Almost from the beginning, when I released PDFiD, people asked me for an anti-virus-like feature: that PDFiD would tell you whether a PDF was malicious or not. Some people even patched PDFiD with a scoring feature.
But I didn’t want to develop an “anti-virus” for PDFs; PDFiD is a triage tool.
Now you can develop your own scoring system with plugins.
Plugins are loaded with option -p; on the command line you pass the plugin name without the .py extension.
I provide 3 plugins: plugin_triage.py, plugin_nameobfuscation.py and plugin_embeddedfile.py. You can run more than one plugin by separating their names with a comma: pdfid.py -p plugin_triage,plugin_embeddedfile js.pdf
Or you can use an @-file: a text file with the names of the plugins you want to run, passed to option -p with its filename prefixed by @.
To output the result as a CSV file, use option -c, and to write the output to a file, use option -o. With option -m, you set a minimum score: a plugin's output is only displayed when the score it produces is at least that minimum.
Plugins are Python classes; I'll explain how to make your own in a later post.
plugin_triage.py produces a score of 1.0 when the PDF requires further analysis, and 0.0 if not.
plugin_nameobfuscation.py produces a score of 1.0 when name obfuscation is used in the PDF.
plugin_embeddedfile.py produces a score of 0.9 when an embedded file is present, and 1.0 when name obfuscation is also used.
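To show what these three scores look like in practice, here is an added example (my own code, not the PDFiD plugins themselves, whose exact heuristics are not described in this post). It counts PDF name objects the way a triage tool does, decodes #xx hex escapes so that an obfuscated name such as /J#61vaScript is counted as /JavaScript, and then produces the same score values as described above: 1.0/0.0 for triage, 1.0 for name obfuscation, and 0.9 or 1.0 for an embedded file. The list of keywords that triggers the triage score, and the three sample PDF fragments, are assumptions constructed for the example; the minimum-score filter mimics option -m.

```python
import re

# Keywords whose presence makes a PDF worth further analysis.
# This list is an ASSUMPTION for the example, not the list used by plugin_triage.py.
TRIAGE_KEYWORDS = (
    "/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/XFA", "/JBIG2Decode",
)

# A PDF name object: a slash followed by regular characters; the delimiters
# excluded here end the name. Work on bytes, since a PDF is a binary file.
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]*)")
# #xx inside a name is a hex escape for one byte (PDF 1.2 and later); malware
# uses it to hide keywords from naive string matching (name obfuscation).
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def count_names(data: bytes):
    """Return (counts, obfuscated): occurrences of each normalized name, and
    how many names in the file used hex escapes at all."""
    counts = {}
    obfuscated = 0
    for m in NAME_RE.finditer(data):
        raw = m.group(0)
        name = normalize_name(raw)
        if name != raw:
            obfuscated += 1
        key = name.decode("latin-1")
        counts[key] = counts.get(key, 0) + 1
    return counts, obfuscated


def score_triage(counts) -> float:
    """1.0 when any triage keyword occurs (after de-obfuscation), else 0.0."""
    return 1.0 if any(counts.get(k, 0) > 0 for k in TRIAGE_KEYWORDS) else 0.0


def score_nameobfuscation(obfuscated: int) -> float:
    """1.0 when at least one name used #xx escapes, else 0.0."""
    return 1.0 if obfuscated > 0 else 0.0


def score_embeddedfile(counts, obfuscated: int) -> float:
    """0.9 when /EmbeddedFile is present, 1.0 when names are also obfuscated."""
    if counts.get("/EmbeddedFile", 0) == 0:
        return 0.0
    return 1.0 if obfuscated > 0 else 0.9


def score_pdf(data: bytes) -> dict:
    """Run all three scorers over one PDF and return plugin name -> score."""
    counts, obfuscated = count_names(data)
    return {
        "triage": score_triage(counts),
        "nameobfuscation": score_nameobfuscation(obfuscated),
        "embeddedfile": score_embeddedfile(counts, obfuscated),
    }


def report(scores: dict, minimum: float = 0.0) -> dict:
    """Mimic option -m: keep only plugins whose score reaches the minimum."""
    return {name: s for name, s in scores.items() if s >= minimum}


# Constructed sample fragments (not real documents, not malware): just enough
# PDF syntax to exercise the three scores.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
JS_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
          b"3 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n")
EMBEDDED_PDF = b"%PDF-1.4\n4 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\nstream\nendstream\nendobj\n"
# Same as EMBEDDED_PDF but with /EmbeddedFile written as /Embedded#46ile (#46 = 'F').
OBFUSCATED_EMBEDDED_PDF = EMBEDDED_PDF.replace(b"/EmbeddedFile", b"/Embedded#46ile")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_PDF), ("js", JS_PDF),
                          ("embedded", EMBEDDED_PDF),
                          ("obfuscated embedded", OBFUSCATED_EMBEDDED_PDF)):
        print(label, report(score_pdf(sample), minimum=0.5))
```

The important detail for a practitioner is the normalization step: a scanner that matches the literal string /EmbeddedFile misses /Embedded#46ile, while one that decodes the escape first both finds the keyword and gets a second signal (the obfuscation itself), which is exactly why the embedded-file score rises from 0.9 to 1.0 in that case.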
pdfid_v0_2_1.zip (https)
MD5: 7463412536678B321276F8720F52DE81
SHA256: F1B4728DD2CE455B863B930E12C6DEC952CB95C0BB3D6924136A6E49ACA877C2