Re: Identifying PDF phish docs

2017-08-26 Thread Alex
Hi, On Thu, Aug 24, 2017 at 8:00 PM, Alex wrote: > Hi, > > On Wed, Aug 23, 2017 at 3:01 PM, Matus UHLAR - fantomas > wrote: >> On 22.08.17 14:55, Alex wrote: >>> >>> We've been hit a number of times lately by phishing attacks using PDF >>> documents with a link in them. Has anyone had any succes

Re: Identifying PDF phish docs

2017-08-24 Thread Alex
Hi, On Wed, Aug 23, 2017 at 3:01 PM, Matus UHLAR - fantomas wrote: > On 22.08.17 14:55, Alex wrote: >> >> We've been hit a number of times lately by phishing attacks using PDF >> documents with a link in them. Has anyone had any success in blocking >> these PDFs? >> >> You can download one such e

Re: Identifying PDF phish docs

2017-08-23 Thread Matus UHLAR - fantomas
On 22.08.17 14:55, Alex wrote: We've been hit a number of times lately by phishing attacks using PDF documents with a link in them. Has anyone had any success in blocking these PDFs? You can download one such example here: https://www.dropbox.com/s/b97pcvl1wm1oocq/pdf-phish.pdf?dl=0 I know ther

Re: Identifying PDF phish docs

2017-08-23 Thread Kevin Golding
On Wed, 23 Aug 2017 02:02:58 +0100, Alex wrote: John wrote: clamav? It's too slow to react, particularly when the PDFs are written specifically to reach a domain. Sometimes the PDF will never be detected by any of the antivirus scanners because of this. http://blog.adamsweet.org/?p=250

Re: Identifying PDF phish docs

2017-08-22 Thread Alex
Hi, On Tue, Aug 22, 2017 at 8:46 PM, Dianne Skoll wrote: > On Tue, 22 Aug 2017 20:19:06 -0400 > Alex wrote: > >> > Take a look at podofopdfinfo. It can extract URLs from PDF docs >> > and you can trigger on those. > >> Thank you. It didn't work on this one :-( > > It worked for me: > > $ podofo

Re: Identifying PDF phish docs

2017-08-22 Thread Dianne Skoll
On Tue, 22 Aug 2017 20:19:06 -0400 Alex wrote: > > Take a look at podofopdfinfo. It can extract URLs from PDF docs > > and you can trigger on those. > Thank you. It didn't work on this one :-( It worked for me: $ podofopdfinfo pdf-phish.pdf Document Info - File: pdf-phi

Re: Identifying PDF phish docs

2017-08-22 Thread John Hardin
On Tue, 22 Aug 2017, Alex wrote: Are there any current solutions for those of us with spamassassin and amavisd? clamav? -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F

Re: Identifying PDF phish docs

2017-08-22 Thread Alex
Hi, On Tue, Aug 22, 2017 at 3:14 PM, Dianne Skoll wrote: > On Tue, 22 Aug 2017 14:55:01 -0400 > Alex wrote: > >> I know there was a PDF OCR plugin of some sort, but I don't recall it >> being all that effective. Ideas greatly appreciated. > > Take a look at podofopdfinfo. It can extract URLs fr

Re: Identifying PDF phish docs

2017-08-22 Thread Dianne Skoll
On Tue, 22 Aug 2017 14:55:01 -0400 Alex wrote: > I know there was a PDF OCR plugin of some sort, but I don't recall it > being all that effective. Ideas greatly appreciated. Take a look at podofopdfinfo. It can extract URLs from PDF docs and you can trigger on those. Regards, Dianne.

Identifying PDF phish docs

2017-08-22 Thread Alex
Hi, We've been hit a number of times lately by phishing attacks using PDF documents with a link in them. Has anyone had any success in blocking these PDFs? You can download one such example here: https://www.dropbox.com/s/b97pcvl1wm1oocq/pdf-phish.pdf?dl=0 I know there was a PDF OCR plugin of so