Dear Forensics Experts,
I am learning forensics, and as part of this process I am analysing a PDF file using pdfid on Backtrack.
The PDF file looks perfect except the /AA value. I would like to understand the result attached with this so I can conclude and test other pdf files.
Result generated by pdfid
PDF Header %PDF-1.6
obj 13942
endobj 13942
stream 2160
endstream 2160
xref 1
trailer 1
startxref 1
/Page 296
/Encrypt 0
/ObjStm 102
/JS 0
/JavaScript 0
/AA 1
/OpenAction 0
/AcroForm 0
/JBIG2Decode 0
/RichMedia 0
/Launch 0
/Colors > 2^24 0
Your help in this will be very helpful for me.
Thank you
According to
AA = Additional Action
The PDF file looks perfect except the /AA value. I would like to understand the result attached with this so I can conclude and test other pdf files.
The best solution is to learn PDF. The PDF Reference Manual (in the different versions) is usually available on-line from Adobe. PDF 1.6 is described in the fifth edition, available here: http://partners.adobe.com/public/developer/en/pdf/PDFReference16.pdf
PDF is a programming language (though it is not a general-purpose programming language): you can create variables, streams, dictionaries etc. (You can even define certain types of functions.) You typically give these entities names, so that you can refer to them. Those names, identifiers, must start with a '/', and be followed by any regular character except whitespace or delimiters. That is what you see: /AA.
Exactly what the name /AA means in the file you are examining, though, depends on what the PDF program in that file does. It could be a value in a dictionary, in which case its definition will look somewhat like
42 0 obj
<<
/AA 12345 % ... or (This is a string) or some other PDF object
% ...
>>
endobj
It could also be a name of a character in some particular type face, for example.
The PDF Reference Manual does not define /AA or reserve the name, so its 'meaning' cannot be decided without inspection of the actual PDF code. As it only occurs once (?), it's clearly not something that is used a lot.
However, the PDFiD description clearly says why it looks for /AA and the other special names it reports. (Looks like it assumes some particular PDF writing application.) As far as I can decide, it assumes that you understand PDF, and can evaluate the report for yourself – probably by examining the PDF code. Note the warning about false positives.
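Added example, not from the thread or from PDFiD: a small Python raw scan that locates each exact occurrence of a name such as /AA and returns the enclosing object so it can be read by hand. The sample bytes and the function names find_name and decode_name are constructed for illustration; a raw scan like this cannot see names stored inside compressed object streams (the /ObjStm count in the report above).

```python
import re

# Constructed sample (not the poster's file): /AAPL must not count as /AA,
# while /A#41 is /AA written with a hex escape and must count.
SAMPLE = (b"%PDF-1.6\n"
          b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 /AAPL 7 >>\nendobj\n"
          b"3 0 obj\n<< /Type /Page /Parent 2 0 R /A#41 << /O 4 0 R >> >>\nendobj\n"
          b"4 0 obj\n<< /S /GoTo /D [3 0 R /Fit] >>\nendobj\n")

# A name starts with '/' and runs until whitespace or a PDF delimiter.
NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]*)")
OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")


def decode_name(raw):
    """Undo #xx hex escapes so that A#41 compares equal to AA."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def find_name(data, wanted):
    """Return [(object_number_or_None, offset, context_bytes)] for /wanted.

    Raw byte scan only: hits inside strings or stream data are reported too,
    so every hit still has to be read in context.
    """
    objs = [(m.start(), int(m.group(1))) for m in OBJ.finditer(data)]
    hits = []
    for m in NAME.finditer(data):
        if decode_name(m.group(1)) != wanted:
            continue
        prev = [o for o in objs if o[0] <= m.start()]
        start, num = prev[-1] if prev else (m.start(), None)
        if b"endobj" in data[start:m.start()]:
            start, num = m.start(), None   # outside any object, e.g. trailer
        end = data.find(b"endobj", m.end())
        if num is not None and end >= 0:
            end += len(b"endobj")          # context = the whole object
        else:
            end = min(len(data), m.start() + 80)
        hits.append((num, m.start(), data[start:end]))
    return hits


if __name__ == "__main__":
    for num, offset, context in find_name(SAMPLE, b"AA"):
        print(f"/AA in object {num} at byte offset {offset}:")
        print(context.decode("latin-1"))
```
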
Best place to learn about pdf security.