[RndTbl] Emotet Email = Hijack Email Threads as follow up to Re: Fwd: Can a pdf file itself be malware

eh at eduardhiebert.com
Tue Feb 22 10:08:04 CST 2022

An ounce of proactive prevention is worth many pounds of cure!

Today is the first time I heard of the term Emotet email, which hijacks 
email threads and loads them with malware, especially Word and Excel.

I have anticipated and guarded against this potential concept simply by 
not opening attachments even from acquaintances, especially the routine 
type which prefer esthetics over safety.

European sites have stricter safety protocols but are not perfect. One 
site suggested using haveibeenpwned.com/NotifyMe to verify if Emotet 
has your email address. On second thought, whether Emotet has one's email 
address is almost irrelevant. What is important is if they have hacked 
one's account. Is this worth checking out by anyone who can do so safely? 
For reference please see

     Dangerous Trojan: How to check whether Emotet has your ...
     [Search domain t-online.de] https://www.t-online.de › digital › 
internet › id_89956954 › 
     How to check whether Emotet had your email address. And this is how 
you can check whether your email address appears in the list: 1. Go to 
the website "haveibeenpwned.com/NotifyMe". Enter...

More importantly, there are reputable software download sites. In a 
similar vein, are there safe-practice sites which would help verify if a 
site is clean or not? Sometimes good sites are simply not up to 
date, and Firefox for example makes no further distinctions.


-------- Original Message --------
Subject: Re: [RndTbl] Fwd: Can a pdf file itself be malware
Date: 2022-01-20 19:26
 From: eh at eduardhiebert.com
To: Continuation of Round Table discussion <roundtable at muug.ca>

Reply-To: Continuation of Round Table discussion <roundtable at muug.ca>

Hi All,

Bringing this to a conclusion, what a breadth of helpful information!

I can clearly now, more knowingly, be safer, and my thanks to all who 

I will be putting this to more use among my contacts, minus the names

I advance one caveat. With the ongoing tech and means advancements over 
time, one growing vulnerability may arise: that email attachments, even 
when expected from known contacts, may not always be safe, because with 
more smarts they could be breached and the bad actors then lie in wait 
until the parties base their collaboration practices; once identified, 
these then become potential risk exposure events.

Oh? And one last thing if someone knows why and how to undo.  I copied 
and pasted several as per below, but Bitters would not copy/paste unless 
I did it paragraph by paragraph.



Bitters wrote:
Seems to have a hyperlink inside the PDF that actually leads you to the 
malicious software. So maybe that's one way it gets past virus 
detection. It relies on the user to grab a secondary file from the 
hyperlink. I might set up a VM later and see where the rabbit hole 
leads. Most likely a keylogger if anything at all.

Checked out the link. It's one of the worst fake logins I have ever seen

On 19/01/2022 12:57 PM, John Lange wrote:
> Ok, so it turns out it is a straight up credential stealing phish 
> attack. It's a link to a website that links to another website with a 
> fake o365 login. Since there is no executable it escapes malware 
> detection. I would still have thought it would get black-listed based 
> on the URL in the PDF, but I guess that shows how weak standard 
> filtering is. I suspect the PDF in the URL is uniquely generated for 
> each email attachment so it can't be easily black-listed.
> John
> On 18/01/2022 9:15 PM, Adam Thompson wrote:
>> PDF files can be malicious; there have been several PDF zero-day flaws 
>> in the past: there could be more to come.
>> No attachment is safe, like opening an email... and if you talk to 
>> security experts, they can come up with examples of how just opening 
>> an email can be a problem, too.
>> General rule of thumb: do not open any attachments, ever.  The 
>> exception is if you know the sender and are expecting an attachment 
>> from them.
>> If you must open an unknown attachment (and do not have a sandboxed 
>> system where you can do so safely), save it first, make sure it gets 
>> or automatically got scanned, then open it.
>> -Adam

On 19/01/2022 6:45 PM, Brian Lowe wrote:
> In addition to rendering flaws, PDFs can have embedded JavaScript. This 
> is from the abstract of a paper published by the IEEE in 2014:

> An emerging threat vector, embedded malware inside popular document 
> formats, has become rampant since 2008. Owed to its wide-spread use and 
> JavaScript support, PDF has been the primary vehicle for delivering 
> embedded exploits. Unfortunately, existing defenses are limited in 
> effectiveness, vulnerable to evasion, or computationally expensive to 
> be employed as an on-line protection system. In this paper, we propose 
> a context-aware approach for detection and confinement of malicious 
> JavaScript in PDF.


Paper (ironically, a PDF) at 
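As an added defender-side example (not code from anyone in this thread), the following Python triage script looks at raw PDF bytes for the two things discussed above: clickable /URI links of the kind John found pointing at a fake login, and the /JavaScript, /OpenAction and similar active-content names Brian's paper excerpt refers to. The sample PDF is constructed for the example and only carries the markers; the script does not inflate compressed streams, so it is a first look before a file is saved and scanned, not a full parser.

```python
import re
from collections import Counter

# Constructed sample: a minimal PDF byte string with a /URI link annotation
# and an /OpenAction that runs embedded JavaScript. Not a working malicious
# file, just the markers a triage script keys on. The name /Java#53cript uses
# PDF's #xx hex escape (#53 is 'S') to show why names must be normalized.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /S /Java#53cript /JS (app.alert('x')) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://o365-login.invalid/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Names that run code or open files without the reader asking. /URI is common
# in honest documents, so link targets are reported separately for review.
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes inside PDF names (/Java#53cript -> /JavaScript),
    a trick that hides keywords from naive grep-style scanning."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count active-content names and collect /URI link targets from raw bytes."""
    data = normalize_names(data)
    counts = Counter()
    for name in ACTIVE_NAMES:
        # The name must end at a delimiter so /JS does not match inside /JSfoo.
        counts[name.decode()] = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data))
    uris = [u.decode(errors="replace") for u in re.findall(rb"/URI\s*\(([^)]*)\)", data)]
    return {"names": dict(counts), "uris": uris}


def triage(data: bytes) -> str:
    """Coarse verdict: 'review' for active content, 'links' for URI-only, else 'plain'."""
    result = scan_pdf(data)
    if any(result["names"].values()):
        return "review"
    return "links" if result["uris"] else "plain"


if __name__ == "__main__":
    print(triage(SAMPLE_PDF), scan_pdf(SAMPLE_PDF))
```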
