Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Decrypting malicious PDFs with the key

Published: 2018-01-15
Last Updated: 2018-01-15 23:12:33 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Sometimes malicious documents are encrypted, like PDFs. If you know the user password, you can use a tool like QPDF to decrypt it. If it's encypted for DRM (with an owner password), QPDF can decrypt it without you knowing the owner password.

If you don't know the user password, you can try to crack it. But if it's a long random password, that won't be feasible. But there's still a way to decrypt the PDF, if a 40-bit key was used. With Hashcat, it's possible to crack this 40-bit key (regardless of how long or complex the password is).

Until recently, it was not easy to decrypt a PDF when you just knew the key, and not the password. This has changed with the release of QPDF 7.1.0: with the new option --password-is-hex-key, one can provide the key (in stead of the password).

 

 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: encryption maldoc pdf
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Peeking into Excel files
Jan 14th 2018
1 day ago by DidierStevens (0 comments)

Flaw in Intel's Active Management Technology (AMT)
Jan 13th 2018
3 days ago by Rick (0 comments)

Those pesky registry keys required by critical security patches
Jan 12th 2018
3 days ago by Bojan (4 comments)

Mining or Nothing!
Jan 11th 2018
5 days ago by Xme (1 comment)

GitHub InfoSec Threepeat: HELK, ptf, and VulnWhisperer
Jan 10th 2018
6 days ago by Russ McRee (1 comment)

Microsoft January 2018 Patch Tuesday
Jan 10th 2018
6 days ago by Johannes (0 comments)

What is going on with port 3333?
Jan 10th 2018
6 days ago by Jim (6 comments)

View All Diaries →

Latest Discussions

What is airbnb doing?
created Jan 9th 2018
6 days ago by Mike (0 replies)

Convert OST Emails to PST Files
created Jan 4th 2018
1 week ago by Anonymous (0 replies)

Windows Client what the hell is this?
created Jan 2nd 2018
1 week ago by Anonymous (0 replies)

My log Reports not displaying reported entries
created Dec 22nd 2017
3 weeks ago by Tony (0 replies)

StormCast RSS feed not supporting older SSL?
created Dec 15th 2017
1 month ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
6 months ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
5 months ago by Johannes (12 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
1 month ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
4 months ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
4 months ago by Xme (2 comments)