I've written before about PDFs with URLs used in social engineering attacks (TL;DR: nowadays, it's more likely you'll receive a malicious PDF that just contains a malicious URL, than a PDF with malicious code). Since then, I've had a couple of questions about such PDFs where the URL is stored indirectly. Let me give you an example. I'm using pdfid.py to do a first check of the pdf (I'm using option -n to suppress counters that are equal to 0): You can see that name /URI appears twice: this is a strong indication that the PDF contains a URL. Let's extract the values for name /URI with pdf-parser.py: Instead of extracting the URL, we see that value "18 0 R" was extracted. 18 0 R is a reference to an object with id 18 and version 0. pdf-parser's option -o can be used to look at this object: By default, pdf-parser displays the dictionary of an object, but not the data. To view this data, use option -w: Now we can see that object 18 is just a string: the URL we wanted to extract.
Didier Stevens |
DidierStevens 652 Posts ISC Handler Dec 24th 2017 |
Thread locked Subscribe |
Dec 24th 2017 4 years ago |
Sign Up for Free or Log In to start participating in the conversation!