PDF Mode 10500: RC4 or AES being used?
After extensive searching around and after several test exports with OpenOffice, SoftMaker Office and PDFXChange Editor and again researching I can conclude, that PDF versioning is a big mess.

What I have learned so far:
The PDF Version is no indicator whatsoever in regard of used encryption.
For instance I created several PDF documents with SoftMaker and PDFXChange and selected different encryption standards. But the PDF Version stayed the same.
SoftMaker created V1.4 PDF regardless of 40Bit or 128Bit RC4.
PDFXChange created V1.7 PDF regardless 40Bit RC4, 128Bit RC4, 128Bit AES, ...

So the only real indicator which hashcat mode has to be used, can only be obtained either with exiftool or while looking at the generated string produced by pdf2hashcat.py.
I assume that if the beginning of the produced hash matches the mode provided on the hashcat wiki examples page, then it is the right one...

Furthermore I encountered the encryption standard V4.4 which hashcat seems not supporting? (128Bit AES and 128Bit RC4 with Acrobat compatibility set to v7+)

Please have a look at attached image for a overview and more clarity.

.png   pdf overview.png (Size: 55.98 KB / Downloads: 6)

Messages In This Thread
RE: PDF Mode 10500: RC4 or AES being used? - by SeaWizard - 03-05-2021, 12:20 PM