In diary entry “Analyzing an Encrypted Phishing PDF“, I decrypted a phishing PDF document. Because the PDF was encrypted for DRM (owner password), I didn’t have to provide a password.

What happens if you try this with a PDF encrypted for confidentiality (user password), where a password is needed to open the document?

The PDF is encrypted, according to pdfid.py:

qpdf –show–encryption tells us that we supplied an incorrect password:

We did not provide a password to qpdf: this means that the user password is set (not empty), and that we have to provide it to be able to decrypt the document. We can verify the password as follows (if you don’t know the password, you can try to crack it):

And then decrypt the PDF like this:

And you can verify with pdfid.py that the PDF is no longer encrypted, and suitable for further analysis:

 

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.