Jump to content
Anastasis

Creating and Analyzing a Malicious PDF File with PDF-Parser Tool

Recommended Posts

Anastasis
Malicious PDF File
 

This tool will parse a PDF document to distinguish the central components utilized as a part of analyzed file. It won’t render a PDF archive.

Features included:

  • Load/parse objects and headers
  • Extract meta data (author, description, …)
  • Extract text from ordered pages
  • Support of compressed pdf
  • Support of MAC OS Roman charset encoding
  • Handling of hexa and octal encoding in text sections
  • PSR-0 compliant (autoloader)
  • PSR-1 compliant (code styling)
 

Analyzing a Malicious PDF File

 

We have created the PDF file with an EXE file embedded with it.

Step 1: To launch the PDF parser type pdf-parser

root@kali:~# pdf-parser -h List all the options with PDFParser

 

Step2: To get the stats of the PDF Document.

root@kali:~# pdf-parser -a /root/Desktop/template.pdf

Analyzing a Malicious PDF File

Step3: Passing stream data through Filters FlateDecode,ASCIIHexDecode, ASCII85Decode, LZWDecode and RunLengthDecode.

root@kali:~# pdf-parser -f /root/Desktop/template.pdf

Analyzing a Malicious PDF File

Analyzing a Malicious PDF File

 

 

Step4: To get the Hashes of the PDF file.

root@kali:~# pdf-parser -H /root/Desktop/template.pdf

Analyzing a Malicious PDF File

Step5: Case sensitive search in streams

root@kali:~# pdf-parser –casesensitive /root/Desktop/template.pdf

Analyzing a Malicious PDF File

Step6: To get the javascripts added with the document.

pdf-parser –search javascript –raw /root/Desktop/template.pdf

Analyzing a Malicious PDF File

The stats option show insights of the items found in the PDF report. Utilize this to recognize PDF archives with unusual/unexpected objects, or to characterize PDF records.

The search option scans for a string in indirect objects (not inside the surge of Indirect objects). The inquiry is not case-sensitive and is defenseless to obfuscation methods.

Filter option applies the filter(s) to the stream, whereas raw option makes pdf-parser output raw data.

Share this post


Link to post
Share on other sites

Δημιουργήστε ένα λογαριασμό ή συνδεθείτε προκειμένου να το δείτε

Πρέπει να είστε μέλος για να μπορέσετε να αφήσετε κάποιο σχόλιο

Δημιουργία λογαριασμού

Κάντε μια δωρεάν εγγραφή στην κοινότητά μας. Η εγγραφές μας είναι εύκολες.!

Εγγραφή τώρα

Σύνδεση

Εάν έχετε ήδη λογαριασμό σε αυτό το Forum; Συνδεθείτε εδώ.

