An email titled Adobe Acrobat – Secure Document is being used as a malware lure, not as a normal Acrobat Sign request. The message says a secure document is waiting for review, pushes a 48-hour expiry, and uses a Review and sign Document button. Related Contract Procurement versions use the same pressure tactic for a fake procurement or e-signature request, then push a fake Adobe Reader page that downloads AdobeAcrobatInstaller.zip from an unrelated domain such as palmerag.co.za. The payload is a trojanized ScreenConnect installer, so it should never be treated as an Adobe Reader or Acrobat Sign update.
If you only opened the email, delete it and report it. If you clicked the link but did not run the ZIP or MSI, remove the download and clear the browser download history. If the fake document page asked for an email password instead of downloading software, compare it with the SecureDocs Document Delivery email scam and focus first on mailbox recovery. If you extracted AdobeAcrobatInstaller.zip or ran ScreenConnect.ClientSetup.msi, disconnect the computer from the network, remove the unexpected ScreenConnect client, scan for persistence, and change passwords from a clean device.
What This Fake Acrobat Sign Email Looks Like
The lure borrows the trust of document-signing workflows. It may use an Adobe Acrobat Sign display name, a secure-document subject, or wording about a contract project, business collaboration, or procurement request. The risky part is not the idea of an e-signature request by itself; it is the chain from the button to a fake viewer, ZIP archive, or software installer.

Example Of The Fake Email Wording
The exact sender and subject can change, but the campaign pattern is recognizable:
- Subject: Adobe Acrobat – Secure Document
- Sender display: Adobe Acrobat Sign
- Sender address example: secure-document [at] notice-documents [dot] example
- Opening line: You have received a secure document for contract-project collaboration.
- Contract variant: You have received a contract procurement request and must view the shared document.
- Pressure line: This request expires in 48 hours.
- Button: Review and sign Document or VIEW DOCUMENT
- Suspicious follow-up:
AdobeAcrobatInstaller.zip,ScreenConnect.ClientSetup.msi, or another Windows installer presented as a required update.

Contract Procurement Variant: AdobeAcrobatInstaller.zip
A Contract Procurement version of this scam may look less like a generic Adobe notice and more like a business request. The page behind the button can imitate an Acrobat Reader document viewer, show a blurred placeholder document, download AdobeAcrobatInstaller.zip, and then display a fake update prompt that tells you to run the download.
Do not run that ZIP or anything extracted from it. Acrobat Sign documents do not require a random reader update from a third-party domain, and a procurement document should not install remote-access software. If the file is already extracted, check the extracted folder for ScreenConnect or ConnectWise installer names, remove the archive and extracted files, and treat any executed installer as a remote-access incident.
Why A ScreenConnect MSI Is Dangerous Here
ScreenConnect, now ConnectWise ScreenConnect, is legitimate remote support software when an organization installs and manages it on purpose. Attackers abuse that trust by delivering a configured client through phishing, fake document pages, and fake software-update prompts. Once the attacker-controlled client runs, it can give someone remote visibility and control over the computer.
That is why the file name matters. ScreenConnect.ClientSetup.msi, AdobeAcrobatInstaller.zip, or a similar installer chain is not an Adobe document, not an Acrobat Reader update, and not a normal requirement for signing a PDF. Treat it as a remote-access incident if it came from an unexpected email, unknown domain, or fake update page.
How To Check If The Adobe Request Is Real
Before clicking a signing link, use checks that do not depend on the button inside the message:
- Expand the sender details and check the real address, not only the display name.
- Hover over the button or long-press it on mobile to inspect the destination. A signing request should not send you to an unrelated domain, ZIP archive, or direct MSI download.
- Ask the supposed sender through a separate channel if they actually sent a document.
- Open Acrobat Sign from a known bookmark or your organization’s normal Adobe workflow instead of trusting the email button.
- If the message claims to be Adobe abuse or a false Adobe request, report it to Adobe through the official phishing or Acrobat Sign abuse channels.
Adobe provides reporting paths for suspicious messages that claim to represent Adobe and for abusive Acrobat Sign agreements. Those reports are useful when a fake request uses Adobe branding or tries to abuse the signing workflow.
What To Do If You Clicked The Button
Your next step depends on how far the chain went:
- You only opened the email: delete it, report it, and do not reply.
- You clicked the button but no file ran: close the page, delete any downloaded ZIP or MSI, and avoid returning to the site.
- You downloaded or extracted the ZIP but did not run the installer: remove the archive and extracted files from Downloads, empty the Recycle Bin, and scan the file only through a trusted scanner if you need confirmation.
