In June, 43% of all malicious files were PDFs, indicating a significant rise in their use for malicious purposes.

'Deep PDF', integrated into ThreatCloud AI, protects against various vectors including email, web downloads, HTML smuggling, SMS messages, and more, keeping Check Point Quantum and Harmony customers safe and secure against global-scale phishing campaigns. 

The integration of 'Deep PDF' into ThreatCloud AI is a game-changer in the fight against global phishing campaigns. It conducts a thorough examination of PDF structures, URLs, and images to pinpoint phishing layouts.

By extracting abstract features and distinguishing malicious files from benign ones, it can detect a broad range of campaigns that other vendors may have missed.

Attack in Action

The malicious PDF file masquerades as a legitimate 'DocuSign' document, luring unsuspecting users to a fraudulent webpage where they are asked to enter their login credentials, including the recipient's email address.

Within the fake 'DocuSign' PDF, 'Deep PDF' readily detects that the phishing URL is directly accessible in the file's structure, and that the URL itself carries unsafe characteristics, such as an '@' symbol: (https://ipfs[.]io/ipfs/QmTLKnENpVmWBA579ME8hVU6KQxPShAxNtDTnsFZYRL5UW?filename=index.html#finance.division@nanaimo.ca).
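The kind of structural check described above, as an added example that is not Check Point's code: it pulls the /URI link targets out of a PDF and flags the URL traits the post calls out (an '@' symbol, an e-mail address in the fragment, content served from an IPFS gateway). The PDF bytes and the URL are constructed, the gateway hostname list is an assumption, and only uncompressed literal-string /URI entries are handled.

```python
import re
from urllib.parse import urlparse

# Constructed, minimal uncompressed PDF (not the sample from the post): one page with a
# /Link annotation whose /URI action points at a phishing-style URL that mirrors the
# traits described above (IPFS gateway, '@' symbol, victim e-mail in the fragment).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 72 300 100]
/A << /S /URI /URI (https://ipfs.io/ipfs/QmCONSTRUCTEDHASH?filename=index.html#finance@example.org) >> >>
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Literal-string /URI targets only; object streams, compressed objects and hex strings
# need a real PDF parser, so a production scanner must decompress before this step.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")

def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every literal-string /URI action target found in the PDF."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]

def url_findings(url: str) -> list[str]:
    """Heuristics for the URL traits the post calls out; the gateway list is an assumption."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    findings = []
    if "@" in url:
        findings.append("contains '@'")
    if EMAIL_RE.search(p.fragment):
        findings.append("e-mail address in fragment (pre-fills the victim's login)")
    if (host == "ipfs.io" or host.endswith(".ipfs.io")) and p.path.startswith("/ipfs/"):
        findings.append("content served from a public IPFS gateway")
    if re.search(r"filename=[^&]*\.html?$", p.query, re.I):
        findings.append("gateway asked to render an HTML file by name")
    return findings

def scan_pdf(pdf_bytes: bytes) -> dict[str, list[str]]:
    """Map each link target in the PDF to its findings; an empty list means no trait matched."""
    return {u: url_findings(u) for u in extract_uris(pdf_bytes)}

if __name__ == "__main__":
    for url, hits in scan_pdf(SAMPLE_PDF).items():
        print(("SUSPICIOUS " if hits else "clean      ") + url, hits)
```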

After clicking on the “VIEW COMPLETED DOCUMENT” button, a web page opens and requests the user to input their login credentials.

Thanks to 'Deep PDF', the user was protected from opening the malicious webpage as it was blocked after scanning the PDF.

Further analysis of the webpage's source code revealed that it was created with the help of 'glitch.com', a website that enables quick and easy creation of web pages.

A more in-depth analysis of the traffic showed that the HTML file contained embedded JavaScript code serving as a universal template for stealing information. The JavaScript was particularly noteworthy because it contained a comment reading "//new injection//", indicating that the attacker had altered the URL to redirect the user to their own domain.

After the user submits the password form, the credentials are sent to this webpage: https://aurigabar.ch/docucas/logs.php.


Once the user submits the password form, they are redirected to a fake DocuSign login page that mimics a session timeout, deceiving the user into believing they need to verify their identity again.

Final Thoughts

Check Point's Harmony customers with Threat Emulation activated are safeguarded against these types of attacks. This is just one example of how our Threat Emulation 'Deep PDF' can detect and prevent phishing campaigns through analysis of PDF structure, URLs, and other metadata, without relying on static signatures or manual assistance. By integrating 'Deep PDF' into our Threat Emulation product suite, we provide an additional layer of digital protection against cyber threats.