This morning I got a heads up from Steve Basford over at Sanesecurity that he had seen a PDF file that contained an embedded document file, a Word .doc file, and of course that .doc file is like the ones we've been seeing for several months now: it contains malicious VBA code. So this is the file here, "sales invoice", and like usual I add the extension .vir, and it is in a password-protected ZIP file.

So let's have a look with pdfid, and indeed it contains an embedded file and also JavaScript. So with pdf-parser let's have a look. Let's search for "embedded file". OK, we have two objects, object 1 and object 10. Object 10 actually contains "EmbeddedFiles", the plural, so that's actually a false positive because we are looking for "EmbeddedFile", singular. And so the actual embedded file is here in object 1, and you can see that it contains a stream that is compressed, FlateDecode, so that is most probably our Word document.

So let's have a look inside that stream. For that we apply the filter and then we will see the content of the stream, but because it's probably very long I'm going to pipe this into more, like this. OK, so this is the content of the stream, the beginning actually. We recognize here the D0 CF 11 E0, and that is the magic signature for an OLE file.

OK, so now we are going to extract this and pass it to oledump. We can dump it to disk with option -d: the filtered content of the stream can be dumped to disk with -d, and then we type a filename, like maldoc.vir for example. But I'm not going to do this here, because this is the latest version of my pdf-parser where I added one small option: if you type - as the filename, then the data in the stream will be directed to standard output, and this way you can pipe it into another command. So we are directly going to pipe it into oledump.
So we extract it with pdf-parser, we don't write it to disk, but we pipe it directly into oledump, like this. And indeed oledump recognizes this as an OLE file, and there are macros in there. So let's run our plugins. The ones I always use are the plugin for Dridex and the plugin for HTTP heuristics; you can specify several plugins to be run at the same time, like this. OK, and let's scroll up a bit. Yeah, and here the Dridex decoder was actually able to decode the obfuscated URL. OK.

Now if this is too much output for you, then you can also use the option quiet, so -q, quiet, and this will only output data from the plugins and nothing else. So you see the result is already smaller, and here you have the URL. And of course this output you can grep for "http", like this, and here you have in one single line the URL.
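The triage steps walked through above (find the object carrying the singular /EmbeddedFile key rather than the plural /EmbeddedFiles name-tree key, inflate its FlateDecode stream, and check whether the inflated data starts with the D0 CF 11 E0 OLE header) as a small stand-alone scanner. This is an added example written for this page; it is not code from pdfid, pdf-parser or oledump, and the sample PDF it scans is constructed inline (the object numbers 1 and 10 mirror the video, the rest is just enough structure for the scanner).

```python
import re
import zlib

# First 8 bytes of an OLE2 compound file (Word .doc, Excel .xls, ...):
# the "D0 CF 11 E0" seen at the top of the inflated stream in the video.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Singular key only: the negative lookahead rejects /EmbeddedFiles, the
# name-tree key that produced the false positive in the video.
EMBEDDED_FILE_RE = re.compile(rb"/EmbeddedFile(?![A-Za-z])")
EMBEDDED_FILES_RE = re.compile(rb"/EmbeddedFiles(?![A-Za-z])")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def build_sample_pdf(payload: bytes) -> bytes:
    """Constructed sample: object 1 is a FlateDecode /EmbeddedFile stream that
    holds `payload`; object 10 is a /Names dictionary whose /EmbeddedFiles key
    reproduces the plural false positive. Not a viewer-valid PDF, just enough
    structure for scan_embedded_files()."""
    compressed = zlib.compress(payload)
    header = b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>" % len(compressed)
    obj1 = b"1 0 obj\n" + header + b"\nstream\n" + compressed + b"\nendstream\nendobj\n"
    obj10 = b"10 0 obj\n<< /Names << /EmbeddedFiles 11 0 R >> >>\nendobj\n"
    return b"%PDF-1.4\n" + obj1 + obj10 + b"%%EOF\n"


def scan_embedded_files(pdf: bytes) -> list:
    """Return one record per object that mentions /EmbeddedFile (singular), with
    its stream inflated (if FlateDecode) and the first bytes checked against the
    OLE magic. Objects that only carry the plural /EmbeddedFiles key are reported
    separately so the analyst sees why they are not the file itself."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        if EMBEDDED_FILE_RE.search(body):
            record = {"obj": num, "kind": "EmbeddedFile", "ole": False, "payload": b""}
            s = STREAM_RE.search(body)
            if s:
                data = s.group(1)
                if b"/FlateDecode" in body:
                    try:
                        data = zlib.decompress(data)
                    except zlib.error:
                        data = b""  # corrupt or unsupported stream: report, don't crash
                record["payload"] = data
                record["ole"] = data.startswith(OLE_MAGIC)
            findings.append(record)
        elif EMBEDDED_FILES_RE.search(body):
            findings.append({"obj": num, "kind": "EmbeddedFiles name tree",
                             "ole": False, "payload": b""})
    return findings


if __name__ == "__main__":
    # Constructed OLE-looking payload: the magic header followed by filler.
    sample = build_sample_pdf(OLE_MAGIC + b"\x00" * 24 + b"constructed fake OLE body")
    for rec in scan_embedded_files(sample):
        print("object %d: %s, OLE header: %s, %d bytes inflated"
              % (rec["obj"], rec["kind"], rec["ole"], len(rec["payload"])))
```

On a real sample you would read the PDF from disk and hand `record["payload"]` to oledump (or write it out with a .vir extension, as in the video) once `ole` is True; the scanner deliberately only inflates and fingerprints, it never executes or parses the macros.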