Then run pdfid against the pdf to get counts of what types of objects are in the pdf.
python.exe pdfid.py badpdf.pdf
Notice you see that the counts indicate "1" Javascript section in the PDF. Could be suspicious?
Then run pdf-parser to extract the raw contents of the pdf (including the javascript).
python.exe pdf-parser.py -f -w badpdf.pdf > output.txt
Open the output.txt in Notepad++
Scroll down and find the javascript!
Time for analysis!!!
Thank you to this great post by Zelster Security group for getting me started on this and these great tools by Didier Stevens.
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
No comments:
Post a Comment