
SANS ISC: PDF documents & URLs - SANS Internet Storm Center SANS ISC InfoSec Forums

PDF documents & URLs

These days, when I receive a suspect PDF document, it rarely contains malicious code; more often it is a vehicle for phishing or another social engineering attack. Such PDFs often contain URLs that can be clicked.

URLs can be included in PDF documents using the /URI name. I recently updated my tool to report /URI names too:

In this screenshot, you can also see the use of a plugin (-p plugin_triage). The purpose of this plugin is to help less experienced malware analysts triage PDF documents by assigning a score and providing instructions.

With my tool, we can extract the URLs like this:


Didier Stevens
Microsoft MVP Consumer Security


649 Posts
ISC Handler
Nov 4th 2017
Nice addition to the tool Didier!

Most of the time this works for me - but I have one PDF with a URL and running the tool shows the following

/URI 18 0 R

Any ideas?
This refers to object 18 0.

You can select this object with the following command: -o 18 sample.pdf.vir

649 Posts
ISC Handler
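For triage without opening the document, the following added example (not part of the original diary or thread, and not the author's tool) lists /URI values from raw PDF bytes and resolves the indirect form `/URI 18 0 R` to the string stored in object 18. The function and variable names are hypothetical, the sample bytes are constructed, and the sketch assumes uncompressed objects and strings without nested unescaped parentheses.

```python
import re

# A PDF string: literal "(...)" with backslash escapes, or hexadecimal "<...>".
STRING = rb"\(((?:\\.|[^\\()])*)\)|<([0-9A-Fa-f\s]*)>"
# "N G obj ... endobj" bodies, so references such as "18 0 R" can be looked up.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# A /URI key followed by an indirect reference or a string value.
URI_RE = re.compile(rb"/URI\s*(?:(\d+)\s+(\d+)\s+R\b|" + STRING + rb")", re.S)
STR_RE = re.compile(rb"\s*(?:" + STRING + rb")", re.S)

# Constructed sample: direct, indirect, hex-encoded and dangling /URI values.
SAMPLE = b"""%PDF-1.4
5 0 obj << /Type /Annot /A << /S /URI /URI (http://example.com/login\\(1\\)) >> >> endobj
7 0 obj << /Type /Annot /A << /S /URI /URI 18 0 R >> >> endobj
18 0 obj (https://example.org/invoice) endobj
11 0 obj << /A << /S /URI /URI <687474703A2F2F6578616D706C652E6E6574> >> >> endobj
9 0 obj << /A << /S /URI /URI 42 0 R >> >> endobj
"""

def _decode(lit, hexs):
    """Turn a matched literal or hex PDF string into text."""
    if lit is not None:
        raw = re.sub(rb"\\([()\\])", rb"\1", lit)  # unescape \( \) \\
    else:
        h = re.sub(rb"\s", b"", hexs)
        raw = bytes.fromhex((h + b"0" * (len(h) % 2)).decode("ascii"))
    return raw.decode("latin-1")

def extract_uris(pdf):
    """Return every /URI value in document order, following indirect references."""
    objects = {(int(n), int(g)): body for n, g, body in OBJ_RE.findall(pdf)}
    results = []
    for m in URI_RE.finditer(pdf):
        num, gen, lit, hexs = m.groups()
        if num is None:                      # value stored directly after /URI
            results.append(_decode(lit, hexs))
            continue
        ref = (int(num), int(gen))           # value stored in another object
        target = STR_RE.match(objects.get(ref, b""))
        if target:
            results.append(_decode(*target.groups()))
        else:                                # e.g. target sits in a compressed stream
            results.append(f"unresolved: {ref[0]} {ref[1]} R")
    return results

if __name__ == "__main__":
    for uri in extract_uris(SAMPLE):
        print(uri)
```

An "unresolved" entry means the referenced object was not found in plain form, so the URL still has to be recovered by selecting that object with a full PDF parser.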