Συνδεθείτε τώρα

  • Μηνύματα

    • de4d_R1n63r
      Πως μπορώ να δημιουργήσω ένα evilAP (Access Point) όπου όταν ένας χρήστης συνδέεται θα πρέπει πρώτα να περάσει από ένα fake captive Portal που εχω φτοιάξει εγώ και το τρέχω στο localhost?  Παράδειγμα: όπως οι καφετέριες έχουν το Free access Captive Portal! Όπου Πρέπει να κάνεις Κλικ κάπου πρώτα και μετά μπορείς να συνεχισεις να σερφάρεις «ανενοχλητος». Κατάφερα Να στήσω ενα Access Point με το mitmAP.py αλλά κολλάω στη Δημιουργία Του Captive Portal...  Λογισμικό : kali Linux 2.0 Virtual machine Οποιαδήποτε βοήθεια είναι καλοδεχούμενη!  Σας ευχαριστώ Πολύ! 
    • dichvusocks
      Payment Instantly perfectmoney, bitcoin, wmtransfer, wex, ETH (Please click Buy Socks)
      Update Tools Client Dichvusocks.us http://dichvusocks.us/tools.php Link check socks http://check.dichvusocks.us/
      LIVE | 37.59.8.29:19571 | 1.52 | Unknow | Unknow | ns3099982.ovh.net | France | Blacklist: Yes | Checked at http://dichvusocks.us
      LIVE | 103.21.163.81:6667 | 1.69 | Gujarat | 396445 | N/A | India | Blacklist: Yes | Checked at http://dichvusocks.us
      LIVE | 188.120.228.252:42796 | 1.72 | Unknow | Unknow | stylemax.ru | Russian Federation | Blacklist: Yes | Checked at http://dichvusocks.us
      LIVE | 150.129.52.74:6667 | 1.22 | Gujarat | 394601 | N/A | India | Blacklist: No | Checked at http://dichvusocks.us
      LIVE | 79.137.72.22:56975 | 0.5 | Unknow | Unknow | 22.ip-79-137-72.eu | France | Blacklist: Yes | Checked at http://dichvusocks.us
      LIVE | 118.139.176.242:40440 | 0.73 | Unknow | Unknow | ip-118-139-176-242.ip.secureserver.net | Singapore | Blacklist: Yes | Checked at http://dichvusocks.us
      LIVE | 95.110.227.5:50459 | 0.61 | Toscana | 52100 | host5-227-110-95.serverdedicati.aruba.it | Italy | Blacklist: Yes | Checked at http://dichvusocks.us
      LIVE | 103.250.148.82:6667 | 1.05 | Gujarat | 382845 | N/A | India | Blacklist: Yes | Checked at http://dichvusocks.us
      LIVE | 192.169.140.100:28724 | 1.56 | Arizona | 85260 | ip-192-169-140-100.ip.secureserver.net | United States | Blacklist: Yes | Checked at http://dichvusocks.us
      LIVE | 132.148.130.208:24484 | 1.36 | California | 92603 | ip-132-148-130-208.ip.secureserver.net | United States | Blacklist: Yes | Checked at http://dichvusocks.us
      LIVE | 192.169.202.104:36198 | 1.75 | Arizona | 85260 | ip-192-169-202-104.ip.secureserver.net | United States | Blacklist: Yes | Checked at http://dichvusocks.us
      LIVE | 192.169.196.126:6365 | 1.76 | Arizona | 85260 | ip-192-169-196-126.ip.secureserver.net | United States | Blacklist: Yes | Checked at http://dichvusocks.us
      LIVE | 118.139.176.242:61359 | 0.74 | Unknow | Unknow | ip-118-139-176-242.ip.secureserver.net | Singapore | Blacklist: Yes | Checked at http://dichvusocks.us
      LIVE | 37.208.69.147:9050 | 0.86 | Unknow | Unknow | stitu.shapefeeds.com | Anonymous Proxy | Blacklist: Yes | Checked at http://dichvusocks.us
      LIVE | 103.250.166.4:6667 | 1.08 | Gujarat | 370201 | N/A | India | Blacklist: Yes | Checked at http://dichvusocks.us
      LIVE | 125.227.69.220:3261 | 0.91 | Unknow | Unknow | 114-26-161-57.dynamic-ip.hinet.net | Taiwan | Blacklist: Yes | Checked at http://dichvusocks.us
      LIVE | 43.224.8.121:6667 | 1.29 | Gujarat | 363001 | N/A | India | Blacklist: Yes | Checked at http://dichvusocks.us
      LIVE | 150.129.52.75:6667 | 1.44 | Gujarat | 394601 | N/A | India | Blacklist: Yes | Checked at http://dichvusocks.us
       
