The Hidden Danger of PDF Files with Embedded QR Codes


The SonicWall Capture Labs threat research team has been observing PDF files with QR codes being abused by malware authors to deceive users for a long time.

QR codes are increasingly popular due to their versatility and ease of use. Beyond payments and feedback, QR codes have a wide range of applications across various industries such as marketing, retail, education, healthcare, hospitality, transportation, real estate, public services, entertainment, business operations, personal use etc.

Malware authors are efficiently taking advantage of its popularity. We observed that a lot of PDF files are coming from emails (fax) containing QR Codes asking users to scan with smart phone camera. Some claim to be security updates, while others contain SharePoint links for signing documents.

Fig 1: Malicious PDF files with QR code(blurred)

After scanning the QR code a phishing URL where the host in this case is to evade security detections then it redirects to the actual phishing page “hxxps://r[.]g[.]bing[.]com/bam/ac?!&&u=a1aHR0cHM6Ly9ocmVmLmxpLz9odHRwczovL20zYWZzZWN1ci51cy9hdXRoLmh0bWw=#GeXVrYWt1cmVjaGlAbWJrLmNvbQ==”

It opens a web page that closely resembles the official Microsoft login page.

Fig 2: Fiddler screenshot of phishing URL redirecting from

Users are prompted to enter their Microsoft account credentials such as user Id and password.

Fig 3: Fiddler screenshot of phishing URL

The intent is to harvest these credentials for malicious purposes such as unauthorized access to the user’s email, personal information, and potentially sensitive corporate data.

Fig 4: Microsoft Phishing Page with prefilled username

Scanning a QR Code can lead to a wide range of severe consequences in these cases users are asked to scan via smartphone.

Fig 5: Screenshot of scanning QR code on a smartphone

The QR code scanning feature on mobile devices can be exploited to perform actions without the user’s explicit consent. Following are the possible harms caused by this:

  • Automatic download and installation of malicious apps.
  • Users might be subscribed to premium SMS services, leading to unexpected charges.
  • Initiating calls to premium-rate numbers, incurring high costs.
  • Credential Theft
  • Exploit Attacks
  • Network Compromise
  • Reputation Damage


SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this malware, the following signatures have been released:

MalAgent.A_1998 (Trojan)

MalAgent.A_1999 (Trojan)








Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.