These days, when I receive a suspect PDF document, it rarely contains malicious code; more often it is a phishing or other social engineering attack. Such PDFs typically contain clickable URLs. URLs are embedded in PDF documents with the /URI name. I recently updated my pdfid.py tool to report /URI names too:

In this screenshot, you can also see the use of a plugin (-p plugin_triage). The purpose of this plugin is to help less experienced malware analysts triage PDF documents by assigning a score and providing instructions.

With my pdf-parser.py tool, we can extract the URLs like this:
Didier Stevens, ISC Handler | Nov 4th 2017
Nice addition to the tool Didier!
Most of the time this works for me, but I have one PDF with a URL and running the tool shows the following: /URI 18 0 R. Any ideas?
Anonymous | Nov 7th 2017
This refers to object 18 0.
You can select this object with the following command: pdf-parser.py -o 18 sample.pdf.vir
DidierStevens, ISC Handler | Nov 7th 2017
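As an added example (not part of the diary and not code from pdfid.py or pdf-parser.py), the script below shows what resolving such a value involves: it walks the file's objects, finds every /URI, and when the value is an indirect reference like 18 0 R it looks up that object to obtain the string. It also decodes hex strings. The sample PDF is constructed, and the script assumes uncompressed objects (no object streams).

```python
import re

# Constructed sample (not a real malicious file): three /Link annotations whose
# /URI is a literal string, an indirect reference "18 0 R" to a separate string
# object (the case raised in the comment above), and a hex string.
SAMPLE_PDF = b"""%PDF-1.4
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.com/direct) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI 18 0 R >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <687474703A2F2F6578616D706C652E636F6D2F686578> >> >> endobj
18 0 obj (http://example.com/indirect) endobj
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI followed by a literal string, a hex string, or an indirect reference "n g R"
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>|(\d+)\s+(\d+)\s+R)", re.DOTALL)
STR_RE = re.compile(rb"^\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)  # string object body
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

def parse_objects(data):
    """Map (object number, generation) -> object body. Objects inside object streams are not seen."""
    return {(int(n), int(g)): body for n, g, body in OBJ_RE.findall(data)}

def decode_string(literal, hexdata):
    """Decode a PDF literal or hex string to bytes (octal escapes and nested parentheses not handled)."""
    if literal is not None:
        return re.sub(rb"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), literal, flags=re.DOTALL)
    h = re.sub(rb"\s+", b"", hexdata)
    if len(h) % 2:  # PDF treats a missing final hex digit as 0
        h += b"0"
    return bytes.fromhex(h.decode("ascii"))

def extract_uris(data):
    """Return [(object number, url or None)] for every /URI, following an indirect
    reference such as "18 0 R" to the string object it points at (None if unresolved)."""
    objects = parse_objects(data)
    found = []
    for (num, _gen), body in objects.items():
        for m in URI_RE.finditer(body):
            if m.group(3):  # indirect reference: look up object (number, generation)
                target = objects.get((int(m.group(3)), int(m.group(4))))
                s = STR_RE.match(target) if target is not None else None
                url = decode_string(s.group(1), s.group(2)) if s else None
            else:
                url = decode_string(m.group(1), m.group(2))
            found.append((num, None if url is None else url.decode("latin-1")))
    return found

if __name__ == "__main__":
    for num, url in extract_uris(SAMPLE_PDF):
        print(f"obj {num}: {url or 'unresolved indirect reference'}")
```

A None result means the referenced object was not found among the plain objects, which for a real file usually means it lives in a compressed object stream and needs a tool such as pdf-parser.py to unpack it.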