While analyzing a recent pdf sample exploiting the TIFF vuln it used a known technique to obfuscate it’s content: it appends a pdf to the first one after a bunch of of “garbage” (that contains the dropped executables)
%PDF-1.6 ... %%EOF [GARBAGE] %PDF-1.6 ... %%EOF
I tried to run my extractor on the sample to retrieve all the streams decompressed but i didn’t found the one containing the famous exploit
The reason why i wasn’t able to recover the exploit is that the second pdf redefined an object (0 1) and so the first dumped stream was overwritten by the last one thus hiding the exploit.
I just did a little modification to preserve all the streams extracted even if there is a id collision, you can download it