
SANS ISC: Decrypting malicious PDFs with the key - SANS Internet Storm Center SANS ISC InfoSec Forums


Decrypting malicious PDFs with the key

Sometimes malicious documents, like PDFs, are encrypted. If you know the user password, you can use a tool like QPDF to decrypt the document. If it's encrypted for DRM (with an owner password), QPDF can decrypt it without you knowing the owner password.

If you don't know the user password, you can try to crack it, but if it's a long random password, that won't be feasible. There's still a way to decrypt the PDF if a 40-bit key was used: with Hashcat, it's possible to crack this 40-bit key (regardless of how long or complex the password is).

Until recently, it was not easy to decrypt a PDF when you knew only the key and not the password. This has changed with the release of QPDF 7.1.0: with the new option --password-is-hex-key, one can provide the key (instead of the password).
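The workflow above as an added example (not code from the original diary or from the QPDF project): a Python sketch that confirms a sample uses the 40-bit scheme by reading its /Encrypt dictionary, then builds the QPDF command line for a recovered key. The function names, the sample PDF bytes and the key are constructed for illustration, and the regex parsing assumes the encryption dictionary is an uncompressed indirect object.

```python
import re

# Constructed sample: trailer plus encryption dictionary of a PDF that uses
# the 40-bit scheme. All values are made up for this example.
SAMPLE_PDF = (
    b"%PDF-1.3\n"
    b"7 0 obj\n<< /Filter /Standard /V 1 /R 2 /P -44 "
    b"/O <" + b"00" * 32 + b"> /U <" + b"11" * 32 + b"> >>\nendobj\n"
    b"trailer\n<< /Size 8 /Root 1 0 R /Encrypt 7 0 R >>\n%%EOF\n"
)

def encryption_info(pdf: bytes):
    """Return V, R and key size in bits from /Encrypt, or None if unencrypted."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return None
    pattern = rb"(?<!\d)%s\s+%s\s+obj(.*?)endobj" % ref.groups()
    obj = re.search(pattern, pdf, re.S)
    if not obj:
        raise ValueError("encryption dictionary object not found")

    def num(name, default=None):
        m = re.search(rb"/" + name + rb"\s+(-?\d+)", obj.group(1))
        return int(m.group(1)) if m else default

    v = num(b"V", 0)
    # V 1 is always 40-bit RC4; for V 2 and 3, /Length gives the key size in
    # bits and defaults to 40. Newer schemes (V 4, 5) are out of scope here.
    bits = 40 if v == 1 else num(b"Length", 40) if v in (2, 3) else None
    return {"V": v, "R": num(b"R"), "bits": bits}

def qpdf_argv(pdf: bytes, hex_key: str, src: str, dst: str):
    """Build the qpdf command that decrypts src with a recovered 40-bit key."""
    info = encryption_info(pdf)
    if info is None:
        raise ValueError("PDF is not encrypted")
    if info["bits"] != 40:
        raise ValueError(f"not a 40-bit key: {info}")
    if not re.fullmatch(r"[0-9a-fA-F]{10}", hex_key):
        raise ValueError("a 40-bit key is exactly 10 hex digits")
    return ["qpdf", "--decrypt", f"--password={hex_key}",
            "--password-is-hex-key", src, dst]

if __name__ == "__main__":
    # "0a1b2c3d4e" is a placeholder key, not a real one.
    print(" ".join(qpdf_argv(SAMPLE_PDF, "0a1b2c3d4e", "in.pdf", "out.pdf")))
```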

 

 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
