PDF Tools (Black Hat EU 2012 Edition) Released

Didier Stevens has released several free, open source tools to help with the analysis of (malicious) PDF files. These tools are included in popular Linux distros like BackTrack and REMnux. One of these tools, PDFiD, also runs on the number one virus scanning site, VirusTotal.

pdf-parser.py v0.3.9 (Download)

This tool parses a PDF document to identify the fundamental elements used in the analyzed file: indirect objects, streams, the cross-reference table and the trailer.

make-pdf tools (Download)

  • make-pdf-embedded.py v0.5.0
  • make-pdf-javascript.py v0.1
  • mPDF.py v0.1.4

make-pdf-javascript.py allows one to create a simple PDF document with embedded JavaScript that will execute upon opening of the PDF document. It’s essentially glue-code for the mPDF.py module which contains a class with methods to create headers, indirect objects, stream objects, trailers and XREFs.

pdfid.py v0.0.12 (Download)

This tool is not a PDF parser, but it will scan a file to look for certain PDF keywords, allowing you to identify PDF documents that contain (for example) JavaScript or execute an action when opened. PDFiD also handles name obfuscation: PDF names may be written with hex escapes (for example /J#61vaScript instead of /JavaScript), and PDFiD resolves these before counting, so an obfuscated keyword is still found and reported separately.

PDFiD will scan a PDF document for a given list of strings and count the occurrences (total and obfuscated) of each word:

obj
endobj
stream
endstream
xref
trailer
startxref
/Page
/Encrypt
/ObjStm
/JS
/JavaScript
/AA
/OpenAction
/JBIG2Decode
/RichMedia
/Launch
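As an added example that is not part of the original post and not Didier Stevens' code, the script below does both of the things described above in one go: it builds a minimal PDF whose /OpenAction runs JavaScript (the same kind of document make-pdf-javascript.py produces, with the header, indirect objects, stream, xref and trailer that mPDF.py generates), optionally hex-escaping two names, and then scans the result PDFiD-style, counting the total and obfuscated occurrences of each keyword in the list above. The object layout, the hex-escape helper, the tokenizer regexes and the sample JavaScript are my own assumptions for illustration; the real tools tokenize and lay out objects somewhat differently.

```python
"""Added example: build a PDF with an /OpenAction JavaScript action, then count
PDFiD keywords (total / obfuscated). Not Didier Stevens' code; layout, regexes
and sample payload are assumptions made for this illustration."""
import re

# PDFiD's keyword list from the post, as bytes (PDF is a byte-oriented format).
KEYWORDS = [b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer",
            b"startxref", b"/Page", b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript",
            b"/AA", b"/OpenAction", b"/JBIG2Decode", b"/RichMedia", b"/Launch"]


class MiniPDF:
    """Minimal writer: header, numbered indirect objects, xref table, trailer."""

    def __init__(self):
        self.objects = []          # body of object n is self.objects[n-1]

    def add(self, body: bytes) -> int:
        self.objects.append(body)
        return len(self.objects)   # the object number just assigned

    def add_stream(self, dict_entries: bytes, data: bytes) -> int:
        body = (b"<<" + dict_entries + b" /Length %d >>\nstream\n" % len(data)
                + data + b"\nendstream")
        return self.add(body)

    def render(self, root: int) -> bytes:
        out = bytearray(b"%PDF-1.1\n%\xd0\xd0\xd0\xd0\n")   # binary comment line
        offsets = []
        for num, body in enumerate(self.objects, start=1):
            offsets.append(len(out))                  # byte offset recorded in xref
            out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
        startxref = len(out)
        size = len(self.objects) + 1                  # entry 0 is the free-list head
        out += b"xref\n0 %d\n0000000000 65535 f \n" % size
        for off in offsets:
            out += b"%010d 00000 n \n" % off           # fixed 20-byte entries
        out += (b"trailer\n<< /Size %d /Root %d 0 R >>\nstartxref\n%d\n%%%%EOF\n"
                % (size, root, startxref))
        return bytes(out)


def hex_escape_name(name: bytes) -> bytes:
    """Obfuscate a name by hex-escaping its second character: /JavaScript -> /J#61vaScript."""
    return name[:2] + b"#%02x" % name[2] + name[3:]


def build_js_pdf(js: bytes, obfuscate: bool = False) -> bytes:
    """Catalog -> Pages -> Page, plus an Action object whose /JS is a stream (object 5)."""
    name_js = hex_escape_name(b"/JavaScript") if obfuscate else b"/JavaScript"
    name_oa = hex_escape_name(b"/OpenAction") if obfuscate else b"/OpenAction"
    pdf = MiniPDF()
    catalog = pdf.add(b"<< /Type /Catalog /Pages 2 0 R " + name_oa + b" 4 0 R >>")
    pdf.add(b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>")
    pdf.add(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>")
    pdf.add(b"<< /Type /Action /S " + name_js + b" /JS 5 0 R >>")
    pdf.add_stream(b"", js)
    return pdf.render(root=catalog)


NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")      # a PDF name token
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def unescape_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def pdfid_scan(data: bytes) -> dict:
    """Return {keyword: (total, obfuscated)}, the two columns PDFiD reports."""
    counts = {k: [0, 0] for k in KEYWORDS}
    for m in NAME_RE.finditer(data):               # name keywords, escape-aware
        raw, norm = m.group(0), unescape_name(m.group(0))
        if norm in counts:
            counts[norm][0] += 1
            counts[norm][1] += raw != norm
    for kw in KEYWORDS:                            # bare keywords: whole words only,
        if not kw.startswith(b"/"):                # so "endstream" is not a "stream"
            pat = rb"(?<![A-Za-z0-9])" + re.escape(kw) + rb"(?![A-Za-z0-9])"
            counts[kw][0] = len(re.findall(pat, data))
    return {k: tuple(v) for k, v in counts.items()}


def verify_xref(data: bytes) -> bool:
    """Follow startxref and check each in-use entry points at 'N 0 obj'."""
    m = re.search(rb"startxref\s+(\d+)\s+%%EOF", data)
    pos = int(m.group(1)) if m else -1
    hdr = re.match(rb"xref\n(\d+) (\d+)\n", data[pos:]) if pos >= 0 else None
    if hdr is None:
        return False
    first, count, table = int(hdr.group(1)), int(hdr.group(2)), pos + hdr.end()
    for i in range(count):
        entry = data[table + 20 * i: table + 20 * (i + 1)]
        off, kind = int(entry[:10]), entry[17:18]
        if kind == b"n" and not data.startswith(b"%d 0 obj" % (first + i), off):
            return False
    return True


if __name__ == "__main__":
    sample = build_js_pdf(b"app.alert('opened');", obfuscate=True)  # constructed input
    print("xref consistent:", verify_xref(sample))
    for kw, (total, obf) in pdfid_scan(sample).items():
        print(f"{kw.decode():<14} {total:>3} {obf:>3}")
```

Running it prints a PDFiD-like table in which /JavaScript and /OpenAction each show one occurrence and one obfuscated occurrence, while /JS and /Page show one plain occurrence. The xref check is included because a document whose table does not point at its objects is exactly the kind of malformed file the post mentions; readers can see that the offsets the writer records really do resolve.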

PDFTemplate.bt v0.0.12 (Download)

This is a 010 Editor template for the PDF file format. It’s particularly useful for malformed PDF files.

More Information: here

Thank you Didier Stevens 😉

MaxiSoler

www.artssec.com @maxisoler