
# Don't let it run

## Description

PDF documents can contain unusual objects within.

[dragon.pdf](dragon.pdf)

## Solution

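Let's analyze it with `pdf-parser`, a tool that ships with Kali. It parses the file's object structure statically and does not render the document, so nothing embedded in the PDF runs during the inspection.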

```console
$ pdf-parser dragon.pdf

This program has not been tested with this version of Python (3.9.2)
Should you encounter problems, please use Python version 3.8.7
PDF Comment '%PDF-1.7\n'

PDF Comment '%\xf6\xe4\xfc\xdf\n'

obj 1 0
Type: /Catalog
Referencing: 2 0 R, 3 0 R

<<
/Pages 2 0 R
/Type /Catalog
/OpenAction 3 0 R
>>

obj 4 0
Type:
Referencing:

<<
/Title '(\x00d\x00r\x00a\x00g\x00o\x00n\x00\x00)'
/CreationDate (D:20210512134031)
/ModDate (D:20210512134031)
/Producer (https://imagemagick.org)
>>

obj 2 0
Type: /Pages
Referencing: 5 0 R

<<
/Type /Pages
/Kids [5 0 R]
/Count 1
>>

obj 3 0
Type: /Action
Referencing:

<<
/Type /Action
/S /JavaScript
/JS <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>
>>

obj 5 0
Type: /Page
Referencing: 2 0 R, 6 0 R, 7 0 R, 8 0 R

<<
/Type /Page
/Parent 2 0 R
/Resources
<<
/XObject
<<
/Im0 6 0 R
>>
/ProcSet [/PDF /Text /ImageC]
>>
/MediaBox [0 0 595 842]
/CropBox [0 0 595 842]
/Contents 7 0 R
/Thumb 8 0 R
>>

obj 6 0
Type: /XObject
Referencing: 9 0 R, 10 0 R
Contains stream

<<
/Length 275251
/Type /XObject
/Subtype /Image
/Name /Im0
/Filter [/RunLengthDecode]
/Width 595
/Height 842
/ColorSpace [/ICCBased 9 0 R]
/BitsPerComponent 8
/SMask 10 0 R
>>

obj 7 0
Type:
Referencing:
Contains stream

<<
/Length 31
>>

obj 8 0
Type:
Referencing: 9 0 R
Contains stream

<<
/Length 5400
/Filter [/RunLengthDecode]
/Width 75
/Height 106
/ColorSpace [/ICCBased 9 0 R]
/BitsPerComponent 8
>>

obj 9 0
Type:
Referencing:
Contains stream

<<
/Length 3092
/N 3
/Filter /ASCII85Decode
/Alternate /DeviceRGB
>>

obj 10 0
Type: /XObject
Referencing:
Contains stream

<<
/Length 7891
/Type /XObject
/Subtype /Image
/Name /Ma0
/Filter [/RunLengthDecode]
/Width 595
/Height 842
/ColorSpace /DeviceGray
/BitsPerComponent 8
>>

xref

trailer
<<
/Size 11
/Info 4 0 R
/Root 1 0 R
/ID [<DDED0235A302A1D292E59FE7FCEA4C662B9B88FDEF607858B35F458977BF7AD7><DDED0235A302A1D292E59FE7FCEA4C662B9B88FDEF607858B35F458977BF7AD7>]
>>

startxref 295021

PDF Comment '%%EOF\n'
```
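After a careful inspection we can see a **KINDA SUS** piece of JS encoded in HEX: object `3 0` is a `/JavaScript` action, and the catalog's `/OpenAction` points to it, so a JavaScript-capable viewer would run it when the document is opened.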

```
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
```

Let's [decode](https://gchq.github.io/CyberChef/#recipe=From_Hex('None')&input=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) it

```javascript
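// Decoded /JS payload of object 3 0, laid out one statement per line.
// Identifiers and literals are exactly as decoded. The script's only effect is
// a single console.log call; it is shown for static reading.

// String table: every property name and constant the script uses is looked up
// here by index, so no readable name appears at the call sites. The flag is
// stored as a plain literal, which is why reading the decoded text is enough
// to recover it.
var _0x4ac9 = [
  '663aCYhYK',
  '9qwaGGO',
  'log',
  '1PtCftm',
  '1068uRYmqT',
  'dctf{pdf_1nj3ct3d}',
  '768577jhhsbr',
  '717342hAzOOQ',
  '722513PAXCbh',
  '833989PQKiti',
  '1447863RVcnTo',
  '125353VtkXUG'
];

// Self-invoking shuffler: rotates the table left one slot at a time
// (push(shift())) until the checksum computed from the numeric prefixes of the
// entries equals 0x8d97f. Only in that rotation do the index lookups further
// down resolve to the intended strings.
(function (_0x3b1f6b, _0x1ad8b7) {
  var _0x566ee2 = _0x5347;
  while (!![]) {
    try {
      var _0x2750a5 =
        parseInt(_0x566ee2(0x16e)) +
        -parseInt(_0x566ee2(0x16d)) +
        parseInt(_0x566ee2(0x16c)) +
        -parseInt(_0x566ee2(0x173)) * -parseInt(_0x566ee2(0x171)) +
        parseInt(_0x566ee2(0x172)) * -parseInt(_0x566ee2(0x16a)) +
        parseInt(_0x566ee2(0x16f)) * parseInt(_0x566ee2(0x175)) +
        -parseInt(_0x566ee2(0x170));
      if (_0x2750a5 === _0x1ad8b7) break;
      else _0x3b1f6b['push'](_0x3b1f6b['shift']());
    } catch (_0x5764a4) {
      // Any error during the checksum is treated like a mismatch: rotate again.
      _0x3b1f6b['push'](_0x3b1f6b['shift']());
    }
  }
}(_0x4ac9, 0x8d97f));

// After the rotation, index 0x174 is 'log' and index 0x16b is the flag string,
// so this is console.log(<flag>).
function _0xa() {
  var _0x3c6d20 = _0x5347;
  console[_0x3c6d20(0x174)](_0x3c6d20(0x16b));
}

// Two filler strings; _0xb concatenates them and never uses the result.
var a = 'bkpodntjcopsymlxeiwhonstykxsrpzy',
  b = 'exrbspqqustnzqriulizpeeexwqsofmw';
_0xb(a, b);

// Table accessor: subtracts the base 0x16a from the index and returns that
// entry of _0x4ac9. The second parameter is never read.
function _0x5347(_0x37de35, _0x19ac26) {
  _0x37de35 = _0x37de35 - 0x16a;
  var _0x4ac9ea = _0x4ac9[_0x37de35];
  return _0x4ac9ea;
}

// Entry point invoked above: builds an unused string, then calls _0xa.
function _0xb(_0x39b3ee, _0xfae543) {
  var _0x259923 = _0x39b3ee + _0xfae543;
  _0xa();
}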
```

#### **FLAG >>** `dctf{pdf_1nj3ct3d}`

Original writeup (https://github.com/K1nd4SUS/CTF-Writeups/tree/main/dCTF_2021/Don't%20let%20it%20run).