A user may receive a PDF file, which contains a malicious link asking for credentials, through email. After scanning the file with Deep Discovery Analyzer (DDAN), the file passed as safe.
Since the URL within the PDF file is trying to harvest credentials, it can be considered as intelligence gathering rather than dropping a malicious content. This is a phishing strategy used by possible attackers.
Unfortunately, we cannot sandbox a URL that displays a login page to enter credentials. This is a not a sandboxing defense. The DDAN AI cannot enter an email address and password to input into a login page. Smart Protection Network won't be able to detect this URL. It is not possible to source every potential phishing URL.
The Web Reputation is not a filter. It is a database in the cloud which is queried by lookup and scores given for URLs. Thus, the undetected phishing link within an attached PDF file in an email is a normal.
For such phishing link, file a threat case to Trend Micro Technical Support. The URL should be uploaded and classified as phishing. The Threat Team can further check the URL and if a file is downloaded, a pattern-based detection will be created for Trend Micro products.
For more information, refer to the Deep Discovery Analyzer 6.5 Online Help page.