We've written about sextortion emails several times. Reader Jason submitted another variant: password protected PDFs with a sextortion message (including QR code for the BTC address).

This gives me the opportunity to discuss some interesting aspects of encrypted PDFs.

PDFs can be encrypted for 2 main purposes: confidentiality and "Digital Rights Management" (DRM).

When a PDF is encrypted for confidentiality, the user has to provide a password upon opening of the PDF. This is known as the user password.

While opening a DRM PDF does not require the user to provide a password. The user can just read the content of the PDF without a password, but the user might be restricted as to what can be done with the PDF. For example, printing or copying text might be disabled. To change these DRM settings, the user needs a owner password.

An unusual property of encrypted PDFs, is that their internal structure remains unencrypted. When a PDF file is encrypted (for confidentialy or DRM), the whole content of the PDF file is not encrypted. Contrary with other file formats, like Word documents. The internal structure, like objects and names, is not encrypted. What is encrypted, are strings and streams.

So for example, when a PDF document contains a JavaScript script, there will be an object with name /JavaScript in its dictionary (we exclude stream objects /ObjStm in this example). And the script itself will be contained inside a string as a dictionary value (again, in this example).

When this PDF is encrypted, the object with its dictionary keys (like /JavaScript) will remain in cleartext, while the string with the script will be encrypted.

Let's analyze a sample submitted by Jason with pdfid.py. Here is the result:

First of all, the counter for name (keyword) /Encrypt is not zero: this tells us that the PDF is encrypted.

Second, the counter for name /ObjStm is zero: this tells us that the PDF does not contain stream objects (/ObjStm). This is important to check when dealing with encrypted PDFs, as stream objects are objects that contain other objects inside their stream. And since streams are encrypted, the objects contained inside a stream object are completely encrypted, and thus totally opaque to us unless we decrypt the document.

All the other names have counters equal to zero: although this is no guarantee that the PDF is not malicious, it is often a strong indication that this PDF does not contain malicious code, unless this is not your common malware attack (like a targeted attack or a pure binary exploit for a zero-day).

So the next step to take, is to look at the content of this PDF. For this, we need the password (4534 for this sample, it was included in the email message) to open the document. While you can open this document with any PDF reader (best done inside a VM), I'm going to view the content with pdftotext, a free utility that comes with the open source software Poppler.

The user password 4534 is provided via option -upw.

It's clear that this is a sextortion message. It was delivered via an encrypted PDF in an attempt to evade detection.

Encrypted PDFs often pose a problem for anti-spam and anti-virus solutions, when they are not able to decrypt the content. My pdf tools have no decryption capabilities: I first use QPDF to decrypt PDFs for further analysis with my tools.



Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted by InfoSec News on Sep 16


By Jeff Stone
September 12, 2019

A vulnerability in smartphone technology has made it possible for
outsiders to conduct targeted surveillance against victims for the past
two years, according to new security findings.

Researchers from AdaptiveMobile Security said Thursday they found an
SMS-based hacking technique that actively is being exploited by a spyware

Posted by InfoSec News on Sep 16


By Colin Packham
September 16, 2019

Australian intelligence determined China was responsible for a
cyber-attack on its national parliament and three largest political
parties before the general election in May, five people with direct
knowledge of the matter told Reuters.

The Australian Signals Directorate (ASD) concluded in March that China’s...

Posted by InfoSec News on Sep 16


By Anna Spoerre
Des Moines Register
September 11, 2019

Two men arrested for breaking into the Dallas County Courthouse told law
enforcement they were hired to do so by the judicial branch.

The men, outfitted with numerous burglary tools, told authorities they...

Posted by InfoSec News on Sep 16


By Aimee Chanthadavong
ZDNet News
September 13, 2019

The New Zealand government has announced it will provide NZ$10 million over five
years to support Pacific countries as they develop national cybersecurity
strategies to secure infrastructure and data, enhance online safety, and
implement new cyber crime laws.

Minister of Foreign Affairs Winston Peters...

Posted by InfoSec News on Sep 16


By Derek B. Johnson
September 13, 2019

The Department of the Treasury hit three North Korean groups with new sanctions
Sept. 13 for conducting cyberattacks against critical infrastructure, including
the infamous WannaCry ransomware attacks.

Treasury's Office of Foreign Asset Control announced that Lazarus Group, an
advanced persistent threat believed to be...
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Internet Storm Center Infocon Status