spamassassin-users mailing list archives

From Alex <mysqlstud...@gmail.com>
Subject Re: [poppler] Encrypted malicious PDFs fails
Date Thu, 14 Sep 2017 00:36:07 GMT
Hi,
On Wed, Sep 13, 2017 at 7:04 PM, Ross Moore <ross.moore@mq.edu.au> wrote:

> Hello Alex,
>
> On Sep 14, 2017, at 8:20 AM, Alex <mysqlstudent@gmail.com> wrote:
>
> Hi,
>
> I have a malicious PDF that fails to be detected properly apparently
> because it's encrypted in some way:
>
>
> Yes. It uses PDF password protection.
> You can do this with any PDF, given appropriate software.
> (e.g., Adobe’s Acrobat Pro.)
>
> Without the password, you cannot edit or change the information.
> This is a pretty standard thing with PDFs, that you are going to deliver
> online
> — for whatever reason — and don’t want anyone tampering with them.
>

I understood that without the password the document would not be visible,
not just that it couldn't be changed.
> # podofopdfinfo /var/tmp/Invoice\ -\ NF22394519.pdf
> Error: An error 8 ocurred during uncompressing the pdf file.
>
>
> Presumably because you didn’t supply the needed password.
>

I didn't see that there was ever a password required. I was able to view
the PDF and click the link enclosed.

> https://www.dropbox.com/s/8bqkp5okojma83b/Invoice%20-%20NF22394519.pdf?dl=0

>
> Is there a legitimate reason to encrypt a PDF in this way?
>
>
> Certainly.
> It has been a standard thing with PDF, pretty much from the beginning.
>
> My credit card statements all come this way.
> I’d be pretty upset if such PDFs were not password-protected.
>

Are you sure this one is actually password protected? As I mentioned, I was
able to view the entirety of the PDF without any password.


> In other
> words, I can still see the contents and click on the malicious link,
>
>
> The hyperlinks are to:
>
>    http://2ndflorida.com/2008_Armisteads_Charge_1_files/7_667785300-invoice
>
> Why do you believe this to be malicious?
> How is it any different from a phishing link that might arrive in an email
> message?
>

It first redirects to an unsecured MS Outlook Web Access site where the
user is required to enter their OWA credentials. After entering any random
information, it redirects to a fake PDF invoice. This is a phishing attack.
>
> but apparently not view the meta information about it…
>
>
> What meta information are you referring to?
> The Document Properties are as in the attached image.
>
I don't doubt this information is available, but podofopdfinfo was unable
to display it. I'm using the poppler utils in scripts to analyze PDFs in my
mail stream in an automated manner.

> These don’t seem to be serious errors.
>
> I don’t see any reason to brand the PDF as being malicious.
>
> But I’m not prepared to say anything about the target website.
> Visit there, at your own risk.
>

I meant it's malicious in that the contents lead to a malicious result.

Thanks for your help.
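The point of contention in the thread is that a PDF can carry an /Encrypt dictionary with an empty user password, so viewers open it without prompting while strict tools such as podofopdfinfo bail out. The following Python script is an added example and not code from the thread or from poppler/podofo: it shows how an automated mail-stream check can still classify such a file by reading the encryption dictionary and its /P permission flags directly, and by listing any plain-text /URI link targets. The sample PDF bytes are constructed (a structural skeleton, not a real encrypted or malicious file, with a placeholder link under example.invalid), and the regex-based approach is deliberately tolerant rather than a full PDF parser.

```python
"""Triage helper for PDFs arriving in a mail stream.

Reports whether the file declares encryption (the condition that made
podofopdfinfo fail in the thread), which operations its /P permission
flags withhold, and which /URI link targets are visible in plain text.
Regex-based on purpose so it still runs on files a strict parser rejects;
it is not a complete PDF parser.
"""
import json
import re
import sys

# Constructed sample (not a real malicious file): a skeletal PDF with one
# Link annotation and a standard-security-handler /Encrypt dictionary.  In a
# genuinely encrypted file the URI string would be ciphertext; here it is
# plain text only because the sample is a structural skeleton.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link
   /A << /S /URI /URI (http://example.invalid/invoice) >> >> endobj
5 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -3900
   /O <0000> /U <0000> >> endobj
trailer << /Root 1 0 R /Encrypt 5 0 R >>
%%EOF
"""

# /P permission bits from the PDF specification (bit numbering starts at 1):
# bit 3 print, bit 4 modify contents, bit 5 copy/extract, bit 6 annotate.
PERMISSION_BITS = {
    "print": 1 << 2,
    "modify": 1 << 3,
    "copy": 1 << 4,
    "annotate": 1 << 5,
}


def find_encrypt_dict(data: bytes):
    """Return the raw bytes of the /Encrypt dictionary, or None if absent.

    Handles both an indirect reference (/Encrypt N G R) and an inline
    dictionary.  The inline case stops at the first '>>', so a handler with
    nested /CF dictionaries would be truncated; good enough for triage.
    """
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R\b", data)
    if ref:
        num, gen = ref.group(1), ref.group(2)
        obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj\b(.*?)endobj",
                        data, re.DOTALL)
        return obj.group(1) if obj else b""
    inline = re.search(rb"/Encrypt\s*(<<.*?>>)", data, re.DOTALL)
    return inline.group(1) if inline else None


def encryption_info(data: bytes) -> dict:
    """Describe the security handler and decode the /P permission flags."""
    enc = find_encrypt_dict(data)
    if enc is None:
        return {"encrypted": False}

    def num(key: bytes):
        m = re.search(rb"/" + key + rb"\s+(-?\d+)", enc)
        return int(m.group(1)) if m else None

    handler = re.search(rb"/Filter\s*/(\w+)", enc)
    p = num(b"P")
    permits = ({name: bool(p & bit) for name, bit in PERMISSION_BITS.items()}
               if p is not None else {})
    return {
        "encrypted": True,
        "handler": handler.group(1).decode("latin-1") if handler else None,
        "V": num(b"V"),
        "R": num(b"R"),
        "P": p,
        "permits": permits,
    }


def extract_uris(data: bytes) -> list:
    """Plain-text /URI targets of Link annotations.

    String objects in an encrypted PDF are themselves encrypted, so an empty
    result on an encrypted file means 'unreadable', not 'no links'; decrypt
    first (for example with qpdf --decrypt) before drawing that conclusion.
    """
    return [m.decode("latin-1") for m in re.findall(rb"/URI\s*\(([^)]*)\)", data)]


def triage(data: bytes) -> dict:
    """Combine the encryption report and link targets into one record."""
    info = encryption_info(data)
    info["uris"] = extract_uris(data)
    if info["encrypted"] and not info["uris"]:
        info["note"] = "encrypted: link strings unreadable until decrypted"
    return info


if __name__ == "__main__":
    # Usage: python pdf_triage.py [file.pdf]; without an argument the
    # constructed sample is analysed.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    print(json.dumps(triage(blob), indent=2))
```

The "permits" field reproduces what poppler's pdfinfo prints on its Encrypted: line (print/copy/change flags), which is the signal Alex's scripts lose when the tool errors out; a file that opens without a prompt but forbids modification is exactly the owner-password-only case Ross describes. For the strings inside such a file, qpdf's --show-encryption and --decrypt options are the practical way to get readable output before running further link analysis.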
