Blackhat Arsenal 2012 Releases: Peepdf (Blackhat Release) v0.2

peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. It’s included in BackTrack and REMnux.

Some of the peepdf features:

It shows all the objects in the document, highlighting the suspicious elements and potential vulnerabilities.
It supports all the most used filters and encodings.
It can parse different versions of a file, object streams and encrypted documents.
It provides Javascript and shellcode analysis wrappers, thanks to Spidermonkey and Libemu.
It’s able to create new PDF files and modify existent ones using obfuscation techniques.
It’s able to extract all the information easily thanks to its interactive console.

The New Release At Vegas

Added support for AES in the decryption process: Until now peepdf supported RC4 as a decryption algorithm but AES was a must. Now here it is, so no more worries for decrypted documents. I will be ready for new changes in the decryption process, someone in Vegas told me that the next AES modification for PDF files is coming…
Added decrypt command: The normal way of sending malicious encrypted PDF files is with no user password, so the victims don’t need to put any password manually, it uses the “default” blank password to decrypt it. However, in some cases the password was written in the emails body, for instance. For these cases we can use the decrypt command. In a preliminary analysis we see an error that tell us that the password is not correct. But we can use this new command to perform another analysis giving the password used to encrypt the file. This way we can see all the encrypted objects without problems.
Shellcode emulation with pylibemu: The shellcode emulation with peepdf was performed with the sctest binary directly. It wasn’t that smart so I had in the TODO list taking a look at the alternatives. Thanks to Angelo Dell’Aera, pylibemu author, I’ve finally included an smarter way to do it, adding pylibemu to the project. The result is very similar but now you won’t need the sctest binary but installing pylibemu. Besides this, if the shellcode uses the URLDownloadToFile function, pylibemu will try to download the binary to disk. Also, other of the good things of this change is that I can work with Angelo closely to solve any potential issues 🙂 I recommend using the git repository to update the libemu files and then install the latest version of pylibemu.
Added support for HTML entities decoding: One method to obfuscate Javascript code is to encode it with HTML entities. Sascha Weiss shared some samples with me at Black Hat Amsterdam this year (thanks!) and now it’s supported and transparent for the user.
Extraction of Javascript code from XDP packets: When Javascript code is found in a XDP packet (XFA template) normally it’s stored in XML format, in a script element. Until now when you executed the js_code command with an XDP object you had the full content, including the script element, but now the JS code is correctly extracted, without garbage.
Added support for CCITTFaxDecode filter: One more for the collection of supported filters. Thanks to Binjo this decoding filter is included now, due to the fact that we have seen some malicious files including this type of encoding this year.
More colors in the interactive console: I have included more colors in the interactive console to highlight the important elements shown in the info command, like objects containing Javascript code or trigger elements. for example. Also, errors (red) and warnings (yellow) are colorized now. You can always use the -g option (grinch mode) to avoid the colorized output.