Embedded URL Analysis

The embedded URL analysis feature allows the Malware Analysis appliance to extract suspicious URLs that are embedded in a PDF file or a Microsoft Office file. When the Malware Analysis appliance extracts a suspicious URL from the PDF file or the Microsoft Office file, it sends the URL to the URL analysis service for analysis. With Guest Images release 16.0901, the Malware Analysis appliance can extract the suspicious URLs from a Microsoft Office file during dynamic analysis. Before the Malware Analysis appliance submits the PDF file or the Microsoft Office file for analysis, a verdict is determined for the embedded URL based on custom whitelists, custom blacklists, typosquatting, and so forth.

NOTE: A verdict based on URL Dynamic Analysis cannot be determined for the embedded URL before the Malware Analysis appliance submits a Microsoft Office file for analysis.

If the embedded URL that is extracted from the PDF file or the Microsoft Office file is detected as malicious, the Malware Analysis appliance immediately blocks the file.

NOTE: The embedded URL analysis feature is enabled by default.
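
The following is an added example, not FireEye code or part of the original page. It extracts externally targeted URLs from the relationship parts of an Office Open XML file and assigns each a pre-submission verdict from custom lists and a typosquatting check. The domain lists, the `max_urls` cap, the edit-distance threshold of 1, and the blacklist-before-whitelist precedence are assumptions, and the sample document is constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer defusedxml
from urllib.parse import urlsplit

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
ALLOWLIST = {"intranet.example"}   # constructed custom whitelist
BLOCKLIST = {"malware.test"}       # constructed custom blacklist

def extract_urls(ooxml_bytes, max_urls=10):
    """Collect external relationship targets, up to a hypothetical max_urls cap."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in (n for n in zf.namelist() if n.endswith(".rels")):
            for rel in ET.fromstring(zf.read(name)).iter(REL):
                if rel.get("TargetMode") == "External" and len(urls) < max_urls:
                    urls.append(rel.get("Target"))
    return urls

def edit_distance(a, b):
    """Levenshtein distance computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def verdict(url):
    host = (urlsplit(url).hostname or "").lower()
    if host in BLOCKLIST:  # assumed precedence: blacklist, whitelist, typosquat
        return "malicious"
    if host in ALLOWLIST:
        return "benign"
    if any(edit_distance(host, good) == 1 for good in ALLOWLIST):
        return "suspicious-typosquat"
    return "unknown"

def build_sample_docx():
    """Constructed sample: a ZIP holding only a relationships part (Type values shortened)."""
    ns = "http://schemas.openxmlformats.org/package/2006/relationships"
    targets = ["https://intranet.example/wiki", "http://intramet.example/login", "http://malware.test/a"]
    rel = '<Relationship Id="rId{}" Type="hyperlink" Target="{}" TargetMode="External"/>'
    rels = "".join(rel.format(i, t) for i, t in enumerate(targets, 1))
    rels += '<Relationship Id="rId9" Type="styles" Target="styles.xml"/>'  # internal, skipped
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", f'<Relationships xmlns="{ns}">{rels}</Relationships>')
    return buf.getvalue()
```

Calling `[verdict(u) for u in extract_urls(build_sample_docx())]` classifies the three external targets; the internal `styles.xml` relationship is never extracted because it has no `TargetMode="External"`.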

Usage Guidelines

FireEye recommends that you follow these usage guidelines when you are managing embedded URL analysis:

  • You can verify that the appliance is enabled to extract suspicious URLs that are embedded in PDF and Microsoft Office files. Use the show static-analysis config command.
  • You can configure the maximum number of embedded URLs extracted from PDF and Microsoft Office files. For details about how to configure the maximum number of embedded URLs, see Configuring the Number of Embedded URLs to Extract from Files.