A three-page PDF attachment passes every automated scan. No JavaScript. No AcroForm objects. No embedded URLs. No OpenAction triggers. Antivirus returns clean. The static risk score comes back at 0.08 out of 1.0. By every measurable technical indicator, the file is safe. Then a security analyst notices the single embedded image, 3.6 kilobytes, that no scanner bothered to decode.
The email arrived from tirupatigroup.co[.]in, the domain of a real Indian manufacturing company with an established web presence and a domain registration dating to the company's founding. SPF passed, DKIM verified, DMARC passed, and ARC seals were intact across the Microsoft relay chain. The sender claimed to be a procurement executive, but automated person-search returned no matching public profile. This was a first-time sender to the recipient organization, and the incident metadata flagged the sender's risk level as high.
Over the next 11 days, multiple mailboxes across the organization were quarantined for this message, indicating either a multi-recipient campaign or a retroactive detection that triggered an organization-wide sweep.
The attachment, named after a purchase order number, carried metadata consistent with legitimate enterprise software: produced by "SAP NetWeaver 758," created by the form template "ZMM_PUR_SF_ODR_PRINT EN," authored by an SAP user ID. The creation timestamp was plausible. The PDF version was 1.3, a standard output for SAP document generation.
Static analysis was thorough.
The PDF was, by every structural measure, a static document. The only finding was a single embedded image, img-000.png, approximately 3.6 KB. At that file size, the image could contain a QR code, a shortened URL rendered as text, or a small graphic that prompts the recipient to scan with a mobile device.
Static scanners do not decode image content. They look for structural indicators: JavaScript execution hooks, form submission actions, embedded file streams. An image-only payload sits in the gap between what static analysis can evaluate and what dynamic sandboxing would catch, and even the sandbox catches it only if its pipeline includes QR/OCR decoding of every embedded image.
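The gap described above can be made concrete. The following Python script is an added example, not code from IRONSCALES or from the original post: it does what a structural scanner does (counts the risky dictionary keys such as /JavaScript, /AcroForm, /URI and /OpenAction) and then checks whether the document paints nothing but an image, which is the pattern that should be routed to QR/OCR decoding instead of being released on a clean static score. The sample PDF it builds is constructed (no xref table, no font resource), and the key list, the weights and the `image_only_payload` rule are assumptions, not any vendor's detection logic.

```python
"""Structural triage of a PDF: find the 'image-only payload' that static scans miss."""
import re
import zlib

# Dictionary keys that structural PDF scanners key on (assumed list).
STRUCTURAL_KEYS = (b"/JavaScript", b"/JS", b"/AcroForm", b"/OpenAction",
                   b"/AA", b"/Launch", b"/URI", b"/EmbeddedFile")

# "N G obj << dict >> stream ... endstream"; the dictionary may nest but never crosses "endobj".
STREAM_OBJECT = re.compile(
    rb"\d+\s+\d+\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL,
)
IMAGE_DICT = re.compile(rb"/Subtype\s*/Image")


def iter_streams(pdf: bytes):
    """Yield (dictionary, decoded_body) for each stream object, inflating FlateDecode."""
    for m in STREAM_OBJECT.finditer(pdf):
        dictionary, body = m.group(1), m.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # corrupt or multi-filter stream: fall back to the raw bytes
        yield dictionary, body


def count_structural_indicators(pdf: bytes) -> dict:
    """Count risky keys in the object skeleton plus decoded non-image streams.

    Stream bodies are blanked before counting so binary image data cannot
    produce false hits; decoded content streams are appended so keys hidden
    behind compression are still seen.
    """
    skeleton = re.sub(rb"stream\r?\n.*?\r?\nendstream", b"stream endstream", pdf, flags=re.DOTALL)
    decoded = b"".join(body for dictionary, body in iter_streams(pdf)
                       if not IMAGE_DICT.search(dictionary))
    haystack = skeleton + b"\n" + decoded
    return {key.decode(): len(re.findall(re.escape(key) + rb"\b", haystack))
            for key in STRUCTURAL_KEYS}


def triage_pdf(pdf: bytes) -> dict:
    """Return the static indicator counts and whether the page is image-only."""
    indicators = count_structural_indicators(pdf)
    images, text_ops, draw_ops = [], 0, 0
    for dictionary, body in iter_streams(pdf):
        if IMAGE_DICT.search(dictionary):
            width = re.search(rb"/Width\s+(\d+)", dictionary)
            height = re.search(rb"/Height\s+(\d+)", dictionary)
            images.append({"width": int(width.group(1)) if width else 0,
                           "height": int(height.group(1)) if height else 0,
                           "decoded_bytes": len(body)})
        else:
            # Tj/TJ draw text (the ' and " variants are omitted here); "Do" paints an XObject.
            text_ops += len(re.findall(rb"\bT[jJ]\b", body))
            draw_ops += len(re.findall(rb"\bDo\b", body))
    structural_hits = sum(indicators.values())
    image_only = structural_hits == 0 and bool(images) and text_ops == 0 and draw_ops > 0
    return {
        "structural_hits": structural_hits,
        "indicators": indicators,
        "image_count": len(images),
        "images": images,
        "text_operators": text_ops,
        "image_only_payload": image_only,
        "next_step": ("decode every image (QR/OCR) before trusting the clean static score"
                      if image_only else "static verdict stands; review any hits"),
    }


def build_sample_pdf(image_only: bool = True) -> bytes:
    """Constructed minimal PDF: one page drawing one small image, optionally plus text."""
    # 21x21 8-bit grayscale checkerboard standing in for a QR code (constructed pattern).
    pixels = bytes((255 if (x + y) % 2 else 0) for y in range(21) for x in range(21))
    image_stream = zlib.compress(pixels)
    content = b"q 120 0 0 120 50 600 cm /Im0 Do Q"
    if not image_only:
        content += b" BT /F1 12 Tf 50 700 Td (Purchase order attached) Tj ET"
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /XObject << /Im0 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /XObject /Subtype /Image /Width 21 /Height 21 /ColorSpace /DeviceGray "
        b"/BitsPerComponent 8 /Filter /FlateDecode /Length %d >>\nstream\n" % len(image_stream)
        + image_stream + b"\nendstream",
    ]
    out = b"%PDF-1.3\n"
    for number, obj in enumerate(objects, start=1):
        out += b"%d 0 obj\n" % number + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf(image_only=True)))
    print(triage_pdf(build_sample_pdf(image_only=False)))
```

Real attachments also park objects inside compressed object streams (/ObjStm) and use filters other than FlateDecode, so a production version decodes those before counting keys; the point this example makes is the routing decision: a zero indicator count on a document whose only painting operation is an image is a reason to decode the image, not a reason to deliver.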
The email's relay chain was clean. It transited through outbound.protection.outlook[.]com and arrived via mail.protection.outlook[.]com. Return-Path aligned with the From header. The domain's DMARC policy was set to p=quarantine, which is stricter than most phishing sender domains manage.
This is the paradox that makes vendor impersonation attacks effective: the more legitimate the sending infrastructure, the harder the detection. If the sending account was compromised, the attacker inherited every authentication credential the domain had configured. If the sender was a real employee acting maliciously, the same applies. Authentication tells you where the email came from. It cannot tell you why it was sent.
When static analysis returns clean, detection must rely on behavioral context. The Adaptive AI on the IRONSCALES platform flags the combination of first-time sender, high sender risk score, procurement language, and an attachment that resists full automated analysis. Rather than trusting the static scan result in isolation, the platform evaluates whether the communication pattern matches established vendor relationships. Community intelligence identifies when similar PDF structures from the same sender domain appear across multiple protected organizations, catching coordinated campaigns that individual scans miss. Research shows that 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways.
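The combination described in the two paragraphs above (authentication that passes, a sender with no relationship history, procurement language, and an attachment that static analysis cannot fully evaluate) can be expressed as a small scoring routine. The Python below is an added example, not IRONSCALES code: it parses a constructed Authentication-Results header, then scores the same message twice, once as a first-time sender and once as an established vendor, to show that a full SPF/DKIM/DMARC pass is an input that never lowers the score. The placeholder domains, the term list, the weights and the `attachment_findings` shape (a dict with an assumed `image_only_payload` key produced by whatever attachment triage ran) are all assumptions.

```python
"""Relationship-context scoring for a fully authenticated vendor email."""
import email.utils
import re
from email import message_from_string

# Constructed header set: every authentication method passes, as in the incident.
# Domains are placeholders, not the real sender.
RAW_MESSAGE = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=vendor.example;
 dkim=pass (signature was verified) header.d=vendor.example;
 dmarc=pass action=none header.from=vendor.example
From: "A. Buyer" <procurement@vendor.example>
To: accounts@recipient.example
Subject: Purchase Order 4500050217 - please confirm
Content-Type: text/plain

Please find attached our purchase order. Kindly confirm pricing and payment terms.
"""

# Words that put a message in the payment/procurement lane (assumed list).
PROCUREMENT_TERMS = ("purchase order", "invoice", "quotation", "remittance", "payment")

# Assumed weights; the point is the combination of signals, not the exact numbers.
WEIGHTS = {
    "authentication_failed": 2,
    "first_time_sender": 2,
    "procurement_language": 1,
    "attachment_resists_static_analysis": 2,
}
HOLD_THRESHOLD = 3


def parse_authentication_results(header: str) -> dict:
    """Return {'spf': 'pass', 'dkim': 'fail', ...} from an Authentication-Results value."""
    return {method.lower(): result.lower()
            for method, result in re.findall(r"\b(spf|dkim|dmarc|arc)=(\w+)", header, re.IGNORECASE)}


def score_message(raw: str, known_vendor_domains: set, attachment_findings: dict) -> dict:
    """Combine authentication with relationship context and attachment findings."""
    msg = message_from_string(raw)
    sender_domain = email.utils.parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    auth = parse_authentication_results(msg.get("Authentication-Results", ""))
    authenticated = all(auth.get(method) == "pass" for method in ("spf", "dkim", "dmarc"))
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()

    reasons = []
    if not authenticated:
        reasons.append("authentication_failed")
    if sender_domain not in known_vendor_domains:
        reasons.append("first_time_sender")
    if any(term in text for term in PROCUREMENT_TERMS):
        reasons.append("procurement_language")
    if attachment_findings.get("image_only_payload"):
        reasons.append("attachment_resists_static_analysis")

    score = sum(WEIGHTS[reason] for reason in reasons)
    return {
        "sender_domain": sender_domain,
        "authenticated": authenticated,  # a pass adds nothing; only a failure adds weight
        "reasons": reasons,
        "score": score,
        "verdict": "hold" if score >= HOLD_THRESHOLD else "deliver",
    }


if __name__ == "__main__":
    # Same headers, same body: first-time sender with an undecoded image is held,
    # an established vendor with a text attachment is delivered.
    print(score_message(RAW_MESSAGE, {"trusted-supplier.example"}, {"image_only_payload": True}))
    print(score_message(RAW_MESSAGE, {"vendor.example"}, {"image_only_payload": False}))
```

The relationship set stands in for the sender history a mail platform accumulates per organization; the cross-organization correlation the paragraph above describes is the same check run over a shared history rather than one tenant's.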
| Indicator | Type | Context |
|---|---|---|
| tirupatigroup.co[.]in | Domain | Sending domain, fully authenticated |
| sushant.rana@Tirupatigroup.co[.]in | Email address | Sender, unverified identity |
| 4500050217.pdf | Filename | PDF attachment with embedded image |
| img-000.png | Filename | Embedded image, possible QR code |
| outbound.protection.outlook[.]com | Hostname | Microsoft relay chain |