Didier Stevens

Tuesday 31 March 2009

PDFiD

Filed under: Malware,My Software,PDF — Didier Stevens @ 7:08

I’ve developed a new tool to triage PDF documents, PDFiD. It helps you differentiate between PDF documents that could be malicious and those that are most likely not. I’ve kept the design very simple (it’s not a parser, but a string scanner) to be fast and to avoid exploitable bugs.

VirusTotal will included it if Julio Canto is satisfied with the tests 🙂 .

20090330-214223

38 Comments »

  1. I’m sure I will, but I allways test tools before including them. I think it will be a very interesting add for malware researchers 🙂

    Comment by jcanto — Tuesday 31 March 2009 @ 7:17

  2. Great looking tool. Something that people might be able to build into their gateway checks if they can’t update to the latest Acrobat version yet.

    Comment by ChrisJohnRiley — Tuesday 31 March 2009 @ 10:28

  3. Yes, the scanning function returns XML with the result (per Julio’s request), so you could parse that and block for example every PDF with JavaScript.

    Comment by Didier Stevens — Tuesday 31 March 2009 @ 10:45

  4. […] PDFiD – Didier Stevens a tool developed to triage PDF docs […]

    Pingback by Security Briefing - March 31st : Liquidmatrix Security Digest — Tuesday 31 March 2009 @ 13:52

  5. This is pretty handy for a first pass. I like it!

    I also wanted to note that a PDF with a compressed object stream containing the Catalog (OpenAction) and the Javascript action object will escape this check. Many modern PDFs contain a compressed object stream, so this isn’t an anomaly in itself. Example is at http://dblaz.beevomit.org/sneaky-2.pdf

    The sample just pops up an alert, but when run through PDFiD.py will not notice any OpenAction or Javascript.

    This also seems like a useful technique for obfuscation.

    Comment by Dion — Tuesday 31 March 2009 @ 15:40

  6. Good point, object streams (/ObjStm) can be used to obfuscate objects by compressing them. I will include /ObjStm in the strings to scan for.

    Thanks Dion!

    Comment by Didier Stevens — Tuesday 31 March 2009 @ 16:23

  7. As PDF Analyzer is very limited and as PDF Structazer suggested by E.Filiol at BH2008 is not public yet, it is then nice to see an interesting tool.
    For PDF readers alternatives like PDF XChange viewer or Drumlin (for Sumatra, it might be vulerable OR it has probles for decoing this compression format), and defensive mesures, take a look at this discussion
    http://www.wilderssecurity.com/showthread.php?s=8f7f57891e013494615fb28ea331f7c6&t=233881

    After Virustotal, it would be helpful to add your tool to Webpawnet scan platform http://wepawet.iseclab.org/
    Qui a dit qu’il n’ y avait que les frites, les chocolats et la biere en Belgique?
    Cordialement

    Comment by kareldjag — Tuesday 31 March 2009 @ 23:27

  8. Thanks. I’m in contact with the author of wepawet and we agreed to work together.

    Comment by Didier Stevens — Wednesday 1 April 2009 @ 6:48

  9. […] PDFiD Filed under: Malware, My Software, PDF — Didier Stevens @ 7:08 […]

    Pingback by Didier Stevens posted PDFid « Betterworldforus — Friday 3 April 2009 @ 18:34

  10. Hey Didier, Question for you; If you run hachoir-subfile (http://hachoir.org/wiki/hachoir-subfile) against your various malicious PDFs, does it extract anything interesting? I’m wondering if it will pull out any script code into a file that’s convenient to work with. – Thanks

    Comment by johnmccash — Thursday 9 April 2009 @ 12:08

  11. I doubt it will find content, by default embedded JavaScript and embedded files are compressed (/FlateDecode).

    Comment by Didier Stevens — Sunday 12 April 2009 @ 16:43

  12. […] this time, I’m very proud and I’m not hiding it: my PDFiD tool is now running on […]

    Pingback by PDFiD On VirusTotal « Didier Stevens — Tuesday 21 April 2009 @ 16:59

  13. And what does all this figures means? For a non-specialist this is garbage!

    Comment by paul — Wednesday 22 April 2009 @ 10:23

  14. @paul All figures are explained on the PDFiD page, just take the time to click on the first link in this blogpost. If you can’t find it, here it is: https://blog.didierstevens.com/programs/pdf-tools/#pdfid

    Comment by Didier Stevens — Wednesday 22 April 2009 @ 10:34

  15. […] PDF, Quickpost — Didier Stevens @ 16:52 This is a beta release of my new version of PDFiD tool because Adobe recommends disabling JavaScript to protect yourself against the new […]

    Pingback by Quickpost: Disarming a PDF File « Didier Stevens — Wednesday 29 April 2009 @ 16:53

  16. this is fantastic. anyone have thoughts on how to integrate this w/ a mail gateway?

