
Malicious PDF attacks

- How can a compressed file containing both a PDF and a .dll result in running the DLL?
- What if there is no "trusted program" in the compressed file?
- How to identify if a file is a real PDF versus a malicious shortcut before you click it?
- How to safely open a suspicious document if you absolutely must see its contents?

I have set up Windows 11 to open PDFs in a browser.

A PDF file itself cannot directly "open" a .dll (Dynamic Link Library) file. However, a PDF viewer (like Adobe Acrobat) can load a .dll as a plugin to extend its functionality, so the code that runs is chosen by the viewer, not by the document.

In a Browser

A PDF rendered in a browser cannot directly "open" a .dll file and execute its code. Browsers treat .dll files as downloads rather than as content they can load. While a PDF can link to a .dll file, the browser will prompt for a download or block it for security reasons; browsers do not run or open a .dll directly.

How can a compressed file containing both a pdf and a .dll result in running the dll?

A compressed file containing both a PDF and a .dll typically results in the execution of the DLL through a technique called DLL Side-Loading or DLL Hijacking. This method exploits how Windows applications search for and load the libraries they need to function. [1, 2, 3, 4, 5]

How the Execution Occurs

When you receive a ZIP archive with these files, the "PDF" is often not a simple document but a legitimate, digitally signed executable (.exe) that has been renamed or given a PDF icon to trick you. [1]
  1. The Decoy Executable: The attacker includes a real, trusted program (like an old version of a PDF reader or antivirus updater) in the folder.
  2. Windows Search Order: When you run this "PDF" (actually an .exe), the program looks for a specific DLL file it needs to run. Windows search logic prioritizes the local directory (the same folder as the .exe) over system folders like C:\Windows\System32.
  3. The Malicious DLL: The attacker places a malicious DLL in that same folder, naming it exactly what the legitimate program expects (e.g., cryptbase.dll or avk.dll).
  4. Automatic Execution: The trusted program unknowingly loads the malicious DLL instead of the real system version, executing the attacker's code with the same privileges as the trusted application. [1, 2, 3, 4, 5, 6, 7, 8]
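As an added example that is not part of the original page, the following Python script audits the file names inside an extracted archive for the pattern just described: a launcher (an .exe, shortcut or script) sitting next to a DLL that carries the name of a System32 library, plus document extensions hiding a launcher extension. The set of System32 DLL names is a constructed sample; on a Windows host you would build it from the directory itself.

```python
from pathlib import Path

# Constructed sample of DLL names that ship in C:\Windows\System32. On a Windows host build the
# set from the directory itself instead:
#   KNOWN_SYSTEM_DLLS = {p.name.lower() for p in Path(r"C:\Windows\System32").glob("*.dll")}
KNOWN_SYSTEM_DLLS = {"cryptbase.dll", "version.dll", "dwmapi.dll", "userenv.dll"}

# Extensions that start code when double-clicked, and document extensions commonly used as bait.
LAUNCHER_EXTS = {".exe", ".scr", ".com", ".lnk", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def audit_archive_listing(names):
    """Return (filename, reason) findings for the file names inside an extracted archive.

    Only names are examined, which is exactly what a user sees before clicking anything.
    """
    lowered = [n.lower() for n in names]
    # A side-load needs something that starts a process: an .exe, a shortcut or a script.
    has_launcher = any(Path(n).suffix in LAUNCHER_EXTS for n in lowered)
    findings = []
    for original, name in zip(names, lowered):
        suffixes = Path(name).suffixes
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and suffixes[-1] in LAUNCHER_EXTS:
            findings.append((original, f"document extension {suffixes[-2]} masks launcher {suffixes[-1]}"))
        elif suffixes and suffixes[-1] == ".lnk":
            findings.append((original, "Windows shortcut shipped inside an archive"))
        if name.endswith(".dll") and has_launcher:
            if name in KNOWN_SYSTEM_DLLS:
                findings.append((original, "same name as a System32 DLL, next to a launcher (side-loading pattern)"))
            else:
                findings.append((original, "DLL shipped alongside a launcher"))
    return findings


if __name__ == "__main__":
    # Constructed listing modelled on the archive described above.
    for finding in audit_archive_listing(["Invoice.pdf.exe", "cryptbase.dll", "README.txt"]):
        print("%-20s %s" % finding)
```

A DLL with no launcher beside it is not flagged; that case is covered by the shortcut and built-in-tool checks later on the page.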

Common Delivery Methods

- Spear-Phishing: Attackers send ZIP files themed as "Invoice," "Passport Scan," or "Payment Records" to build trust.
- LNK Files: Sometimes the ZIP contains a Windows Shortcut (.lnk) that, when clicked, triggers a command-line utility to load the DLL.
- Social Engineering: Attackers may use tools like QuickAssist or impersonate tech support to convince you to extract and run the contents. [1, 2, 3]

For more detailed technical analysis of these threats, researchers at Unit 42 and Microsoft Learn provide in-depth documentation on securing library loading. [1, 2]

 

What if there is no "trusted program" in the compressed file?

If there is no trusted program to side-load into, the attacker relies on manual execution or Living-off-the-Land Binaries (LOLBins): built-in Windows tools that can run the DLL for them. [1, 2]
The infection typically follows one of these paths:

1. The Malicious Shortcut (.LNK)

Instead of a "trusted .exe," the ZIP contains a Windows Shortcut (.lnk) disguised as the PDF. [1, 2]
- The Deception: You see a file named Invoice.pdf with a PDF icon, but it's actually a shortcut.
- The Command: When you double-click it, the shortcut executes a hidden command that calls a built-in Windows utility to load the DLL also found in that folder. [1, 2, 3]

2. Abuse of Built-in Windows Tools (LOLBins)

Attackers use legitimate system files that are already on your computer to run the malicious code. Common tools used for this include: [1, 2, 3]
- rundll32.exe: A standard Windows utility designed to load and run DLL functions. A shortcut might run a command like rundll32.exe malware.dll,Start.
- odbcconf.exe: A tool for configuring database connections that can also be used to load a DLL and bypass security scanners.
- regsvr32.exe: Typically used to register DLLs, it can be abused to execute malicious libraries from a local folder. [1, 2, 3, 4, 5, 6, 7]

3. Masking as an Executable

In some cases, the "DLL" itself might just be a renamed executable. [1]
- While Windows usually won't run a .dll if you double-click it directly, an attacker can configure a shortcut or a script to force the OS to treat it as an executable.
- Alternatively, they may use a hidden PowerShell script within the ZIP to extract the library and trigger its execution through one of the system tools mentioned above. [1, 2, 3, 4]

Why this works

These methods are effective because they use signed, trusted Microsoft binaries (like rundll32.exe) to do the work. Since the utility itself is safe, some basic antivirus programs may not flag the activity, allowing the malicious code inside the .dll to run under the guise of a legitimate system process. [1, 2, 3, 4]

How to identify if a file is a real PDF versus a malicious shortcut before you click it

To identify if a "PDF" is actually a malicious shortcut or another fake file, you should use visual inspection and security tools without double-clicking it. [1, 2, 3]

1. Show File Extensions (Critical) [1]

Windows hides file extensions by default, allowing a file named Invoice.pdf.lnk to appear as just Invoice.pdf. [1, 2]
- How to fix: In File Explorer, go to the View tab and check the box for File name extensions. This reveals if the file actually ends in .lnk, .exe, or .bat. [1, 2, 3, 4, 5]

2. Inspect File Properties

Do not double-click the file. Instead, right-click it and select Properties. [1]
- The "Shortcut" Tab: If you see a "Shortcut" tab, the file is a .lnk file, not a document.
- The Target Field: Check what is written in the "Target" box. A real PDF won't have a target field. If the target includes commands like powershell.exe, cmd.exe, or rundll32.exe, it is malicious and intended to run code. [1, 2, 3]

3. Check for "Double Extensions"

Attackers often use names like Report.pdf.exe. Even if you have extensions hidden, you might see "Report.pdf," but the icon might look slightly "off" or blurry because it's an icon embedded in an executable rather than a system-standard PDF icon. [1, 2, 3]

4. Use Online Scanners

If you are unsure, upload the file to a multi-engine scanner like VirusTotal. [1]
- These services scan the file against dozens of antivirus databases.
- Caution: Only do this if the file doesn't contain sensitive or private information, as uploaded files may be shared with the security community. [1, 2]

5. Visual Red Flags

- Small File Size: A "PDF" that is only 1KB to 10KB is likely just a shortcut or a script rather than a real document.
- Unexpected Origin: Be extremely wary of any compressed file (.zip, .iso) containing a PDF that you weren't expecting, especially from an external email. [1, 2]
For a deeper dive into the technical structure of a file, you can use specialized forensic tools like ExifTool to view metadata or PDFiD to scan for embedded scripts without opening the document. [1, 2]
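The checks above (the real extension, the shortcut's target, double extensions, tiny file size) can be scripted so the file is never opened at all. As an added example that is not part of the original page, this Python script reads a file's leading bytes to tell a genuine PDF from a Windows shortcut or executable and, for shortcuts, searches the UTF-16LE text for the built-in tools named above; the sample files are constructed inline.

```python
import struct
from pathlib import Path

# Signatures that can be checked by reading the first bytes, without opening the file in a viewer.
PDF_MAGIC = b"%PDF-"
MZ_MAGIC = b"MZ"  # Windows PE image: .exe, .dll, .scr
# MS-SHLLINK header: HeaderSize 0x0000004C followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
# Built-in tools the text names as typical shortcut targets. A shortcut stores its target and
# arguments as UTF-16LE strings, so that is the encoding searched for.
LOLBINS = ("rundll32.exe", "regsvr32.exe", "odbcconf.exe", "powershell.exe", "cmd.exe")


def classify_bytes(data: bytes) -> str:
    """Name the real format from the leading bytes."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(LNK_HEADER):
        return "lnk"
    if data.startswith(MZ_MAGIC):
        return "pe"
    return "unknown"


def triage(name: str, data: bytes, tiny_limit: int = 10 * 1024) -> dict:
    """Compare what the file name claims with what the bytes are, and collect red flags."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    claimed = suffixes[-1] if suffixes else ""
    actual = classify_bytes(data)
    flags = []
    if claimed == ".pdf" and actual != "pdf":
        flags.append(f"name claims PDF but content is {actual}")
    if ".pdf" in suffixes[:-1]:
        flags.append(f"double extension: .pdf hidden in front of {claimed}")
    if actual == "lnk":
        lowered = data.lower()  # bytes.lower() touches ASCII letters only, so UTF-16LE text survives
        flags += [f"shortcut references {t}" for t in LOLBINS if t.encode("utf-16-le") in lowered]
    if actual != "pdf" and len(data) < tiny_limit:
        flags.append(f"only {len(data)} bytes, typical of a shortcut or script rather than a document")
    return {"name": name, "actual": actual, "flags": flags,
            "verdict": "suspicious" if flags else "consistent"}


if __name__ == "__main__":
    # Constructed samples: a shortcut carrying a PDF name, a tiny genuine PDF, and a PE with a double extension.
    fake_lnk = LNK_HEADER + b"\x00" * 56 + "RunDLL32.exe".encode("utf-16-le")
    real_pdf = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    for n, d in (("Invoice.pdf", fake_lnk), ("Report.pdf", real_pdf), ("Report.pdf.exe", MZ_MAGIC + b"\x00" * 64)):
        print(triage(n, d))
```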

How to safely open a suspicious document if you absolutely must see its contents

Opening a suspicious file on your primary device is never recommended, but if you must view its contents, you should do so in an isolated environment that prevents any code from reaching your actual operating system. [1, 2, 3, 4]

1. Use an Online Sandbox (Safest/Easiest)

Online sandboxes allow you to "detonate" and view a file on a remote server. The file is never truly opened on your computer. [1]
- Browserling: Provides a secure, isolated cloud environment to open and interact with suspicious documents.
- CyberCheck360: Offers a free online sandbox where you can upload and preview PDFs, Word, or Excel files without them ever touching your local device.
- VirusTotal: Before opening, always upload the file here to see if any of the ~70 antivirus engines flag it as malicious. [1, 2, 3, 4, 5]

2. Built-in Windows Sandbox

If you have Windows 10/11 Pro or Enterprise, you can use the built-in Windows Sandbox. This creates a lightweight, temporary desktop environment that is completely wiped when closed. [1, 2, 3]
- How to use: Enable it via "Turn Windows features on or off," launch "Windows Sandbox," and then copy and paste the suspicious file into that window to open it. [1]

3. Use Cloud Document Viewers

Uploading the file to a major cloud provider can sometimes "strip" the malicious code by converting the PDF into a safe web-preview format. [1, 2]
- Google Drive: Upload the file and use the built-in previewer. Google often parses the PDF and displays it as HTML, which can render many standard exploits (like malicious JavaScript) ineffective.
- Caution: Be aware that uploading sensitive documents to these services means you are sharing that data with the provider. [1, 2, 3]

4. Specialized "Hardened" Viewers

Standard PDF readers like Adobe Acrobat are frequent targets for exploits. Using a simpler, "dumb" reader can sometimes sidestep malware designed for more complex software.
- SumatraPDF: This lightweight reader does not support JavaScript or interactive forms, which effectively neutralizes most PDF-based malware.
- Dangerzone: This tool takes a suspicious document, opens it in an isolated container, converts it into a "safe" PDF (essentially a series of images), and gives you back a clean version. [1]

Checking if your Windows version supports the built-in sandbox feature

To determine if your computer supports the built-in Windows Sandbox, you need to check two things: your Windows Edition and your Hardware Virtualization status.

1. Check your Windows Edition

Windows Sandbox is not available on Windows Home edition. You must have one of the following:
- Windows 10/11 Pro
- Windows 10/11 Enterprise
- Windows 10/11 Education
To check:
  1. Press the Windows Key + R on your keyboard.
  2. Type winver and press Enter.
  3. A window will pop up. Look for the line that says "Windows [10/11] Pro" or "Home."

2. Verify Hardware Virtualization

Even if you have the Pro edition, your computer's processor must have "Virtualization" enabled in the BIOS/UEFI.
To check:
  1. Press Ctrl + Shift + Esc to open the Task Manager.
  2. Go to the Performance tab and select CPU.
  3. Look at the bottom right of the window for Virtualization. It should say Enabled.

3. How to Enable the Sandbox

If you meet the requirements above, you can turn the feature on:
  1. Click the Start menu and type "Turn Windows features on or off".
  2. Scroll down the list until you find Windows Sandbox.
  3. Check the box and click OK.
  4. Restart your computer.
After restarting, you can simply type "Windows Sandbox" in your Start menu to launch a safe, disposable desktop for testing suspicious files.
For more detailed troubleshooting, Microsoft's official Sandbox documentation provides a full list of system requirements and setup steps.

 

Questions or problems regarding this web site should be directed to Info@marincounty.info
Last modified: Tuesday December 16, 2025.