Hi,
On Wed, Sep 13, 2017 at 7:04 PM, Ross Moore <ross.mo...@mq.edu.au> wrote:
> Hello Alex,
>
> > On Sep 14, 2017, at 8:20 AM, Alex <mysqlstud...@gmail.com> wrote:
> >
> > Hi,
> > I have a malicious PDF that fails to be detected properly apparently
> > because it's encrypted in some way:
>
> Yes. It uses PDF password protection.
> You can do this with any PDF, given appropriate software.
> (e.g., Adobe’s Acrobat Pro.)
>
> Without the password, you cannot edit or change the information.
> This is a pretty standard thing with PDFs, that you are going to deliver
> online — for whatever reason — and don’t want anyone tampering with them.

I understood that without the password the document would not be visible,
not just that it couldn't be changed.

> > # podofopdfinfo /var/tmp/Invoice\ -\ NF22394519.pdf
> > Error: An error 8 ocurred during uncompressing the pdf file.
>
> Presumably because you didn’t supply the needed password.

I didn't see that there was ever a password required. I was able to view
the PDF and click the link enclosed.

> > https://www.dropbox.com/s/8bqkp5okojma83b/Invoice%20-%20NF22394519.pdf?dl=0
> >
> > Is there a legitimate reason to encrypt a PDF in this way?
>
> Certainly.
> It has been a standard thing with PDF, pretty much from the beginning.
>
> My credit card statements all come this way.
> I’d be pretty upset if such PDFs were not password-protected.

Are you sure this one is actually password protected? As I mentioned, I was
able to view the entirety of the PDF without any password.

> > In other words, I can still see the contents and click on the malicious
> > link,
>
> The hyperlinks are to:
>
> http://2ndflorida.com/2008_Armisteads_Charge_1_files/7_667785300-invoice
>
> Why do you believe this to be malicious?
> How is it any different from a phishing link that might arrive in an email
> message?

It first redirects to an unsecured MS Outlook Web Access site where the user
is required to enter their OWA credentials. After entering any random
information, it redirects to a fake PDF invoice. This is a phishing attack.

> > but apparently not view the meta information about it…
>
> What meta information are you referring to?
> The Document Properties are as in the attached image.

I don't doubt this information is available, but podofopdfinfo was unable to
display it. I'm using the poppler utils in scripts to analyze PDFs in my mail
stream in an automated manner.

> These don’t seem to be serious errors.
>
> I don’t see any reason to brand the PDF as being malicious.
>
> But I’m not prepared to say anything about the target website.
> Visit there, at your own risk.

I meant it's malicious in that the contents lead to a malicious result.

Thanks for your help.
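The behaviour the two of them are talking past each other about (a PDF that opens and shows its link with no prompt, yet makes a tool bail out on "encrypted") is exactly what the PDF standard security handler produces when the owner password is set and the user password is empty: every string and stream is encrypted with a key derived from the user password, so a viewer silently derives the key from the empty password and opens the file, while the owner password only gates editing and the /P permission bits. A mail-stream scanner that stops at "encrypted" therefore misses the very link a phishing PDF is carrying. The script below is an added example written for this page, not code from the thread or from PoDoFo or poppler. It implements revision 2 of the handler (40-bit RC4, Algorithms 1 to 4 of the spec; R3/R4 key schedules and AES are not covered), builds a constructed sample PDF with an empty user password, a made-up owner password, print-only permissions and one link annotation, then does what a scanner should do: detect /Encrypt, decode /P, verify the empty user password against /U, and decrypt the /URI target. The document ID, passwords, permissions value and link URL are all constructed for the example.

```python
import hashlib
import re
import struct

# Padding string from the PDF spec (standard security handler, Algorithm 2).
PAD = bytes([0x28, 0xBF, 0x4E, 0x5E, 0x4E, 0x75, 0x8A, 0x41, 0x64, 0x00, 0x4E, 0x56,
             0xFF, 0xFA, 0x01, 0x08, 0x2E, 0x2E, 0x00, 0xB6, 0xD0, 0x68, 0x3E, 0x80,
             0x2F, 0x0C, 0xA9, 0xFE, 0x64, 0x53, 0x69, 0x7A])
KEY_LEN = 5  # handler revision 2: 40-bit RC4 (R3/R4 key schedule and AES differ)
PERM_BITS = {3: 'print', 4: 'modify', 5: 'copy', 6: 'annotate', 9: 'fill-forms',
             10: 'extract-accessible', 11: 'assemble', 12: 'print-hq'}

def rc4(key, data):
    """Plain RC4 (KSA + PRGA); here only because this spec revision mandates it."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def owner_entry(owner_pw, user_pw):
    """Algorithm 3 (R2): /O = RC4(MD5(padded owner pw)[:5], padded user pw)."""
    return rc4(hashlib.md5((owner_pw + PAD)[:32]).digest()[:KEY_LEN], (user_pw + PAD)[:32])

def file_key(user_pw, o, p, doc_id):
    """Algorithm 2 (R2): MD5(padded user pw + /O + /P as LE uint32 + ID[0])[:5]."""
    h = hashlib.md5((user_pw + PAD)[:32] + o + struct.pack('<I', p & 0xFFFFFFFF) + doc_id)
    return h.digest()[:KEY_LEN]

def object_key(key, num, gen):
    """Algorithm 1: MD5(file key + object number LE[:3] + generation LE[:2])."""
    h = hashlib.md5(key + struct.pack('<I', num)[:3] + struct.pack('<H', gen))
    return h.digest()[:min(len(key) + 5, 16)]

def permissions(p):
    """Names of the permission bits set in /P (bit 1 is the LSB, as in the spec)."""
    return [name for bit, name in sorted(PERM_BITS.items()) if (p >> (bit - 1)) & 1]

# Constructed sample values; none of them come from the PDF in the thread.
DOC_ID = bytes.fromhex('0123456789abcdef0123456789abcdef')
OWNER_PW = b'owner-secret'                # set: changing the file needs this
USER_PW = b''                             # empty: opening the file needs nothing
PERMS = -1852                             # /P with only bits 3 and 12 (print) set
LINK = b'http://example.invalid/invoice'  # link target; stored encrypted

def build_sample_pdf():
    """Construct a minimal R2-encrypted PDF whose object 5 0 is a link annotation."""
    o = owner_entry(OWNER_PW, USER_PW)
    key = file_key(USER_PW, o, PERMS, DOC_ID)
    objs = [
        b'<< /Type /Catalog /Pages 2 0 R >>',
        b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>',
        b'<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Annots [5 0 R] >>',
        b'<< /Filter /Standard /V 1 /R 2 /Length 40 /P %d /O <%s> /U <%s> >>'
        % (PERMS, o.hex().encode(), rc4(key, PAD).hex().encode()),  # Algorithm 4: /U
        b'<< /Type /Annot /Subtype /Link /Rect [10 10 190 90] /A << /S /URI /URI <%s> >> >>'
        % rc4(object_key(key, 5, 0), LINK).hex().encode(),  # strings are encrypted per object
    ]
    out, offsets = bytearray(b'%PDF-1.4\n'), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b'%d 0 obj\n%s\nendobj\n' % (n, body)
    xref = len(out)
    out += b'xref\n0 %d\n0000000000 65535 f \n' % (len(objs) + 1)
    out += b''.join(b'%010d 00000 n \n' % off for off in offsets)
    out += (b'trailer\n<< /Size %d /Root 1 0 R /Encrypt 4 0 R /ID [<%s> <%s>] >>\n'
            b'startxref\n%d\n%%%%EOF\n'
            % (len(objs) + 1, DOC_ID.hex().encode(), DOC_ID.hex().encode(), xref))
    return bytes(out)

def scan_pdf(data, user_pw=b''):
    """What a mail-stream scanner should record instead of giving up on /Encrypt."""
    report = {'encrypted': False, 'user_password_ok': None, 'permissions': None, 'uris': []}
    m = re.search(rb'/Encrypt\s+(\d+)\s+(\d+)\s+R', data)
    if not m:  # plain PDF: link targets are literal strings in the clear
        report['uris'] = [s.decode('latin-1') for s in re.findall(rb'/URI\s*\((.*?)\)', data)]
        return report
    report['encrypted'] = True
    enc = re.search(rb'%s %s obj\s*<<(.*?)>>' % m.groups(), data, re.S).group(1)
    p = int(re.search(rb'/P\s+(-?\d+)', enc).group(1))
    o = bytes.fromhex(re.search(rb'/O\s*<([0-9a-fA-F]+)>', enc).group(1).decode())
    u = bytes.fromhex(re.search(rb'/U\s*<([0-9a-fA-F]+)>', enc).group(1).decode())
    doc_id = bytes.fromhex(re.search(rb'/ID\s*\[\s*<([0-9a-fA-F]+)>', data).group(1).decode())
    report['permissions'] = permissions(p)
    if int(re.search(rb'/R\s+(\d+)', enc).group(1)) != 2:
        raise NotImplementedError('only handler revision 2 is implemented in this example')
    key = file_key(user_pw, o, p, doc_id)
    report['user_password_ok'] = rc4(key, PAD) == u  # Algorithm 4 check, as a viewer does
    if report['user_password_ok']:  # decrypt each /URI hex string with its object's key
        for num, gen, body in re.findall(rb'(\d+) (\d+) obj(.*?)endobj', data, re.S):
            for hx in re.findall(rb'/URI\s*<([0-9a-fA-F]+)>', body):
                plain = rc4(object_key(key, int(num), int(gen)), bytes.fromhex(hx.decode()))
                report['uris'].append(plain.decode('latin-1'))
    return report
```

`scan_pdf(build_sample_pdf())` reports the file as encrypted, the empty user password as accepted, permissions as print only, and the decrypted link target; the same call with `b'wrong'` as the password reports the password as rejected and yields no links. In an automated pipeline that is the distinction to log: "encrypted" is not the same as "unreadable", and a PDF that any viewer opens without a prompt is one your tooling should open too. For poppler in particular, pdfinfo and pdftotext accept `-upw` and `-opw` for the user and owner passwords, so an empty `-upw ''` covers this case; a scanner that only works on files its tools happen to parse is a scanner an attacker can route around.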