Three fillable PDFs, a convincing patent compliance deadline, and a fee schedule totaling INR 30,400. On the surface, it looked like routine legal correspondence from an Indian intellectual property firm. Every email authentication check agreed: SPF passed, DMARC passed, ARC passed. The gateway waved it through.
But one of those PDFs contained 27 occurrences of the MZ byte signature buried inside compressed object streams. MZ is the two-byte signature that opens the DOS header of every Windows PE executable. Static scanners never found them because they never inflated the streams to look.
A Domain One Character Away From Legitimate
The sender address was dpapatents@dpahuja[.]co. The legitimate firm uses dpahuja[.]com and dpahuja[.]in as its primary domains. That single TLD difference (.co instead of .com) is the entire attack.
Whether the attacker registered dpahuja[.]co outright or took over a lesser-known domain the firm already held is not established. Either way, the domain carried an SPF record that authorized Microsoft 365 to send on its behalf, and the message transited Microsoft 365 infrastructure. SPF passed against the sending IP 2a01:111:f403:c408::3, a shared Microsoft 365 outbound relay. DMARC passed because the SPF-authenticated domain aligned with the From: domain, which is all DMARC checks; a DMARC "pass" (rather than "none") also means the lookalike domain published a DMARC record of its own. ARC results at multiple Microsoft hops preserved those verdicts across forwarding; ARC attests that each intermediary saw the same results, not that the sender deserves trust. DKIM showed "none" (the message was not signed), but an aligned SPF pass alone satisfies DMARC, and that was enough for every filter in the path.
This is the fundamental limitation of domain-based authentication. SPF, DKIM, and DMARC answer one question: "Was this message authorized by the domain shown in its headers?" They do not answer: "Is this the domain you should trust?" An attacker who controls a domain can configure it to pass every check. According to the Microsoft Digital Defense Report 2024, business email compromise and impersonation attacks increasingly rely on domains that pass all authentication checks by design.
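The gap described above is mechanical enough to show in code. The following is an added example, not part of the original analysis or any IRONSCALES product: it parses the spf/dkim/dmarc verdicts out of an Authentication-Results header, extracts the From: domain, and then asks the question DMARC does not, whether that domain is one the organisation actually deals with or merely resembles one. The header text, the trusted-domain list, and the verdict labels are constructed for the example; the naive two-label domain split and the single-character typosquat rule are simplifying assumptions, not a public-suffix-aware implementation.

```python
import re

# Constructed sample modelled on the case (SPF pass, DKIM none, DMARC pass for
# the lookalike domain). The header text is assumed, not quoted from the message.
SAMPLE_HEADERS = {
    "From": '"DP Ahuja Patents" <dpapatents@dpahuja.co>',
    "Authentication-Results": (
        "spf=pass (sender IP is 2a01:111:f403:c408::3) smtp.mailfrom=dpahuja.co; "
        "dkim=none (message not signed) header.d=none; "
        "dmarc=pass action=none header.from=dpahuja.co"
    ),
}

# Domains the organisation has an established relationship with (assumed list).
TRUSTED_DOMAINS = ("dpahuja.com", "dpahuja.in")

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_auth_results(value: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(value)}


def from_domain(value: str):
    """Domain of the RFC 5322 From: address; the display name is ignored on purpose."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", value)
    return m.group(1).lower() if m else None


def split_domain(domain: str):
    """Naive (name, tld) split on the last two labels. Assumption: no public-suffix
    list, so multi-part suffixes such as .co.uk are not handled correctly."""
    labels = domain.split(".")
    if len(labels) < 2:
        return domain, ""
    return labels[-2], labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None."""
    if domain is None or domain in trusted:
        return None
    name, tld = split_domain(domain)
    for t in trusted:
        tname, ttld = split_domain(t)
        if name == tname and tld != ttld:
            return t  # TLD swap, the pattern in this case (.co for .com)
        if edit_distance(name, tname) == 1:
            return t  # one-character typosquat (dropped, added or swapped letter)
    return None


def assess(headers: dict, trusted=TRUSTED_DOMAINS) -> dict:
    """Combine the authentication verdicts with the relationship check.

    'authenticated-lookalike' is the gap this case exposes: DMARC passes because
    the attacker's domain is correctly configured, yet the domain only resembles
    one the organisation actually corresponds with.
    """
    auth = parse_auth_results(headers.get("Authentication-Results", ""))
    domain = from_domain(headers.get("From", ""))
    dmarc_pass = auth.get("dmarc") == "pass"
    imitates = lookalike_of(domain, trusted)
    if domain in trusted:
        verdict = "trusted" if dmarc_pass else "spoof-suspected"
    elif imitates:
        verdict = "authenticated-lookalike" if dmarc_pass else "lookalike"
    else:
        verdict = "unknown-sender"
    return {"domain": domain, "auth": auth, "imitates": imitates, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS))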
The PDFs That Scanners Declared Safe
The email carried three PDF attachments, all formatted as Indian Patent Office "Form 27" working reports for different fiscal years. Each file was over 1 MB and contained AcroForm fields (48 interactive form fields in one document alone), consistent with legitimate fillable government forms.
Static analysis on the first attachment (WORKING REPORT FORM 27 FOR FY 2023-2024.pdf, MD5: 20476c7258b685f1b302f666e491b122) returned a clean verdict. No JavaScript. No launch actions. No OpenAction triggers. No encryption. By every check a conventional static scanner runs, the file looked safe.
Deeper extraction told a different story. Twenty-seven occurrences of the MZ byte signature (4D 5A) were identified inside compressed object streams. MZ is the two-byte signature that opens the DOS header of every Windows PE executable. No PE\x00\x00 signature was confirmed for any of them. That check needs care: in a real PE the PE signature is not adjacent to MZ but sits at the offset stored in the e_lfanew field (bytes 0x3C to 0x3F of the DOS header), so each hit has to be validated by following that pointer. Two-byte patterns also occur by chance roughly once per 64 KB of random-looking data such as image or font streams, so a document over 1 MB can yield a dozen or more MZ hits with nothing executable inside; the count alone is not proof of an embedded payload, and the hits may be fragments or noise. Even so, 27 of them in a document presented as a patent compliance form is an anomaly that merits extraction and validation rather than a "clean" stamp. MITRE ATT&CK catalogs disguising executable content as a trusted document type under Masquerading (T1036; specifically T1036.008, Masquerade File Type), a well-established evasion technique.
A second attachment could not be opened by the sandbox analysis environment at all, so its contents remain unverified; a "clean" verdict derived from metadata alone on a file the sandbox could not parse is an absence of evidence, not a pass. The third PDF showed low risk, with standard AcroForm fields and no anomalies.
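The extraction and validation steps described above, as an added example that is not the original analysis tooling: it walks every stream object in a PDF, inflates /FlateDecode streams with zlib, counts MZ hits in the decoded bytes, and then follows e_lfanew from each hit to see whether a PE\x00\x00 signature is actually there. The sample PDF it builds is constructed for the example (one stream carries a structurally valid MZ/PE stub, another carries MZ bytes that appear only as noise); locating stream bodies with a regex on the endstream keyword rather than /Length is a triage shortcut, and a production tool should use a real PDF parser such as pikepdf. Pass a file path as the first argument to run it against a real document.

```python
import re
import struct
import zlib

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"

# Stream dictionary plus body. Ending the body at 'endstream' instead of using
# /Length is an approximation that is good enough for a triage pass.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def iter_streams(pdf: bytes):
    """Yield (dictionary, data, was_decoded) for each stream object.

    /FlateDecode streams are inflated; unfiltered streams are used as they are;
    streams with other filters, or corrupt zlib data, are scanned raw.
    """
    for m in STREAM_RE.finditer(pdf):
        dictionary, raw = m.group(1), m.group(2)
        decoded = None
        if b"/FlateDecode" in dictionary:
            try:
                decoded = zlib.decompress(raw)
            except zlib.error:
                decoded = None
        elif b"/Filter" not in dictionary:
            decoded = raw
        yield dictionary, (raw if decoded is None else decoded), decoded is not None


def classify_mz(buf: bytes, off: int) -> str:
    """Follow the DOS header from an MZ hit: e_lfanew at +0x3C must point at
    'PE\\0\\0'. Returns 'pe' for a structurally valid stub, else 'fragment'."""
    if off + 0x40 > len(buf):
        return "fragment"
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    end = off + e_lfanew + 4
    if e_lfanew >= 0x40 and end <= len(buf) and buf[end - 4:end] == PE_SIG:
        return "pe"
    return "fragment"


def scan_pdf(pdf: bytes) -> dict:
    """Count MZ hits across all streams and how many chain to a PE signature."""
    report = {"streams": 0, "decoded": 0, "mz": 0, "pe": 0}
    for _dictionary, data, was_decoded in iter_streams(pdf):
        report["streams"] += 1
        report["decoded"] += int(was_decoded)
        for hit in re.finditer(re.escape(MZ), data):
            report["mz"] += 1
            if classify_mz(data, hit.start()) == "pe":
                report["pe"] += 1
    return report


def build_sample_pdf() -> bytes:
    """CONSTRUCTED sample: a minimal PDF with two FlateDecode streams (one holding
    a fake but structurally valid MZ/PE stub, one holding MZ noise) and one
    unfiltered stream. It is not one of the attachments from the case."""
    pe_stub = (MZ + b"\x00" * 0x3A            # DOS header padding up to e_lfanew
               + struct.pack("<I", 0x40)       # e_lfanew -> offset 0x40
               + PE_SIG + b"\x00" * 16)        # PE signature, then filler
    noise = b"MZ is also a random token" + b"\x00" * 8 + MZ

    def stream_obj(num: int, payload: bytes) -> bytes:
        comp = zlib.compress(payload)
        head = f"{num} 0 obj\n<< /Length {len(comp)} /Filter /FlateDecode >>\nstream\n"
        return head.encode() + comp + b"\nendstream\nendobj\n"

    return (b"%PDF-1.7\n"
            + b"1 0 obj\n<< /Type /Catalog /AcroForm << /Fields [] >> >>\nendobj\n"
            + stream_obj(2, pe_stub)
            + stream_obj(3, noise)
            + b"4 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n"
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    print(scan_pdf(data))
```

On the constructed sample the report is three streams, three MZ hits, and exactly one that chains to a PE signature; the two hits in the noise stream are what a bare byte search would have counted as "embedded executables". The same distinction is what the 27 hits in the real attachment needed before anyone could call them a payload.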
The Social Engineering: Professional, Patient, and Expensive
The email body was structured as professional legal correspondence. It referenced a specific patent number (251264), an application number (1629/KOLNP/2007), and the patentee by corporate name. It cited the Indian Patent Office's e-filing module, the statutory requirement for Form 27 working reports, and exact deadlines (instructions by May 30, 2026; filing by September 30, 2026).
The fee table broke costs across three fiscal years, totaling INR 30,400 (roughly USD 350). The amounts are small enough to process without executive approval at most organizations, a hallmark of advance-fee fraud documented in the FBI IC3 Internet Crime Report 2024.
The message was sent to three recipients in the patent department of a global agricultural company. The targeting was precise: the correct internal contacts for IP compliance work. This level of specificity, combined with the convincing legal formatting, indicates prior reconnaissance of the target; the delivery itself maps to Phishing: Spearphishing Attachment (T1566.001).
Why Authentication Was Not Enough
The Themis Adaptive AI engine flagged this message on behavioral signals that authentication protocols cannot evaluate. The sender domain dpahuja[.]co was not in the organization's established communication pattern. Despite the passing SPF and DMARC results, the impersonation tag fired: the display name matched a known external contact but the domain did not match the expected TLD.
Across the IRONSCALES community of 35,000+ security professionals, this pattern (lookalike TLD, passing authentication, attachment-heavy legal correspondence) had already been surfacing in similar campaigns targeting multinational companies with Indian patent portfolios. The combination of behavioral anomaly detection and community threat intelligence raised the confidence score high enough to flag what every gateway had approved. The message was quarantined from the affected mailboxes across the organization within days of initial detection.
The Verizon 2024 DBIR found that the human element was involved in 68% of breaches. In this case, the human element was not the weakness. The three recipients did not click, open, or respond. The weakness was the infrastructure layer that equated authentication with trust.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | dpahuja[.]co | Lookalike domain impersonating dpahuja[.]com/.in |
| Sender Email | dpapatents@dpahuja[.]co | Attacker-controlled sender address |
| Sending IP | 2a01:111:f403:c408::3 | Shared Microsoft 365 outbound relay; not attacker-owned, so not a useful block indicator on its own |
| Hash (MD5) | 20476c7258b685f1b302f666e491b122 | PDF with 27 MZ byte signatures in compressed streams (no PE signature confirmed) |
| Hash (MD5) | dd58b11a2fcb8aa819be4d853fba6026 | Unverifiable PDF (sandbox failed) |
| Hash (MD5) | 7ea20cd7d542568662a8ed56a0a1f2ed | Low-risk PDF with AcroForm fields |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Spearphishing Attachment | T1566.001 | Targeted email with weaponized PDF attachments |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Lookalike domain and sender name imitating the legitimate firm; executable bytes hidden inside PDF object streams (more precisely Masquerade File Type, T1036.008) |
| User Execution: Malicious File | T1204.002 | Fillable PDF forms designed to solicit interaction and potential payload execution |
What This Case Proves About PDF Inspection
Most organizations treat PDF scanning as a solved problem. If the scanner says clean and the authentication passes, the file reaches the inbox. This case exposes three gaps in that assumption.
First, static PDF analysis that only checks for JavaScript, launch actions, and embedded-file markers will miss content buried in compressed object streams. Inflating and scanning every stream object costs CPU time that gateways are tuned to avoid, which is exactly why attackers rely on it.
Second, DMARC is a necessary but insufficient control. It verifies domain alignment, not domain legitimacy. An attacker who registers a lookalike domain and configures DNS records correctly will pass every check. Behavioral analysis that tracks sender relationships over time catches what authentication cannot.
Third, advance-fee fraud does not need malicious links or exploit code to succeed. The fee table in this email was the payload. If the recipients had responded and paid, the attacker would have collected roughly USD 350 from this one target with no technical exploit required. The MZ signatures may represent a secondary payload path for more aggressive follow-up, or they may be artifacts of the PDF generation tool or chance byte sequences in binary streams. Either way, their presence in a "clean" document should concern every security team relying solely on static verdicts.