Skip to content

malice-plugins/pdf

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

80 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

pdf logo

malice-pdf

Circle CI License Docker Stars Docker Pulls Docker Image

Malice PDF Plugin

This repository contains a Dockerfile of malice/pdf. It runs PDFiD and pdf-parser.py on samples and will extract and (eventually) submit extracted files as children back to malice for analysis.


Dependencies

Installation

  1. Install Docker.
  2. Download trusted build from public DockerHub: docker pull malice/pdf

Usage

$ docker run --rm -v /path/to/malware:/malware malice/pdf --help

Usage: pdfscan [OPTIONS] COMMAND [ARGS]...

  Malice PDF Plugin

  Author: blacktop <https://github.com/blacktop>

Options:
  --version   print the version
  -h, --help  Show this message and exit.

Commands:
  scan  scan a file
  web   start web service

Scanning

$ docker run --rm -v /path/to/malware:/malware malice/pdf scan --help

Usage: pdfscan.py scan [OPTIONS] FILE_PATH

  Malice PDF Plugin.

Options:
  -v, --verbose            verbose output
  -t, --table              output as Markdown table
  -x, --proxy PROXY        proxy settings for Malice webhook endpoint
                           [$MALICE_PROXY]
  -c, --callback ENDPOINT  POST results back to Malice webhook
                           [$MALICE_ENDPOINT]
  --elasticsearch HOST     elasticsearch address for Malice to store results
                           [$MALICE_ELASTICSEARCH_URL]
  --timeout SECS           malice plugin timeout (default: 10)
                           [$MALICE_TIMEOUT]
  --extract PATH           where to extract the embedded objects to
  -h, --help               Show this message and exit.

This will output to stdout and POST to malice results API webhook endpoint.

Sample Output

{
  "pdf": {
    "streams": {},
    "peepdf": {},
    "pdfid": {
      "heuristics": {
        "embeddedfile": {
          "reason": "`/EmbeddedFile` flag(s) detected",
          "score": 0.9
        },
        "nameobfuscation": {
          "reason": "no hex encoded flags detected",
          "score": 0
        },
        "suspicious": {},
        "triage": {
          "reason": "sample is likely malicious and requires further analysis",
          "score": 1
        }
      },
      "countChatAfterLastEof": "0",
      "errorMessage": "",
      "dates": {
        "date": []
      },
      "nonStreamEntropy": "4.896895",
      "header": "%PDF-1.1",
      "version": "0.2.4",
      "entropy": "",
      "totalEntropy": "7.873045",
      "isPdf": "True",
      "keywords": {
        "keyword": [
          {
            "count": 9,
            "hexcodecount": 0,
            "name": "obj"
          },
          {
            "count": 9,
            "hexcodecount": 0,
            "name": "endobj"
          },
          {
            "count": 2,
            "hexcodecount": 0,
            "name": "stream"
          },
          {
            "count": 2,
            "hexcodecount": 0,
            "name": "endstream"
          },
          {
            "count": 1,
            "hexcodecount": 0,
            "name": "xref"
          },
          {
            "count": 1,
            "hexcodecount": 0,
            "name": "trailer"
          },
          {
            "count": 1,
            "hexcodecount": 0,
            "name": "startxref"
          },
          {
            "count": 1,
            "hexcodecount": 0,
            "name": "/Page"
          },
          ...SNIP...
          {
            "count": 0,
            "hexcodecount": 0,
            "name": "/Colors > 2^24"
          }
        ]
      },
      "countEof": "1",
      "streamEntropy": "7.970107",
      "errorOccured": "False"
    }
  }
}

pdf

[PDFiD]

  • PDF Header: %PDF-1.1
  • Total Entropy: 7.873045
  • Entropy In Streams: 7.970107
  • Entropy Out Streams: 4.896895
  • Count %% EOF: 1
  • Data After EOF: 0
Keyword Count
obj 9
endobj 9
stream 2
endstream 2
xref 1
trailer 1
startxref 1
/Page 1
/Encrypt 0
/ObjStm 0
/JS 1
/JavaScript 1
/AA 0
/OpenAction 1
/AcroForm 0
/JBIG2Decode 0
/RichMedia 0
/Launch 0
/EmbeddedFile 1
/XFA 0
/Colors > 2^24 0
Embedded File

Score: 50

  • /EmbeddedFile flag(s) detected
Triage

Score: 150

  • /JS: indicating javascript is present in the file.
  • /JavaScript: indicating javascript is present in the file.
  • /OpenAction: indicating automatic action to be performed when the page/document is viewed.
Suspicious Properties

Score: 50

  • Page count of 1

[pdf-parser]

Stats
  • Comment: 3
  • XREF: 1
  • Trailer: 1
  • StartXref: 1
  • Indirect object: 9
  • 1: 5
  • /Action 1: 9
  • /Catalog 1: 1
  • /EmbeddedFile 1: 8
  • /Filespec 1: 7
  • /Font 1: 6
  • /Outlines 1: 2
  • /Page 1: 4
  • /Pages 1: 3
TAGS

file_name:

  • eicar-dropper.doc

pestudio_blacklist_string:

  • JavaScript
Embedded Files
Object Sha256
8 eb0ae2d1cd318dc1adb970352e84361f9b194ff14f45b0186e4ed6696900394a
Carved Content

EmbeddedFile:

s<<++<<            /Names [(eicar-dropper.doc) 7 0 R]    /OpenAction 9 0 R

OpenAction:

<<
 /Type /Action
 /S /JavaScript
 /JS (this.exportDataObject({ cName: "eicar-dropper.doc", nLaunch: 2 });)
>>

JS:

(this.exportDataObject({ cName: "eicar-dropper.doc", nLaunch: 2 })    ; )

Documentation

Issues

Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue

CHANGELOG

See CHANGELOG.md

Contributing

See all contributors on GitHub.

Please update the CHANGELOG.md

Credits

Heavily (if not entirely) influenced by CSE-CST's alsvc_pdfid and alsvc_peepdf

TODO

  • add PDFiD
  • add pdf-parser for streams
  • add peepdf for JS
  • add uwsgi to serve webserver (maybe nginx?)
  • float PDFiD errors up like I do with pdf-parser (handles errors when file is not a PDF)
  • check if PDF is too big (max size 3000000 ??)
  • add smart timeout to avoid DoS samples
  • use https://github.com/unidoc/unidoc instead?? I miss you golang, I miss you soooo hard 😫

License

MIT Copyright (c) 2016-2018 blacktop