Skip to main content


Showing posts from August, 2010

PDF Revision 3 Encryption

I just wanted to give a quick shout out to i♥cabbages for their very useful post on PDF Revision 3 encryption and the mysterious unpublished algorithm. I'm currently working on bringing more of the PDF encryption methods into the PDF Examiner.

Currently Revision 4 AES V2 is working pretty well, just in the process of adding Revision 2 40-128 bit RC4 support and researching Revision 1 (40 bit RC4) and 3 (RC4+some XORing).

Thanks to those that provided samples, please flag any failures to me and I'll do my best to add them as well.

encrypted pdf part 2 - with the online pdf examiner and object dissector

A couple posts ago I talked about do-it-yourself AESV2 PDF decryption, now it's time to get into the analysis of the PDF Javascript payload. The free online PDF Examiner 1.0 is very helpful to handle the parsing of the PDF and locating the objects that have weird obfuscated Javascript (you can use our PDF analysis tool here.)

After uploading the PDF at, we get the following page which highlights that object 47 generation 0 has some javascript obfuscation going on:

In the left column you can see objects which have something bad detected in them, show up as red, objects with streams of any sort of content show up as green, and the smaller xref and document info objects are grey and of minimal value to finding the exploits. As you can see below when you click on the suspected bad object, we are presented with a hex view which clearly shows we've found a Javascript block (remember this would also normally have been tricky to t…

PDF dissector tool online

Check out our new PDF analysis platform Malware Tracker PDF Examiner 1.0 at Our new PDF dissector will process normal compressed or encrypted (AESV2) PDFs into objects for viewing, scan for known exploit CVE's or obfuscated javascript, and export decoded data to file. Upload and analyze PDFs on the go for free.