Didier Stevens

Tuesday 7 June 2016

Recovering A Ransomed PDF

Filed under: PDF — Didier Stevens @ 0:00

I was contacted to help with a PDF file encrypted by ransomware. Just like another case I helped with, the file was not completely encrypted. The file had parts with low entropy, as byte-stats.py shows:

20160606-220414

Searching for endobj, I noticed the file contained PDF objects:

20160606-221145

So I stripped the beginning of the file that was encrypted:

20160606-221331

This file can be parsed by pdf-parser. Now I’m going to try to rebuild this PDF. First I check if it contains an object referencing all pages:

20160606-221658

As you can see, it doesn’t. So I will add the missing objects:

20160606-222040

Object 2 (the missing /Pages object) needs to reference all pages still present in the document (/Kids list). I make a list of all /Page objects with the following command:

20160606-222418

And then I update object 2 /Pages with the 87 /Page objects I found (dictionary entries /Kids and /Count):

20160606-222617
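The /Kids and /Count rebuild described above can be scripted. The following Python sketch is an added example, not code from the original post or from pdf-parser; the function names and the sample bytes are constructed for illustration, and it assumes the surviving objects are stored as plain `N G obj ... endobj` text.

```python
import re

# Indirect object: "<num> <gen> obj ... endobj". A raw byte scan like this
# cannot see objects packed inside compressed object streams (/ObjStm).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /Type /Page, but not /Type /Pages (the page tree node itself).
PAGE_RE = re.compile(rb"/Type\s*/Page(?![A-Za-z])")

def find_page_objects(data: bytes):
    """Return (object number, generation) of every /Page object, in file order."""
    pages = []
    for m in OBJ_RE.finditer(data):
        if PAGE_RE.search(m.group(3)):
            pages.append((int(m.group(1)), int(m.group(2))))
    return pages

def build_pages_object(pages, obj_num=2):
    """Build the replacement /Pages object referencing all recovered pages."""
    kids = " ".join(f"{n} {g} R" for n, g in pages)
    return (
        f"{obj_num} 0 obj\n<<\n /Type /Pages\n"
        f" /Kids [{kids}]\n /Count {len(pages)}\n>>\nendobj\n"
    ).encode("ascii")

# Constructed sample: leftover high-entropy bytes followed by intact objects.
SAMPLE = (
    b"\x8f\x02\xd1\x7f\n"
    b"10 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 11 0 R >>\nendobj\n"
    b"11 0 obj\n<< /Length 5 >>\nstream\nBT ET\nendstream\nendobj\n"
    b"12 0 obj\n<</Type/Page/Parent 2 0 R>>\nendobj\n"
    b"13 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
)

if __name__ == "__main__":
    found = find_page_objects(SAMPLE)
    print(found)
    print(build_pages_object(found).decode("ascii"))
```

The recovered /Page objects must carry a /Parent entry pointing at the object number used here (2 in the post) for the page tree to be consistent.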

When I open this PDF with a PDF reader, I get 87 pages. All of them are blank, except the last one:

20160606-222854

The pages are blank because of missing font definitions:

20160606-223238

I add some generic font definitions:

20160606-223431

This gives me the following PDF:

20160606-223618

As you can see, not all text is readable. That's because I did not select the right font. Some trial and error with different fonts would allow me to further recover the document.

This method can also help you with corrupt PDF documents. Of course, this is not a complete recovery: the first pages, which were encrypted, are missing.

3 Comments »

  1. […] Recovering a PDF encrypted by ransomware, by Didier Stevens […]

    Pingback by Newsletter Cybersécurité semaine 24 - Adacis — Saturday 11 June 2016 @ 12:02

  2. […] Didier Stevens presented a case study where he was given a partially encrypted PDF file and was able to recover a large majority of it by rebuilding the unencrypted sections. Recovering A Ransomed PDF […]

    Pingback by Week 23 – 2016 – This Week In 4n6 — Sunday 12 June 2016 @ 14:27

  3. […] Recovering A Ransomed PDF […]

    Pingback by Overview of Content Published In June | Didier Stevens — Sunday 17 July 2016 @ 0:00

