PIF Trojans spread by pretending to be PDF documents

In the last few hours, fake emails have been circulating that pretend to come from Google, using the sender address order@play.google.com. They carry an attachment that at first glance looks like a purchase receipt but is actually a Trojan.

The following is a screenshot of the fake email, received in an Outlook account:

The attachment is a compressed file, details_item_5402217401_2014.09.03.pdf.zip, which contains a .pif Trojan. PIF is a Windows file format that can carry executable code (VirusTotal detection: 27/53). Files of this type are not widely used today to spread malware; they are more often associated with old viruses, such as the one described in this report from the year 2000 on vsantivirus.com.

The file pretends to be a PDF document or receipt, using the name details_item_9740993888_2014.09.03.pdf.pif (note the double extension .pdf.pif).

Windows users can easily fall for the trick, since file extensions are hidden by default. In this case, however, the .pif extension stays hidden even when the display of extensions is enabled.

This is how the compressed file looks on the Windows desktop with the display of extensions enabled: the double extension .pdf.zip is visible (the latter being the actual extension):

However, in the case of the PIF file the extension is not shown, and the file looks like a PDF:
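The double-extension trick above can be caught before the attachment ever reaches a desktop, by inspecting the names and the first bytes of each entry inside the zip. The following script is an added example (not code from the original post or from any vendor) that scans an in-memory zip for entries whose final extension is executable, whose inner extension claims a document, or whose extension Windows Explorer never displays (.pif and .lnk are registered that way, so "x.pdf.pif" renders as "x.pdf" even with extension hiding turned off). The extension lists and the sample archive, built with names modelled on the post and dummy contents, are constructed for the example.

```python
import io
import zipfile

# Constructed, non-exhaustive lists for this example.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".lnk", ".vbs", ".js"}
# Explorer never displays these extensions, even when "hide extensions for known
# file types" is switched off, so "x.pdf.pif" is shown as "x.pdf".
ALWAYS_HIDDEN_EXTS = {".pif", ".lnk", ".url"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_entry(name, head):
    """Return a list of findings for one archive entry, given its name and first bytes."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    findings = []
    if len(parts) < 2:
        return findings
    last = "." + parts[-1]
    if last in EXECUTABLE_EXTS:
        findings.append("executable_extension")
        # e.g. "receipt.pdf.pif": a document extension right before the executable one
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            findings.append("double_extension")
        if last in ALWAYS_HIDDEN_EXTS:
            findings.append("extension_hidden_by_explorer")
    elif last in DOCUMENT_EXTS and head.startswith(b"MZ"):
        # Name claims a document, but the bytes start with a DOS/PE executable header.
        findings.append("executable_content_with_document_extension")
    return findings


def scan_zip(data):
    """Map suspicious entry names in a zip (given as bytes) to their findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed here
            findings = classify_entry(info.filename, head)
            if findings:
                results[info.filename] = findings
    return results


def build_sample_zip():
    """Constructed sample archive: names modelled on the post, contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details_item_9740993888_2014.09.03.pdf.pif", b"MZ" + b"\x90" * 64)
        zf.writestr("receipt.pdf", b"%PDF-1.4\n%dummy\n")
        zf.writestr("report.pdf", b"MZ" + b"\x90" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in scan_zip(build_sample_zip()).items():
        print(entry, "->", ", ".join(findings))
```

In the sample, the .pdf.pif entry trips all three name-based checks, "report.pdf" is flagged only because its bytes are an executable header, and the genuine "receipt.pdf" produces no finding. On a mail gateway the same logic would run over every zip attachment before delivery; in an analyst's workflow it gives a quick first triage of a suspicious archive without extracting or opening anything.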

So if you received the message and opened it out of curiosity, it is advisable to scan the computer with an updated antivirus. If you already have one and did not receive a security alert, I would recommend seeking a second opinion with an online antivirus or a portable antivirus on CD or pendrive (I have reviewed several on the blog).

It is worth mentioning that even if the received file had been a real PDF document, you would still have to be very careful when opening it, because real PDF files can be used to infect computers simply by opening them. You can see an example explained on video in this article that I published a few years ago.

This PIF file spam campaign is not really new: Websense published an article last month about these PIF file attacks. The variants they analyzed also pretended to be PDF files and infected computers with the Zeus banking Trojan. They also noted that the spam was of good quality, in the sense that it had no misspellings and its wording was quite credible.