Malice PDF Plugin
This repository contains a Dockerfile of malice/pdf. It runs PDFiD and pdf-parser.py on samples and will extract and (eventually) submit extracted files as children back to malice for analysis.
- Install Docker.
- Download trusted build from public DockerHub:
docker pull malice/pdf
$ docker run --rm -v /path/to/malware:/malware malice/pdf --help
Usage: pdfscan [OPTIONS] COMMAND [ARGS]...
Malice PDF Plugin
Author: blacktop <https://github.com/blacktop>
Options:
--version print the version
-h, --help Show this message and exit.
Commands:
scan scan a file
web start web service
$ docker run --rm -v /path/to/malware:/malware malice/pdf scan --help
Usage: pdfscan.py scan [OPTIONS] FILE_PATH
Malice PDF Plugin.
Options:
-v, --verbose verbose output
-t, --table output as Markdown table
-x, --proxy PROXY proxy settings for Malice webhook endpoint
[$MALICE_PROXY]
-c, --callback ENDPOINT POST results back to Malice webhook
[$MALICE_ENDPOINT]
--elasticsearch HOST elasticsearch address for Malice to store results
[$MALICE_ELASTICSEARCH_URL]
--timeout SECS malice plugin timeout (default: 10)
[$MALICE_TIMEOUT]
--extract PATH where to extract the embedded objects to
-h, --help Show this message and exit.
This will output to stdout and POST to malice results API webhook endpoint.
{
"pdf": {
"streams": {},
"peepdf": {},
"pdfid": {
"heuristics": {
"embeddedfile": {
"reason": "`/EmbeddedFile` flag(s) detected",
"score": 0.9
},
"nameobfuscation": {
"reason": "no hex encoded flags detected",
"score": 0
},
"suspicious": {},
"triage": {
"reason": "sample is likely malicious and requires further analysis",
"score": 1
}
},
"countChatAfterLastEof": "0",
"errorMessage": "",
"dates": {
"date": []
},
"nonStreamEntropy": "4.896895",
"header": "%PDF-1.1",
"version": "0.2.4",
"entropy": "",
"totalEntropy": "7.873045",
"isPdf": "True",
"keywords": {
"keyword": [
{
"count": 9,
"hexcodecount": 0,
"name": "obj"
},
{
"count": 9,
"hexcodecount": 0,
"name": "endobj"
},
{
"count": 2,
"hexcodecount": 0,
"name": "stream"
},
{
"count": 2,
"hexcodecount": 0,
"name": "endstream"
},
{
"count": 1,
"hexcodecount": 0,
"name": "xref"
},
{
"count": 1,
"hexcodecount": 0,
"name": "trailer"
},
{
"count": 1,
"hexcodecount": 0,
"name": "startxref"
},
{
"count": 1,
"hexcodecount": 0,
"name": "/Page"
},
...SNIP...
{
"count": 0,
"hexcodecount": 0,
"name": "/Colors > 2^24"
}
]
},
"countEof": "1",
"streamEntropy": "7.970107",
"errorOccured": "False"
}
}
}
- PDF Header:
%PDF-1.1
- Total Entropy:
7.873045
- Entropy In Streams:
7.970107
- Entropy Out Streams:
4.896895
- Count %% EOF:
1
- Data After EOF:
0
Keyword | Count |
---|---|
obj | 9 |
endobj | 9 |
stream | 2 |
endstream | 2 |
xref | 1 |
trailer | 1 |
startxref | 1 |
/Page | 1 |
/Encrypt | 0 |
/ObjStm | 0 |
/JS | 1 |
/JavaScript | 1 |
/AA | 0 |
/OpenAction | 1 |
/AcroForm | 0 |
/JBIG2Decode | 0 |
/RichMedia | 0 |
/Launch | 0 |
/EmbeddedFile | 1 |
/XFA | 0 |
/Colors > 2^24 | 0 |
Score:
50
/EmbeddedFile
flag(s) detected
Score:
150
/JS
: indicating javascript is present in the file./JavaScript
: indicating javascript is present in the file./OpenAction
: indicating automatic action to be performed when the page/document is viewed.
Score:
50
- Page count of 1
Comment: 3
XREF: 1
Trailer: 1
StartXref: 1
Indirect object: 9
1: 5
/Action 1: 9
/Catalog 1: 1
/EmbeddedFile 1: 8
/Filespec 1: 7
/Font 1: 6
/Outlines 1: 2
/Page 1: 4
/Pages 1: 3
file_name:
eicar-dropper.doc
pestudio_blacklist_string:
JavaScript
Object | Sha256 |
---|---|
8 | eb0ae2d1cd318dc1adb970352e84361f9b194ff14f45b0186e4ed6696900394a |
EmbeddedFile:
s<<++<< /Names [(eicar-dropper.doc) 7 0 R] /OpenAction 9 0 R
OpenAction:
<<
/Type /Action
/S /JavaScript
/JS (this.exportDataObject({ cName: "eicar-dropper.doc", nLaunch: 2 });)
>>
JS:
(this.exportDataObject({ cName: "eicar-dropper.doc", nLaunch: 2 }) ; )
Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue
See CHANGELOG.md
See all contributors on GitHub.
Please update the CHANGELOG.md
Heavily (if not entirely) influenced by CSE-CST's alsvc_pdfid and alsvc_peepdf
- add PDFiD
- add pdf-parser for streams
-
add peepdf for JS - add uwsgi to serve webserver (maybe nginx?)
- float PDFiD errors up like I do with pdf-parser (handles errors when file is not a PDF)
- check if PDF is too big (max size 3000000 ??)
- add smart timeout to avoid DoS samples
- use https://github.com/unidoc/unidoc instead?? I miss you golang, I miss you soooo hard 😫
MIT Copyright (c) 2016-2018 blacktop