Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Phishing PDFs with multiple links - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Phishing PDFs with multiple links

A reader wanted to know why the phishing PDF he received contained multiple and different links, according to my pdf tools, but would only show the same URL when he hovered over the links in Adobe Reader.

Let's search through this PDF to find an answer. We start with the annotations:

There are five:

All containing a link and action:

All with different rectangles:

When you hover over the URL, you see only one link:

Some of the rectangles are very small, and when you hover close to the left and right edge of the URL, you get the other URL:

So that explains, technically, why there are 2 different URLS, but at first sight only one is displayed: move close to the edge, and you'll see the other URL.

But as to the real explanation, why did they do this? I don't know ... Maybe you have an idea: please post a comment!

Didier Stevens
Microsoft MVP Consumer Security


649 Posts
ISC Handler
Mar 31st 2018

Sign Up for Free or Log In to start participating in the conversation!