Hello, I'm Didier Stevens, a senior handler with the Internet Storm Center. Now in this video we are going to look at the analysis of a PDF document that has been created with OpenOffice or LibreOffice.

So I run pdfid. This is a document, helloworld.pdf. And let's use option -n to only see everything that is not zero. So there is nothing special about this document. The only thing that stands out here is the /OpenAction. /OpenAction is often used in malicious PDF documents, for example, to start the JavaScript upon opening or to visit the URL upon opening. Now LibreOffice and OpenOffice will also include an /OpenAction when you create a PDF using those tools, those word processors. But it's done for another purpose and we will look at this.

So you can also run pdf-parser, option -a for the statistics. And if you suspect that it might contain stream objects, say /ObjStm, you use option -O, uppercase O, to look inside those objects. And here helloworld, okay, and indeed here we see /OpenAction. And the /OpenAction is in object 12. So with pdf-parser I select object 12. And here you see the /OpenAction. And then you see this reference. So this reference is an explicit destination. This is /XYZ: the X and Y position and the zoom. So we just accept the default positions and a normal zoom for this object. And this should be a page, object one, this should be a page. So let's check object one. And indeed this is the page. So that /OpenAction is an explicit destination added by LibreOffice and OpenOffice. So that when the PDF is opened, the first page is actually displayed first, with a zoom so that you can read that page.

Now if you want to make sure, you can look at the properties. So in the trailer we have an /Info entry, that's object 13. And here we have object 13 where we see the /Creator and the /Producer. This is a hexadecimal string. And you see that it starts with FEFF. So that is the byte order mark that you can find in Unicode. And here you have actually the Unicode string and the byte order mark indicates that the zero goes first and then you have the value for a normal ASCII in Unicode.

We can decode this with base64dump. So I'm going to grep for FEFF. And now I only have those two hexadecimal strings. And I pipe this into base64dump. And the encoding is hexadecimal. And then you can see here for the two encodings, this one is Writer and this one is LibreOff. If I select four and do an ASCII dump, you can see LibreOffice 6.2. I can also dump this as Unicode, UTF-16. And then here you can see the complete string, readable: LibreOffice 6.2.

So if you get an /OpenAction in a PDF document and only that, look at it and check if it is actually an explicit destination. If it is an explicit destination, then that /OpenAction itself is not malicious. Its only purpose is to display the first page. And that is something that is done automatically by LibreOffice and OpenOffice when you create a PDF from that Writer application.