Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Phishing PDFs with multiple links SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Phishing PDFs with multiple links

A reader wanted to know why the phishing PDF he received contained multiple and different links, according to my pdf tools, but would only show the same URL when he hovered over the links in Adobe Reader.

Let's search through this PDF to find an answer. We start with the annotations:

There are five:

All containing a link and action:

All with different rectangles:

When you hover over the URL, you see only one link:

Some of the rectangles are very small, and when you hover close to the left and right edge of the URL, you get the other URL:

So that explains, technically, why there are 2 different URLS, but at first sight only one is displayed: move close to the edge, and you'll see the other URL.

But as to the real explanation, why did they do this? I don't know ... Maybe you have an idea: please post a comment!

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

492 Posts
ISC Handler
Mar 31st 2018

Sign Up for Free or Log In to start participating in the conversation!