    Comment by jcran — Wednesday 6 May 2009 @ 17:39

  17. Looking at the ICAP protocol is on my too long TODO list 😉
    http://en.wikipedia.org/wiki/Internet_Content_Adaptation_Protocol

    Comment by Didier Stevens — Wednesday 6 May 2009 @ 17:48

  18. […] Dieter talks about how the ifilter will actually allow you to use a pdf to exploit the system because ifilter uses the windows indexing service. He also discusses some of the various methods of prevention including his tool called PDFiD. […]

    Pingback by SecuraBit Episode 32 PDF Love! | SecuraBit — Wednesday 27 May 2009 @ 14:33

  19. […] a big fan of Didier Stevens’s tool called PDFiD. But, like a lot of IT people, I’m also a lazy guy: less manipulations required makes me more […]

    Pingback by /dev/random » Blog Archive » PDFiD Integration with Nautilus — Wednesday 3 June 2009 @ 20:46

  20. […] piedāvā 39 AV un 4 noderīgus tūļus (PEiD, pefile, TrID, PDFiD), kas palīdz antivīrusiem.  Vispār mans favorīts. Neko dižu vai lielāku par 5MB neesmu […]

    Pingback by LOL' īgais blogs. » Online failu skenētāji — Friday 9 October 2009 @ 20:59

  21. […] PDFiD (Didier Stevens) […]

    Pingback by Virus Total « Hasefroch — Tuesday 3 November 2009 @ 6:07

  22. […] […]

    Pingback by Anonymous — Sunday 13 December 2009 @ 9:06

  23. […] PDFiD (Didier Stevens) […]

    Pingback by Scan con 39 antivirus « Red Skull Official Site — Sunday 31 January 2010 @ 19:12

  24. […] PDFiD (Didier Stevens) 原创文章,转载请注明:转载自攻防日志本文链接地址:免费多引擎在线查毒VirusTotal,支持邮件和客户端 您可能还对以下内容感兴趣 […]

    Pingback by 免费多引擎在线查毒VirusTotal,支持邮件和客户端 | 攻防日志 — Wednesday 12 May 2010 @ 17:27

  25. […] PDFiD (Didier Stevens) […]

    Pingback by УдобныйБлог » Virus Total – проверка на вирусы онлайн. — Sunday 23 May 2010 @ 16:01

  27. […] javascript heap overflow in PDF. More info to come. I used Didier Steven’s pdfid and pdf-parser to extract the javascript. The Javascript which is called when the document is […]

    Pingback by The Spy Hunter, Part II – Solution « wirewatcher — Sunday 14 August 2011 @ 20:55

  28. […] javascript heap overflow in PDF. More info to come. I used Didier Steven’s pdfid and pdf-parser to extract the javascript. The Javascript which is called when the document is […]

    Pingback by The Spy Hunter, Part II – Solution | Revolusionline — Monday 5 December 2011 @ 12:24

  29. […] Didier talks about how the ifilter will actually allow you to use a pdf to exploit the system because ifilter uses the windows indexing service. He also discusses some of the various methods of prevention including his tool called PDFiD. […]

    Pingback by SecuraBit Episode 32: PDF Love! « SecuraBit — Tuesday 13 March 2012 @ 15:31

  30. […] to PDFiD, we are able to see there’s an AcroForm action and 6 embedded files. Basically, AcroForm is […]

    Pingback by LinkedIn spam serving Adobe and Java exploits | PandaLabs Blog — Thursday 14 June 2012 @ 14:59

  31. […] to PDFiD, we are means to see there’s an AcroForm movement and 6 embedded files. Basically, AcroForm is […]

    Pingback by IT Secure Site » Blog Archive » LinkedIn spam serving Adobe and Java exploits — Thursday 14 June 2012 @ 19:04

  32. […] to PDFiD, we are able to see there’s an AcroForm action and 6 embedded files. Basically, AcroForm is […]

    Pingback by LinkedIn spam serving Adobe and Java exploits | MediaCenter Panda Security — Tuesday 13 May 2014 @ 9:46

  33. […] initial PDF file has several embedded streams (According to Didier Stevens, PDFiD has 18 embedded streams) the interesting bits are: two SWF files and one mini-PDF […]

    Pingback by Flash in the PDF? Another vulnerability with Adobe PDF/Flash | Naked Security — Thursday 12 June 2014 @ 18:47

  34. […] Link del progetto:pdfid […]

    Pingback by Uso di PDFiD. per avere informazioni sui file PDF. | idolsmarcatblog — Thursday 10 March 2016 @ 14:17

  35. How do we see indirect objects in pdfid? and are pdfid and pdf parser a combination?

    Comment by ritu — Monday 6 March 2017 @ 10:08

  36. pdfid is a triage tool, it doesn’t parse objects. You have to do that with pdf-parser.

    Comment by Didier Stevens — Monday 6 March 2017 @ 16:16

  37. Thank you for making great tools.

    I found one problem during the test.

    If the file name to be scanned contains the string “[“, “]”, it is not checked.

    For example
    C: \ python pdfid.py “c: [test]abcd.pdf”

    “[Test] abcd.pdf” file is not scanned.

    Comment by Monglio — Thursday 13 April 2017 @ 8:53

  38. This is normal behavior. pdfid supports filename wildcards. If you are not familiar with filename wildcards, read this: http://www.linfo.org/wildcard.html

    Comment by Didier Stevens — Sunday 16 April 2017 @ 13:05


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.