I received a PDF file, a malicious PDF file, with a very low detection rate on VirusTotal. As you can see, it's actually zero. No antivirus detects it. And the reason is simple, because this malicious PDF document, this PDF file, doesn't actually contain any malicious code. It doesn't contain code at all. It is just social engineering. It tries to persuade you to click on the link and then download what is hosted on that web server.

So let's take a look. So it arrived via email as a payment slip. And when you open it, you get to see this. So you see here something that is blurred out. So supposedly your pay slip that is blurred out, and here a dialog window that says "plug-in missing" and "click here to view the document". Now all of this here is actually an image. And you can see, if I move here, I can see the URL. You can see that my cursor is a hand with a small icon that says W.

Now if I just click anywhere, for example here, I will get a security warning from Adobe Reader. You always get that unless it is not a default install and Adobe Reader has been configured to behave differently. So this is the security warning you get. And if you allow it, then the file will be downloaded with Internet Explorer, your default browser. It's a ZIP file, so I have to open it. And when it is opened, you can see that it contains actually an application, an EXE file. And then you have to open that one, and that is when the infection occurs. I'm not going to do that here.

If you look at this PDF file with PDFID, there's nothing special at all, all the indicators are zero. So that's normal, because it doesn't contain anything that would indicate malicious code, like a script or Flash or things like that. You could think that, since it doesn't contain JavaScript or things like that, it actually contains an exploit that is pure binary, that doesn't require JavaScript to do a heap spray or things like that. And you could check that with pdf-parser and YARA rules to detect malicious code in malicious documents, those rules that I defined and that you can find on my website. But as you can see, nothing triggers. And that is because this PDF file actually just contains an image with an annotation that links to that link, that malicious website.

If you want to find what is hidden here inside that PDF file, so the URL, you search for URI. And then here you get the HTTP IP address, username and document 219.zip, sorry. So this is a file that is then downloaded, but it is not done automatically. You need human interaction, but people need to be convinced that they need to do this to read the pay slip.
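The "search for URI" step can be scripted for mail triage. The following is an added example, not code from the video or from the speaker's tools: it pulls `/URI` action targets out of a PDF's raw objects and Flate-compressed streams and flags links that point at a bare IP address or at an archive or executable. The sample document, its URL, and the extension list are constructed assumptions.

```python
import ipaddress
import re
import zlib
from urllib.parse import urlsplit

# /URI followed by a literal string (...) or a hex string <...>
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
RISKY_EXT = (".zip", ".exe", ".scr", ".js", ".iso")  # assumed list, tune locally

def extract_uris(pdf_bytes):
    """Return URI targets from raw objects and Flate-compressed streams."""
    chunks = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:  # object streams can hide annotations from a plain string search
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (image, other filter): skip
    uris = []
    for chunk in chunks:
        for m in URI_RE.finditer(chunk):
            if m.group(2) is not None:  # hex string, odd length is zero-padded
                digits = re.sub(rb"\s", b"", m.group(2)).decode("ascii")
                raw = bytes.fromhex(digits + "0" * (len(digits) % 2))
            else:  # literal string: undo \( \) \\ escapes
                raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))
            uri = raw.decode("latin-1")
            if uri and uri not in uris:
                uris.append(uri)
    return uris

def triage(pdf_bytes):
    """Pair each URI with flags matching the lure described in the transcript."""
    report = []
    for uri in extract_uris(pdf_bytes):
        parts, flags = urlsplit(uri), []
        try:
            ipaddress.ip_address(parts.hostname or "")
            flags.append("ip-literal-host")
        except ValueError:
            pass
        if parts.path.lower().endswith(RISKY_EXT):
            flags.append("archive-or-executable")
        report.append((uri, flags))
    return report

# Constructed sample: one link annotation in the clear, one inside a Flate stream.
HIDDEN = b"7 0 obj << /S /URI /URI <68747470733a2f2f6578616d706c652e636f6d2f> >> endobj"
SAMPLE = (b"%PDF-1.4\n5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 612 792]\n"
          b"/A << /S /URI /URI (http://192.0.2.10/~user/document_000.zip) >> >>\nendobj\n"
          b"6 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + zlib.compress(HIDDEN)
          + b"\nendstream\nendobj\n%%EOF\n")
```

Literal strings with nested unescaped parentheses and streams using filters other than Flate are not handled, so an empty result is not proof that a document has no links.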