keith1001

Software to Scan PDF for xploits, malware, security flaws

Does anyone know of any software that will scan PDFs for security-related issues, like malware and viruses? I have also seen where a corrupt PDF could take over an iPad.

So I'm looking for some good scanning software.

Last comment: btan, 8/22/2022 (Mon)

btan

Please see @ http://www.pentestit.com/2009/10/04/tutorial-analyze-pdf-files/

Now, let's get to the other tool that will help us to make sure if the PDF is malicious or not. It is called PDF-Parser. This script will tell you if the semantics of a PDF document have been maintained or not. If it gives off a warning, probably the PDF was injected with a tool like PDFinjector or make-pdf-javascript.

See the section on PDF @ http://zeltser.com/reverse-malware/analyzing-malicious-documents.html

Tools for Analyzing Adobe PDF Files

- PDFiD identifies PDFs that contain strings associated with scripts and actions. (Part of PDF Tools)
- PDF-parser identifies key elements of the PDF file without rendering it. (Part of PDF Tools)
- Origami Walker examines the structure of PDF files.
- Origami pdfscan identifies PDFs that contain strings associated with scripts and actions.
- Origami extractjs and Jsunpack-n's pdf.py extract JavaScript from PDF files.
- Sumatra PDF and MuPDF are lightweight and free viewers that may be used in place of Adobe Acrobat.
- Malzilla can extract and decompress zlib streams from PDFs, and can help deobfuscate JavaScript.
- Jsunpack-n can extract and decode JavaScript from pcap network captures, and can decode PDF files.
- CWSandbox, Wepawet, and Jsunpack can analyze some aspects of malicious PDF files.
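A PDFiD-style keyword triage of the kind the list above describes, as an added example written for this thread (it is not PDFiD's own code and not from any poster); the name list, flag wording and the sample PDF bytes are constructed here, and the sample deliberately spells /JavaScript as /Java#53cript to show why escapes must be decoded before matching:

```python
import re

# Names PDFiD-style triage counts (constructed list: the thread's "strings associated with scripts and actions").
SUSPICIOUS_NAMES = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                    "/EmbeddedFile", "/RichMedia", "/ObjStm", "/AcroForm", "/XFA"]

# A PDF name runs until whitespace or a delimiter; "#xx" escapes are legal
# inside it, which is how /JavaScript can be written as /Java#53cript.
_NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>()\{\}%]+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so an obfuscated name compares equal to its plain form."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def count_names(data: bytes) -> dict:
    """Count each suspicious name, whether written plainly or with escapes."""
    counts = {name: 0 for name in SUSPICIOUS_NAMES}
    for m in _NAME_TOKEN.finditer(data):
        name = normalize_name(m.group(0))
        if name in counts:
            counts[name] += 1
    return counts

def triage(data: bytes) -> dict:
    """Return counts, the number of escaped suspicious names, and readable flags."""
    counts = count_names(data)
    obfuscated = sum(1 for m in _NAME_TOKEN.finditer(data)
                     if b"#" in m.group(0) and normalize_name(m.group(0)) in counts)
    flags = []
    if counts["/JavaScript"] or counts["/JS"]:
        flags.append("contains JavaScript")
    if counts["/OpenAction"] or counts["/AA"]:
        flags.append("runs an action automatically (on open or on an event)")
    if counts["/Launch"]:
        flags.append("can launch an external program")
    if obfuscated:
        flags.append("hides names with #xx escapes (obfuscation)")
    return {"counts": counts, "obfuscated_names": obfuscated, "flags": flags}

# Constructed sample: a minimal PDF whose OpenAction runs a harmless alert,
# with /JavaScript spelled as /Java#53cript to exercise the escape handling.
SAMPLE_PDF = (b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Type /Action /S /Java#53cript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
```

Like PDFiD, this only looks at names in the raw bytes, so content inside compressed streams or object streams is invisible to it; a hit is a reason to look closer with pdf-parser, not a verdict.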
puppydogbuddy

See this link for an Adobe forum on the issues you raised:
forums.adobe.com/thread/286476?tstart=0
puppydogbuddy

Oops, the link above should be:
http://forums.adobe.com/thread/286476?tstart=0
btan

Also, this would be helpful for configuring PDF as another layer, so that an exploit does not run so easily

@ http://www.brighthub.com/computing/enterprise-security/articles/76970.aspx
Russell_Venable

Are you looking for a Windows tool? Pdfvoid.com was a good site to go to; haven't seen them for a bit. If you're just wanting to look at the PDF there are a few tools out there. It would help to know what you're looking for exactly, and for general purpose. Is antivirus not good enough?
btan

Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files. But if it is a sensitive document, I suggest not doing that; probably an MD5 hash can be used online instead (e.g. the 2nd link or even VirusTotal), but that is signature-based, meaning something already detected before.

@ http://wepawet.iseclab.org/
@ http://wepawet.iseclab.org/tools.php

To use Wepawet: Upload a sample or specify a URL and wait for the resource to be analyzed. At the end of the analysis phase, it tells you whether the resource is malicious or benign and provides you with information that helps you understand why it was classified one way or the other. It does not just tell you that a resource is malicious, it also shows you the exact vulnerability (or, more likely, the vulnerabilities) that are exploited during an attack.
Russell_Venable

The reason I asked before is so I don't put half the world's tools on here; I have a rather large list. I just need to know what expectations you have, like offline scanning, online, heuristics, specific exploit scanning, custom scanning, etc. Hope to hear back from you soon.
keith1001

I would like Windows-based software that will scan PDFs for injections, malware, bad scripts, and viruses.
btan

You may want to check out

a) PDF Stream Dumper by “Dave” is a powerful Windows program that combines a number of PDF analysis tools under a unified GUI. It makes it possible to explore PDF contents, decode object contents, deobfuscate JavaScript, examine shellcode, etc.

@ http://blog.zeltser.com/post/3235995383/pdf-stream-dumper-malicious-file-analysis

b) PDF Dissector by Zynamics

@ http://www.zynamics.com/pdfdissector/manual/html/introduction.htm
Russell_Venable

Keith, considering all your requirements I would suggest you not use PDF Stream Dumper, as it is an older utility but, more importantly, contains an outdated non-production exploit scanner. It wouldn't meet your needs.

- It does not have updated exploit list.
- Manual analysis is needed for this tool. Not automated. VBS scripts are automated.
- Difficult to use for someone not in the field.

If you're well versed and know what you're looking for, and want to manually look for exploits and bad code, use Malzilla or PDF Stream Dumper. As for one that includes automated searching, I'll get back to you with one.

btan

@ Keith, actually the online tool can give an edge, but since you wanted offline Windows-based software that will scan PDFs for injections, malware, bad scripts, and viruses, I will say that it does not really matter whether the tool is old or not updated; it still serves its purposes. I agree with Russell that the tool can be too specialised, but minimally the quick run-through in the article tells where it is. There are command-line versions as well, such as pdf-parser and pdfid, but they will need more expertise. Maybe run it as a bat file with the command option on. For info, even pdfid is implemented on the well-known VirusTotal site (http://www.virustotal.com). The site scans with more than 40 different anti-virus products and several tools.

I know you will not be into reading the technical material, but if you think you are into it, you can check out this ebook
@ http://blog.didierstevens.com/2010/09/26/free-malicious-pdf-analysis-e-book/
Russell_Venable

Going up a few posts and referencing "PDF Dissector by Zynamics"

This would most likely meet all your criteria.

- It scans for exploits
- Scriptable search engine through plugins.
- Shows object tables and fields for things like JavaScript (callee, eval, encrypted shellcode, etc.) injection, Flash (.swf).
- Decodes shellcode and shows the remote download site for the shellcode's payload (Trojan usually, or downloader).
- Easy to use interface
- Can be used to scan multiple PDF files in an automated fashion and report findings.
- Runs on Windows

I believe this also gives you the CVE listing for the exploit the file is using as well. Most of the other tools are in the $1000+ range and/or are in an interpreted language (Python, Ruby), difficult to use. So not valid for your case.

This may cost a little, but in the end it will pay off in time and security of your investment.
keith1001

Can find a link to download PDF Dissector....
Russell_Venable

One sec
ASKER CERTIFIED SOLUTION
Russell_Venable

btan

Another (but may not be as suitable) PDF examiner, although it can be expensive for enterprise-grade, hosted type; they do have a command line

@ http://www.malwaretracker.com/pdfexaminer.php

- Display PDF file structure as individual objects in both encoded and uncompressed format; exploit or JavaScript objects are automatically flagged.
- Automatically detect published exploits with CVE number.
- Deobfuscate common JavaScript obfuscation techniques automatically.
- Flag obfuscated JavaScript in objects.
- Process PDF encryption to view objects decrypted.
- Automatically extract and analyze embedded PDFs.
- View as hexview, or raw in browser, or download as file (easily download Flash files, embedded TrueType fonts, shellcode, or JavaScript blocks for external analysis).
- Search database for PDF files with similar exploits.
- Batch ingest a single file or directory of PDFs from the command line.
- Receive regular PDF exploit signature updates.
- Extend the default functionality with your own scripts or signatures.