- You ran the MSI: disconnect from Wi-Fi or Ethernet, remove the unexpected ScreenConnect client, scan the system, and rotate passwords from a different trusted device.
Remove Unexpected ScreenConnect Access
After an unexpected ScreenConnect install, focus on stopping access first, then cleanup:
- Disconnect the computer from the network if you suspect the client is active.
- Open Settings > Apps or Control Panel > Programs and Features and look for ScreenConnect Client or ConnectWise Control.
- Check Services for ScreenConnect-related services if the app entry is unclear.
- Reboot, then confirm the client did not return.
- Review browser sessions, email rules, startup entries, scheduled tasks, and recently created administrator accounts if the installer ran with elevated permissions.
- Change email, banking, work, and password-manager credentials from a clean device if the remote session may have been active.
If the installer ran, the visible ScreenConnect entry may be only part of the problem. A phishing download can also leave a loader, scheduled task, browser change, startup entry, or second payload behind, especially when the file arrived through a fake update prompt or ZIP archive. Run a full Gridinsoft Anti-Malware scan after removing the visible client, remove detections, reboot, and scan again if alerts or remote-access symptoms return.
If the page or email made you download an invoice, coupon, tracking app, browser extension, or support tool, scan the PC before opening it again or logging into sensitive accounts.
Scan after running the fake document installerHow This Differs From Other ScreenConnect Scams
If your message opened a fake PDF viewer and asked for a corporate mailbox password rather than downloading ScreenConnect.ClientSetup.msi, use the Revised Invoice phishing checklist because the immediate response is mailbox credential recovery.
This page is about the Adobe Acrobat – Secure Document and Contract Procurement document-lure chain. If your email mentioned Social Security documents, use our Social Security Statement ScreenConnect scam guide instead. If you found ScreenConnect installed but do not know which email or fake page caused it, start with our broader ScreenConnect Client scam cleanup guide. For background on why remote access tools are dangerous when installed by an attacker, see our remote access trojan explainer.
How To Avoid This Lure Next Time
- Do not install software because a document-signing email says a viewer or reader is outdated.
- Verify unexpected contract, invoice, legal, HR, or procurement requests through a separate channel.
- Block or investigate direct MSI downloads from email links.
- Use browser and email security controls that show the real sender and target URL.
- Monitor for unexpected remote-access tools such as ScreenConnect, AnyDesk, TeamViewer, or similar clients.
FAQ
Is the Adobe Acrobat – Secure Document email real?
Treat it as fake if it came unexpectedly, uses a non-Adobe sender domain, pushes a 48-hour deadline, or leads to a software download. A normal signing request should not require AdobeAcrobatInstaller.zip or ScreenConnect.ClientSetup.msi.
What is the Contract Procurement email virus?
It is a malspam variant that pretends to be a procurement or e-signature request. The dangerous version sends the user to a fake Adobe-style document page and pushes AdobeAcrobatInstaller.zip or a ScreenConnect installer instead of a real document.
Is ScreenConnect always malware?
No. ScreenConnect is legitimate remote support software. It becomes dangerous in this situation because an attacker is trying to make you install a remote-access client from a fake document page.
Am I infected if I only read the email?
No. Reading the message is not enough to install the remote-access client. The risk starts when you click through, download the MSI, and run it.
What if I ran ScreenConnect.ClientSetup.msi?
Disconnect the computer, remove the unexpected client, scan for persistence and other malware, then change important passwords from a clean device. If this happened on a work computer or after a procurement email, notify IT immediately because the sender mailbox or vendor thread may also be compromised.
Should I report the email to Adobe?
Yes, especially if it uses Adobe branding or appears to abuse Acrobat Sign. Reporting helps Adobe review phishing and service-abuse patterns.
References
- Adobe. “Notifying Adobe of Security Issues.” Adobe Help Center, accessed June 18, 2026. https://helpx.adobe.com/security/alertus.html
- Adobe. “Report Abuse Links.” Adobe Acrobat Sign Help, updated August 2025, accessed June 18, 2026. https://helpx.adobe.com/sign/admin/report-abuse-links.html
- Microsoft Threat Intelligence. “Signed Malware Impersonating Workplace Apps Deploys RMM Backdoors.” Microsoft Security Blog, March 3, 2026, accessed June 18, 2026. https://www.microsoft.com/en-us/security/blog/2026/03/03/signed-malware-impersonating-workplace-apps-deploys-rmm-backdoors/

