PDF analysis tool utilizing PDF to JSON conversion.
This code was written so that I could do more detailed analysis of PDF documents, on the fly and incorporate it into a security stack. “On the fly” is key. PyDF2JSON is simply some python code that creates a json structure out of PDF documents. It breaks a PDF document down into all its individual parts, and retains those parts for analysis. Once this is done, a more detailed analysis should be possible.
Clone the repo and use it. Optionally, run python setup.py build/install to make the pydf2json module importable by all the things.
> pydf.py -h usage: pydf.py [-h] [-d LOCATION] [--no_summary] [--show_json] [--show_ttf] [--show_bitmap] [--show_pics] [--show_embedded_files] pdf > pydf.py Docusign.pdf Summary of PDF attributes: -------------------------- AA: 0 AcroForms: 0 Embedded Files: 0 JS: 0 Launch: 0 Object Streams: 0 OpenActions: 0 Pages: 2 URIs in document: O: 38 0 http://<redacted>.com/llp.php
pydf.py calls the pydf2json module to convert the PDF into a json-style dict and then accesses the structure to create the summary you see above.
I am versed in the concept of OPSEC. If you have a PDF that this fails on / causes crash, Please send me the PDF in question if possible. No document sent to me will be shared with anyone at anytime and will be destroyed when I’m done testing with it. Archive it with a utility like 7Zip and encrypt it with the following password: fr74ed83e.dj#ifkk
Send it to email@example.com The password is simply to keep PDF from being scanned by AV. :)
This code was inspired by my desire to have a pdf analysis module for the LaikaBOSS framework. See: LaikaBOSS developed by Lockheed Martin.
- Expand on the summary to include the following:
- [ ] Add the type of Launch and maybe trigger on some keywords like cmd.exe and .vbs to indicate malware.
- [ ] Possibly provide information on what objects contain js instead of just giving a count.
- [x] Ongoing testing to see what breaks the json construction.
- [ ] More robust error checking. It is currently weak because I have mainly been concerned with making things work.
- [ ] Fix stream decoding: If stream decoding fails then store encoded stream instead of erroring out.
- [ ] Currently have only 2 functioning PNG decoders. I have only come across PDF’s that use algo 1 and 2.
- [ ] Currently no TIFF decoder. Haven’t come across a need to provide it.
- [ ] Stream extension processing is non-existent. Haven’t come across a PDF that uses it yet.
- LaikaBOSS module creation.
- [ ] Code and test explode_pdf.py