service_manifest.yml
name: PeePDF
version: $SERVICE_TAG
description: >-
  This service uses the Python PeePDF library to extract information from PDFs, including JavaScript
  blocks, which it will attempt to deobfuscate, if necessary, for further analysis.

accepts: (document/pdf|code/xml)
stage: CORE
category: Static Analysis

file_required: true
enabled: true
timeout: 60
disable_cache: false
licence_count: 0
privileged: true

heuristics:
  - heur_id: 1
    name: Embedded PDF in XDP
    filetype: document/pdf
    score: 1
    description: >-
      If the <chunk> tag is present in the PDF file contents, there is an embedded PDF in the XDP.

  - heur_id: 2
    filetype: document/pdf
    name: Large Buffers
    score: 100
    description: >-
      A large buffer was found in the JavaScript code.

  - heur_id: 3
    filetype: document/pdf
    name: Contains eval
    score: 100
    description: >-
      The eval() function is found in the JavaScript block. This is
      commonly used to launch deobfuscated JavaScript code.

  - heur_id: 4
    filetype: document/pdf
    name: Contains unescape
    score: 100
    description: >-
      The unescape() function is found in the JavaScript block. Malware
      could use this to deobfuscate code blocks.

  - heur_id: 5
    filetype: document/pdf
    name: JavaScript Shellcode
    score: 0
    description: >-
      Hidden shellcode found inside unescaped bytes.

  - heur_id: 6
    filetype: document/pdf
    name: Unescaped JavaScript Buffer
    score: 500
    description: >-
      If looking for JavaScript shellcode fails, the JavaScript is an
      unknown unescaped buffer.

  - heur_id: 8
    filetype: document/pdf
    name: Suspicious JavaScript Elements
    score: 0
    description: >-
      Suspicious JavaScript elements have been found within the file.

  - heur_id: 9
    name: Contains URL(s)
    score: 50
    filetype: document/pdf
    description: >-
      URL(s) have been found within the file.

docker_config:
  image: ${REGISTRY}cccs/assemblyline-service-peepdf:$SERVICE_TAG
  cpu_cores: 1
  ram_mb: 2048