Didier Stevens

Thursday 21 January 2010

Quickpost: PDF Header %!PS-Adobe-N.n PDF-M.m

Filed under: My Software,PDF,Quickpost — Didier Stevens @ 11:21

@Feliam has an interesting PDF library to create PDF files with an unconventional header (the generated document doesn’t start with %PDF-…, but %PDF appears somewhere in the first 1024 bytes of the document). As this trick is likely to be taken over by malware authors, I updated PDFiD to support this.

The PDF reference document also mentions %!PS-Adobe-N.n PDF-M.m as a valid header; however, the PDF documents @Feliam and I generated with this header are not rendered by Adobe Reader (nor by Foxit or Sumatra PDF).

I was told Adobe did support this header in older versions. My tests show Adobe Reader versions 3, 4, 5 and 6 will render PDF documents with header %!PS-Adobe-N.n PDF-M.m. Versions 7, 8 and 9 will not. Therefore I decided not to include support for this header in PDFiD.

pdf-parser doesn’t test the header, it analyzes PDF documents regardless of the header.
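
A header check along the lines described in this post, as an added example (not PDFiD's or pdf-parser's code): it reports whether %PDF- sits at offset 0, is displaced within the first 1024 bytes, or whether the file opens with the %!PS-Adobe-N.n PDF-M.m form. The function name, the kind labels and the sample byte strings are constructed for illustration.

```python
import re

# The post: %PDF may appear anywhere in the first 1024 bytes of the document.
HEADER_WINDOW = 1024
PDF_MAGIC = re.compile(rb"%PDF-(\d\.\d)?")
PS_MAGIC = re.compile(rb"%!PS-Adobe-(\d\.\d) PDF-(\d\.\d)")


def classify_pdf_header(data):
    """Return (kind, offset, pdf_version) for the leading bytes of a file.

    kind is one of (labels are hypothetical, chosen for this example):
      'standard'         %PDF- at offset 0
      'displaced'        %PDF- at offset > 0 but inside the 1024-byte window
      'postscript-style' file opens with %!PS-Adobe-N.n PDF-M.m
      'no-pdf-header'    neither form found in the window
    """
    window = data[:HEADER_WINDOW]

    # Check the PostScript-style form first: it contains "PDF-" but not
    # "%PDF-", so the search below would otherwise report no header at all.
    ps = PS_MAGIC.match(window)
    if ps:
        return ("postscript-style", 0, ps.group(2).decode())

    m = PDF_MAGIC.search(window)
    if m is None:
        return ("no-pdf-header", None, None)

    version = m.group(1).decode() if m.group(1) else None
    kind = "standard" if m.start() == 0 else "displaced"
    return (kind, m.start(), version)


if __name__ == "__main__":
    # Constructed sample inputs, not real documents.
    samples = {
        "normal": b"%PDF-1.4\n1 0 obj\n",
        "junk prefix": b"junk\n" * 10 + b"%PDF-1.3\n1 0 obj\n",
        "ps header": b"%!PS-Adobe-3.0 PDF-1.4\n1 0 obj\n",
        "past window": b"A" * HEADER_WINDOW + b"%PDF-1.4\n",
    }
    for name, blob in samples.items():
        print(f"{name:12} -> {classify_pdf_header(blob)}")
```

A 'displaced' or 'postscript-style' result is a reason to look closer at a file, since a scanner that only tests for %PDF- at offset 0 would not treat it as a PDF.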

4 Comments »

  1. That’s the bypass I reported to Kaspersky, F-Secure, CA etc. etc.

    Comment by Thierry Zoller — Friday 22 January 2010 @ 15:31

  2. Addendum: http://blog.zoller.lu/2009/05/advisory-kaspersky-generic-pdf-evasion.html

    Comment by Thierry Zoller — Friday 22 January 2010 @ 15:44

  3. @Thierry Zoller Nice!

    Comment by Didier Stevens — Friday 22 January 2010 @ 16:25

  4. […] Quickpost: PDF Header %!PS-Adobe-N.n PDF-M.m – didierstevens.com A curious PDF header is spotted which might be exploited by malware authors. […]

    Pingback by | Infosec Events — Monday 25 January 2010 @ 7:14

