Decrypting a PDF With a User Password, (Sat, Nov 23rd)

**Published**: 2024-11-23. **Last Updated**: 2024-11-23 17:06:46 UTC **by** [Didier Stevens](/handler_list.html#didier-stevens) (Version: 1)

In diary entry ‘[Analyzing an Encrypted Phishing PDF](https://isc.sans.edu/diary/Analyzing+an+Encrypted+Phishing+PDF/31404)’, I decrypted a phishing PDF document. Because the PDF was encrypted for DRM (owner password), I didn’t have to provide a password.

What happens if you try this with a PDF encrypted for confidentiality (user password), where a password is needed to open the document?

The PDF is encrypted, according to [pdfid.py](https://blog.didierstevens.com/programs/pdf-tools/):

![](https://isc.sans.edu/diaryimages/images/20241123-174151.png)

[qpdf](https://github.com/qpdf/qpdf) --show-encryption tells us that we supplied an incorrect password:

![](https://isc.sans.edu/diaryimages/images/20241123-173902.png)

We did not provide a password to qpdf: this means that the user password is set (not empty), and that we have to provide it to be able to decrypt the document.

We can verify the password as follows (if you don’t know the password, you can try to [crack it](https://blog.didierstevens.com/2017/12/29/cracking-encrypted-pdfs-conclusion/)):

![](https://isc.sans.edu/diaryimages/images/20241123-174009.png)

And then decrypt the PDF like this:

![](https://isc.sans.edu/diaryimages/images/20241123-174054.png)

And you can verify with pdfid.py that the PDF is no longer encrypted, and suitable for further analysis:

![](https://isc.sans.edu/diaryimages/images/20241123-174130.png)

Didier Stevens
Senior handler
[blog.DidierStevens.com](http://blog.DidierStevens.com)
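The check, verify and decrypt steps above can be scripted for triage. The following is an added example, not code from the diary or from the qpdf project: it relies on qpdf's `--requires-password` option (not used in the diary) to tell an owner-only (DRM) PDF from one with a user password, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the diary). qpdf --requires-password exit status:
#   0 = a password other than the one supplied is required
#   2 = not encrypted (2 is also qpdf's general error status)
#   3 = encrypted, and the supplied (possibly empty) password opens it

# pdf_password_state FILE [PASSWORD]
# Prints: not-encrypted | opens | password-required | error
pdf_password_state() {
    # Status 2 is ambiguous, so rule out an unreadable file first.
    [ -r "$1" ] || { echo "error"; return 0; }
    rc=0
    if [ $# -ge 2 ]; then
        qpdf --requires-password --password="$2" "$1" || rc=$?
    else
        qpdf --requires-password "$1" || rc=$?
    fi
    case $rc in
        0) echo "password-required" ;;  # user password set; ours is missing or wrong
        2) echo "not-encrypted" ;;
        3) echo "opens" ;;              # with no password: owner-only (DRM) case
        *) echo "error" ;;
    esac
}

# decrypt_pdf IN OUT [PASSWORD]
# Writes a decrypted copy to OUT and confirms it is no longer encrypted.
decrypt_pdf() {
    if [ $# -ge 3 ]; then
        state=$(pdf_password_state "$1" "$3")
    else
        state=$(pdf_password_state "$1")
    fi
    case $state in
        not-encrypted) cp "$1" "$2" ;;
        opens)
            rc=0
            if [ $# -ge 3 ]; then
                qpdf --password="$3" --decrypt "$1" "$2" || rc=$?
            else
                qpdf --decrypt "$1" "$2" || rc=$?
            fi
            # 0 = clean, 3 = output written with warnings; anything else failed.
            [ "$rc" -eq 0 ] || [ "$rc" -eq 3 ] || return 1
            [ "$(pdf_password_state "$2")" = "not-encrypted" ] ;;
        *) echo "decrypt_pdf: $1: $state" >&2; return 1 ;;
    esac
}
```

A call with constructed file names and password looks like `decrypt_pdf sample.pdf sample-decrypted.pdf secret`.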
