clamav
PDF that is not password-protected judged Heuristics.Encrypted.PDF
Dear
The attached PDF file is judged "Heuristics.Encrypted.PDF" when scanned with ClamAV. This PDF file is not password-protected for viewing; only its permissions are password-protected. I scanned the attached file using the latest ClamAV engine (104.4), but it was blocked.
I checked using gdb; it fails at the following line. P is 0.
3146         P = pdf_readint(q, len, "/P");
3147         if (R < 6) { // P field doesn't seem to be required for R6.
3148             if (P == ~0u) {
3149                 cli_dbgmsg("pdf_handle_enc: invalid P\n");
3150                 noisy_warnmsg("pdf_handle_enc: invalid P\n");
3151                 break;
3152             }
3153         }
It seems that if the encoded owner password (/O) includes "/P", the "/P" check happens at the wrong point, and what follows that "/P" has no integer value. Therefore P at line 3148 is zero.
I confirm the password is "acia" (128-bit AES). Also, the password of the attached PDF file is "acia".
It includes the following data.
000b5a0: 31 36 3e 3e 3e 3e 2f 46 69 6c 74 65 72 2f 53 74 16>>>>/Filter/St
000b5b0: 61 6e 64 61 72 64 2f 4c 65 6e 67 74 68 20 31 32 andard/Length 12
000b5c0: 38 2f 4f 20 28 ad 69 b5 59 59 53 dd 92 a3 38 cc 8/O (.i.YYS...8.
000b5d0: ad b6 5c 30 32 34 54 5c 30 30 30 2e 73 b6 a5 ae ..\024T\000.s...
000b5e0: 8f 7d 24 75 ab b1 5c 29 eb 82 2f 50 29 2f 50 20 .}$u..\)../P)/P
000b5f0: 2d 31 38 35 32 2f 52 20 34 2f 53 74 6d 46 2f 53 -1852/R 4/StmF/S
000b600: 74 64 43 46 2f 53 74 72 46 2f 53 74 64 43 46 2f tdCF/StrF/StdCF/
000b610: 55 20 28 81 5c 30 33 31 5d 99 2e f1 93 82 b5 76 U (.\031]......v
Please check this issue. sample_acia.pdf
I think I see what you mean regarding reading the /P value. It looks like the actual /P value (P -1852) appears after the parenthesis in object 30 0:
30 0 obj
<</CF<</StdCF<</AuthEvent/DocOpen/CFM/AESV2/Length 16>>>>/Filter/Standard/Length 128/O (\xADi\xB5YYS\u{752}\xA38\u{32d}\xB6\024T\000.s\xB6\xA5\xAE\x8F}$u\xAB\xB1\)\xEB\x82/P)/P -1852/R 4/StmF/StdCF/StrF/StdCF/U (\x81\031]\x99.\u{530b5}v\022\013\x8E\xBC\xED\x93\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000)/V 4>>
endobj
31 0 obj
<</Encrypt 30 0 R/Filter/FlateDecode/ID [<f68acb5781c8d3a26b395bf9e7f7beea><f68acb5781c8d3a26b395bf9e7f7beea>]/Index[0 32]/Info 3 0 R/Length 101/Root 1 0 R/Size 32/Type/XRef/W[1 2 2]>>stream
x\x9C%\xCD\xC1␍\x82␀\u{10}D\xD1\u{19}@T\u{14}P\u{14}.\x9Cm\xC8\u{1a}\u{c0a2}␈␇h\xC0
\xBC\xDB\u{b}\u{335d7}\xD9d&+i]\xED\xB7\x94\xA8Wa\u{7f}#\x9DAV\u{1d}\xE7\u{5}\xAEPB\u{5}5\xDC\xE0\xEE\xF4\u{1f}\xBD\xC6\xE3/\xD2\u{3}\x9E\xD0\xC2├┤\u{e}\x90@
\u{19}\u{1c}!\xF7\u{10a661}\xF3\xFC\u{65f}/\x83\xB4\u{1}\u{7cf}\u{c}D
endstream
endobj
Outside of the above issue, I'm a little confused about this bug.
But are you saying that the document should not be detected as encrypted because only a small portion of the document is encrypted?
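The mis-parse discussed above, as an added example that is not ClamAV's code: a naive "first /P substring" lookup beside a lookup that skips PDF string objects, both run over the /Encrypt dictionary bytes from the report's hex dump. The sample dictionary (with /U shortened), read_int_at, is_p_key and the two lookup functions are all constructed here; ClamAV's own pdf_readint is not shown.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
/* Constructed sample: the report's /Encrypt dictionary, /O bytes taken from its hex
 * dump (\024, \000 and \) inside /O are literal PDF string escapes); /U shortened. */
static const char SAMPLE[] =
    "<</CF<</StdCF<</AuthEvent/DocOpen/CFM/AESV2/Length 16>>>>/Filter/Standard"
    "/Length 128/O (\xAD" "i\xB5" "YYS\xDD\x92\xA3" "8\xCC\xAD\xB6\\024T\\000.s"
    "\xB6\xA5\xAE\x8F}$u\xAB\xB1\\)\xEB\x82/P)/P -1852/R 4/StmF/StdCF/StrF/StdCF"
    "/U (shortened)/V 4>>";

/* Integer after p (leading spaces, optional '-'); ~0u if none, the sentinel pdf_handle_enc tests. */
static uint32_t read_int_at(const char *p, const char *end) {
    char buf[16]; size_t n = 0;
    while (p < end && *p == ' ') p++;
    if (p < end && *p == '-') buf[n++] = *p++;
    while (p < end && n < 15 && isdigit((unsigned char)*p)) buf[n++] = *p++;
    buf[n] = '\0';
    return (n == 0 || buf[n - 1] == '-') ? ~0u : (uint32_t)strtol(buf, NULL, 10);
}

/* Name token "/P" at p, not a prefix of a longer name such as /Perms. */
static int is_p_key(const char *p, const char *end) {
    return p + 1 < end && p[0] == '/' && p[1] == 'P' && (p + 2 == end || !isalnum((unsigned char)p[2]));
}

/* Naive lookup: first "/P" anywhere; on the sample it hits the "/P)" inside /O. */
uint32_t naive_read_p(const char *d, size_t len) {
    for (const char *p = d, *end = d + len; p < end; p++)
        if (is_p_key(p, end)) return read_int_at(p + 2, end);
    return ~0u;
}

/* String-aware lookup: skip (...) literal strings (balanced, backslash-escaped) and <...> hex strings. */
uint32_t string_aware_read_p(const char *d, size_t len) {
    int depth = 0;                                    /* literal-string nesting */
    for (const char *p = d, *end = d + len; p < end; p++) {
        if (depth > 0) {                              /* inside a (...) string */
            if (*p == '\\') p++;                      /* skip the escaped byte */
            else if (*p == '(') depth++;
            else if (*p == ')') depth--;
        } else if (*p == '(') { depth = 1;
        } else if (*p == '<') {                       /* "<<" opens a dictionary... */
            if (p + 1 < end && p[1] == '<') p++;
            else while (p < end && *p != '>') p++;    /* ...otherwise a hex string */
        } else if (is_p_key(p, end)) { return read_int_at(p + 2, end); }
    }
    return ~0u;
}
```

Run over the sample, naive_read_p lands on the "/P)" inside /O and finds no integer, while string_aware_read_p returns -1852.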
Thank you for your reply.
> But are you saying that the document should not be detected as encrypted because only a small portion of the document is encrypted?
I think this PDF document should not be detected as encrypted, because this PDF file is not password-protected to prevent the file from being viewed (only its permissions are password-protected).
Okay thanks @tommam2 I'll talk about it with the team.
@micahsnyder Any news on this issue?
No work on this yet. I can appreciate the desire for this change.
From a technical perspective, we'd need to find a way to prove that the encrypted portion is in fact only permissions content and does not contain any other/active content. Without that, I can't imagine resolving this.
In any case, our team is focused on other issues and doesn't have a plan to work on this.
Any update on this issue?