Yara-Rules/rules

Big_Numbers1 rule blocks PDF files with IDs in the trailer

abdulmuizzf opened this issue · 1 comment

It is common for PDFs to have ID fields in the trailer, and these fields store an array of two 32-character hex strings.

trailer
<</Size 298/Root 1 0 R/Info 282 0 R/ID[<29820DD116F854408DAB303F6BA3C728><29820DD116F854408DAB303F6BA3C728>] /Prev 143837/XRefStm 142970>>
startxref
149958
%%EOF

Big_Numbers1 seems to be written generically to block any sequence of 32 hex characters, and blocks a lot of PDF files with trailer sequences like the one above.

Is this intentional? If so, what kind of malware is this rule supposed to detect?

Hi, that rule looks for hex strings 32 characters long, just that. Think about whether that is what you are looking for in PDF files. Maybe that particular rule is not appropriate for PDF files.
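As an added example, not taken from the Yara-Rules repository and not the text of Big_Numbers1 itself, the following Python approximates the heuristic described in this issue (a 32-character hex string matched as a whole word) and runs it against a constructed PDF skeleton carrying the trailer from the report. It then shows the two ways a rule author could narrow the match as the reply suggests: skipping files with a `%PDF-` header outright, or dropping only the matches that sit inside a trailer `/ID` array so a 32-hex-digit string elsewhere in a PDF (a stream body, for instance) still hits. The regexes, function names and the sample file are assumptions made for illustration.

```python
"""Approximation of the Big_Numbers1 heuristic from the issue: a 32-hex-digit
string matched as a whole word, plus two ways to stop it firing on the /ID
array every PDF trailer may carry. Regexes and sample data are constructed
for this example, not copied from the rule set."""
import re

# The rule's string as described in the issue: 32 hex digits. YARA's "fullword"
# is emulated with lookarounds so a longer hex run or an adjacent alphanumeric
# character does not count as a match. This is a reconstruction, not the rule.
HEX32 = re.compile(rb"(?<![0-9A-Za-z])[0-9a-fA-F]{32}(?![0-9A-Za-z])")

# Trailer entry /ID [<hex> <hex>]. PDF permits whitespace between the array
# elements; the trailer quoted in the issue has none.
PDF_ID_ARRAY = re.compile(
    rb"/ID\s*\[\s*<([0-9A-Fa-f]+)>\s*<([0-9A-Fa-f]+)>\s*\]"
)


def big_numbers_matches(data):
    """(offset, value) for every 32-hex-digit 'big number', like the rule."""
    return [(m.start(), m.group(0)) for m in HEX32.finditer(data)]


def is_pdf(data):
    """Whole-file exclusion: a PDF begins with a %PDF- header."""
    return data.startswith(b"%PDF-")


def pdf_id_spans(data):
    """Byte ranges occupied by the hex strings of each trailer /ID array."""
    spans = []
    for m in PDF_ID_ARRAY.finditer(data):
        for group in (1, 2):
            spans.append((m.start(group), m.end(group)))
    return spans


def big_numbers_excluding_pdf_ids(data):
    """Same heuristic, but matches lying inside a /ID array are dropped, so a
    32-hex-digit string anywhere else in the file is still reported."""
    ids = pdf_id_spans(data)
    kept = []
    for off, val in big_numbers_matches(data):
        end = off + len(val)
        if any(s <= off and end <= e for s, e in ids):
            continue
        kept.append((off, val))
    return kept


# Constructed sample (assumption): a minimal PDF skeleton whose trailer is the
# one quoted in the issue, plus one unrelated 32-hex string inside a stream.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<</Type/Catalog/Pages 2 0 R>>\nendobj\n"
    b"3 0 obj\n<</Length 37>>\nstream\n"
    b"key=0123456789abcdef0123456789abcdef\n"
    b"endstream\nendobj\n"
    b"trailer\n"
    b"<</Size 298/Root 1 0 R/Info 282 0 R/ID[<29820DD116F854408DAB303F6BA3C728>"
    b"<29820DD116F854408DAB303F6BA3C728>] /Prev 143837/XRefStm 142970>>\n"
    b"startxref\n149958\n%%EOF\n"
)

if __name__ == "__main__":
    print("raw heuristic hits:", len(big_numbers_matches(SAMPLE_PDF)))
    print("is PDF, skip whole file:", is_pdf(SAMPLE_PDF))
    print("hits outside /ID:", big_numbers_excluding_pdf_ids(SAMPLE_PDF))
```

On the sample the raw heuristic reports three hits (the two `/ID` entries and the stream value), while the narrowed variant reports only the stream value. In YARA terms the coarse exclusion is a condition clause such as `not uint32be(0) == 0x25504446` (the bytes of `%PDF`); the finer exclusion has no direct YARA equivalent and would need a separate string for the `/ID[<...><...>]` pattern whose match count is subtracted from the hex-string count.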