Skip to content

tylabs/pdfexaminer

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
optional
optional
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
eula.txt
eula.txt
 
 
pdfex-cli.php
pdfex-cli.php
 
 
pdfex-lib.php
pdfex-lib.php
 
 
pdfex-sig.php
pdfex-sig.php
 
 
pdfex.php
pdfex.php
 
 

Repository files navigation

PDFExaminer Tool - Analyse PDF Malware

PDFExaminer Command Line Scanner

This document describes installation and usage of the PDF Examiner – command line version. The PDFExaminer command line scanner is a compact PHP library to process PDF documents for decompression, decryption, and deobfuscation, to scan for known exploits and identify suspicious elements of new threats.

Requirements

PHP 5.0 or greater, tested up to 7.0. PHP 5 requires modules php5-hash, php5-ctype, php5-mcrypt and php5-zlib. PHP7 requires only php70-mcrypt 512MB RAM, 1GB Recommended

Recommended

For safe handling of MS Windows based exploits, Linux or Mac OSX is recommended. Yara - malware classification - http://plusvic.github.io/yara/ LibEmu - to detect Windows shellcode - http://libemu.carnivore.it/ NASM - to disassemble Windows shellcode - http://www.nasm.us/

Package Contents

pdfex-cli.php: command line related functions pdfex-lib.php: PDFExaminer engine pdfex-sig.php: detection signatures pdfex.php: command line script

Installation

Copy the PHP files to an accessible directory. It is not necessary to make the files executable.

Running PDF Examiner on the command line

Use the pdfex.php to specify a PDF file or directory of PDF files to process: php pdfex.php file_to_process.pdf

Command line options

php pdfex.php <-p user password> file_to_process.pdf -p option to specify decrypting using a user password.

php pdfex.php <-y yara include> file_to_process.pdf -y option to specify a Yara signature include file.

php pdfex.php file_to_process.pdf Returns the number of positive signature hits

php pdfex.php file_to_process.pdf <is_malware> Returns binary result of scan 0 for clean 1 for malware

php pdfex.php file_to_process.pdf

Returns a texual reporting of suspect PDF by object and generation

php pdfex.php file_to_process.pdf Returns a weighted severity of detected entities >10 is considered malware, however, one point is assigned per JavaScript containing object, potentially causing a false positive effect on complex JavaScript containing documents.

Brackets should be omitted in the actual command line option.

Chain multiple queries together to create your own custom output.

Advanced Options

The following PHP variables in pdfex-cli.php correspond to the following advanced capabilities:

$global_store_files = 1; Save objects of the PDF file in the $pdfdir directory of the named for the MD5 of the current file. The naming convention used is / obj--gen--dup<file offset in bytes to identify duplicate obj/gen combinations>-

$pdfdir = ‘’; Location where extracted objects can be saved.

The following options can be set in pdfex.php: $global_yara_cmd=/path/to/yara; Yara executable.

$global_yara_sig=/path/to/yarainclude.rar; Yara include file with signatures to scan for.

About

PDFExaminer Tool - Analyse PDF Malware

Resources

Readme

License

MIT license
Activity

Stars

52 stars

Watchers

3 watching

Forks

10 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

Languages