PDF documents & URLs

Published: 2017-11-04
Last Updated: 2017-11-04 22:32:33 UTC
by Didier Stevens (Version: 1)
2 comment(s)

These days, when I receive a suspect PDF document, it's rare that it contains malicious code, but it will rather be a phishing or other social engineering attack. Such PDFs often contain URLs that can be clicked.

URLs can be included in PDF documents using the /URI name. I recently updated my pdfid.py tool to report /URI names too:

In this screenshot, you can also see the use of a plugin (-p plugin_triage). The purpose of this plugin is to help less experienced malware analyst to triage PDF documents, by assigning a score and providing instructions.

With my pdf-parser.py tool, we can extract the URLs like this:


Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: maldoc pdf phishing
2 comment(s)


Diary Archives