[poppler] Encrypted malicious PDFs fails

William Bader williambader at hotmail.com
Thu Sep 14 04:22:43 UTC 2017


>podofopdfinfo /var/tmp/Invoice\ -\ NF22394519.pdf

>Error: An error 8 ocurred during uncompressing the pdf file.

This is the list for poppler, not podofo.
poppler's pdfinfo can read the file without a problem, and poppler-based tools and ghostscript can both read the file, so the error might be something wrong with podofo.
podofoinfo 0.9.1 on my Fedora 25 laptop gets the same error (even on the same line numbers).
I don't know if encrypting the pdf that way is legitimate, but if you are using podofopdfinfo or any other tool to scan PDFs and a given PDF crashes the tool, it is probably best to consider the PDF malicious.
The PDF that you sent is editable, and if you search for /URI, the links are not in ascii/iso/utf8. That could be a sign that they are malicious and someone wanted to make them harder to scan.

Regards, William


________________________________
From: poppler <poppler-bounces at lists.freedesktop.org> on behalf of Alex <mysqlstudent at gmail.com>
Sent: Wednesday, September 13, 2017 6:20 PM
To: poppler at lists.freedesktop.org
Subject: [poppler] Encrypted malicious PDFs fails

Hi,

I have a malicious PDF that fails to be detected properly apparently
because it's encrypted in some way:

# podofopdfinfo /var/tmp/Invoice\ -\ NF22394519.pdf
Error: An error 8 ocurred during uncompressing the pdf file.


PoDoFo encounter an error. Error: 8 ePdfError_InternalLogic
        Error Description: An internal error occurred.
        Callstack:
        #0 Error Source: /builddir/build/BUILD/podofo-0.9.1/src/base/PdfParser.cpp:209
                Information: Unable to load objects from file.
        #1 Error Source: /builddir/build/BUILD/podofo-0.9.1/src/base/PdfParserObject.cpp:377
                Information: Unable to parse the stream for object 30 0 obj .
        #2 Error Source: /builddir/build/BUILD/podofo-0.9.1/src/base/PdfEncrypt.cpp:1137
                Information: CreateEncryptionInputStream does not yet support AES

Would someone be interested in investigating this? Am I missing
something to properly detect and manage these?

https://www.dropbox.com/s/8bqkp5okojma83b/Invoice%20-%20NF22394519.pdf?dl=0


Is there a legitimate reason to encrypt a PDF in this way? In other
words, I can still see the contents and click on the malicious link,
but apparently not view the meta information about it...
_______________________________________________
poppler mailing list
poppler at lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
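
A triage sketch of the two points made in the reply above (a scanner failure counts as suspicious, and /URI values that are not readable text are a signal), added here as an example; it is not code from this thread, poppler or PoDoFo. The function names, verdict labels and sample bytes are assumptions constructed for illustration.

```python
import re

# Simplified patterns: literal strings with nested unescaped parentheses and
# URIs stored inside compressed object streams are not handled.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
OCTAL = re.compile(rb"\\([0-7]{1,3})")

def uri_values(data: bytes) -> list[bytes]:
    """Return the byte value of every /URI string found by a raw scan."""
    values = [OCTAL.sub(lambda m: bytes([int(m.group(1), 8) & 0xFF]), v)
              for v in URI_LITERAL.findall(data)]
    for h in URI_HEX.findall(data):
        digits = b"".join(h.split())
        # PDF hex strings with an odd digit count assume a trailing 0.
        values.append(bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode()))
    return values

def is_readable(value: bytes) -> bool:
    """True when the value is non-empty printable ASCII, as a plain URL would be."""
    return bool(value) and all(0x20 <= b <= 0x7E for b in value)

def triage(data: bytes, scanner_ok: bool) -> dict:
    """scanner_ok is the exit status of whatever PDF tool ran first (hypothetical input)."""
    uris = uri_values(data)
    opaque = [u for u in uris if not is_readable(u)]
    report = {
        "encrypted": b"/Encrypt" in data,
        "aes": any(n in data for n in (b"/AESV2", b"/AESV3")),
        "uris": len(uris),
        "opaque_uris": len(opaque),
    }
    # Fail closed: a scanner error is never reported as a clean result.
    if not scanner_ok or (report["encrypted"] and opaque):
        report["verdict"] = "suspicious"
    else:
        report["verdict"] = "no-finding"
    return report

# Constructed samples, not taken from the file discussed in the thread.
PLAIN = b"%PDF-1.4\n1 0 obj<</S/URI/URI(http://example.com/a)>>endobj\n"
ENCRYPTED = (b"%PDF-1.6\n1 0 obj<</S/URI/URI<9FA3C4E1007B12D8>>>endobj\n"
             b"2 0 obj<</Filter/Standard/CFM/AESV2>>endobj\n"
             b"trailer<</Encrypt 2 0 R>>\n")
```

A "no-finding" verdict only means this raw scan saw nothing; links inside object streams need a parser that can decrypt and decompress the file.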