Mailing List Archive

Plugin to extract Links from PDF
Hi Gang

In the last couple of weeks, I have seen a lot of spam mails containing
just one single PDF, hardly any other text. That PDF again contains a
clickable picture leading to some phishing site or similar.

Of course the URL in the PDF is not being checked against URI
Blacklists.

Also creating a rule to match PDF attachment and little text would
create way too many false positives, as sending 'PDF Emails' seems to
be something quite common.

So I wonder if someone already came up with an AS plugin to extract
links from a PDF and check them against URI blacklists.

--
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
--
I m p r o W a r e A G - Head of Commerce Customers
______________________________________________________

Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 Pratteln Fax +41 61 826 93 01
Switzerland Web http://www.imp.ch
______________________________________________________
Re: Plugin to extract Links from PDF
A clickable picture should trigger a web client only if the PDF contains a script for this action, which you can detect using ClamAV.

-------- Original Message --------
On Jun 4, 2021, 08:19, Benoît Panizzon <benoit.panizzon@imp.ch> wrote:
Hi Gang
In the last couple of weeks, I have seen a lot of spam mails containing
just one single PDF, hardly any other text. That PDF again contains a
clickable picture leading to some phishing site or similar.
Of course the URL in the PDF is not being checked against URI
Blacklists.
Also creating a rule to match PDF attachment and little text would
create way too many false positives, as sending 'PDF Emails' seems to
be something quite common.
So I wonder if someone already came up with an AS plugin to extract
links from a PDF and check them against URI blacklists.
Re: Plugin to extract Links from PDF
Hi Rupert

> A clickable picture should trigger a web client only if the pdf
> contains a script for this action, which you can detect using clamav.

Interesting, we use ClamAV. Is this some special setting? A quick
Google search did not reveal how to do this.

But I suspect PDFs containing clickable elements are nothing suspicious
per se, and just blocking them would cause a lot of false positives.

So extracting the link URI from a PDF and checking this against URI
blacklists would probably be more clever.

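The extraction step proposed in the message above, as an added sketch that is not part of any post in this thread and not an existing SpamAssassin plugin: it pulls `/URI` link targets out of a PDF attachment's bytes, including Flate-compressed object streams, and reduces them to hostnames for a URI blacklist lookup. The function names and the sample bytes are constructed for illustration.

```python
import re
import zlib
from urllib.parse import urlsplit

# /URI + literal string (...) or hex string <...>; nested unescaped parens and indirect refs are not handled.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\()])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
def _unescape(raw: bytes) -> bytes:
    # Undo backslash-escaped ( ) \ and octal escapes in a PDF literal string.
    def rep(m):
        tok = m.group(1)
        return bytes([int(tok.decode(), 8) & 0xFF]) if tok[:1].isdigit() else tok
    return re.sub(rb"\\([0-7]{1,3}|[()\\])", rep, raw)

def extract_uris(pdf: bytes) -> list[str]:
    chunks = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:  # link dictionaries may sit inside Flate-compressed object streams
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # other filter or encrypted stream: not decoded here
    uris = []
    for chunk in chunks:
        for m in URI_RE.finditer(chunk):
            if m.group(2) is not None:  # hex string; odd length is padded with 0
                digits = re.sub(rb"\s", b"", m.group(2)).decode()
                value = bytes.fromhex(digits + "0" * (len(digits) % 2))
            else:
                value = _unescape(m.group(1))
            uri = value.decode("latin-1")
            if uri not in uris:
                uris.append(uri)
    return uris

def lookup_hosts(uris: list[str]) -> list[str]:
    # Lower-cased hostnames of http(s) links, to feed the existing blacklist lookup.
    hosts = []
    for uri in uris:
        try:
            parts = urlsplit(uri)
        except ValueError:
            continue  # malformed authority, e.g. unbalanced IPv6 brackets
        if parts.scheme in ("http", "https") and parts.hostname and parts.hostname not in hosts:
            hosts.append(parts.hostname)
    return hosts
# Constructed sample (not a real message): hex-string link in a plain object, escaped literal link in a compressed stream.
_inner = zlib.compress(rb"<< /Subtype /Link /A << /S /URI /URI (https://Login.phish.example/a\(1\)) >> >>")
SAMPLE = (b"%PDF-1.5\n1 0 obj\n<< /A << /S /URI /URI <" + b"http://bad.example/x".hex().encode()
          + b"> >> >>\nendobj\n2 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + _inner + b"\nendstream\nendobj\n")
```

Scanning only the raw bytes would miss the second link in the sample, because its annotation dictionary exists only inside the compressed stream.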
Re: Plugin to extract Links from PDF
On 2021-06-07 13:58, Benoît Panizzon wrote:

> So extracting the link URI from a PDF and checking this against URI
> blacklists would probably be more clever.

It's not the URL, it's if the PDF executes JavaScript or contains macros that
autoload malware, so the URL is irrelevant.

Google YARA and Foxhole.

I use all Foxhole, no surprises anymore.