years ago.
Marcos, Administrator (posted September 27)

It is the very same PDF that you sent on July 26.
itman (posted September 27, edited)

Quoting Marcos, 2 hours earlier: "Where in the PDF is there a clickable hyperlink?"

Another important detail is that no data exists on where to make the payment. This leads me to believe the e-mail itself contained this info, along with possibly a malicious link. I assume the .pdf was an attachment to the e-mail. Bottom line: there is nothing malicious about the .pdf per se, other than to support the attempted scam.

EDIT: Duh ... just realized the .pdf was a receipt. So the whole purpose was to get the e-mail recipient to open the .pdf. Was the attachment a .pdf or something else? I suspect the latter. Let's say the attachment was an archive. When ESET scanned it, it removed any malware, leaving the benign .pdf file.

(Edited September 27 by itman)
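Three questions run through the thread: does the PDF contain a clickable link or only a URL written in the text (Marcos and Chas4), does it carry any active content, and was the attachment really a PDF at all (itman). All three can be answered with a few minutes of static triage before a sample is forwarded anywhere. The script below is an added example written for this page; it is not ESET code and it does not analyse the Norton-pdf-invoice-0526642.pdf sample, which is not available here. It builds its own constructed stand-in PDF (the domain example.invalid is reserved and never resolves, the invoice text is made up, and the phone number is the one quoted in the e-mail above), inflates the FlateDecode streams so that text hidden in compressed content is visible, and then looks for /URI link actions, other active-content keys, and URLs or phone numbers in the visible text.

```python
"""Static triage of a suspicious PDF: is it a PDF, does it carry clickable
/URI links or active content, and what URLs/phone numbers are in its text.
Added example for this thread; not ESET code; operates on a constructed sample."""
import re
import zlib


def build_sample_pdf(compress: bool = True) -> bytes:
    """Constructed stand-in for a scam 'invoice' PDF (not the thread's sample).

    The visible text carries a phone number and a plain-text URL that is NOT a
    link; a separate /Link annotation carries a /URI action, which IS clickable.
    No xref table is written (viewers will rebuild it); the scanner needs none.
    """
    content = (b"BT /F1 12 Tf 72 720 Td "
               b"(Invoice 0526642: your Norton services has been upgraded.) Tj "
               b"0 -16 Td (To halt the transaction call +1 815 564 2372) Tj "
               b"0 -16 Td (Receipt: http://example.invalid/receipt) Tj ET")
    body = zlib.compress(content) if compress else content
    filt = b"/Filter /FlateDecode " if compress else b""
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] ",
        b"/Contents 4 0 R /Annots [5 0 R] >> endobj\n",
        b"4 0 obj << " + filt + b"/Length " + str(len(body)).encode() + b" >>\n",
        b"stream\n" + body + b"\nendstream\nendobj\n",
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 710] ",
        b"/A << /S /URI /URI (http://example.invalid/renew) >> >> endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


# Stream bodies; the closing delimiter is matched on "\nendstream" only, so a
# compressed body whose last byte happens to be 0x0d is not truncated.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
# String operands of the Tj operator (simplified: no escapes, no TJ arrays).
TEXT_RE = re.compile(rb"\((.*?)\)\s*Tj", re.DOTALL)
# A /URI action with a literal-string target: the genuinely clickable case.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys that make a PDF do something when opened, beyond rendering text.
ACTION_RE = re.compile(
    rb"/(Launch|JavaScript|JS|OpenAction|AA|EmbeddedFile|SubmitForm|GoToR|RichMedia)\b")
URL_RE = re.compile(r"https?://[^\s)>\]]+")
PHONE_RE = re.compile(r"\+?\d{1,3}[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def inflate_streams(data: bytes) -> bytes:
    """Replace every FlateDecode stream body with its inflated bytes.

    Bodies that are not zlib data (uncompressed, or another filter) are left
    untouched, so the function is safe to run over a whole file.
    """
    def _inflate(m: re.Match) -> bytes:
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)
    return STREAM_RE.sub(_inflate, data)


def visible_text(data: bytes) -> str:
    """Join the Tj string operands found in (already inflated) PDF bytes."""
    return "\n".join(m.group(1).decode("latin-1") for m in TEXT_RE.finditer(data))


def triage_pdf(data: bytes) -> dict:
    """Answer the thread's questions for one file's bytes."""
    inflated = inflate_streams(data)
    text = visible_text(inflated)
    return {
        # itman's question: a real PDF starts with %PDF; a zip starts with PK.
        "is_pdf": data.lstrip().startswith(b"%PDF"),
        # Marcos's question: link annotations with a /URI action are clickable.
        "clickable_uris": [m.group(1).decode("latin-1") for m in URI_RE.finditer(inflated)],
        "risky_actions": sorted({m.group(1).decode() for m in ACTION_RE.finditer(inflated)}),
        # Chas4's point: a URL or phone number can sit in the text as plain text.
        "text_urls": URL_RE.findall(text),
        "phone_numbers": PHONE_RE.findall(text),
    }


if __name__ == "__main__":
    for compress in (True, False):
        label = "compressed" if compress else "plain"
        print(label, triage_pdf(build_sample_pdf(compress)))
```

Run as-is, it triages both the compressed and the uncompressed form of the constructed sample and reports the same result for each: one clickable /URI target (the "renew" link), no active-content keys, one plain-text URL in the body, and the phone number, which is the only "call to action" a text-only scam PDF like the one in this thread needs. The scanner is deliberately minimal: it does not parse object streams (/ObjStm), hex strings, escaped parentheses, TJ arrays or encrypted files, so a clean result here is not proof of a benign file. For a real sample, run Didier Stevens' pdfid.py and pdf-parser.py, or a full parser such as pypdf, and keep the SHA-256 alongside the result so it can be matched to the VirusTotal entry.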