Forensics / RE | MOJO CTF

PFF: Artifact Forensic Leak

Reversing embedded PDF JavaScript and brute-forcing steganographic image layers.

Competition Context

This challenge was part of the MOJO CTF event under the Forensics / RE category.

Outcome Target

Flag was successfully retrieved and validated.

The mission began with a seemingly benign artifact: a standard digital incident report in PDF format. On the surface the document looked completely harmless, but an initial strings pass immediately raised alarms: buried in the document's object tree were heavily obfuscated /S /JavaScript action dictionaries.

My first objective was to dissect the document's internal hierarchy. I used qpdf to decompress the object streams and expose the raw objects. Filtering through the noise, I uncovered an embedded JavaScript payload that dynamically generates an XOR key sequence from the document's own metadata (Author: JiaTan, SecretCode: v0id).

Armed with this intelligence, I shifted focus to the embedded images. Suspecting deeper layers, I ran a comprehensive steganographic search with stegseek against the JPEGs. Pairing the recovered passphrase (gangsta) with the metadata context let me extract the hidden text files embedded inside the JPEG layers, revealing the final payload.
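The two extraction steps above, as an added example that is not the challenge file or the author's tooling: a small Python triage script that scans a PDF for /S /JavaScript actions (resolving /JS given as a compressed stream reference or as a direct string), pulls the trailer's /Info metadata including custom keys such as /SecretCode, and derives a repeating XOR key from it. The mini-PDF is constructed inline, and the key derivation (Author concatenated with SecretCode) is an assumption chosen for illustration; in the real challenge the derivation must be read out of the recovered script. On a real file, run qpdf --qdf --object-streams=disable in.pdf out.pdf first so nested object streams are unpacked and a regex scan (or a grep for /JavaScript) actually sees every object.

```python
"""Triage a PDF for embedded JavaScript and a metadata-derived XOR key.

Added example for this writeup (not the challenge file or the author's code).
The mini-PDF is constructed inline; the key derivation is an illustrative assumption.
"""
import re
import zlib
from typing import Dict, List, Optional

# Constructed payload: a script that seeds its keystream from Info metadata.
SAMPLE_JS = b"var key = this.info.Author + this.info.SecretCode; /* XOR keystream seed */"

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
JS_ACTION_RE = re.compile(rb"/S\s*/JavaScript\b")
JS_REF_RE = re.compile(rb"/JS\s*(\d+)\s+\d+\s+R")
JS_LITERAL_RE = re.compile(rb"/JS\s*\((.*?)\)", re.S)   # no nested-paren handling
KV_RE = re.compile(rb"/(\w+)\s*\(([^)]*)\)")


def build_sample_pdf() -> bytes:
    """Constructed mini-PDF: an Info dict with a custom /SecretCode key and an
    /OpenAction JavaScript action whose /JS lives in a Flate-compressed stream."""
    packed = zlib.compress(SAMPLE_JS)
    objects = {
        1: b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        2: b"<< /Type /Pages /Kids [] /Count 0 >>",
        3: b"<< /Author (JiaTan) /SecretCode (v0id) /Producer (demo) >>",
        4: b"<< /S /JavaScript /JS 5 0 R >>",
        5: b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
           + packed + b"\nendstream",
    }
    out = b"%PDF-1.7\n"
    for num, body in objects.items():
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    # No xref table: the scanner walks objects directly, as it would on qpdf --qdf output.
    return out + b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"


def parse_objects(pdf: bytes) -> Dict[int, bytes]:
    """Map object number -> raw body. A minimal regex scan meant for decompressed
    files; binary streams can fool it, so use pikepdf/qpdf for adversarial input."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def stream_data(body: bytes) -> Optional[bytes]:
    """Decoded bytes of the object's stream (FlateDecode only), or None if no stream."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    data = m.group(1)
    return zlib.decompress(data) if b"/FlateDecode" in body else data


def find_javascript(pdf: bytes) -> List[str]:
    """Source of every /S /JavaScript action, whether /JS is an indirect stream,
    an indirect string object, or a direct (...) literal."""
    objs = parse_objects(pdf)
    scripts = []
    for body in objs.values():
        if not JS_ACTION_RE.search(body):
            continue
        ref = JS_REF_RE.search(body)
        if ref:
            target = objs.get(int(ref.group(1)), b"")
            data = stream_data(target)
            if data is None:                         # indirect string object, e.g. (...)
                data = target.strip().strip(b"()")
        else:
            lit = JS_LITERAL_RE.search(body)
            data = lit.group(1) if lit else b""
        scripts.append(data.decode("latin-1"))
    return scripts


def parse_info(pdf: bytes) -> Dict[str, str]:
    """String entries of the trailer's /Info dictionary (custom keys included),
    falling back to any dictionary that carries /Author."""
    objs = parse_objects(pdf)
    ref = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", pdf)
    body = objs.get(int(ref.group(1)), b"") if ref else b""
    if not body:
        body = next((b for b in objs.values() if b"/Author" in b), b"")
    return {k.decode(): v.decode("latin-1") for k, v in KV_RE.findall(body)}


def derive_xor_key(info: Dict[str, str]) -> bytes:
    """ASSUMED derivation for this example: Author || SecretCode as the repeating key.
    The real challenge's derivation has to be read out of the recovered script."""
    return (info.get("Author", "") + info.get("SecretCode", "")).encode()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def triage(pdf: bytes):
    """One-shot run: scripts found, metadata, and the key the assumed derivation yields."""
    info = parse_info(pdf)
    return find_javascript(pdf), info, derive_xor_key(info)


if __name__ == "__main__":
    scripts, info, key = triage(build_sample_pdf())
    for s in scripts:
        print("[JS action]", s)
    print("[Info]", info)
    print("[XOR key]", key)
    hidden = xor_bytes(b"constructed hidden text", key)   # stand-in for an extracted blob
    print("[round trip]", xor_bytes(hidden, key))
```

Once the script hands you the key material, the image step is the tooling the writeup names: stegseek --crack -sf cover.jpg -wl wordlist.txt to recover the passphrase, then steghide extract -sf cover.jpg -p gangsta to pull the embedded text file, which is the blob you feed to xor_bytes if the challenge layers the XOR on top of the stego payload.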


Key Takeaways

  • PDF readers execute embedded JavaScript (/S /JavaScript actions, often wired to /OpenAction) when a document is opened, so a "harmless" report is an execution vector. Always decompress the object streams and inspect them for obfuscated JS logic; a strings pass on the compressed file misses most of it.
  • Digital forensics often means chaining distinct artifacts rather than exploiting a single one: here the key material lived in the PDF metadata, and the payload lived in the JPEG stego layer; neither clue is useful on its own.