Uniform resource locators (URLs) can be found embedded in myriad file formats. These links often go unnoticed during standard file validation checks at the point of upload to a web server – and that’s a major oversight. URLs can be just as dangerous as executables if left uninspected; they can lead to drive-by downloads, phishing page redirects for credential harvesting, and many browser-based exploits.

In this article, we’ll learn about the different file types URLs can hide within during a file upload process, and we’ll explore the different threats those URLs can pose if left unchecked. We’ll learn how weakly configured antivirus (AV) solutions can easily miss URL threats in a standard file scanning workflow, and we’ll briefly review how Cloudmersive’s Advanced Virus Scan API extracts and inspects embedded URLs from within complex file structures.

Where malicious URLs hide in uploaded files

URLs are ubiquitous in the modern digital landscape, and many file types offer robust features for URL linking. That means malicious URLs can be embedded in a wide range of unique file types at the point of upload, and from there, they can point to an even wider range of dangerous sites and objects. Some of these file types are exceedingly complex, and some are surprisingly straightforward. Below, we’ll cover some of the most common file types malicious URLs are embedded within.

Common Document Formats

Many enterprise file upload workflows revolve around accepting popular file formats like Word (.docx) or PDF (.pdf). These formats might appear familiar and simple on the outside – when on the inside they’re complex multimedia containers designed with a variety of powerful object storage and linking capabilities. Each can carry user-accessible hyperlinks with deceptive hyperlink text (e.g., pretending to lead to a necessary report or form of some kind), and each can hide links from users by burying the URLs deep in the document metadata.

Web-Related Files

It should be no surprise to anyone that web-related file formats can carry dynamic URLs. As such, it’s relatively rare for file upload workflows to accept web-native formats at all – but web content can still be obfuscated within complex documents (like those described above) or embedded in message formats like .msg or .eml. HTML, for example, can quickly load scripts, images, and iframes from malicious domains directly in a web browser. An .html page that passes through an upload entry point undetected might reference external JavaScript hosting malware; opening that page might execute a malicious script or trigger some web browser-based exploit in the victim’s environment.

Data and Text Files

Excel (.xlsx) spreadsheets are structured similarly to .docx and .pdf files – but they deserve to live in a broader “data” category in this case. Insecure URLs in .xlsx uploads can pull data from suspicious web queries or scripts with hidden command & control (C2) server links.

CSV (.csv) files – which are inert text-based containers on their own – can carry hyperlink formulas designed to become clickable when opened within the MS Excel application. JSON and XML files are used for structured data, but they can carry URLs linking to malicious API endpoints, external resources (like images), or dangerous external scripts. It’s worth noting that text-based script files like JavaScript (.js), Python (.py), and PowerShell (.ps1) can also point to remote payloads via URLs – but external links are low on the list of immediate concerns when script formats pass through file uploads undetected.

Images and Metadata

Image files are a sneaky inclusion in this list. From a security point of view, image files are more well-known for their potential to carry malware obfuscated in pixels via steganographic techniques – but many image formats can carry malicious URLs, too. Some images can embed malicious URLs in their EXIF metadata – or even behind QR codes included in the image. Specially crafted JPG (.jpg or .jpeg) files, for example, might redirect to malicious site when scanned or previewed in certain vulnerable applications.

Understanding the threats malicious URLs can pose

Threat actors can leverage URLs to achieve a variety of different attack outcomes. We’ll cover some of the most common URL threats below.

Phishing

Nowadays, phishing scams are a routine part of daily life for users on personal and enterprise networks alike. Most potential phishing scam victims are now trained to avoid suspicious links based on discrepancies in the URL text or suspicious language in the accompanying social engineering message, and most enterprise environment successfully screen phishing emails away from potential victims.

However, URLs embedded within files uploaded to an enterprise server can still catch even the most well-trained users off guard. When files appear to have survived a thorough screening at the point of upload, it’s far more likely that their contents will be trusted implicitly – and internal file links can just as easily point to credential harvesting sites as email links can.

Drive-By Downloads

URL links which trigger automatic malware downloads are among the most dangerous URL threats we can expect to find embedded in file uploads. Failing to identify them at the point of upload is a serious problem. Drive-by download links can lead to instant compromise of the endpoint, often without any visible user interaction or consent. One stray click is all it takes.

Command and Control (C2) Connection

Sophisticated threat actors sometimes attempt to establish a connection between a target enterprise server and an external server which they control. These external servers are referred to as command and control (C2) servers, and they’re used to remotely issue commands to compromised systems. They can also receive exfiltrated data or status updates from compromised systems – often without setting off any alarms in the enterprise network.

Browser-Based Exploits

As we alluded to earlier, web-based files like HTML can carry JavaScript or ifames which load content from a malicious domain via URL when opened in a vulnerable web browser. This can lead to malicious code automatically executing within the user’s environment, or even direct malware installation.

Why some AV solutions might miss URL threats

AV solutions occasionally focus too rigidly on identifying malware signatures and other known, established threats in a file upload workflow. Identifying malicious URLs requires an AV solution to resolve and follow URLs (i.e., analyze where they point to in real time). If an AV solution only focuses on malicious content hosted within the file upload itself, it won’t catch the fact that malicious content might be hosted externally instead.

How Cloudmersive detects and neutralizes URL-based threats

Cloudmersive’s Advanced Virus Scan API extracts and inspects all URLs embedded within file content at the point of upload, and it performs real-time threat analysis on each individual link. This detects malware-hosting domains, phishing sites, potential botnet indicators, and a wide range of additional threats. Even when URLs are nested extremely deep within a given file – such as within compressed archive file types like ZIP (.zip) or RAR (``.rar```), the Advanced Virus Scan API employs recursive scanning to identify each potential threat layer.

The Advanced Virus Scan API also supports the option to block files with object linking and embedding (OLE) features directly. This categorically removes files which contain any external links to external objects or domains from an upload process.

The Advanced Virus Scan API can be deployed in defense of individual web applications (with minor code changes) or as a zero-code solution in forward proxies, reverse proxies, ICAP servers, and proxies adjacent to AWS, Azure, and GCP object storage instances for in-storage scanning.

Final Thoughts

URLs are significant attack vector in modern file uploads. Enterprise AV solutions should treat embedded links just as seriously as more eye-catching threats like executables or macros because of their ability to download malware or establish insecure external connections.

To learn more about scanning files for embedded URL threats with Cloudmersive, please feel free to contact a member of our team.