A case where a client requested a refund of a security deposit from a real estate company and was sent a 'PDF file of an altered contract'



In recent years, rental contracts, insurance policies, and other documents are increasingly being stored in PDF files. However, when programmer Matthew Garrett moved out of a rental property, he was presented with a 'PDF file of a contract that had been tampered with' by the real estate company. Garrett explains in his blog how he was able to prove that the PDF file had been tampered with.

mjg59 | Investigating a forged PDF
https://mjg59.dreamwidth.org/73317.html

In California, where Garrett lives, landlords are required to return security deposits within 21 days of a tenant moving out. However, Garrett said he didn't receive his money even after the deadline. Since the lease didn't include the landlord's name or address, Garrett consulted the real estate company that brokered the lease.

However, the real estate company denied Garrett's request for a refund, claiming that the lease clearly stated that the landlord was holding the security deposit. A portion of the PDF file sent to Garrett by the real estate company is shown below. The part circled in red contains the landlord's name and the statement that 'the landlord is holding the security deposit.'



However, the PDF file that Garrett had saved from the time of signing the contract had the problematic section blank, meaning the PDF file the real estate company sent him after his inquiry had been altered.



The PDF file was signed by a signature service called RightSignature, and strangely enough, the certification information listed on the RightSignature authentication page was identical between the PDF file Garrett had saved and the modified PDF file.



Garrett examined the two files using the PDF file analysis tool 'PDFtk' and found that both files were created in June 2025, the date of the contract, but the modified PDF file had a modification date of September 2025. Furthermore, PDF files contain two identifiers: 'ID0,' which is assigned when the file is created, and 'ID1,' which is assigned when the file is modified. The value of ID1 had changed in the modified file.
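The comparison described above can be reproduced with a short script. The following is an added example, not code from Garrett's blog or from PDFtk: it reads the two identifiers and the two dates straight out of the raw bytes of a PDF and compares two copies. The sample byte strings and the function names are constructed for illustration, and the script assumes an unencrypted file whose identifiers are hex strings and whose metadata is stored uncompressed.

```python
import re

# Constructed sample data (not the files from the article): two minimal
# PDF-like byte strings that share ID0 and CreationDate.
ORIGINAL = (b"%PDF-1.7\n1 0 obj\n<< /CreationDate (D:20250610120000Z) "
            b"/ModDate (D:20250610120000Z) >>\nendobj\n"
            b"trailer\n<< /Info 1 0 R /ID [<aa11bb22> <aa11bb22>] >>\n%%EOF\n")
ALTERED = (b"%PDF-1.7\n1 0 obj\n<< /CreationDate (D:20250610120000Z) "
           b"/ModDate (D:20250915093000Z) >>\nendobj\n"
           b"trailer\n<< /Info 1 0 R /ID [<aa11bb22> <cc33dd44>] >>\n%%EOF\n")

# /ID is an array of two strings: the first is what the article calls ID0,
# the second ID1. Assumption: both are written as hex strings.
ID_RE = re.compile(rb"/ID\s*\[\s*<([0-9A-Fa-f\s]*)>\s*<([0-9A-Fa-f\s]*)>\s*\]")
DATE_RE = {k: re.compile(rb"/" + k.encode() + rb"\s*\(D:(\d{4,14})")
           for k in ("CreationDate", "ModDate")}

def _last(pattern, data):
    """Return the last match; incremental updates append newer copies."""
    matches = list(pattern.finditer(data))
    return matches[-1] if matches else None

def pdf_fingerprint(data):
    """Extract ID0, ID1, CreationDate and ModDate from raw PDF bytes."""
    out = {"ID0": None, "ID1": None, "CreationDate": None, "ModDate": None}
    m = _last(ID_RE, data)
    if m:
        out["ID0"], out["ID1"] = (b"".join(g.split()).lower().decode() for g in m.groups())
    for key, pattern in DATE_RE.items():
        m = _last(pattern, data)
        if m:
            out[key] = m.group(1).decode()
    return out

def compare(a, b):
    """List findings that indicate copy b was saved again after creation."""
    fa, fb = pdf_fingerprint(a), pdf_fingerprint(b)
    findings = []
    if fa["ID0"] and fa["ID0"] == fb["ID0"]:
        findings.append("same ID0: both copies derive from one original")
    if fa["ID1"] != fb["ID1"]:
        findings.append("ID1 differs: one copy was saved again")
    # Digit strings compare chronologically; time zone suffixes are ignored.
    if fb["ModDate"] and fb["CreationDate"] and fb["ModDate"] > fb["CreationDate"]:
        findings.append("ModDate later than CreationDate in second copy")
    return findings

if __name__ == "__main__":
    for line in compare(ORIGINAL, ALTERED):
        print(line)
```

These findings show only that the second copy was written again after it was created, not what was changed in it, which is why the company's resealing explanation had to be ruled out with the further evidence described below.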

Using the above evidence, Garrett complained to the real estate company that the contract had been altered. However, the company representative denied the alteration, saying, 'RightSignature reseals the file every time it downloads it. This process must have changed the ID1 value.'

Garrett then re-analyzed the PDF file using another tool called 'pdfalyzer.' The results revealed that the file had been edited using Adobe Acrobat. Furthermore, Adobe Acrobat has a feature that 'rewrites font reference names in PDF files to a proprietary format.' He discovered that the name of a font called 'Courier,' which did not exist in the PDF file before it was signed but was added when it was signed with RightSignature, had also been rewritten. This confirmed that the PDF file had been rewritten after it was signed.

Furthermore, analysis of the RightSignature authentication page using browser developer tools revealed the presence of a 'base.pdf' on the page, which matched the original PDF. This means that the RightSignature page continued to display information about 'base.pdf' even after the PDF file was altered.

Garrett is considering contacting the California Department of Real Estate and consulting with a lawyer.

in Security, Posted by log1o_hf