This post is about hiding an evil PDF inside a saint PDF. The objective is to embed a PDF into another PDF and make the reader parse the embedded one without user intervention. If we manage that, we’ll be able to ‘filter’ the embedded file and hide it behind some PDF encoding filters (FlateDecode, Crypt, etc.), making it invisible from the outside. And finally, as we’ll be using miniPDF.py, we’ll pass everything through the (unfinished) obfuscated version of the miniPDF.py lib, here.


OK! Let’s reinvent the wheel and make a minimal pdf file containing javascript.

As stated in section 12.6 of the PDF32000 specification, we can put ACTIONS into pdf files. There are many types of actions, like an action to jump to some part of the document (PDF32000:12.6.4.2, “Go-To Actions”) or to play a sound (PDF32000:12.6.4.8, “Sound Actions”), but also, and maybe more interesting from the insecurity point of view, an action to execute javascript. That is PDF32000:12.6.4.16, “JavaScript Actions”. (For a complete list of actions check 12.6.4, Action Types, in PDF32000.)

Actions may be triggered in several ways (PDF32000:12.6.3, Trigger Events). Most of the visible objects of a pdf can carry a trigger dictionary and execute actions when the mouse passes over the area, on clicks, on load, etc.

The catalog dictionary also has a way to add this kind of trigger dictionary. Basically we can use the /AA entry or the /OpenAction entry in the root catalog to describe an action that will be executed when the doc is opened.

We can also put an /AA trigger dictionary on the 1st page or something similar, but let’s go step by step with the most common (and most detectable) way: the catalog /OpenAction.
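As an added example (not code from the post or from miniPDF.py), here is a small scanner for exactly the detectable pattern just described: it finds the trailer’s /Root, reads the catalog object and reports any /OpenAction or /AA entry together with its action subtype (/S), so a catalog-level JavaScript action shows up as a finding. The sample PDF is constructed inline, and the scanner only understands plain, uncompressed objects.

```python
import re

# Constructed sample (not from the post): a minimal uncompressed PDF whose
# catalog /OpenAction references a JavaScript action, as the text describes.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.S)

def parse_objects(pdf: bytes) -> dict:
    """Object number -> raw body, for plain 'N G obj ... endobj' objects only."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}

def entry(body: bytes, key: bytes):
    """Raw value after /key: a balanced inline << >> dict or an 'N G R' reference."""
    m = re.search(rb"/" + key + rb"(?![A-Za-z])\s*", body)
    if not m:
        return None
    rest = body[m.end():]
    if rest.startswith(b"<<"):                      # walk nested << >> pairs
        depth = 0
        for tok in re.finditer(rb"<<|>>", rest):
            depth += 1 if tok.group() == b"<<" else -1
            if depth == 0:
                return rest[:tok.end()]
        return rest
    r = re.match(rb"\d+\s+\d+\s+R", rest)
    return r.group(0) if r else None                # arrays (plain destinations) are ignored

def find_open_actions(pdf: bytes) -> list:
    """List catalog /OpenAction and /AA entries with their action subtype (/S)."""
    objs = parse_objects(pdf)
    root = re.search(rb"/Root\s+(\d+)\s+\d+\s+R", pdf)
    catalog = objs.get(int(root.group(1)), b"") if root else b""
    findings = []
    for key in (b"OpenAction", b"AA"):
        raw = entry(catalog, key)
        if raw is None:
            continue
        ref = re.fullmatch(rb"(\d+)\s+\d+\s+R", raw)  # resolve indirect reference
        action = objs.get(int(ref.group(1)), b"") if ref else raw
        sub = re.search(rb"/S\s*/([A-Za-z]+)", action)
        findings.append(f"/{key.decode()} -> /S /{sub.group(1).decode() if sub else '?'}")
    return findings
```

Objects stored in object streams or behind stream filters such as FlateDecode are invisible to this raw scan, which is precisely why the first post above talks about hiding things behind filters; a real detector has to decode those first.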