Friday, March 27, 2015

Analyzing Malicious PDF with Javascript in It

Let's say you have a PDF that you suspect is suspicious. Here's one way to analyze it. First download Python 2.7, then download these 2 tools (pdfid and pfd-parser) from Didier Stevens.

Then run pdfid against the pdf to get counts of what types of objects are in the pdf.

python.exe badpdf.pdf

Notice you see that the counts indicate "1" Javascript section in the PDF. Could be suspicious?

Then run pdf-parser to extract the raw contents of the pdf (including the javascript).

python.exe -f -w badpdf.pdf > output.txt

Open the output.txt in Notepad++

Scroll down and find the javascript!

Time for analysis!!!

Thank you to this great post by Zelster Security group for getting me started on this and these great tools by Didier Stevens.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment