Phishing PDFs with multiple links

Published: 2018-03-31
Last Updated: 2018-03-31 20:25:05 UTC
by Didier Stevens (Version: 1)
0 comment(s)

A reader wanted to know why the phishing PDF he received contained multiple and different links, according to my pdf tools, but would only show the same URL when he hovered over the links in Adobe Reader.

Let's search through this PDF to find an answer. We start with the annotations:

There are five:

All containing a link and action:

All with different rectangles:

When you hover over the URL, you see only one link:

Some of the rectangles are very small, and when you hover close to the left and right edge of the URL, you get the other URL:

So that explains, technically, why there are 2 different URLS, but at first sight only one is displayed: move close to the edge, and you'll see the other URL.

But as to the real explanation, why did they do this? I don't know ... Maybe you have an idea: please post a comment!

Didier Stevens
Microsoft MVP Consumer Security

0 comment(s)


Diary Archives