keith1001 asked:
Software to Scan PDF for xploits, malware, security flaws

Does anyone know of any software that will scan PDFs for security-related issues, like malware and viruses? I also have seen where a corrupt PDF could take over an iPad.

So I'm looking for some good scanning software.
btan:

Please see @ http://www.pentestit.com/2009/10/04/tutorial-analyze-pdf-files/

Now, let's get to the other tool that will help us to make sure whether the PDF is malicious or not. It is called PDF-Parser. This script will tell you if the semantics of a PDF document have been maintained or not. If it gives off a warning, probably the PDF was injected with a tool like PDFinjector or make-pdf-javascript.

See the section on PDF @ http://zeltser.com/reverse-malware/analyzing-malicious-documents.html

Tools for Analyzing Adobe PDF Files

PDFiD identifies PDFs that contain strings associated with scripts and actions. (Part of PDF Tools)
PDF-parser identifies key elements of the PDF file without rendering it (Part of PDF Tools)
Origami Walker examines the structure of PDF files.
Origami pdfscan identifies PDFs that contain strings associated with scripts and actions.
Origami extractjs and Jsunpack-n’s pdf.py extract JavaScript from PDF files.
Sumatra PDF and MuPDF are lightweight and free viewers that may be used in place of Adobe Acrobat.
Malzilla can extract and decompress zlib streams from PDFs, and can help deobfuscate JavaScript.
Jsunpack-n can extract and decode JavaScript from pcap network captures, and can decode PDF files.
CWSandbox, Wepawet, and Jsunpack can analyze some aspects of malicious PDF files.
See this link for an Adobe forum on the issues you raised:
forums.adobe.com/thread/286476?tstart=0
Oops, the link above should be:
http://forums.adobe.com/thread/286476?tstart=0
Also, this would be helpful for configuring PDF as another layer so that an exploit does not run so easily

@ http://www.brighthub.com/computing/enterprise-security/articles/76970.aspx
Are you looking for a Windows tool? Pdfvoid.com was a good site to go to; I haven't seen them for a bit. If you're just wanting to look at the PDF, there are a few tools out there. It would help to know what you're looking for exactly and for general purpose. Is antivirus not good enough?
Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files. But if it is a sensitive document, I suggest not, and probably an MD5 hash can be used online (e.g. the 2nd link or even VirusTotal), but it is signature based, meaning something already detected before.

@ http://wepawet.iseclab.org/
@ http://wepawet.iseclab.org/tools.php

To use Wepawet: Upload a sample or specify a URL and wait for the resource to be analyzed. At the end of the analysis phase, it tells you whether the resource is malicious or benign and provides you with information that helps you understand why it was classified one way or the other. It does not just tell you that a resource is malicious, it also shows you the exact vulnerability (or, more likely, the vulnerabilities) that are exploited during an attack.
The reason I asked before is so I don't put half the world's tools on here; I have a rather large list. I just need to know what expectations you have, like offline scanning, online, heuristics, specific exploit scanning, custom scanning, etc. Hope to hear back from you soon.
keith1001 (asker):

I would like Windows-based software that will scan PDFs for injections, malware, bad scripts and viruses.
You may want to check out

a) PDF Stream Dumper by “Dave” is a powerful Windows program that combines a number of PDF analysis tools under a unified GUI. It makes it possible to explore PDF contents, decode object contents, deobfuscate JavaScript, examine shellcode, etc.

@ http://blog.zeltser.com/post/3235995383/pdf-stream-dumper-malicious-file-analysis

b) PDF Dissector by Zynamics

@ http://www.zynamics.com/pdfdissector/manual/html/introduction.htm
Keith, considering all your requirements I would suggest you not use PDF Stream Dumper, as it is an older utility but, more importantly, contains an outdated non-production exploit scanner. It wouldn't meet your needs.

- It does not have an updated exploit list.
- Manual analysis is needed for this tool. Not automated. VBS scripts are automated.
- Difficult to use for someone not in the field.

If you're well versed, know what you're looking for and want to manually look for exploits and bad code, use Malzilla or PDF Stream Dumper. As for one that includes automated searching, I'll get back to you with one.



@ Keith, actually the online tool can give an edge, but since you wanted offline Windows-based software that will scan PDFs for injections, malware, bad scripts and viruses, I will say that it does not really matter whether the tool is old or not updated; it still does serve its purposes. I agree with Russell that the tool can be too specialised, but minimally the quick run-through in the article tells where it is. There are command-line versions as well, such as pdf-parser and pdfid, but they will need more expertise. Maybe run it as a bat file with the command option on. For info, even pdfid is implemented on the well-known VirusTotal site (http://www.virustotal.com). The site scans with more than 40 different anti-virus products and several tools.

I know you will not be into reading the technical material, but if you think you are into it, you can check out this e-book
@ http://blog.didierstevens.com/2010/09/26/free-malicious-pdf-analysis-e-book/
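As an added example (not code from this thread, nor Didier Stevens' pdfid itself), here is a small PDFiD-style indicator scanner in Python that can be run from a .bat file over a whole directory, as the command-line batch use above suggests. The sample PDF bytes are constructed; the #xx hex-escape handling shows why a plain string search for /JavaScript can miss an obfuscated name.

```python
import os
import re
import sys
from collections import Counter

# PDF names that PDFiD reports as indicators of active content (a subset).
INDICATORS = {b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia", b"/ObjStm", b"/AcroForm", b"/XFA"}
# Names that execute something with no user interaction: the strongest signal.
ACTIVE = {b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch"}

# A PDF name token is '/' followed by regular characters (PDF 32000-1, 7.3.5);
# whitespace and the delimiters ( ) < > [ ] { } / % end the name.
NAME_RE = re.compile(rb"/[^\s()<>\[\]{}/%]*")
# Inside a name, #xx is a hex escape, so /J#61vaScript is the same as /JavaScript.
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_name(token: bytes) -> bytes:
    """Resolve #xx escapes so an obfuscated name matches the plain keyword."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count indicator names in raw PDF bytes and flag files that need review."""
    counts = Counter()
    for m in NAME_RE.finditer(data):
        name = normalise_name(m.group(0))
        if name in INDICATORS:
            counts[name.decode()] += 1
    hits = sorted(k for k in counts if k.encode() in ACTIVE)
    return {"is_pdf": data.lstrip().startswith(b"%PDF-"),
            "counts": dict(counts), "suspicious": bool(hits), "reasons": hits}


def scan_directory(path: str) -> list:
    """Batch mode: scan every .pdf under path and return (file, result) pairs."""
    results = []
    for root, _, files in os.walk(path):
        for f in files:
            if f.lower().endswith(".pdf"):
                full = os.path.join(root, f)
                with open(full, "rb") as fh:
                    results.append((full, scan_pdf_bytes(fh.read())))
    return results


# Constructed sample: a minimal PDF whose catalog runs a hex-escaped JavaScript action.
SAMPLE = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
          b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for path, r in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "SUSPICIOUS" if r["suspicious"] else "clean", r["counts"])
```

A hit only means the file carries active content worth looking at in pdf-parser or a sandbox; a clean result does not prove the file safe, since exploits without any of these names do exist.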
Going up a few posts and referencing "PDF Dissector by Zynamics"

This would most likely meet all your criteria.

- It scans for exploits.
- Scriptable search engine through plugins.
- Shows object tables and fields for things like JavaScript (callee, eval, encrypted shellcode, etc.) injection, Flash (.swf).
- Decodes shellcode and shows the remote download site for the shellcode's payload (Trojan usually, or downloader).
- Easy-to-use interface.
- Can be used to scan multiple PDF files in an automated fashion and report findings.
- Runs on Windows.

I believe this also gives you the CVE listing for the exploit the file is using as well. Most of the other tools are in the $1000+ range and/or are in an interpreted language (Python, Ruby) and difficult to use. So not valid for your case.

This may cost a little, but in the end it will pay off in time and security of your investment.
Can find a link to download PDF Dissector....
ASKER CERTIFIED SOLUTION by Russell_Venable (membership required to view this answer)
Another (but maybe not as suitable) PDF examiner; it can be expensive for the enterprise-grade hosted type, but they do have a command line.

@ http://www.malwaretracker.com/pdfexaminer.php

- Display PDF file structure as individual objects in both encoded and uncompressed format; exploit or JavaScript objects are automatically flagged.
- Automatically detect published exploits with CVE number.
- Deobfuscate common JavaScript obfuscation techniques automatically.
- Flag obfuscated JavaScript in objects.
- Process PDF encryption to view objects decrypted.
- Automatically extract and analyze embedded PDFs.
- View as hexview, or raw in browser, or download as file (easily download Flash files, embedded TrueType fonts, shellcode, or JavaScript blocks for external analysis).
- Search database for PDF files with similar exploits.
- Batch ingest a single file or directory of PDFs from the command line.
- Receive regular PDF exploit signature updates.
- Extend the default functionality with your own scripts or signatures.