Didier Stevens will familiarize you with PDFiD and pdf-parser, two essential tools for PDF analysis he authored. Encryption: testing encryption methods and programs. Escape from PDF, revealed by Didier Stevens on March 29, 2010. I first use qpdf to decrypt PDFs for further analysis with my tools. Find the latest security analysis and insight from top IT security. Using the same steps as for the easy PDF, I confirm the PDF is encrypted with a user password using 40-bit encryption, and I extract the hash. When you protect your PDFs with a password, you have to encrypt your PDFs with strong passwords and use long enough keys. Parsing a PDF document completely requires a very complex program, and hence it is bound to contain many security bugs. What is new is that Didier Stevens has shown that this feature may be used to launch an executable file in the. Didier Stevens will familiarize you with PDFiD and pdf-parser, two essential tools for PDF analysis he authored.
Based on the PostScript language, each PDF file encapsulates a complete description of a fixed-layout flat document, including the text, fonts, vector. He is coordinating and leading internally and externally all representation activities in Europe for the Japanese automotive company, with special focus on CO2 for passenger cars and light commercial. This is an advance screening of my malicious PDF analysis workshop. This tool is not a PDF parser, but it will scan a file to look for certain PDF keywords. This Metasploit module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8. InfoSec Handlers Diary Blog, SANS Internet Storm Center. Attackers have started to use encrypted PDFs, so that these. Didier Stevens has led the research in analysing PDFs; you can refer to his. Since the password is a long random password, a brute-force attack on the password like I did in the first part will take too long.
Didier writes that different PDF files, encrypted with the same user password, will have different encryption keys. These tools are included in popular Linux distros like BackTrack and REMnux. From this I can conclude that the standard encryption filter was used. Comment, January 30, 2021, January 31, 2021, Didier Stevens. Sometimes, malware authors will encrypt their malicious PDFs to try to evade detection. May 31, 2018: using the same steps as for the easy PDF, I confirm the PDF is encrypted with a user password using 40-bit encryption, and I extract the hash.
This paper presents an in-depth security analysis of the PDF features and. PDFs protected with 40-bit keys cannot guarantee confidentiality, even with strong passwords. A malicious PDF file doesn't need a software vulnerability. Didier Stevens, Microsoft MVP Consumer Security, blog. Portable Document Format (PDF), standardized as ISO 32000, is a file format developed by Adobe in 1993 to present documents, including text formatting and images, in a manner independent of application software, hardware, and operating systems. This tool is not a PDF parser, but it will scan a file to look for certain PDF keywords, allowing you to identify PDF documents that contain, for example, JavaScript or execute an action when opened.
Decrypting a file on an external drive: encryption methods and. Didier has released several free open source tools to help with the analysis of malicious PDF files. If you buy one of my products, you get to download the original MP4 files I uploaded to my free YouTube channel. Use this to define options you want included with each use of pdf-parser. We start with a very simple PoC malicious PDF file (you could even analyze this PoC file with Notepad or vi) to lay out the fundamentals, and then work through more complex examples. One of these tools, PDFiD, is also running on the number one virus scanning site, VirusTotal. If you don't know the password of the malicious PDF you want to analyze, you can try to crack the password. qpdf can be used to determine if the PDF is protected with a user password or an owner password.
Let's take a look at the JavaScript first with pdf-parser. How to decrypt encrypted PDF files: digital forensics. When a PDF is encrypted for confidentiality, the user has to provide a password upon. Analyzing PDF and Office documents delivered via malspam.
Didier Stevens Labs 2016 training: in 2016, I plan to provide 2 new trainings. It was delivered via an encrypted PDF in an attempt to evade detection. Remark that the JavaScript is not obfuscated this time. We start with a very simple PoC malicious PDF file. Secure with no encryption: antivirus, anti-malware, and. Foxit's updated PDF reader remains vulnerable to attack. It has been known since 2000, from Adobe itself, that the launch action feature in PDF is a security issue. Clone of PDFiD by Didier Stevens, as a package and with some improvements. Solving a little PDF puzzle, shoulder surfing a malicious PDF author, new tool. By creating a specially crafted PDF that contains a malformed collectEmailInfo call, an attacker may be able to execute arbitrary code. I performed a brute-force attack on the password of an encrypted PDF and a brute-force attack on the key of another encrypted PDF, both. The third part was published on December 28, in which he executed a brute-force attack on the password of the encrypted PDF and a brute-force attack on the key of the other encrypted PDF; both PDFs are part of the problem published by John August.
This encryption method uses a 40-bit key, usually indicated by a dictionary entry. I used pdf-parser, another tool developed by Didier Stevens; this tool will. The script uses AES encryption, with a 256-bit key, CBC mode, PKCS#7 padding and an initialization vector (IV) that is stored in the first 16 bytes of the payload (bytes 0-15). The Poken is a little USB stick you keep on your keychain. Checking for maliciousness in AcroForm objects on PDF.