Didier Stevens

Wednesday 5 August 2009

Update: PDFiD Version 0.0.8

Filed under: My Software,PDF,Update — Didier Stevens @ 12:33

PDFiD is updated.


  • It detects Flash in PDF (/RichMedia)
  • It detects actions launched by forms (/AcroForm)
  • Less stringent %PDF header checking, because I saw some samples designed to bypass PDFiD
  • Updated the date format
  • New option --force: force the scanning of a file, even if no valid %PDF header was found
  • Accepts stdin for pipes, example: pdf-parser.py --filter --type /ObjStm flash.pdf | pdfid.py --force
    This will scan objects “hidden” in object streams (/ObjStm)
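
The following Python sketch is an added example, not code from PDFiD or pdf-parser. It shows why the header check and the object-stream pipeline matter for triage: a raw keyword count misses /AcroForm when it sits inside a compressed object stream, and a strict header test rejects a file with bytes before %PDF. The function names, the constructed sample and the lenient rule used here (header anywhere in the first 1024 bytes) are assumptions; inflate_streams only stands in for the filtering step that pdf-parser.py performs.

```python
import re
import zlib

KEYWORDS = [b"/RichMedia", b"/AcroForm", b"/ObjStm"]
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def has_pdf_header(data, strict=False):
    """Strict: file starts with %PDF-. Lenient (assumed rule): first 1024 bytes."""
    return data.startswith(b"%PDF-") if strict else b"%PDF-" in data[:1024]

def count_keywords(data):
    """Count each name; the lookahead stops /AcroForm matching /AcroFormX."""
    return {kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", data))
            for kw in KEYWORDS}

def inflate_streams(data):
    """Return the raw bytes plus every stream body that zlib can inflate."""
    parts = [data]
    for match in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            pass  # not Flate-compressed, keep only the raw view
    return b"\n".join(parts)

def scan(data, force=False, strict=False):
    """Keyword counts, or None when no header is found and force is off."""
    if not force and not has_pdf_header(data, strict):
        return None
    return count_keywords(data)

# Constructed sample: junk before the header, /AcroForm only inside a
# Flate-compressed object stream.
_HIDDEN = zlib.compress(b"<< /Type /Catalog /AcroForm 5 0 R >>\n<< /Type /Page >>")
SAMPLE = (b"junk before the header\n%PDF-1.5\n1 0 obj\n"
          b"<< /Type /ObjStm /N 2 /First 8 /Filter /FlateDecode /Length "
          + str(len(_HIDDEN)).encode() + b" >>\nstream\n" + _HIDDEN
          + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print("strict header :", scan(SAMPLE, strict=True))
    print("lenient header:", scan(SAMPLE))
    print("after inflate :", scan(inflate_streams(SAMPLE)))
    print("forced, no hdr:", scan(b"<< /AcroForm 5 0 R >>", force=True))
```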


pdfid_v0_0_8.zip (https)

MD5: 9769FB96899F3AD15510C903A4FB29EF

SHA256: 542734C2613439851AF99B59725B1607F96A6E9396B447C5BD3AF197AABB0231


  1. […] Version 0.3.5 Filed under: My Software, PDF, Update — Didier Stevens @ 0:05 After PDFiD, it’s pdf-parser’s turn to get […]

    Pingback by Update: pdf-parser Version 0.3.5 « Didier Stevens — Thursday 6 August 2009 @ 0:09

  2. Hi Didier,
    >I saw some samples designed to bypass PDFiD
    They primarily bypass Anti-virus detection that way – see my Kaspersky advisory

    Comment by Thierry Zoller — Thursday 6 August 2009 @ 15:22

  3. You’re right Thierry! Someone e-mailed me a PoC PDF he had developed to bypass PDFiD, and I wrongly made a general statement about this.

    Comment by Didier Stevens — Thursday 6 August 2009 @ 17:21
