PDF URIs

I was handed an interesting PDF document. It doesn’t contain malicious code, yet it generates network traffic. Let me explain how this is achieved.

Creating a PDF that makes a HTTP(S) connection to a website is easy. There’s no need to use an exploit, not even JavaScript. You just have to use a URI object:

20161128-103231

On its own, this object will do nothing. An action is needed to have this URI requested. If you want this URI to be requested when the PDF document is opened, you could add an /OpenAction:

20161128-103504

Adobe Reader will not let this connection happen silently. The user will be prompted before the TCP connection (to subdomain.nviso.be in our example) is established:

screen-shot-2016-11-28-at-10-44-35

But even before the user clicks one of the buttons, Adobe Reader will do a DNS request for this domain (nviso.be):

screen-shot-2016-11-28-at-10-43-43

If the domain does not resolve to an IP address, Adobe Reader will do another DNS request for the subdomain (subdomain.nxdomains.be in this example, where nxdomains.be does not resolve to an IP address):

screen-shot-2016-11-28-at-10-46-50

In this case, the warning presented to the user is slightly different:

screen-shot-2016-11-28-at-10-47-05

This type of PDF document can be used to track users: when the document is opened, a DNS request is performed. If the request is a FQDN unique to the PDF document, then such a DNS request logged by the DNS server is a sure indicator that the PDF document has been opened. Remark that this DNS request will have a source IP address from a DNS server, not from the user’s machine.

If the user allows a connection to be made, then a TCP connection will be established between the user’s machine and the web server.

In a corporate environment with HTTP(S) proxies, the DNS requests can be prevented from going to the Internet.

One thought on “PDF URIs

  1. Pingback: Overview of Content Published In November | Didier Stevens

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s