
Phishing PDFs with multiple links

Published: 2018-03-31
Last Updated: 2018-03-31 20:25:05 UTC
by Didier Stevens (Version: 1)

A reader wanted to know why the phishing PDF he received contained multiple and different links, according to my pdf tools, but would only show the same URL when he hovered over the links in Adobe Reader.

Let's search through this PDF to find an answer. We start with the annotations:

There are five:

All containing a link and action:

All with different rectangles:

When you hover over the URL, you see only one link:

Some of the rectangles are very small, and when you hover close to the left and right edge of the URL, you get the other URL:

So that explains, technically, why there are 2 different URLs although at first sight only one is displayed: move close to the edge, and you'll see the other URL.
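To check a suspicious PDF for this layout without hovering, the following Python script (an added example, not part of the original diary and not one of the pdf tools used above) lists link annotations and reports pairs whose rectangles overlap or touch but point to different URIs. It assumes the annotation objects are stored uncompressed (not inside object streams) and that URIs contain no escaped parentheses; the sample data, URLs and function names are constructed for illustration.

```python
import re

# Constructed sample (not the PDF from this diary): five uncompressed link
# annotations, two distinct URIs; object numbers, coordinates and URLs are made up.
A, B = "http://site-a.example/login", "http://site-b.example/login"
SAMPLE = "".join(
    f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [ {r} ] "
    f"/A << /S /URI /URI ({u}) >> >>\nendobj\n"
    for n, r, u in [(10, "100 500 300 512", A), (11, "97 500 100 512", B),
                    (12, "300 500 303 512", B), (13, "100 400 300 412", A),
                    (14, "300 400 303 412", B)]).encode("latin-1")

OBJ_RE = re.compile(r"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
RECT_RE = re.compile(r"/Rect\s*\[([^\]]+)\]")
URI_RE = re.compile(r"/URI\s*\((.*?)\)", re.S)

def parse_link_annotations(pdf_bytes):
    """Return [{'obj', 'rect', 'uri'}] for every /Link annotation with a /URI action."""
    links = []
    for num, body in OBJ_RE.findall(pdf_bytes.decode("latin-1")):
        rect, uri = RECT_RE.search(body), URI_RE.search(body)
        if not (re.search(r"/Subtype\s*/Link\b", body) and rect and uri):
            continue
        x0, y0, x1, y1 = (float(v) for v in rect.group(1).split())
        # /Rect may list any two opposite corners; normalise to (left, bottom, right, top)
        links.append({"obj": int(num), "uri": uri.group(1),
                      "rect": (min(x0, x1), min(y0, y1), max(x0, x1), max(y0, y1))})
    return links

def area(r):
    return (r[2] - r[0]) * (r[3] - r[1])

def touches(a, b, tol=1.0):
    """True when two rectangles overlap or sit within tol points of each other."""
    return (a[0] <= b[2] + tol and b[0] <= a[2] + tol and
            a[1] <= b[3] + tol and b[1] <= a[3] + tol)

def find_conflicting_links(links, tol=1.0):
    """Pairs of overlapping/adjacent link areas with different URIs, smaller area first."""
    findings = []
    for i, a in enumerate(links):
        for b in links[i + 1:]:
            if a["uri"] != b["uri"] and touches(a["rect"], b["rect"], tol):
                small, big = sorted((a, b), key=lambda l: area(l["rect"]))
                findings.append((small["obj"], big["obj"], small["uri"], big["uri"]))
    return findings

if __name__ == "__main__":
    for small, big, s_uri, b_uri in find_conflicting_links(parse_link_annotations(SAMPLE)):
        print(f"obj {small} ({s_uri}) hugs the edge of obj {big} ({b_uri})")
```

For a real file, pass the raw bytes read in binary mode; annotations held in compressed object streams have to be decompressed first for the regular expressions to see them.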

But as to the real explanation, why did they do this? I don't know ... Maybe you have an idea: please post a comment!

Didier Stevens
Microsoft MVP Consumer Security
