
Searching inside a PDF document

I have received a PDF document from a fake PayPal address. The PDF name is Paypal_EmailID_JK… To be sure whether the document is malicious or not, I used the tool as in the screenshot below.


It is clear that there are 25 objects and 4 URLs in the document. /JS is 0, meaning there is no JavaScript in this document. Also, /OpenAction is 0, meaning there is no malicious action. But let us use the -e option for more information, as in the figure below.


We see that nothing is appended after the last %%EOF, and we see the total entropy. Finally, I extract those URLs as in the picture below.


The PDF appears to be from Paypal but in fact will redirect the victim to the
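The same checks in a small Python script, as an added example rather than the tool used in this post: it counts objects and action keywords, measures the bytes after the last %%EOF and the total entropy, and lists /URI targets. The sample PDF bytes and the hostname login.example.test are constructed for illustration.

```python
import math
import re
from collections import Counter

# Names that trigger scripts or automatic actions. Counted as raw byte matches,
# so hex-escaped names and compressed object streams are not seen.
KEYWORDS = [b"/JS", b"/JavaScript", b"/OpenAction", b"/AA"]

# Constructed sample: one page with a single link annotation.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (http://login.example.test/verify) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_pdf(data: bytes) -> dict:
    """Static triage of raw PDF bytes; nothing is rendered or executed."""
    report = {"objects": len(re.findall(rb"\b\d+\s+\d+\s+obj\b", data))}
    for kw in KEYWORDS:
        # Lookahead stops /AA from matching a longer name such as /AAxyz.
        pattern = re.escape(kw) + rb"(?![A-Za-z0-9])"
        report[kw.decode()] = len(re.findall(pattern, data))
    eof = data.rfind(b"%%EOF")
    trailing = data[eof + 5:] if eof != -1 else b""
    # Ignore the line ending that normally follows the marker.
    report["bytes_after_last_eof"] = len(trailing.strip(b"\r\n"))
    report["total_entropy"] = round(shannon_entropy(data), 2)
    # Only literal-string targets of the form /URI (http://...) are listed.
    found = re.findall(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", data)
    report["urls"] = [u.decode("latin-1") for u in found]
    return report

if __name__ == "__main__":
    for key, value in triage_pdf(SAMPLE).items():
        print(f"{key:22} {value}")
```

Zero counts for /JS and /OpenAction only rule out scripted and auto-run content; the extracted URLs still have to be checked against the sender the document claims to come from.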

Happy Hunting.

By Guy Ngongang on information security

I am an Information Security Engineer with a strong background in network and cloud computing.

I have done work with FTK Imager and enjoy improving my know-how in my spare time. My aim is to fight cybercriminals and help end users to enjoy the Internet freely.
