Hardly detected malware hides as PDF in ZIP, executes through shortcut

A new kind of malware tries to infect users through an executable hidden as a PDF file, executed through shortcuts, so far the malware is hardly picked up by anti-virus software. The files comes as an attachment with e-mails, in our case an e-mail claiming to be a bank invoice. The mail comes from the mail address Lila.Pittman@adp.com someone claiming to work at Automatic Data Processing Inc. in Roseland.

The attachment is a ZIP file that contains, what it appears, a PDF file and some shortcuts. The malware was detected and diagnosed by our forum administrator Seán.

myce-shortcut infection

The PDF file won’t work because it’s actually an executable (.exe) file which probably makes an user click one of the shortcuts. If the shortcut is clicked, the malware will open a command prompt that tries to run the PDF as an executable.


When we uploaded the ZIP file to VirusTotal just 4 of 51 virus checkers showed it infected – K7AntiVirus, K7GW, Qihoo-360 and Sophos. Others such as McAfee, Symantec, AVG, etc. all showed it as clean. The malware seems to try to evade mail filters and scanners by hidden an unreadable PDF in a ZIP file and using shortcuts to infect the system.

The PDF itself was recognized by 7 of the 51 anti-virus engines of VirusTotal including McAfee and Sophos. This number will increase over time as anti-virus software companies start to recognize the files as malware.