[poppler] Encrypted malicious PDFs fail

Ross Moore ross.moore at mq.edu.au
Wed Sep 13 23:04:43 UTC 2017


Hello Alex,

On Sep 14, 2017, at 8:20 AM, Alex <mysqlstudent at gmail.com> wrote:

> Hi,
>
> I have a malicious PDF that fails to be detected properly apparently
> because it's encrypted in some way:

Yes. It uses PDF password protection.
You can do this with any PDF, given appropriate software.
(e.g., Adobe’s Acrobat Pro.)

Without the password, you cannot edit or change the information.
This is a pretty standard thing with PDFs, that you are going to deliver online
— for whatever reason — and don’t want anyone tampering with them.



> # podofopdfinfo /var/tmp/Invoice\ -\ NF22394519.pdf
> Error: An error 8 ocurred during uncompressing the pdf file.

Presumably because you didn’t supply the needed password.



> PoDoFo encounter an error. Error: 8 ePdfError_InternalLogic
>        Error Description: An internal error occurred.
>        Callstack:
>        #0 Error Source:
> /builddir/build/BUILD/podofo-0.9.1/src/base/PdfParser.cpp:209
>                Information: Unable to load objects from file.
>        #1 Error Source:
> /builddir/build/BUILD/podofo-0.9.1/src/base/PdfParserObject.cpp:377
>                Information: Unable to parse the stream for object 30 0 obj .
>        #2 Error Source:
> /builddir/build/BUILD/podofo-0.9.1/src/base/PdfEncrypt.cpp:1137
>                Information: CreateEncryptionInputStream does not yet
> support AES

> Would someone be interested in investigating this? Am I missing
> something to properly detect and manage these?
>
> https://www.dropbox.com/s/8bqkp5okojma83b/Invoice%20-%20NF22394519.pdf?dl=0

> Is there a legitimate reason to encrypt a PDF in this way?

Certainly.
It has been a standard thing with PDF, pretty much from the beginning.

My credit card statements all come this way.
I’d be pretty upset if such PDFs were not password-protected.


> In other
> words, I can still see the contents and click on the malicious link,

The hyperlinks are to:

   http://2ndflorida.com/2008_Armisteads_Charge_1_files/7_667785300-invoice

Why do you believe this to be malicious?
How is it any different from a phishing link that might arrive in an email message?

> but apparently not view the meta information about it…

What meta information are you referring to?
The Document Properties are as in the attached image.

[attached screenshot: Document Properties]


Acrobat Pro lets you explore the inner structure, using “Preflight”,
as in the 2nd image.

[attached screenshot: Acrobat Pro Preflight, document structure]

Preflight also reports some errors in the PDF syntax.

[attached screenshot: Preflight syntax errors]

These don’t seem to be serious errors.
I don’t see any reason to brand the PDF as being malicious.

But I’m not prepared to say anything about the target website.
Visit there, at your own risk.


> _______________________________________________
> poppler mailing list
> poppler at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/poppler



Hope this helps.

Ross


Dr Ross Moore
Mathematics Dept | 12 Wally’s Walk, 734
Macquarie University, NSW 2109, Australia
T: +61 2 9850 8955  |  F: +61 2 9850 8114
M: +61 407 288 255  |  E: ross.moore at mq.edu.au

http://www.maths.mq.edu.au




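Editorial note with an added example (not from the thread, and not PoDoFo or poppler code). The podofo failure quoted above is an implementation gap, CreateEncryptionInputStream in PoDoFo 0.9.1 not supporting AES, and says nothing about whether the document is actually locked. Alex reports being able to see the contents and click the link, and Ross describes protection that only prevents editing; in PDF terms that is a document whose user password is empty and whose owner password is set. The file key is then derived from the empty password, so any reader, and any scanner that implements the standard security handler, can decrypt it. The script below shows the check a scanner should run before giving up: read the /Encrypt dictionary (V, R, key length, crypt filter method) and test the empty user password with algorithms 2, 5 and 6 of ISO 32000-1 section 7.6.3. It runs against a constructed skeleton PDF with the same AESV2 / R4 layout that PoDoFo rejected; the /O and /ID values are arbitrary constants, /U is derived inside the script, and nothing is taken from the invoice in the Dropbox link. Only V <= 4 (RC4 and AESV2) is handled; the SHA-256 based AESV3 handler (R 5 and 6) is out of scope.

```python
"""Triage an encrypted PDF's standard security handler with the stdlib only.
Reads V, R, key length and crypt filter method from /Encrypt, then runs the
user-password check of ISO 32000-1 7.6.3 (algorithms 2, 5 and 6) with the
empty password; success means "owner password only": any reader decrypts it.
Covers V <= 4 (RC4 and AESV2); the SHA-256 based AESV3 handler is not."""
import hashlib
import re
import struct

# Password padding string, ISO 32000-1 7.6.3.3 algorithm 2 step a.
PAD = bytes.fromhex("28BF4E5E4E758A4164004E56FFFA01082E2E00B6D0683E802F0CA9FE6453697A")

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the standard handler derives and checks /U with it."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def compute_key(password, o_value, p_value, id0, revision, key_bytes):
    """Algorithm 2: file key from the user password (EncryptMetadata true)."""
    padded = (password + PAD)[:32]
    digest = hashlib.md5(padded + o_value + struct.pack("<i", p_value) + id0).digest()
    n = 5 if revision == 2 else key_bytes
    for _ in range(50 if revision >= 3 else 0):   # R3/R4: 50 extra MD5 rounds
        digest = hashlib.md5(digest[:n]).digest()
    return digest[:n]

def compute_u(key, id0, revision):
    """Algorithms 4 (R2) and 5 (R3/R4): the /U value this key must reproduce."""
    if revision == 2:
        return rc4(key, PAD)
    x = rc4(key, hashlib.md5(PAD + id0).digest())
    for i in range(1, 20):
        x = rc4(bytes(b ^ i for b in key), x)
    return x + b"\x00" * 16                      # last 16 bytes are arbitrary

def parse_encrypt(pdf: bytes) -> dict:
    """Follow trailer /Encrypt to its object and read the handler fields.
    Deliberately minimal: one trailer, direct values, hex-string /O /U /ID."""
    def field(src, pattern, conv):
        m = re.search(pattern, src)
        return conv(m.group(1)) if m else None
    unhex = lambda h: bytes.fromhex(h.decode())
    trailer = pdf[pdf.rfind(b"trailer"):]
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", trailer)
    if not ref:
        return {"encrypted": False}
    body = re.search(rb"\b" + ref.group(1) + rb"\s+" + ref.group(2) +
                     rb"\s+obj\s*<<(.*?)>>\s*endobj", pdf, re.S).group(1)
    flat = body            # drop nested /CF dicts so /Length is the file key length
    while re.search(rb"<<[^<>]*>>", flat):
        flat = re.sub(rb"<<[^<>]*>>", b"", flat)
    v = field(flat, rb"/V\s+(\d+)", int) or 0
    return {
        "encrypted": True,
        "filter": field(flat, rb"/Filter\s*/(\w+)", bytes.decode),
        "V": v,
        "R": field(flat, rb"/R\s+(\d+)", int),
        "key_bits": field(flat, rb"/Length\s+(\d+)", int) or 40,
        # V < 4 is always RC4; V 4 names the method in the /CF crypt filter.
        "cfm": field(body, rb"/CFM\s*/(\w+)", bytes.decode) if v >= 4 else "V2",
        "P": field(flat, rb"/P\s+(-?\d+)", int),
        "O": field(body, rb"/O\s*<([0-9A-Fa-f]+)>", unhex) or b"",
        "U": field(body, rb"/U\s*<([0-9A-Fa-f]+)>", unhex) or b"",
        "id0": field(trailer, rb"/ID\s*\[\s*<([0-9A-Fa-f]+)>", unhex) or b"",
    }

def user_password_is_valid(password: bytes, enc: dict) -> bool:
    """Algorithm 6: recompute /U from the candidate password and compare."""
    key = compute_key(password, enc["O"], enc["P"], enc["id0"], enc["R"], enc["key_bits"] // 8)
    n = 32 if enc["R"] == 2 else 16
    return compute_u(key, enc["id0"], enc["R"])[:n] == enc["U"][:n]

def triage(pdf: bytes) -> dict:
    """Handler summary plus the fact a scanner needs before giving up:
    does the empty user password open the file?"""
    enc = parse_encrypt(pdf)
    if enc["encrypted"]:
        enc["opens_without_password"] = user_password_is_valid(b"", enc)
    return enc

def build_sample_pdf(user_password: bytes = b"") -> bytes:
    """Constructed sample, not the thread's invoice: skeleton PDF with the AESV2 / R4
    /Encrypt layout PoDoFo 0.9.1 rejects. /O and /ID are arbitrary fixed bytes."""
    o_value, id0, p_value = bytes(range(32)), bytes.fromhex("00112233445566778899aabbccddeeff"), -3904
    u_value = compute_u(compute_key(user_password, o_value, p_value, id0, 4, 16), id0, 4)
    hx = lambda b: b"<" + b.hex().encode() + b">"
    return (b"%PDF-1.6\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"5 0 obj\n<< /Filter /Standard /V 4 /R 4 /Length 128 /P -3904\n"
            b"/CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >>\n"
            b"/StmF /StdCF /StrF /StdCF /O " + hx(o_value) + b" /U " + hx(u_value) + b" >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R /ID [" + hx(id0) + b" " + hx(id0) + b"] >>\n%%EOF\n")
```

Run triage(build_sample_pdf()) and the result reports filter Standard, V 4, R 4, 128-bit AESV2 and opens_without_password True: the file is readable by anyone, and a scanner that stops at "encrypted" has simply not implemented the handler. Passing a non-empty user password to build_sample_pdf produces the genuinely locked case, where the empty password fails and only the correct one verifies. The hyperlinks themselves live in encrypted strings, so extracting and checking them requires the full decryption step this triage deliberately stops short of.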

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2017-09-14 at 8.38.08 AM.png
Type: image/png
Size: 147289 bytes
Desc: Screen Shot 2017-09-14 at 8.38.08 AM.png
URL: <https://lists.freedesktop.org/archives/poppler/attachments/20170913/5b5d5913/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2017-09-14 at 8.51.25 AM.png
Type: image/png
Size: 276442 bytes
Desc: Screen Shot 2017-09-14 at 8.51.25 AM.png
URL: <https://lists.freedesktop.org/archives/poppler/attachments/20170913/5b5d5913/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2017-09-14 at 8.58.47 AM.png
Type: image/png
Size: 248893 bytes
Desc: Screen Shot 2017-09-14 at 8.58.47 AM.png
URL: <https://lists.freedesktop.org/archives/poppler/attachments/20170913/5b5d5913/attachment-0006.png>