    • vn5socks.net
      LIVE ~ 204.42.255.250:13264 | 0.245 | Englewood | CO | 80112 | United States | Checked at vn5socks.net
      LIVE ~ 37.59.56.88:17371 | 0.235 | Unknown | Unknown | Unknown | France | Checked at vn5socks.net
      LIVE ~ 66.110.216.221:39603 | 0.303 | Atlanta | GA | 30328 | United States | Checked at vn5socks.net
      LIVE ~ 184.185.2.146:47659 | 0.292 | Unknown | Unknown | Unknown | United States | Checked at vn5socks.net
      LIVE ~ 165.227.214.55:2018 | 0.232 | Santa Cruz | CA | 95060 | United States | Checked at vn5socks.net
      LIVE ~ 52.196.27.196:34000 | 0.107 | Wilmington | DE | 19893 | United States | Checked at vn5socks.net
      LIVE ~ 45.55.169.78:19556 | 0.269 | Unknown | Unknown | Unknown | Unknown | Checked at vn5socks.net
      LIVE ~ 72.11.148.222:56533 | 0.197 | Los Angeles | CA | 90014 | United States | Checked at vn5socks.net
      LIVE ~ 216.21.200.120:10200 | 0.239 | Walpole | ME | 04573 | United States | Checked at vn5socks.net
      LIVE ~ 66.110.216.105:39431 | 0.302 | Atlanta | GA | 30328 | United States | Checked at vn5socks.net
      LIVE ~ 192.169.250.198:40710 | 0.193 | Unknown | Unknown | Unknown | Unknown | Checked at vn5socks.net
      LIVE ~ 192.169.180.124:6085 | 0.221 | Unknown | Unknown | Unknown | Unknown | Checked at vn5socks.net
      LIVE ~ 69.198.62.206:39593 | 0.364 | Richardson | TX | Unknown | United States | Checked at vn5socks.net
      LIVE ~ 50.63.153.173:46311 | 0.196 | Scottsdale | AZ | 85260 | United States | Checked at vn5socks.net
      LIVE ~ 192.169.188.100:53562 | 0.194 | Unknown | Unknown | Unknown | Unknown | Checked at vn5socks.net
      LIVE ~ 173.249.7.249:34925 | 0.258 | Pacifica | CA | 94044 | United States | Checked at vn5socks.net
      LIVE ~ 192.210.202.156:2018 | 0.237 | Unknown | Unknown | Unknown | Unknown | Checked at vn5socks.net
      LIVE ~ 50.63.153.173:25515 | 0.2 | Scottsdale | AZ | 85260 | United States | Checked at vn5socks.net
    • tisocks
      SOCKS Proxy List by Tisocks.net
      If you Need Socks5 , Please visit service and add fund via PM , BTC WMZ , WEX . Thanks all!!
      Add fund : https://tisocks.net/addfund
      Check socks5 Online here : https://checksocks5.com
      LIVE | 64.118.87.14:40028 | 0.052 | SOCKS5 | New Jersey | 07310 | drive500.123servers.com | United States | Checked at https://tisocks.net
      LIVE | 64.118.87.11:40028 | 0.052 | SOCKS5 | New Jersey | 07310 | drive500.123servers.com | United States | Checked at https://tisocks.net
      LIVE | 64.118.88.53:40028 | 0.052 | SOCKS5 | New Jersey | 07310 | drive500.123servers.com | United States | Checked at https://tisocks.net
      LIVE | 79.137.72.22:56975 | 0.335 | SOCKS5 | Unknow | Unknow | 22.ip-79-137-72.eu | France | Checked at https://tisocks.net
      LIVE | 192.169.142.205:4265 | 0.281 | SOCKS5 | Arizona | 85260 | ip-192-169-136-149.ip.secureserver.net | United States | Checked at https://tisocks.net
      LIVE | 64.130.131.172:34048 | 0.224 | SOCKS5 | Kentucky | 42141 | 64-130-131-172.pool.dsl.scrtc.com | United States | Checked at https://tisocks.net
      LIVE | 69.89.101.16:62720 | 0.169 | SOCKS5 | Michigan | 48915 | 69-89-101-16.dhcp.acd.net | United States | Checked at https://tisocks.net
      LIVE | 164.132.20.94:12968 | 0.252 | SOCKS5 | Georgia | 30736 | 64-18-108-170.hsi.catt.com | United States | Checked at https://tisocks.net
      LIVE | 96.31.247.253:38882 | 0.447 | SOCKS5 | California | 90009 | 96-31-247-253-static-ip.telepacific.net | United States | Checked at https://tisocks.net
      LIVE | 149.56.65.157:46684 | 0.324 | SOCKS5 | Al Qahirah | Unknow | host-41.234.217.155.tedata.net | Egypt | Checked at https://tisocks.net
      LIVE | 192.169.140.74:58022 | 0.279 | SOCKS5 | Arizona | 85260 | ip-192-169-140-74.ip.secureserver.net | United States | Checked at https://tisocks.net
      LIVE | 163.172.202.116:42908 | 0.265 | SOCKS5 | Michigan | 48066 | c-68-36-229-146.hsd1.mi.comcast.net | United States | Checked at https://tisocks.net
      LIVE | 149.56.65.157:58128 | 0.404 | SOCKS5 | Region Metropolitana | Unknow | N/A | Chile | Checked at https://tisocks.net
      LIVE | 185.244.128.102:28102 | 0.555 | SOCKS5 | Unknow | Unknow | N/A | Romania | Checked at https://tisocks.net
      LIVE | 64.118.88.39:40028 | 0.059 | SOCKS5 | New Jersey | 07310 | drive500.123servers.com | United States | Checked at https://tisocks.net
    • shopsocks5.com
      [Shopsocks5.com] Service Socks5 Cheap
      Payment Instantly Perfectmoney, Bitcoin, Wmtransfer, BTC-E ( Please click Buy Socks )
      Check Socks Online  http://shopsocks5.com/check/




        Live | 184.185.2.146:47659 | United States | Unknown | Unknown | Unknown | Checked at Shopsocks5.com Live | 72.210.252.134:46164 | United States | Unknown | Unknown | Unknown | Checked at Shopsocks5.com Live | 14.102.109.133:10198 | India | New Delhi | 07 | Unknown | Checked at Shopsocks5.com Live | 138.68.59.157:1210 | United States | Wilmington | DE | 19880 | Checked at Shopsocks5.com Live | 31.148.219.150:1443 | Netherlands | Unknown | Unknown | Unknown | Checked at Shopsocks5.com Live | 173.245.239.223:16938 | United States | Atlanta | GA | 30328 | Checked at Shopsocks5.com Live | 208.97.31.229:53124 | United States | Atlanta | GA | 30328 | Checked at Shopsocks5.com Live | 72.49.49.11:31034 | United States | Unknown | Unknown | Unknown | Checked at Shopsocks5.com Live | 205.240.205.108:25798 | Honduras | San Pedro Sula | 06 | Unknown | Checked at Shopsocks5.com Live | 69.61.200.104:36181 | United States | Unknown | Unknown | Unknown | Checked at Shopsocks5.com Live | 216.144.230.233:15993 | United States | Santa Ana | CA | 92705 | Checked at Shopsocks5.com Live | 204.42.255.250:13264 | United States | Englewood | CO | 80111 | Checked at Shopsocks5.com Live | 98.172.253.157:40753 | United States | Unknown | Unknown | Unknown | Checked at Shopsocks5.com Live | 37.59.56.88:3605 | France | Unknown | Unknown | Unknown | Checked at Shopsocks5.com Live | 72.11.148.222:56533 | United States | Los Angeles | CA | 90014 | Checked at Shopsocks5.com Live | 52.196.27.196:34000 | Japan | Tokyo | 40 | 100-0001 | Checked at Shopsocks5.com
×