Comments on World's Smallest PDFAcrobat will parse some very badly formed PDF files. It's possible to remove almost everything from a PDF file, and still launch Javascript. A minimum of 58 bytes are all that is required to execute Javascript within Acrobat.TypePad2010-06-15T21:35:25ZFireEye, Inc.http://blog.fireeye.com/research/tag:typepad.com,2003:http://blog.fireeye.com/research/2010/06/that-pdf-thing/comments/atom.xml/Julia Wolf commented on 'World's Smallest PDF'tag:typepad.com,2003:6a00d835018afd53ef0134852789df970c2010-07-02T09:33:44Z2010-07-02T09:33:44ZJulia Wolfhttp://blog.fireeye.com/> Do you want to make a post / analysis about this http://seclists.org/fulldisclosure/2010/Jul/7 case? I suppose I could, though it's...<p>> Do you want to make a post / analysis about this <a href="http://seclists.org/fulldisclosure/2010/Jul/7" rel="nofollow">http://seclists.org/fulldisclosure/2010/Jul/7</a> case?</p>
<p>I suppose I could, though it's not terribly new or interesting. There is a ton of this sort of activity every day, and has been for years. This particular spam campaign was also pretending to be from wordpress.com, also saying that you'd just signed up for an account, with all links leading to that infectious PDF. (Which used one of three possible exploits, all at least a year old.) </p>
<p>Using the message attached to that FD post, this particular article of spam was send from 202.13.62.5. Observe:<br />
[...]<br />
> Received: from TUHWJATY (unknown [202.133.62.5])<br />
> by stg.iki.fi (Postfix) with ESMTP id 26EC819D5C<br />
> for ; Thu, 1 Jul 2010 13:25:28 +0300 (EEST)<br />
> Received: from 202.133.62.5 (port=0267 helo=[swaraj])<br />
> by mail.ragoarts.com with asmtp <br />
> id 981EFE-000841-91<br />
> for ______hack.fi; Thu, 1 Jul 2010 15:56:02 +0530</p>
<p>> Someone from the IP address 202.133.62.5 has registered the account "fgeek" with [...]</p>
<p> The IP address of the spam drone is included in the body text, as well as the recipient username. Every single message is like this, just with the corresponding values filled in.</p>
<p> If it wasn't 2:30am, and I didn't have something else to be finishing right now, I'd probably lookup the name of whichever particular spam bot this is.</p>
<p>(I've redacted the email address of the recipient, just to avoid that much more spam sent to them.)</p>
<p>I think you'll find this illuminating:<br />
<a href="http://www.google.com/search?q=http%3A%2F%2Fchipsnchils.com%2Fwordpress.html" rel="nofollow">http://www.google.com/search?q=http%3A%2F%2Fchipsnchils.com%2Fwordpress.html</a></p>Henri Salo commented on 'World's Smallest PDF'tag:typepad.com,2003:6a00d835018afd53ef0133f1fe467e970b2010-07-01T17:19:54Z2010-07-01T17:19:54ZHenri SaloDo you want to make a post / analysis about this http://seclists.org/fulldisclosure/2010/Jul/7 case?<p>Do you want to make a post / analysis about this <a href="http://seclists.org/fulldisclosure/2010/Jul/7" rel="nofollow">http://seclists.org/fulldisclosure/2010/Jul/7</a> case?</p>Comment commented on 'World's Smallest PDF'tag:typepad.com,2003:6a00d835018afd53ef013484e44102970c2010-06-24T22:17:09Z2010-06-24T22:17:09ZCommentePDFViewer on Ubuntu show "encrypted document. Enter password" popup.<p>ePDFViewer on Ubuntu show "encrypted document. Enter password" popup.</p>
<p><br />
</p>Julia Wolf commented on 'World's Smallest PDF'tag:typepad.com,2003:6a00d835018afd53ef0133f18e1101970b2010-06-22T01:15:25Z2010-06-22T01:15:25ZJulia Wolfhttp://blog.fireeye.com/Yeah, I expect that *everything* except for Adobe Acrobat 9.1.3 is going to error out. This PDF file is way-way-way...<p>Yeah, I expect that *everything* except for Adobe Acrobat 9.1.3 is going to error out. This PDF file is way-way-way out of spec. Older versions of Acrobat won't even read this.</p>joe blow commented on 'World's Smallest PDF'tag:typepad.com,2003:6a00d835018afd53ef0133f18ddfe1970b2010-06-22T00:50:04Z2010-06-22T00:50:04Zjoe blowSame for okular on gentoo. Error: PDF file is damaged - attempting to reconstruct xref table... Error: Couldn't find trailer...<p>Same for okular on gentoo.</p>
<p>Error: PDF file is damaged - attempting to reconstruct xref table...<br />
Error: Couldn't find trailer dictionary<br />
Error: Couldn't read xref table<br />
</p>Robin commented on 'World's Smallest PDF'tag:typepad.com,2003:6a00d835018afd53ef0133f18b397f970b2010-06-21T21:20:31Z2010-06-21T21:20:31ZRobinhttp://www.digininja.orgevince in Debian fails to read the 71 byte version: Error: PDF file is damaged - attempting to reconstruct xref...<p>evince in Debian fails to read the 71 byte version:</p>
<p>Error: PDF file is damaged - attempting to reconstruct xref table...<br />
Error: Couldn't find trailer dictionary<br />
Error: Couldn't read xref table<br />
Error: PDF file is damaged - attempting to reconstruct xref table...<br />
Error: Couldn't find trailer dictionary<br />
Error: Couldn't read xref table<br />
</p>