Tools for analyzing malicious PDF
Targeting a vulnerability in Acrobat Reader is one of the more popular ways of compromising systems nowadays. Below are the tools that we can use for analyzing malicious PDF.
PDF Stream Dumper PDF Stream Dumper is a free tool for analyzing suspicious PDF files. PDF Stream Dumper is a self-contained program that runs on Microsoft Windows and contains a convenient graphical user interface. The tool contains numerous features.
Peepdf: peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it's possible to see all the objects in the document showing the suspicious elements, supports all the most used filters and encodings, it can parse different versions of a file, object streams and encrypted files.
PDFiD PDFiD is a Python tool to analyze and sanitize PDF files. It identifies PDFs that contain strings associated with scripts and actions.
PDF-parser examines the structure of PDF files.This tool will parse a PDF document to identify the fundamental elements used in the analyzed file. It will not render a PDF document.
Jsunpack-n’s pdf.py jsunpack-n emulates browser functionality when visiting a URL. It's purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input:
PDF files - samples/sample-pdf.file
Packet Captures - samples/sample-http-exploit.pcap
HTML files
JavaScript files
SWF files
Pyew is a python tool to analyse malware. It does have support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), PE and ELF file formats (it performs code analysis and let you write scripts using an API to perform many types of analysis), follows direct call/jmp instructions in the interactive command line, displays function names and string data references; supports OLE2 format, PDF format and more. It also supports plugins to add more features to the tool.
Origami’s pdfwalker: origami is a Ruby framework designed to parse, analyze, and forge PDF documents. This is NOT a PDF rendering library. It aims at providing a scripting tool to generate and analyze malicious PDF files. As well, it can be used to create on-the-fly customized PDFs, or to inject (evil) code into already existing documents.Origami supports advanced features of the latest PDF specifications:
Encryption, up to Adobe Reader X
Digital signatures
Forms (Acrobat and XML)
JavaScript
Annotations
Flash
File attachments
Object streams
Origami’s pdfextract Extracts various data out of a document (streams, scripts, images, fonts, metadata, attachments).
PDF X-RAY PDF X-RAY differs from all other tools because it doesn't focus on the single file. Instead it compares the file you upload against thousands of malicious PDF files in our repository. These checks look for similar data structures within the PDF you upload and ones that have been reviewed by analysts. Using this feature we can begin to see shared coded samples among malicious files or trends due to malicious author coding styles. It creates an HTML report containing decoded PDF file structure and contents.
Origami’s pdfsh offer an interactive command-line shell for examining PDF files. pdfsh is the Command Line Interface (CLI) version of Origami.
SWF mastah extracts SWF objects from PDF files.
%2Bdork%2Blist%2Binfosec%2Baffairs.png)
No comments:
Post a Comment