This signature identifies potentially malicious PDF documents by looking for a common form of obfuscation applied to them. If this signature fires, it may indicate an attempt at exploiting a PDF reader or browser vulnerability, and attempting to hide the fact it is doing so.This signature is a lighter-weight version of the Obfuscated PDF Document signature (23099-0). This signature uses less memory and CPU processing, but may match non PDF traffic.
There are no suggested filters.
This signature is less precise than 23099-0, and does not anchor on the start of a PDF document. Therefore, it's possible that this signature may fire on traffic that is not a PDF document.
This signature does not obsolete 23099-0 because of the difference in how precise the signature operates on matching traffic. It is up to the device administrator as to which signature they prefer to use.
LEGAL DISCLAIMER THE INFORMATION ON THIS PAGE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION CONTAINED HEREIN, OR MATERIALS LINKED FROM THE DOCUMENT, IS AT YOUR OWN RISK. INFORMATION IN THIS DOCUMENT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.