How to decode a PDF stream?

  1. “Two xref tables and two %%EOF”?

    This alone is not an indication of a malicious PDF file. There can be two or even more instances of each, if the file was generated via the “incremental update” feature. (Each digitally signed PDF file is like that, and each file which was changed in Acrobat and saved by using the ‘Save’ button/menu instead of the ‘Save as…’ button/menu is like that too.)

  2. “How to decode a compressed PDF stream from a specific object”?

    Have a look at Didier Stevens’ Python script pdf-parser.py. With this command line tool, you can dump the decoded stream of any PDF object into a file. Example command to dump the stream of PDF object number 13:

    pdf-parser.py -o 13 -f -d obj13.dump my.pdf
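
To see both points together, the following added example (not part of the original answer and not Didier Stevens' code) builds a constructed two-revision file in which an incremental update redefines object 13, counts the `%%EOF` markers, and decodes every definition of that object. The function names are hypothetical, the xref sections are stubs, and only `/FlateDecode` is handled.

```python
import re
import zlib

def make_obj13(text: bytes) -> bytes:
    """Object 13 with a FlateDecode-compressed stream (constructed sample)."""
    z = zlib.compress(text)
    return (b"13 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(z)
            + z + b"\nendstream\nendobj\n")

def close_revision(data: bytes) -> bytes:
    """Append a stub xref/trailer and %%EOF; real xref entries are omitted."""
    tail = b"xref\n0 0\ntrailer\n<< /Size 14 >>\nstartxref\n%d\n" % len(data)
    return data + tail + b"%%EOF\n"

def build_sample() -> bytes:
    """Constructed file: original revision plus one incremental update."""
    rev1 = close_revision(b"%PDF-1.4\n" + make_obj13(b"BT (original) Tj ET"))
    return close_revision(rev1 + make_obj13(b"BT (updated) Tj ET"))

def revision_ends(data: bytes) -> list[int]:
    """Offset just past each %%EOF; every one closes a revision of the file."""
    return [m.end() for m in re.finditer(rb"%%EOF", data)]

def decode_streams(data: bytes, objnum: int) -> list[bytes]:
    """Decoded stream of every definition of objnum, oldest revision first."""
    out = []
    for h in re.finditer(rb"(?<!\d)%d\s+\d+\s+obj\b" % objnum, data):
        kw = re.compile(rb"stream\r?\n").search(data, h.end())
        if kw is None or b"endobj" in data[h.end():kw.start()]:
            continue  # this definition carries no stream
        dictionary = data[h.end():kw.start()]
        length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", dictionary)
        if length:  # direct /Length: take exactly that many bytes
            raw = data[kw.end():kw.end() + int(length[1])]
        else:       # indirect or missing /Length: fall back to the keyword
            raw = data[kw.end():data.index(b"endstream", kw.end())]
        if b"/FlateDecode" in dictionary:  # only this filter is handled here
            raw = zlib.decompressobj().decompress(raw)
        out.append(raw)
    return out

if __name__ == "__main__":
    pdf = build_sample()
    print("revisions:", len(revision_ends(pdf)))
    for i, s in enumerate(decode_streams(pdf, 13), 1):
        print(f"object 13, definition {i}: {s!r}")
```

When the same object number appears in more than one revision, the last definition is the one a viewer renders; comparing it with the earlier ones shows what the update changed.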
    
