Didier Stevens

Monday 9 November 2009

Quickpost: “Hiding” a PDF Document

Filed under: Entertainment,My Software,PDF,Quickpost — Didier Stevens @ 15:00

Here’s some Python code (it uses my mPDF module) to append a new PDF document to an existing PDF document to “hide” the original document. Recovering the original is trivial, you open the PDF document with a HEX-editor and delete the appended document (starting after the second %%EOF counting from the end of the file). This trick uses incremental updates.



__description__ = 'make-pdf-hide-original, use it to "hide" the original PDF document'
__author__ = 'Didier Stevens'
__version__ = '0.0.1'
__date__ = '2009/11/07'

Source code put in public domain by Didier Stevens, no Copyright
Use at your own risk

 2009/11/07: start



import mPDF
import time
import zlib
import optparse

def Main():
    oParser = optparse.OptionParser(usage='usage: %prog [options] pdf-file\n' + __description__, version='%prog ' + __version__)
    oParser.add_option('-s', '--line', default='Hello World', help='The line of text to print on the screen (default Hello World')
    (options, args) = oParser.parse_args()

    if len(args) != 1:
        print ''
        print '  %s' % __description__
        print '  Source code put in the public domain by Didier Stevens, no Copyright'
        print '  Use at your own risk'
        print '  https://DidierStevens.com'

        pdffile = args[0]
        oPDF = mPDF.cPDF(pdffile)
        oPDF.stream(5, 0, 'BT /F1 24 Tf 100 700 Td (%s) Tj ET' % options.line)
        oPDF.xrefAndTrailer('1 0 R')

if __name__ == '__main__':

Quickpost info



  1. Really cool and creative but this can be misused by bad guys in hiding the original pdf with dodgy obfuscated javascript with exploits.

    Comment by Jag — Monday 9 November 2009 @ 21:19

  2. […] Quickpost: “Hiding” a PDF Document – didierstevens.com Using incremental updates, you can hide a PDF inside a PDF. Cause we heard you liked PDFs, dawg. […]

    Pingback by Week 46 in Review – 2009 | Infosec Events — Wednesday 13 January 2010 @ 6:02

  3. […] Tags: tiff While analyzing a recent pdf sample exploiting the TIFF vuln it used a known technique to obfuscate it’s content: it appends a pdf to the first one after a bunch of of […]

    Pingback by PDF CVE-2010-0188 « inREVERSE — Saturday 24 April 2010 @ 13:32

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.