Deceptive PDF Disguised as RingCentral Leads to Phishing Attacks



The SonicWall Capture Labs threat research team has observed PDF files masquerading as Ring Central, which is a communication and collaboration platform. This is achieved by incorporating malicious URLs with the intention of executing social engineering attacks for credential theft.

Infection Cycle

The PDF document bears the message, "You have a new voice message." alongside the Ring Central logo. It prompts the user to take action with the instruction, "Click here to listen." However, upon clicking the provided link, the user is redirected to an adobe privileged host URL. Malware authors are abusing sites (or hosts) that identify privileged locations that host trusted content (in this case, an Adobe URL).

Figure 1: PDF document

Upon accessing the Adobe URL, the user is initially presented with a progress bar, cleverly designed to simulate the loading process of a voice message.

Figure 2: Fake voice message loading

Subsequently, a webpage unfolds, adorned with the Ring Central logo and featuring a conspicuous button labelled, "Listen to Voice Message." This orchestrated sequence is deliberately crafted to mislead individuals, creating a false sense of legitimacy by leveraging familiar branding elements. The user, encountering the seemingly authentic environment, may be enticed to click on the provided button, unknowingly falling victim to the deceptive tactics employed by the malicious actors. It underscores the sophistication of the social engineering technique, as it exploits trust in recognizable visuals to enhance the effectiveness of the fraudulent scheme.

Figure 3: Fake Ring Central on Adobe domain

Following the user’s click on the provided link in the PDF file, a redirection occurs, leading them to another malicious URL. At this destination, the user is presented with a phishing page cleverly designed to imitate the Microsoft sign-in interface. The deceptive page is crafted to closely resemble the legitimate Microsoft sign-in page, tricking users into believing they are interacting with an authentic platform.

Figure 4: Microsoft phishing page

On this fraudulent Microsoft sign-in page, unsuspecting users may be prompted to enter their login credentials — such as usernames and passwords — under the false pretense of accessing the supposed voice message or related content. However, the entered information is captured by malicious actors for unauthorized access and potential misuse.
Non-existence of this malicious file (at the time of writing this blog) on popular malware search portals like the Virus Total and the Reversing Labs indicates its spreading potential:

Figure 5: Virus Total

This multi-stage attack involves the initial lure of a fake voice message in the PDF, the redirection to a malicious URL, and the presentation of a deceptive Microsoft sign-in page. It highlights the need for users to exercise caution and verify the authenticity of online interactions, especially when prompted to provide sensitive information, to prevent falling victim to phishing attempts and safeguard personal security.

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: MalAgent.A_1994

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.


  • 85a38010b20ce02fd0387b1e36e0ab68a2d87d39d754434e6929dca67e9bc962

Relevant Links

  • hxxps://new[.]express[.]adobe[.]com/webpage/jWVSJkpCewb2X
  • hxxps://zqpfl[.]ipisecti[.]ru/97c9zhbt/
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.