"Your Binance statement has been generated, please download the attachment to view." The attachment is a malicious PDF. This article teaches you how to identify it.
I. Iron Rule
Binance official emails never send attachments.
All real statements, KYC forms, and confirmation slips are viewed within the binance.com platform, not transmitted via email attachments.
II. Types of Attachment Phishing
| File | Risk |
|---|---|
| PDF | Contains JavaScript / exploits |
| Word / Excel (.docm / .xlsm) | Malicious macros |
| ZIP / RAR | Contains .exe / .scr after extraction |
| HTML | Phishing page opened locally |
| ISO / IMG | Contains malicious executables after mounting |
III. Attack Surface of PDFs
PDFs are not just documents; they can also:
- Embed JavaScript (executed by the PDF reader)
- Link to external resources (tracking + redirection phishing)
- Exploit vulnerabilities in the PDF reader (0day)
Consequences of opening a malicious PDF:
- Trojan horse implantation
- Browser history leakage
- Automatic redirect to phishing sites
IV. Word / Excel Macros
Old classics:
- Open the document
- Office pops up an "Enable Content/Macros" prompt
- Once enabled, the malicious macro runs
- Downloads the full Trojan
Defense:
- Do not enable macros for any unknown documents
- Use Group Policy in corporate environments to disable macros by default
V. ZIP / RAR
The package often contains an .exe or .scr file. What looks like a PDF icon is actually an executable:
- binance_invoice.pdf      .exe (multiple spaces hide the .exe)
- binance_kyc.scr (the screensaver extension is actually an executable)
Defense:
- Turn on "File name extensions" in Windows File Explorer
- Do not double-click files inside a ZIP
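The checks from sections II, III and V can be combined into a small triage script. This is an added example, not code from the article: the function names and sample inputs are hypothetical, and the PDF markers are standard PDF name tokens chosen here to match the features listed in section III.

```python
import re

# Attachment types from the article's table, plus the .exe/.scr payloads in section V.
RISKY_EXT = {"docm": "macro-enabled Word file", "xlsm": "macro-enabled Excel file",
             "zip": "archive", "rar": "archive", "html": "local HTML page",
             "iso": "disk image", "img": "disk image",
             "exe": "executable", "scr": "screensaver executable"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# PDF name tokens for the features in section III (JavaScript, auto-run actions, links).
PDF_MARKERS = {b"/JavaScript": "embedded JavaScript", b"/JS": "JavaScript action",
               b"/OpenAction": "action runs when opened", b"/AA": "additional auto action",
               b"/Launch": "launches an external program", b"/URI": "external link"}

def check_filename(name):
    """Flag risky types, whitespace padding and decoy double extensions."""
    findings = []
    if re.search(r"\s{2,}", name):
        findings.append("whitespace padding in file name")
    parts = [p.strip().lower() for p in name.split(".")]
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXT:
        findings.append(f"risky type .{ext}: {RISKY_EXT[ext]}")
    if len(parts) > 2 and parts[-2] in DECOY_EXT and ext in ("exe", "scr"):
        findings.append(f"double extension: .{parts[-2]} hides .{ext}")
    return findings

def scan_pdf(data):
    """Report active-content markers found in raw PDF bytes."""
    # PDF names may be written with #xx hex escapes; decode them before matching.
    decoded = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)
    return [f"{marker.decode()}: {meaning}" for marker, meaning in PDF_MARKERS.items()
            if re.search(re.escape(marker) + rb"(?![A-Za-z0-9])", decoded)]

def triage(name, data=b""):
    """Combine file-name checks with a content check keyed on magic bytes."""
    findings = check_filename(name)
    if data.startswith(b"MZ") and not name.lower().endswith((".exe", ".scr")):
        findings.append("content is a Windows executable (MZ header)")
    if data.startswith(b"%PDF-"):
        findings += scan_pdf(data)
    return findings

# Constructed sample inputs (not real malware): file names from section V and a tiny PDF body.
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\n")

if __name__ == "__main__":
    for name, data in [("binance_invoice.pdf      .exe", b"MZ\x90\x00"),
                       ("binance_kyc.scr", b"MZ\x90\x00"),
                       ("Binance_Invoice_2026.pdf", SAMPLE_PDF)]:
        print(repr(name), "->", triage(name, data) or "no findings")
```

An empty result does not prove a PDF is clean, because objects can sit inside compressed streams that this raw byte scan does not unpack.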
VI. Identifying Malicious Attachments
Filename Features
- Named very officially: "Binance_Invoice_2026.pdf"
- But the sender is not binance.com
- Extremely small size (a few dozen KB) or abnormally large
Email Features
- Urgent tone
- No anti-phishing code
- Asking you to open it immediately
VII. When You Must Open It
If you absolutely need to open an uncertain file:
1. Online Preview with Google Drive
Upload it to Google Drive and preview it in your browser. Drive will sandbox it, and malicious code cannot reach your computer.
2. Open in Sandbox
Open it in Windows Sandbox / Sandboxie. The file is isolated.
3. Virtual Machine
Open it in VMware / VirtualBox. Even if infected, you can just delete the virtual machine.
4. Public Scanning
Upload to VirusTotal to scan for viruses. But do not upload files containing sensitive information.
VIII. Long-Term Defense
1. Do Not Download Attachments by Default in Email
Turn off "Ask before displaying external images" in Gmail settings, and do not preview attachments.
2. Use Browser Instead of Local Viewer
Opening PDFs in the browser (Chrome / Edge built-in PDF reader) is safer than Adobe (smaller attack surface).
3. Disable Macros in Office
File → Options → Trust Center → Macro Settings → Disable all macros without notification.
4. Backup Files Categorization
Separate work files from downloaded files into different directories. Do not put files of unknown origin in your work directory.
FAQ
Q1: Can I open PDFs on my phone? Yes. The built-in PDF rendering in iOS Safari and Android Chrome is relatively safe, but it is still recommended to scan the file first.
Q2: Is it safe to open a PDF with macOS Preview? Safer than Adobe, but there are still theoretical risks. Use a sandbox for important environments.
Q3: Can scanning engines catch it 100% of the time? No. New 0days usually enter the signature database after 1-2 weeks. Fundamentally, not opening unknown attachments is the safest approach.
Q4: What if I opened it by mistake? Disconnect from the internet immediately, run a full disk scan, and change important passwords.