Hello, I'm Didier Stevens, a senior handler with the Internet Storm Center. In this video we are going to analyze these encrypted sextortion PDFs submitted by a reader.

So we can run PDFiD on the encrypted PDF, and then you get this output, and you can see here that the /Encrypt name appears once and all the rest is zero. So this is an encrypted PDF, and it doesn't contain JavaScript or anything else, because the special thing about encrypted PDFs is that the structure of an encrypted PDF is still like the structure of an unencrypted PDF, so you still have the names in clear text. It's the strings and the streams that are encrypted. So I can run this again with option -n, which does not write everything that is zero, and then you just get this output: it has one page and /Encrypt.

Now you have two ways to encrypt PDFs. You can encrypt PDFs for confidentiality, and then you need a password to open it, and you can also encrypt PDFs for digital rights management, DRM, and then you don't need a password to open it. And PDFiD will not tell you which type it is; you only know that it is encrypted. To determine if it is DRM or confidentiality I use a tool, QPDF, and what you do is use option --show-encryption and provide it the PDF. If you get an error "invalid password", then you know that it is encrypted for confidentiality, and you can provide it the password. You can say --password=4534, that's the password for this PDF, and then you get the information, and you see that the user password is 4534, so the user has to provide the password to open the PDF.

We can look at the text of the PDF, because this PDF doesn't contain any JavaScript or anything, so we need to look at the text to know what it's about. The Poppler PDF library has a tool, pdftotext, that you can use to display the text inside a PDF document. You have to provide it the user password, here 4534, and here the PDF, and now it will write this to a text file. So I can do more on that text file, and this text file has the content of the PDF, and as you can see it's a sextortion PDF with the Bitcoin address here. If you want output to standard out, just provide a dash, and then you get output to standard out instead of writing it to a text file. You can also provide any file name, and then it will create that file name and not the file password 4534.txt, like this.

Now if we open this one here, you see in Adobe Reader I have to provide the password, and then the content of the PDF is displayed here with the QR code.

I told you there are two types of encryption, for confidentiality and for DRM, so let's run PDFiD on the one for DRM, and let me also use option -n. You see this one is encrypted and it contains JavaScript and an OpenAction, so you see the keywords, the names, are not encrypted. I can use pdf-parser and search for JavaScript in the DRM one here, and then you see the JavaScript action, but what you get here is an encrypted string; this is the hexadecimal representation of an encrypted string. So it's the strings and the streams that are encrypted. Same for the confidentiality PDF: this one too is encrypted. Let me use option -n, like this. This one too is encrypted, contains JavaScript and an OpenAction. I can run pdf-parser and search for JavaScript in the confidentiality one, this one here, and then here you also get an encrypted string, but the names themselves are not encrypted.

Now PDFiD and pdf-parser are not able to do the decryption; I use QPDF for that. So I run QPDF, and let me do a --show-encryption again on the DRM one. As you can see, if you do a --show-encryption on one that is protected for DRM, you don't need to provide a password, and the user password is empty, while if I do this on the confidentiality one, then I get an error and I need to provide a password. The password is "secret"; the user password is "secret" also. If I open it with Adobe Reader here, I have to provide the password, secret, and then the content is displayed and the JavaScript executes, and if I open the one for DRM it immediately executes; I don't have to provide a password.

To do the decryption we can use QPDF, say --decrypt. I'm going to decrypt the PDF for DRM first, and I'm going to say drm-decrypted, like this, and now when I run pdf-parser and search for JavaScript in drm-decrypted, you can see here the JavaScript in clear text. So I didn't have to provide a password, and that's because it is protected for DRM. While if I do that with the one for confidentiality, this one here (sorry, it's not pdf-parser, it's QPDF that I want to use first), so --decrypt confidentiality to confidentiality-decrypted.pdf, I get an error: I need to provide a password. So here the password is secret, that's the user password, and now it is decrypted, and I can use pdf-parser to search for JavaScript in this one here, and then again we have the clear-text JavaScript.

So the takeaway here for PDFs: you have two types of encryption, two reasons to encrypt. You have encryption for DRM and you have encryption for confidentiality. One is with an owner password: for DRM it's the owner password, and for confidentiality it's the user password. To open a document you need the user password, as a user, if it is for confidentiality, while you don't need a password to open it if it is just encrypted for DRM. PDFiD cannot tell you the difference; it can just tell you that it is encrypted. You need to use QPDF to determine it. And also PDFiD and pdf-parser cannot do the decryption; you also have to do that with QPDF, or you can use Poppler's pdftotext, because that also accepts passwords to do the decryption.
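As an added example that is not part of the video, here is a small POSIX shell helper that automates the decision the video makes with QPDF's --show-encryption and then hands the clear-text copy to pdf-parser. It assumes qpdf and pdf-parser.py are on PATH and that qpdf's messages read "File is not encrypted", "invalid password" and "User password = ".

```sh
#!/bin/sh
# Added example (not from the video): triage an encrypted PDF with qpdf.
# Assumes qpdf and pdf-parser.py on PATH; the matched phrases are the
# ones qpdf itself prints for --show-encryption.

# classify_qpdf_output reads the combined output of "qpdf --show-encryption"
# on stdin and prints: plain | confidentiality | drm | unknown
classify_qpdf_output() {
    out=$(cat)
    case "$out" in
        *"File is not encrypted"*) echo plain ;;
        # a user password is needed to open it: encrypted for confidentiality
        *"invalid password"*)      echo confidentiality ;;
        # qpdf opened it with the empty user password: encrypted for DRM
        *"User password = "*)      echo drm ;;
        *)                         echo unknown ;;
    esac
}

# classify_pdf runs qpdf on a file; stderr is merged because the
# "invalid password" error is written there.
classify_pdf() {
    qpdf --show-encryption "$1" 2>&1 | classify_qpdf_output
}

# decrypt_pdf writes an unencrypted copy that pdf-parser can search.
# Usage: decrypt_pdf in.pdf out.pdf [user-password]
decrypt_pdf() {
    if [ -n "$3" ]; then
        qpdf --password="$3" --decrypt "$1" "$2"
    else
        qpdf --decrypt "$1" "$2"
    fi
}

# triage_pdf ties it together: decrypt according to the type found, then
# let pdf-parser look for JavaScript in the clear-text copy.
# Usage: triage_pdf sample.pdf [user-password]
triage_pdf() {
    kind=$(classify_pdf "$1")
    echo "$1: $kind"
    case "$kind" in
        drm)             decrypt_pdf "$1" "${1%.pdf}-decrypted.pdf" ;;
        confidentiality) decrypt_pdf "$1" "${1%.pdf}-decrypted.pdf" "$2" ;;
        *)               return 1 ;;
    esac
    pdf-parser.py -s javascript "${1%.pdf}-decrypted.pdf"
}
```

For the video's samples this is `triage_pdf drm.pdf` and `triage_pdf confidentiality.pdf secret`; a plain or unknown file is reported and left alone.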