Directory: /pentest/forensics/pdfid
pdfid is a simple PDF analysis tool. It won't give us very detailed information, just a high-level overview, which can be enough in some cases, for example for a quick verification. For detailed analysis there are other tools. This one scans the PDF file for the following strings: obj, endobj, stream, endstream, xref, trailer, startxref, /Page, /Encrypt, /ObjStm, /JS, /JavaScript, /AA, /OpenAction, /JBIG2Decode, /RichMedia, /Launch. The tool can also rename some of the potentially malicious strings (like /JavaScript) and thus disarm the PDF, making it safe to open.
I created a malicious PDF for analysis with Metasploit, using the exploit:
exploit/windows/fileformat/adobe_geticon
and payload:
windows/meterpreter/reverse_tcp
Using the tool:
./pdfid.py /root/Desktop/forensics/pdf/msf.pdf - basic usage
./pdfid.py -e /root/Desktop/forensics/pdf/msf.pdf - extract more details
./pdfid.py -d /root/Desktop/forensics/pdf/msf.pdf - rename malicious strings
Basic run:
Display more information:
Disarming the PDF:
Reanalyze the disarmed PDF:
Additionally, with the -s option we can scan all PDFs within a directory.
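To show what the keyword scan and the disarm step described above actually do, here is an added, simplified reimplementation in Python (my own example code, not pdfid itself). It assumes a constructed minimal PDF skeleton as input, matches each keyword as a whole token, also counts names hidden behind PDF's #xx hex escapes (an obfuscation a plain grep would miss), and neutralizes the action-related names by swapping their case.

```python
import re

# Keywords pdfid scans for (list taken from the text above).
KEYWORDS = ["obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref",
            "/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA",
            "/OpenAction", "/JBIG2Decode", "/RichMedia", "/Launch"]
# Names that trigger code or actions when the file is opened; these get disarmed.
RISKY = ["/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch"]

# Constructed sample (not a real malicious file): a minimal PDF skeleton whose
# /OpenAction points at JavaScript. Object 4 writes the name with a #xx hex
# escape (/Java#53cript is the same name as /JavaScript) to mimic obfuscation.
SAMPLE = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
          b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
          b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
          b"4 0 obj << /S /Java#53cript /JS 5 0 R >> endobj\n"
          b"5 0 obj << /Length 0 >> stream\nendstream endobj\n"
          b"trailer << /Root 1 0 R >>\nstartxref\n0\n%%EOF\n")

_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def _token(keyword: str) -> re.Pattern:
    # Match the keyword as a whole token so 'obj' does not count 'endobj'
    # and '/Page' does not count '/Pages'.
    return re.compile(rb"(?<![A-Za-z0-9/])" + re.escape(keyword.encode()) + rb"(?![A-Za-z0-9])")

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names are counted like their plain form."""
    return _HEX.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)

def count_keywords(data: bytes) -> dict:
    """Return {keyword: (total, hex_obfuscated)}, i.e. an 'N(M)' style report."""
    plain = {k: len(_token(k).findall(data)) for k in KEYWORDS}
    total = {k: len(_token(k).findall(normalize_names(data))) for k in KEYWORDS}
    return {k: (total[k], total[k] - plain[k]) for k in KEYWORDS}

def disarm(data: bytes) -> bytes:
    """Neutralize risky names by swapping their case (/JavaScript -> /jAVAsCRIPT).
    PDF names are case-sensitive, so a viewer no longer recognizes the action."""
    out = normalize_names(data)
    for k in RISKY:
        out = _token(k).sub(lambda m: m.group(0).swapcase(), out)
    return out

if __name__ == "__main__":
    for k, (n, h) in count_keywords(SAMPLE).items():
        print(f"{k:15} {n}({h})")
    print("risky names left after disarm:",
          sum(count_keywords(disarm(SAMPLE))[k][0] for k in RISKY))
```

Note that a zero /Page count alongside /OpenAction and /JavaScript, as in the sample, is exactly the kind of high-level signal the tool is meant to surface for triage.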
Official website: http://blog.didierstevens.com/programs/pdf-tools/#pdfid