PDF Forensics: Slides by Grisha Kumar, added to by Mr Staffen


Page 1

PDF Forensics

Slides by Grisha Kumar, added to by Mr Staffen

Page 2

PDF (Portable Document Format)

• The PDF is a document format from Adobe Inc
• PDF metadata can be stored in a document information dictionary or as a metadata stream, sometimes both.
• The PDF standard supports embedding many types of files such as images. Embedded files may contain their own metadata.

Page 3

make-pdf-javascript.py

• make-pdf-javascript.py belongs to a set of PDF tools written by Didier Stevens
• It can be used to create a malicious PDF
• make-pdf-javascript.py allows one to create a simple PDF document with embedded JavaScript that will execute upon opening of the PDF document.
  – make-pdf-javascript.py [options] pdf-file
• make-pdf-embedded.py creates a PDF file with an embedded file.
  – make-pdf-embedded.py [option] pdf-to-embed pdf-file

Page 4

PDFiD

• PDFiD was written by Didier Stevens to analyze malicious PDFs
• PDF files can be embedded with malicious code that can run on the user's system
  – Eg. JavaScript
• PDFiD is a Python module that can analyze and sanitize PDF files. PDF files can be embedded with malicious code that can run on the user's system, e.g. JavaScript. This tool is written by Didier Stevens. We are going to analyze a simple PDF file, a malicious PDF file and also a normal exe file whose extension has been changed to .pdf. This tool can be very helpful in verifying whether a PDF file is malicious or not.

Page 5

PDFiD – String check

• obj
• endobj
• stream
• endstream
• xref
• trailer
• startxref
• /Page
• /Encrypt
• /ObjStm
• /JS
• /JavaScript
• /AA
• /OpenAction
• /JBIG2Decode
• /RichMedia
• /Launch
• /XFA

Page 6

PDF (Portable Document Format) Terms:

• AA :: an additional actions dictionary defining a field's behavior in response to trigger events
• AcroForm :: a PDF file's interactive form dictionary
• endobj :: specifies the end of an object in a PDF file
• endstream :: the end marker of a stream object in a PDF file
• JavaScript :: a JavaScript dictionary containing JavaScript scripts
• JBIG2Decode :: decompresses data encoded using the JBIG2 standard
• JS :: a text string or stream containing JavaScript that will be executed when the action is triggered
• Launch :: launches an application, which usually opens a file
• obj :: the beginning of an object in a PDF file
• ObjStm :: object stream
• OpenAction :: destination that shall be displayed or action that will be performed when the PDF is opened
• RichMedia :: interactive PDF elements
• startxref :: follows the trailer keyword and gives the offset of the cross-reference stream
• stream :: the beginning marker of a stream object in a PDF file
• trailer :: provides a method to quickly find the cross-reference table and certain special objects
• xref :: notes a cross-reference section in a PDF file

Page 7

How to create a malicious PDF:
• The following commands can be used:
• make-pdf-javascript.py allows one to create a simple PDF document with embedded JavaScript that will execute upon opening of the PDF document.
  – make-pdf-javascript.py [options] pdf-file
• make-pdf-embedded.py creates a PDF file with an embedded file.
  – make-pdf-embedded.py [option] pdf-to-embed pdf-file

Page 8

PDFiD Analysis

• The PDFiD tool is run against 2 PDF documents
  – Pdf_white : A simple PDF document taken off the internet without any malicious content
  – Pdf_black : The same PDF document embedded with malicious content
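The keyword check PDFiD performs, written out as an added example rather than Didier Stevens' own pdfid.py: it counts the indicator strings from the string-check slide in the raw bytes of two constructed sample files standing in for pdf_white and pdf_black, and decodes hex-escaped PDF names first so that an obfuscated /JavaScript still shows up. The sample PDFs, the function names and the `SUSPICIOUS` grouping are this example's own choices.

```python
"""PDFiD-style keyword triage (added example, not Didier Stevens' pdfid.py).

Scans raw bytes rather than parsing the file, as PDFiD does, after decoding
#xx hex escapes inside PDF names so /Java#53cript counts as /JavaScript.
"""
import re

# Keyword list from the "PDFiD - String check" slide, in the slide's order.
PDFID_KEYWORDS = (
    b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer", b"startxref",
    b"/Page", b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript", b"/AA",
    b"/OpenAction", b"/JBIG2Decode", b"/RichMedia", b"/Launch", b"/XFA",
)
# Names that indicate code or an action running when the document is opened
# (grouping chosen for this example).
SUSPICIOUS = {b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/JBIG2Decode",
              b"/RichMedia", b"/Launch", b"/XFA"}

# A PDF name runs from '/' to the next whitespace or delimiter character.
_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]*")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_NAME_END = rb"(?![^\s/\[\]<>(){}%])"   # so /Page does not match inside /Pages


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside names only (PDF 1.2+ syntax); stream data is untouched."""
    def decode(m):
        return _HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return _NAME.sub(decode, data)


def count_keywords(data: bytes) -> dict:
    """Occurrences of each PDFiD keyword, keyed by the keyword as text."""
    text = normalize_names(data)
    counts = {}
    for kw in PDFID_KEYWORDS:
        if kw.startswith(b"/"):
            pattern = re.escape(kw) + _NAME_END
        else:
            # Bare keyword: "obj" must not count inside "endobj", "xref" not inside "startxref".
            pattern = rb"(?<![A-Za-z])" + re.escape(kw) + rb"(?![A-Za-z])"
        counts[kw.decode()] = len(re.findall(pattern, text))
    return counts


def triage(data: bytes) -> dict:
    """Counts plus the suspicious names that appear at least once."""
    counts = count_keywords(data)
    hits = [kw.decode() for kw in PDFID_KEYWORDS if kw in SUSPICIOUS and counts[kw.decode()]]
    return {"counts": counts, "suspicious": hits}


# Constructed pdf_white: a one-page document with no scripts or actions.
PDF_WHITE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
xref
0 4
trailer << /Root 1 0 R /Size 4 >>
startxref
0
%%EOF
"""

# Constructed pdf_black: the same document plus an OpenAction running a harmless
# alert, with the two tell-tale names hex-escaped so a plain string search misses them.
PDF_BLACK = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Java#53cript /JS (app.alert('constructed sample')) >> endobj
xref
0 5
trailer << /Root 1 0 R /Size 5 >>
startxref
0
%%EOF
"""

if __name__ == "__main__":
    for label, sample in (("pdf_white", PDF_WHITE), ("pdf_black", PDF_BLACK)):
        report = triage(sample)
        print(f"== {label} ==")
        for name, n in report["counts"].items():
            print(f"{name:<14}{n}")
        print("suspicious:", report["suspicious"] or "none")
```

Run stand-alone it prints a PDFiD-like table for both samples; only pdf_black lists /JS, /JavaScript and /OpenAction, which is the difference the white/black slides illustrate. PDFiD itself keeps the hex-escaped occurrences visible as a separate count in parentheses next to the plain one; this example simply folds them in.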

Page 9

PDFiD – Analysis (White)

Page 10

PDFiD – Analysis (Black)

Page 11

PDF Parser (pdf-parser.py)

• This tool will parse a PDF document to identify the fundamental elements used in the analyzed file. It will not render a PDF document.
• The commands are run against pdf_black
• Commands
  – pdf-parser.py --stats [pdf]
  – pdf-parser.py --search javascript [pdf]
  – pdf-parser.py --search javascript --raw [pdf]
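A pdf-parser-style walk of a document's objects, added here as an example and not Didier Stevens' pdf-parser.py: it mirrors the three commands above (`--stats`, `--search javascript`, `--raw`) and also checks the two metadata locations named on the PDF slide, the trailer's /Info dictionary and an XMP /Metadata stream. The sample PDF and every function name are constructed for this example.

```python
"""pdf-parser-style structure walk (added example, not Didier Stevens' pdf-parser.py).

Reproduces --stats (object count and /Type tally), --search (objects mentioning
a word, case-insensitively) and --raw (the /JS string), and reports the two
metadata locations: the trailer's /Info dictionary and a /Metadata (XMP) stream.
"""
import re
from collections import Counter

# Constructed sample: /Info dictionary, XMP stream and an OpenAction JavaScript
# object whose string uses both nested and escaped parentheses. Not a real file.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /JavaScript /JS (app.alert\\('constructed (sample)'\\)) >> endobj
5 0 obj << /Title (Quarterly report) /Author (J. Doe) /Producer (constructed-sample 1.0) >> endobj
6 0 obj << /Type /Metadata /Subtype /XML /Length 37 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"/>
endstream
endobj
trailer << /Root 1 0 R /Info 5 0 R /Size 7 >>
startxref
0
%%EOF
"""

# "N G obj ... endobj" pairs. Binary stream data containing "endobj" would
# confuse this; pdf-parser.py honours /Length instead.
_OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)


def parse_objects(data: bytes) -> dict:
    """Map (object number, generation) -> raw body between obj and endobj."""
    return {(int(m[1]), int(m[2])): m[3] for m in _OBJ.finditer(data)}


def read_literal_string(body: bytes, start: int) -> bytes:
    """Decode a PDF literal string starting at body[start] == b'('.
    Handles balanced nested parentheses and backslash escapes; octal escapes
    and line continuations are not handled."""
    depth, i, out = 0, start, bytearray()
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\":                      # escape: next byte is taken literally
            nxt = body[i + 1:i + 2]
            out += {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(nxt, nxt)
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")


def stats(data: bytes) -> dict:
    """Like pdf-parser.py --stats: object count plus a tally of /Type names."""
    objs = parse_objects(data)
    types = Counter()
    for body in objs.values():
        m = re.search(rb"/Type\s*/([A-Za-z0-9]+)", body)
        if m:
            types[m[1].decode()] += 1
    return {"objects": len(objs), "types": dict(types)}


def search(data: bytes, keyword: str) -> list:
    """Like pdf-parser.py --search: objects whose body contains the keyword (case-insensitive)."""
    kw = keyword.lower().encode()
    return sorted(num for (num, _gen), body in parse_objects(data).items() if kw in body.lower())


def extract_js(data: bytes) -> dict:
    """Decoded /JS literal strings per object (the --raw view). /JS given as an
    indirect reference or a stream is not followed here."""
    found = {}
    for (num, _gen), body in parse_objects(data).items():
        m = re.search(rb"/JS\s*\(", body)
        if m:
            found[num] = read_literal_string(body, m.end() - 1).decode("latin-1")
    return found


def metadata_locations(data: bytes) -> dict:
    """Document information dictionary (trailer /Info) and any XMP /Metadata stream."""
    objs = parse_objects(data)
    result = {"info": {}, "xmp_stream": None}
    trailer = re.search(rb"trailer\s*<<(.*?)>>", data, re.DOTALL)
    ref = trailer and re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", trailer[1])
    if ref:
        body = objs.get((int(ref[1]), int(ref[2])), b"")
        for m in re.finditer(rb"/([A-Za-z]+)\s*\(", body):
            result["info"][m[1].decode()] = read_literal_string(body, m.end() - 1).decode("latin-1")
    for (num, _gen), body in objs.items():
        if re.search(rb"/Type\s*/Metadata\b", body):
            result["xmp_stream"] = num
    return result


if __name__ == "__main__":
    print("stats:", stats(SAMPLE_PDF))
    print("search javascript:", search(SAMPLE_PDF, "javascript"))
    print("raw /JS:", extract_js(SAMPLE_PDF))
    print("metadata:", metadata_locations(SAMPLE_PDF))
```

The regex object walk is enough for a file laid out like the sample; real documents may carry several trailers from incremental updates, compressed object streams (/ObjStm) that hide objects from any byte-level scan, and /JS values stored as streams, all of which pdf-parser.py resolves and this example does not.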

Page 12

Page 13

Tools for Analyzing Adobe PDF Files

• PDFiD identifies PDFs that contain strings associated with scripts and actions.
• PDF-parser and Origami’s pdfwalker examine the structure of PDF files.
• Origami’s pdfextract and Jsunpack-n’s pdf.py extract JavaScript from PDF files.
• PDF Stream Dumper combines many PDF analysis tools under a single graphical user interface.
• Peepdf and Origami’s pdfsh offer an interactive command-line shell for examining PDF files.
• PDF X-RAY Lite creates an HTML report containing decoded PDF file structure and contents.
• SWF mastah extracts SWF objects from PDF files.
• Pyew includes commands for examining and decoding structure and content of PDF files.