Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: PDF documents & URLs: update - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
PDF documents & URLs: update

I've written before about PDFs with URLs used in social engineering attacks (TL;DR: nowadays, it's more likely you'll receive a malicious PDF that just contains a malicious URL, than a PDF with malicious code).

Since then, I've had a couple of questions about such PDFs where the URL is stored indirectly. Let me give you an example.

I'm using to do a first check of the pdf (I'm using option -n to suppress counters that are equal to 0):

You can see that name /URI appears twice: this is a strong indication that the PDF contains a URL.

Let's extract the values for name /URI with

Instead of extracting the URL, we see that value "18 0 R" was extracted. 18 0 R is a reference to an object with id 18 and version 0.

pdf-parser's option -o can be used to look at this object:

By default, pdf-parser displays the dictionary of an object, but not the data. To view this data, use option -w:

Now we can see that object 18 is just a string: the URL we wanted to extract.



Didier Stevens
Microsoft MVP Consumer Security


652 Posts
ISC Handler
Dec 24th 2017

Sign Up for Free or Log In to start participating in the conversation!