{"id":1595,"date":"2020-06-18T12:25:20","date_gmt":"2020-06-18T10:25:20","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1595"},"modified":"2025-03-19T13:00:45","modified_gmt":"2025-03-19T12:00:45","slug":"pdf","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1595","title":{"rendered":"<span class=\"caps\">PDF<\/span>"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">This is how a <span class=\"caps\">PDF<\/span> doc\u00adu\u00adment looks \u2014 with a JavaScript exe\u00adcu\u00adtion. Note that with Ope\u00adn\u00adAc\u00adtion 6 (object block 6) this block is exe\u00adcut\u00aded when the doc\u00adu\u00adment is opened.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>%PDF-1.6\n1 0 obj\n&lt;&lt; \/Type \/Catalog\n   \/Pages 2 0 R\n   \/OpenAction 6 0 R\n&gt;&gt;\nendobj\n2 0 obj\n&lt;&lt; \/Type \/Pages\n   \/Kids [3 0 R]\n   \/Count 1\n&gt;&gt;\nendobj\n3 0 obj\n&lt;&lt; \/Type \/Page\n   \/Parent 2 0 R\n   \/MediaBox [0 0 595 842]\n   \/Contents 4 0 R\n   \/Resources &lt;&lt; \/Font &lt;&lt; \/F1 5 0 R &gt;&gt; &gt;&gt;\n&gt;&gt;\nendobj\n4 0 obj\n&lt;&lt; \/Length 44 &gt;&gt;\nstream\nBT\n\/F1 20 Tf\n100 700 Td\n(Hello World) Tj\nET\nendstream\nendobj\n5 0 obj\n&lt;&lt; \/Type \/Font\n   \/Subtype \/Type1\n   \/BaseFont \/Helvetica\n&gt;&gt;\nendobj\n6 0 obj\n&lt;&lt; \/S \/JavaScript\n   \/JS (app.alert(\"Hello\");)\n&gt;&gt;\nendobj\n7 0 obj\n&lt;&lt; \/Type \/Action\n   \/S \/JavaScript\n   \/JS 6 0 R\n&gt;&gt;\nendobj\nxref\n0 8\n0000000000 65535 f \n0000000010 00000 n \n0000000060 00000 n \n0000000110 00000 n \n0000000210 00000 n \n0000000266 00000 n \n0000000322 00000 n \n0000000381 00000 n \ntrailer\n&lt;&lt; \/Size 8\n   \/Root 1 0 R\n&gt;&gt;\nstartxref\n450\n%%EOF\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Oth\u00ader way to cre\u00adate a mali\u00adcious&nbsp;<span class=\"caps\">PDF<\/span>:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Pre\u00adpare \/ down\u00adload a trust\u00adwor\u00adthy look\u00ading&nbsp;<span class=\"caps\">PDF<\/span>.<\/li>\n\n\n\n<li>Use exploit\/windows\/fileformat\/adobe_utilprintf to cre\u00adate a <span class=\"caps\">PDF<\/span> with a shell listener.<\/li>\n\n\n\n<li>Open a listener<\/li>\n\n\n\n<li>Bring the vic\u00adtim to open the&nbsp;file.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Analyse a <span class=\"caps\">PDF<\/span>&nbsp;file<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If a <span class=\"caps\">PDF<\/span> file is com\u00adpressed, decom\u00adpress it&nbsp;first.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">pdftk input.pdf output output.pdf uncompress<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get details with <a href=\"http:\/\/forensicswiki.org\/wiki\/Pdfinfo\">Pdfin\u00adfo<\/a><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">pdfinfo file.pdf<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get infos with Pdf-parser.py<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Get gen\u00ader\u00adal infos<br><code>pdf-parser.py file.pdf<\/code><br><code>pdf-parser 2020-12-15-upload.pdf | grep \/Creator<\/code><\/li>\n\n\n\n<li>At a object (obj 10 0) there could be bina\u00adry files attached, which are not in the out\u00adput. If you see some\u00adthing like a check\u00adsum or an indi\u00adca\u00adtion that a file could be includ\u00aded at this object, try the fol\u00adlow\u00ading:<br><code>pdf-parser.py -o 10 -d out file.pdf<\/code><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Check for inte\u00adgrat\u00aded streams, vari\u00adant with pdfde\u00adtach. (If the file is com\u00adpressed, try it with both&nbsp;ones!)<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Use <code>pdfdetach -list $file<\/code> to get the includ\u00aded streams.<\/li>\n\n\n\n<li>Extract a stream with <code>pdfdetach -save $streamId $file<\/code><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Check for inte\u00adgrat\u00aded streams, vari\u00adant with <a href=\"https:\/\/github.com\/DidierStevens\/DidierStevensSuite\/tree\/master\">base64dump<\/a>.: (If the file is com\u00adpressed, try it with both&nbsp;ones!)<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Check streams:<br><code>base64dump.py -e bc file.pdf<\/code><\/li>\n\n\n\n<li>Extract stream 1 in a file:<br><code>base64dump.py -e bx -s 1 -d file.pdf &gt; stream1.exe_<\/code><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Check for inte\u00adgrat\u00aded\u2026 files with bin\u00adwalk; it could be, that files are inte\u00adgrat\u00aded which are not stored as a stream: (If the file is com\u00adpressed, try it with both&nbsp;ones!)<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Check for inte\u00adgrat\u00aded files:<br><code>binwalk file.pdf<\/code><\/li>\n\n\n\n<li>Extract files:<br><code>binwalk --dd '.*' file.pdf<\/code><br>Now, the cur\u00adrent direc\u00adto\u00adry has sub\u00addi\u00adrec\u00adto\u00adries with the extract\u00aded&nbsp;files.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Get the pdf source<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">pdftosrc file.pdf<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Injection in <span class=\"caps\">PDF<\/span>&nbsp;files<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Include oth\u00ader files via anno\u00adta\u00adtion: See https:\/\/github.com\/mpdf\/mpdf\/issues\/356 <\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is how a <span class=\"caps\">PDF<\/span> doc\u00adu\u00adment looks \u2014 with a JavaScript exe\u00adcu\u00adtion. Note that with Ope\u00adn\u00adAc\u00adtion 6 (object block 6) this block is exe\u00adcut\u00aded when the doc\u00adu\u00adment is opened. Oth\u00ader way to cre\u00adate a mali\u00adcious&nbsp;<span class=\"caps\">PDF<\/span>: Analyse a <span class=\"caps\">PDF<\/span>&nbsp;file If a <span class=\"caps\">PDF<\/span> file is com\u00adpressed, decom\u00adpress it&nbsp;first. pdftk input.pdf out\u00adput output.pdf uncom\u00adpress Get details with Pdfinfo&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[9],"class_list":["post-1595","post","type-post","status-publish","format-standard","hentry","category-general","tag-pdf"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1595","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1595"}],"version-history":[{"count":18,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1595\/revisions"}],"predecessor-version":[{"id":4689,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1595\/revisions\/4689"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1595"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1595"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1595"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}