<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
Hello Alex,
<div class=""><br class="">
<blockquote type="cite" class="">On Sep 14, 2017, at 8:20 AM, Alex &lt;<a href="mailto:mysqlstudent@gmail.com" class="">mysqlstudent@gmail.com</a>&gt; wrote:<br class="">
<br class="">
Hi,<br class="">
<br class="">
I have a malicious PDF that fails to be detected properly apparently<br class="">
because it's encrypted in some way:<br class="">
</blockquote>
<div class=""><br class="">
</div>
<div class="">Yes. It uses PDF password protection.</div>
<div class="">You can do this with any PDF, given appropriate software.</div>
<div class="">(e.g., Adobe’s Acrobat Pro.)</div>
<div class=""><br class="">
</div>
<div class="">Without the password, you cannot edit or change the information.</div>
<div class="">This is a pretty standard thing with PDFs, that you are going to deliver online</div>
<div class="">— for whatever reason — and don’t want anyone tampering with them.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<blockquote type="cite" class=""><br class="">
# podofopdfinfo /var/tmp/Invoice\ -\ NF22394519.pdf<br class="">
Error: An error 8 ocurred during uncompressing the pdf file.<br class="">
</blockquote>
<div class=""><br class="">
</div>
<div class="">Presumably because you didn’t supply the needed password.</div>
<br class="">
<blockquote type="cite" class=""><br class="">
<br class="">
PoDoFo encounter an error. Error: 8 ePdfError_InternalLogic<br class="">
Error Description: An internal error occurred.<br class="">
Callstack:<br class="">
#0 Error Source:<br class="">
/builddir/build/BUILD/podofo-0.9.1/src/base/PdfParser.cpp:209<br class="">
Information: Unable to load objects from file.<br class="">
#1 Error Source:<br class="">
/builddir/build/BUILD/podofo-0.9.1/src/base/PdfParserObject.cpp:377<br class="">
Information: Unable to parse the stream for object 30 0 obj .<br class="">
#2 Error Source:<br class="">
/builddir/build/BUILD/podofo-0.9.1/src/base/PdfEncrypt.cpp:1137<br class="">
Information: CreateEncryptionInputStream does not yet<br class="">
support AES<br class="">
<br class="">
Would someone be interested in investigating this? Am I missing<br class="">
something to properly detect and manage these?<br class="">
<br class="">
<a href="https://www.dropbox.com/s/8bqkp5okojma83b/Invoice%20-%20NF22394519.pdf?dl=0" class="">https://www.dropbox.com/s/8bqkp5okojma83b/Invoice%20-%20NF22394519.pdf?dl=0</a><br class="">
<br class="">
Is there a legitimate reason to encrypt a PDF in this way? </blockquote>
<div class=""><br class="">
</div>
<div class="">Certainly.</div>
<div class="">It has been a standard thing with PDF, pretty much from the beginning.</div>
<div class=""><br class="">
</div>
<div class="">My credit card statements all come this way.<br class="">
I’d be pretty upset if such PDFs were not password-protected.<br class="">
<br class="">
</div>
<br class="">
<blockquote type="cite" class="">In other<br class="">
words, I can still see the contents and click on the malicious link,<br class="">
</blockquote>
<div class=""><br class="">
</div>
The hyperlinks are to:<br class="">
<br class="">
<a href="http://2ndflorida.com/2008_Armisteads_Charge_1_files/7_667785300-invoice" class="">http://2ndflorida.com/2008_Armisteads_Charge_1_files/7_667785300-invoice</a><br class="">
<br class="">
Why do you believe this to be malicious?</div>
<div class="">How is it any different from a phishing link that might arrive in an email message?</div>
<div class=""><br class="">
<blockquote type="cite" class="">but apparently not view the meta information about it…</blockquote>
<div class=""><br class="">
</div>
<div class="">What meta information are you referring to?</div>
<div class="">The Document Properties are as in the attached image.</div>
<div class=""><br class="">
</div>
<div class=""><img height="470" width="508" apple-width="yes" apple-height="yes" apple-inline="yes" id="2B2EFC23-7978-483E-8907-47BA7201EA37" src="cid:343029F3-2123-4313-97C5-44B1A422A04A@telstra.com.au" class=""></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Acrobat Pro lets you explore the inner structure, using “Preflight”,</div>
<div class="">as in the 2nd image.</div>
<div class=""><br class="">
</div>
<div class=""><img height="594" width="480" apple-width="yes" apple-height="yes" apple-inline="yes" id="A26E12D1-6F10-48CF-9976-3A9BB23D35AB" src="cid:A5BFAE98-98FB-4401-929F-4C0F96D38E42@telstra.com.au" class=""></div>
<div class=""><br class="">
</div>
<div class="">Preflight also reports some errors in the PDF syntax.</div>
<div class=""><br class="">
</div>
<div class=""><img height="557" width="480" apple-width="yes" apple-height="yes" apple-inline="yes" id="9E5905E4-00A9-4DCD-9ACE-25817C873533" src="cid:E5147F68-F9F0-4E68-80FA-1F7867A55BA5@telstra.com.au" class=""></div>
<div class=""><br class="">
</div>
<div class="">These don’t seem to be serious errors.</div>
<div class="">I don’t see any reason to brand the PDF as being malicious.</div>
<div class=""><br class="">
</div>
<div class="">But I’m not prepared to say anything about the target website.</div>
<div class="">Visit there, at your own risk.</div>
<div class=""><br class="">
</div>
<br class="">
<blockquote type="cite" class="">_______________________________________________<br class="">
poppler mailing list<br class="">
<a href="mailto:poppler@lists.freedesktop.org" class="">poppler@lists.freedesktop.org</a><br class="">
https://lists.freedesktop.org/mailman/listinfo/poppler<br class="">
</blockquote>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
Hope this helps.</div>
<div class=""><br class="">
</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>Ross</div>
<div class=""><br class="">
<div class=""><br class="">
Dr Ross Moore<br class="">
Mathematics Dept | 12 Wally’s Walk, 734<br class="">
Macquarie University, NSW 2109, Australia<br class="">
T: +61 2 9850 8955 | F: +61 2 9850 8114<br class="">
M: +61 407 288 255 | E: <a href="mailto:ross.moore@mq.edu.au" class="">ross.moore@mq.edu.au</a><br class="">
<br class="">
http://www.maths.mq.edu.au<br class="">
</div>
<br class="">
</div>
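<div class="">Added example, not part of the original message and not poppler or PoDoFo code: a heuristic check a mail scanner could run to recognise an encrypted PDF and its cipher from the /Encrypt dictionary, so that a file the parser cannot decrypt is held for review instead of surfacing only as an internal parser error. The function names, the sample bytes and the triage policy are assumptions made for illustration; the regular expressions are not a full PDF parser.</div>
<pre class="">
```python
import re

def pdf_dict(body):
    # PDF dictionary delimiters, written as byte escapes
    return b"\x3c\x3c " + body + b" \x3e\x3e"

# Constructed samples (not the file from the thread).
CRYPT_FILTER = pdf_dict(b"/StdCF " + pdf_dict(b"/CFM /AESV2 /Length 16"))
SAMPLE_AES = b"\n".join([
    b"%PDF-1.6", b"9 0 obj",
    pdf_dict(b"/Filter /Standard /V 4 /R 4 /Length 128 /P -1340 /CF "
             + CRYPT_FILTER + b" /StmF /StdCF /StrF /StdCF"),
    b"endobj", b"trailer",
    pdf_dict(b"/Size 10 /Root 1 0 R /Encrypt 9 0 R"), b"%%EOF"])
SAMPLE_PLAIN = b"%PDF-1.4\ntrailer\n" + pdf_dict(b"/Size 3 /Root 1 0 R") + b"\n%%EOF"

def encryption_info(data):
    """Return None if no /Encrypt entry is found, else its key fields."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if ref:  # indirect reference: locate "N G obj ... endobj"
        pat = rb"\b" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj(.*?)endobj"
        obj = re.search(pat, data, re.S)
        body = obj.group(1) if obj else b""
    elif b"/Encrypt" in data:  # direct dictionary in the trailer
        body = data.split(b"/Encrypt", 1)[1]
    else:
        return None
    def number(key):
        m = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
        return int(m.group(1)) if m else None

    methods = {m.decode() for m in re.findall(rb"/CFM\s*/(\w+)", body)}
    version = number(b"V")
    if "AESV3" in methods:
        cipher = "AES-256"
    elif "AESV2" in methods:
        cipher = "AES-128"
    elif "V2" in methods or version in (1, 2):
        cipher = "RC4"
    else:
        cipher = "unknown"
    return {"V": version, "R": number(b"R"), "P": number(b"P"), "cipher": cipher}

def triage(data, supported=("RC4",)):
    # Default models a parser without AES support (hypothetical policy).
    info = encryption_info(data)
    if info is None:
        return "inspect"
    return "inspect-decrypted" if info["cipher"] in supported else "hold-uninspectable"
```
</pre>
<div class="">The "hold-uninspectable" result is the case reported in the thread: the document is encrypted with a cipher the parsing library does not implement, so the scanner has seen none of its content.</div>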
</body>
</html>