Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

pdf decoding issue #1109

Closed Sanesecurity closed 11 months ago

Sanesecurity commented 11 months ago

Describe the bug

Received lots of PDF spam with a naked lady in it; inside the PDF is an embedded link to click on, which points to:

h t t p s: / /dating2 dot xloveme dot me/?cid=

The engine doesn't seem to extract the above URL or decode it properly (even with --leave-temps), so I can't really create a useful sig to block the link.

Attachments

Added attachment (example PDF): xxx spam.pdf

micahsnyder commented 11 months ago

@Sanesecurity It looks like this is related to https://github.com/Cisco-Talos/clamav/pull/1079

I tested with 1.2.0 versus the latest in main (after this PR merged), and found that with 1.2.0, I see this in the debug log:

LibClamAV debug: check_user_password: UE length is not 32: 2
LibClamAV debug: check_user_password: user/owner password would be required for decryption
LibClamAV debug: pdf_find_and_extract_objs: encrypted pdf found, not decryptable, stream will probably fail to decompress!

But with the latest from main, the debug log has:

LibClamAV debug: aes_256cbc_decrypt: length is 32
LibClamAV debug: cli_pdf: check_user_password: Candidate encryption key: e1f38d2df5e217d2194971d54a971f0ea24bd55b30a4a2d1018729cb7b607374
LibClamAV debug: check_user_password: user password is empty

In addition, the --leave-temps from the latter resulted in a file containing 3 0 7 122 6 283 <</rect[0 0 580 800]/subtype/link/a<</s/uri/uri(https://dating2.xloveme.me/?cid=7smzqq&img=33&s6=7smzqq#ppins6kflgbh)>>>> <</type/page/mediabox[0 0 595 842]/resources<</procset [/pdf /text /imageb /imagec /imagei]/xobject<</img0 2 0 r>>>>/annots[3 0 r]/contents 5 0 r/parent 6 0 r>> <</type/pages/count 1/kids[7 0 r]/itxt(3.4.12.0)>>
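As an added illustration, not ClamAV's code and not from this thread: a small Python parser that decodes PDF string objects before measuring them, since an /Encrypt entry such as /UE (32 bytes for AES-256, /R 6) may be written as an escaped literal or as a hex string, so a length check only makes sense on the decoded bytes. It also pulls the /URI targets out of /Link annotations, the strings a signature writer would match. The /Encrypt dictionary and annotation below are constructed and the URL is a placeholder.

```python
import re

def read_string(data: bytes, start: int):
    """Decode one PDF string object starting at data[start]: '(' literal or '<' hex.
    Returns (decoded_bytes, index_after). A literal may hold escapes, nested
    parentheses and raw line breaks, so its byte length is not its source length."""
    if data[start:start + 1] == b"<":
        end = data.index(b">", start)
        digits = re.sub(rb"\s", b"", data[start + 1:end])
        digits += b"0" * (len(digits) % 2)            # odd trailing digit counts as 0
        return bytes.fromhex(digits.decode("ascii")), end + 1
    assert data[start:start + 1] == b"(", "not a PDF string"
    esc = {b"n": 10, b"r": 13, b"t": 9, b"b": 8, b"f": 12, b"(": 40, b")": 41, b"\\": 92}
    out, depth, i = bytearray(), 1, start + 1
    while depth:
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            oct_ = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
            if oct_:                                  # \ddd octal escape
                out.append(int(oct_.group(), 8) & 0xFF); i += 1 + len(oct_.group()); continue
            if nxt in (b"\r", b"\n"):                 # backslash-EOL is a line continuation
                i += 2 + (data[i + 1:i + 3] == b"\r\n"); continue
            out.append(esc.get(nxt, nxt[0])); i += 2; continue
        if c == b"\r":                                # raw CR or CRLF inside a literal reads as LF
            out.append(10); i += 1 + (data[i + 1:i + 2] == b"\n"); continue
        depth += (c == b"(") - (c == b")")
        if depth:
            out.append(c[0])
        i += 1
    return bytes(out), i

def to_literal(raw: bytes) -> bytes:
    """Encode bytes as a PDF literal string, escaping delimiters and EOL bytes."""
    table = {0x28: b"\\(", 0x29: b"\\)", 0x5C: b"\\\\", 0x0D: b"\\r", 0x0A: b"\\n"}
    return b"(" + b"".join(table.get(b, bytes([b])) for b in raw) + b")"

def encrypt_string_lengths(encrypt_dict: bytes) -> dict:
    """Decoded byte lengths of /U /O /UE /OE; AES-256 (/R 6) needs 48, 48, 32, 32."""
    return {m.group(1).decode(): len(read_string(encrypt_dict, m.end())[0])
            for m in re.finditer(rb"/(U|O|UE|OE)\s*(?=[(<])", encrypt_dict)}

def link_uris(pdf: bytes) -> list:
    """The /URI targets of /Link annotations, i.e. the strings a signature would match."""
    return [read_string(pdf, m.end())[0].decode("latin-1")
            for m in re.finditer(rb"/URI\s*(?=[(<])", pdf)]

# Constructed sample (not from the issue): AES-256 /Encrypt strings with /UE as an
# escaped literal containing '(', ')', '\' and EOL bytes, plus a /Link annotation.
UE_RAW = bytes([0x28, 0x29, 0x5C, 0x0D, 0x0A]) + bytes(range(27))
SAMPLE_ENCRYPT = (b"<</Filter/Standard/V 5/R 6/Length 256/U<" + b"11" * 48 + b">/O<"
                  + b"22" * 48 + b">/UE" + to_literal(UE_RAW) + b"/OE<" + b"33" * 32 + b">>>")
SAMPLE_PAGE = b"<</Type/Annot/Subtype/Link/A<</S/URI/URI(https://example.invalid/?cid=\\(x\\))>>>>"
```

Measured on its source text the constructed /UE literal is 39 bytes long, decoded it is the expected 32; the same decoder recovers the annotation URL with its escaped parentheses intact.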

micahsnyder commented 11 months ago

Going to close this as fixed, since it's working in main. The fix will be available in 1.3.0. The release candidate should be out next week-ish, and stable release out in early January.