Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Increase In Use Of PDFs For Spam

May 18, 2011 - 2 min read
In recently weeks, I have noticed an increase in the use of PDF files for spam. Instead of uploading an HTML page using a compromised account, as seen shown in a previous post "Hundreds of College and Government websites still redirecting to fake stores", spammers are instead uploading PDF files. My guess for their motivation, is that PDF files are less likely to be checked for spam than plain HTML pages.

Most of the spam PDF files contain text only.

Example of spam PDF
The goal of the spammer is to redirect users to a malicious website. This is done using a piece of JavaScript embedded into the PDF file.

JavaScript snippet from the PDF file

In this example, the user is redirected to hxxp://searchglobalsite.com/in.cgi?23 (the URL is obfuscated in the PDF file) which then redirects to hxxp://www.results-today.com/.


The list of websites hosting spam PDF files is very similar to what I have reported earlier. It includes college web sites, governmental sites, and wiki pages, such as the following:
  • hxxp://forum.wiki.usfca.edu/file/view/file10.pdf
  • hxxp://www.lapspecs.com/wiki/_media/http:cr43.pdf 
  • hxxp://www.dublincore.biz/accessibilitywiki/ImplementersNews?action=AttachFile&do=get&target=dub14.pdf
  • hxxp://wikiglobe.org/en/images/c/c9/Texas-veterans-home-loan.pdf
  • hxxp://wiki.solusvm.com/images/c/c6/Uk-cash-loans.pdf
  • hxxp://nspcommunity.net/wiki/images/e/e8/Small-loan-business.pdf
  • hxxp://wiki.fossasia.org/images/6/67/Ship-loans.pdf
  • hxxp://vuas.net/~dpmccann/mw/images/Real-estate-mortgage-loans.pdf
A Google search for "cialis viagra canadian pharmacy filetype:pdf site:.edu" for example, provides plenty of other examples.

-- Julien

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.