Purchase Order PDF With Embedded Image Bypasses Static Analysis From Authenticated Sender

TL;DR An email from an Indian manufacturing group's domain passes SPF, DKIM, DMARC, and ARC through Microsoft infrastructure. The attached PDF claims to be a purchase order generated by SAP NetWeaver, and static analysis confirms no JavaScript, no form objects, and no embedded URLs. However, the PDF contains a single embedded image (3.6 KB), and static scanners do not decode image content, so a QR code or a URL rendered as pixels inside that image passes unseen. The sender's name cannot be verified, this is a first contact, and multiple mailboxes are quarantined over an 11-day window.
Severity: High | Tags: Malware Delivery, QR Code Phishing | MITRE ATT&CK: T1566.001, T1204.002

A three-page PDF attachment passes every automated scan. No JavaScript. No AcroForm objects. No embedded URLs. No OpenAction triggers. Antivirus returns clean. The static risk score comes back at 0.08 out of 1.0. By every measurable technical indicator, the file is safe. Then a security analyst notices the single embedded image, 3.6 kilobytes, that no scanner bothered to decode.

The email arrived from tirupatigroup.co[.]in, the domain of a real Indian manufacturing company with an established web presence and a domain registration dating to the company's founding. SPF passed, DKIM verified, DMARC passed, and ARC seals were intact across the Microsoft relay chain. The sender claimed to be a procurement executive, but automated person-search returned no matching public profile. This was a first-time sender to the recipient organization, and the incident metadata flagged the sender's risk level as high.

Over the next 11 days, multiple mailboxes across the organization were quarantined for this message, which indicates either a multi-recipient campaign or a retroactive detection that triggered an organization-wide sweep.

The PDF Under Static Analysis

The attachment, named after a purchase order number, carried metadata consistent with legitimate enterprise software: produced by "SAP NetWeaver 758," created by the form template "ZMM_PUR_SF_ODR_PRINT EN," authored by an SAP user ID. The creation timestamp was plausible. The PDF version was 1.3, a standard output for SAP document generation.

Static analysis was thorough:

  • Embedded files: None (pdfdetach returned 0)
  • JavaScript: None detected
  • AcroForm: No form objects
  • URL/URI strings: A byte-level search of the file found no http, https, or mailto tokens
  • SubmitForm/OpenAction: None

The PDF was, by every structural measure, a static document. The only finding was a single embedded image, img-000.png, approximately 3.6 KB. At that file size, the image could contain a QR code, a shortened URL rendered as text, or a small graphic that prompts the recipient to scan with a mobile device.

Static scanners do not decode image content. They look for structural indicators: JavaScript execution hooks, form submission actions, embedded file streams. An image-only payload sits in the gap between what static analysis evaluates and what dynamic sandboxing catches, and a sandbox only closes that gap if its pipeline extracts the images and runs QR and OCR decoding on them.
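As an added example (not IRONSCALES tooling, and not the pipeline that produced the 0.08 score above), the script below runs the structural checklist from the previous section over a PDF's bytes using only the Python standard library. It normalises hex-escaped names, inflates FlateDecode streams so that names packed into object streams are scanned too, and then inventories the image XObjects that none of those checks evaluate. The three sample PDFs, their object layout, and the 20x20 image are constructed for illustration; the real attachment is described in the text, not reproduced here.

```python
"""Stdlib-only PDF triage: the structural checklist above, run over raw bytes and
inflated streams, plus an inventory of the image XObjects the checklist never looks
inside. Added example, not IRONSCALES tooling; the sample PDFs are constructed."""
import re
import zlib

# Active-content names, matched after #xx name-escape normalisation, because
# /J#61vaScript is a legal spelling of /JavaScript that a plain grep misses.
STRUCTURAL_INDICATORS = {
    "javascript": (rb"/JavaScript\b", rb"/JS\b"),
    "acroform": (rb"/AcroForm\b",),
    "openaction": (rb"/OpenAction\b", rb"/AA\b"),  # /AA: additional-action triggers
    "embedded_files": (rb"/EmbeddedFiles?\b",),
    "submitform": (rb"/SubmitForm\b",),
    "uri": (rb"/URI\b", rb"https?://", rb"mailto:"),
}
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated name tokens match the patterns above."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Inflate every valid zlib stream so names inside FlateDecode object streams
    (PDF 1.5+) are scanned too; pixels, plain content streams and other filters are skipped."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(out)


def list_images(data: bytes) -> list:
    """Inventory image XObjects: object number, dimensions, stream size in bytes."""
    images = []
    for m in OBJ_RE.finditer(data):
        body = m.group(3)
        if not re.search(rb"/Subtype\s*/Image\b", body):
            continue
        w = re.search(rb"/Width\s+(\d+)", body)
        h = re.search(rb"/Height\s+(\d+)", body)
        s = STREAM_RE.search(body)
        images.append({"obj": int(m.group(1)), "width": int(w.group(1)) if w else None,
                       "height": int(h.group(1)) if h else None,
                       "bytes": len(s.group(1)) if s else 0})
    return images


def triage_pdf(data: bytes) -> dict:
    """Run the checklist, then report whether a 'clean' result still leaves undecoded
    images that must go to QR/OCR decoding before any verdict is possible."""
    corpus = normalize_names(data + b"\n" + inflate_streams(data))
    indicators = {name: any(re.search(p, corpus) for p in pats)
                  for name, pats in STRUCTURAL_INDICATORS.items()}
    images = list_images(data)
    clean = not any(indicators.values())
    return {"indicators": indicators, "images": images, "structurally_clean": clean,
            "needs_visual_analysis": clean and bool(images)}


def build_pdf(objects: list, version: bytes = b"1.3") -> bytes:
    """Assemble a minimal well-formed PDF from raw object bodies (object 1 is the catalog)."""
    out = bytearray(b"%PDF-" + version + b"\n")
    offsets = []
    for i, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    startxref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, startxref)
    return bytes(out)


PIXELS = bytes(400)  # constructed 20x20 8-bit grey image, standing in for the 3.6 KB PNG
BASE = [  # objects 2-5: page tree, page that draws the image, content stream, image
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200]"
    b" /Resources << /XObject << /Im0 5 0 R >> >> /Contents 4 0 R >>",
    b"<< /Length 32 >>\nstream\nq 100 0 0 100 50 50 cm /Im0 Do Q\nendstream",
    b"<< /Type /XObject /Subtype /Image /Width 20 /Height 20 /ColorSpace /DeviceGray"
    b" /BitsPerComponent 8 /Length 400 >>\nstream\n" + PIXELS + b"\nendstream",
]
JS_ACTION = b"<< /S /JavaScript /JS (app.alert(1)) >>"
OBJSTM = zlib.compress(b"7 0 " + JS_ACTION)  # object 7 packed into an object stream
SAMPLE_CLEAN = build_pdf([b"<< /Type /Catalog /Pages 2 0 R >>"] + BASE)  # image only
SAMPLE_ESCAPED = build_pdf([b"<< /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >>"] + BASE
                           + [JS_ACTION.replace(b"/JavaScript", b"/J#61vaScript")])
SAMPLE_OBJSTM = build_pdf([b"<< /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R >>"] + BASE
                          + [b"<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>"
                             b"\nstream\n" % len(OBJSTM) + OBJSTM + b"\nendstream"], b"1.5")

if __name__ == "__main__":
    for label, pdf in (("clean", SAMPLE_CLEAN), ("escaped", SAMPLE_ESCAPED), ("objstm", SAMPLE_OBJSTM)):
        print(label, triage_pdf(pdf))
```

The field that matters is the last one: needs_visual_analysis is true only for the image-only sample, which is the purchase-order case. A score computed from the indicators alone would call that file clean; the correct output is a handoff of every extracted image to a QR decoder and OCR, with any recovered URL treated like a URL found in the PDF structure. The other two samples show why a raw byte search is not enough on its own: a hex-escaped name defeats a literal grep, and a name inside a compressed object stream is invisible until the stream is inflated.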

The Authentication Paradox

The email's relay chain was clean. It transited through outbound.protection.outlook[.]com and arrived via mail.protection.outlook[.]com. Return-Path aligned with the From header. The domain's DMARC policy was set to p=quarantine, which is stricter than most phishing sender domains manage.

This is the paradox that makes vendor impersonation attacks effective: the more legitimate the sending infrastructure, the harder the detection. If the sending account was compromised, the attacker inherited every authentication mechanism the domain had configured; the SPF record, the DKIM signing key, and the DMARC policy all vouch for the attacker's mail exactly as they vouch for the vendor's. If the sender was a real employee acting maliciously, the same applies. Authentication tells you where the email came from. It cannot tell you why it was sent.

How Adaptive AI Detects This

When static analysis returns clean, detection must rely on behavioral context. The Adaptive AI on the IRONSCALES platform flags the combination of first-time sender, high sender risk score, procurement language, and an attachment that resists full automated analysis. Rather than trusting the static scan result in isolation, the platform evaluates whether the communication pattern matches established vendor relationships. Community intelligence identifies when similar PDF structures from the same sender domain appear across multiple protected organizations, catching coordinated campaigns that individual scans miss. Research shows that 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways.

Hardening Recommendations

  1. Add QR/OCR decoding to your PDF analysis pipeline. Extract every image XObject, decode any QR code and OCR any rendered text, and treat a URL recovered that way exactly as you would a URL found in the PDF structure. Static analysis that skips embedded images misses a growing class of attacks.
  2. Quarantine first-time sender attachments by default. When a sender has no communication history with your organization, PDF attachments should land in quarantine for review.
  3. Verify purchase orders through procurement systems. Do not act on PO instructions from email alone. Cross-reference PO numbers against your ERP or procurement platform.
  4. Contact vendors through known channels. If the email claims to be from a procurement executive, call the vendor's published main number to confirm.
  5. Monitor for multi-mailbox quarantine patterns. When the same attachment triggers quarantine across multiple recipients over days, investigate as a potential campaign rather than isolated incidents.

Indicators of Compromise

Indicator | Type | Context
tirupatigroup.co[.]in | Domain | Sending domain, fully authenticated
sushant.rana@Tirupatigroup.co[.]in | Email | Sender, unverified identity
4500050217.pdf | Filename | PDF attachment with embedded image
img-000.png | Filename | Embedded image, possible QR code
outbound.protection.outlook[.]com | Hostname | Microsoft relay chain

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
