pdfalyzer 1.14.7__py3-none-any.whl → 1.14.9__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of pdfalyzer might be problematic. Click here for more details.
- CHANGELOG.md +6 -0
- pdfalyzer/__init__.py +1 -1
- pdfalyzer/output/layout.py +4 -0
- pdfalyzer/output/pdfalyzer_presenter.py +12 -3
- pdfalyzer/yara_rules/PDF.yara +36 -0
- {pdfalyzer-1.14.7.dist-info → pdfalyzer-1.14.9.dist-info}/METADATA +1 -1
- {pdfalyzer-1.14.7.dist-info → pdfalyzer-1.14.9.dist-info}/RECORD +10 -10
- {pdfalyzer-1.14.7.dist-info → pdfalyzer-1.14.9.dist-info}/LICENSE +0 -0
- {pdfalyzer-1.14.7.dist-info → pdfalyzer-1.14.9.dist-info}/WHEEL +0 -0
- {pdfalyzer-1.14.7.dist-info → pdfalyzer-1.14.9.dist-info}/entry_points.txt +0 -0
CHANGELOG.md
CHANGED
|
@@ -1,5 +1,11 @@
|
|
|
1
1
|
# NEXT RELEASE
|
|
2
2
|
|
|
3
|
+
### 1.14.9
|
|
4
|
+
* Add [ActiveMime YARA rule](https://blog.didierstevens.com/2023/08/29/quickpost-pdf-activemime-maldocs-yara-rule/)
|
|
5
|
+
|
|
6
|
+
### 1.14.8
|
|
7
|
+
* Handle internal YARA errors more gracefully with error messages instead of crashes (currently seeing `ERROR_TOO_MANY_RE_FIBERS` on macOS on some files for unknown reasons that we hope will go away eventually)
|
|
8
|
+
|
|
3
9
|
### 1.14.7
|
|
4
10
|
* Bump `yaralyzer` version to 0.9.4 (and thus bump `yara-python` to 4.3.0+)
|
|
5
11
|
* Remove unused imports, remove unused `requirements.txt` file.
|
pdfalyzer/__init__.py
CHANGED
|
@@ -72,7 +72,7 @@ def pdfalyze():
|
|
|
72
72
|
|
|
73
73
|
|
|
74
74
|
def pdfalyzer_show_color_theme() -> None:
|
|
75
|
-
"""Utility method to show pdfalyzer's color theme. Invocable with '
|
|
75
|
+
"""Utility method to show pdfalyzer's color theme. Invocable with 'pdfalyzer_show_color_theme'."""
|
|
76
76
|
console.print(Panel('The Pdfalyzer Color Theme', style='reverse'))
|
|
77
77
|
|
|
78
78
|
colors = [
|
pdfalyzer/output/layout.py
CHANGED
|
@@ -65,5 +65,9 @@ def print_headline_panel(headline, style: str = ''):
|
|
|
65
65
|
_print_header_panel(headline, style, False, console_width())
|
|
66
66
|
|
|
67
67
|
|
|
68
|
+
def print_fatal_error_panel(headline):
|
|
69
|
+
print_headline_panel(headline, style='red blink')
|
|
70
|
+
|
|
71
|
+
|
|
68
72
|
def _print_header_panel(headline: str, style: str, expand: bool, width: int, padding: tuple = (0,)) -> None:
|
|
69
73
|
console.print(Panel(headline, style=style, expand=expand, width=width or subheading_width(), padding=padding))
|
|
@@ -4,6 +4,7 @@ Handles formatting of console text output for Pdfalyzer class.
|
|
|
4
4
|
from collections import defaultdict
|
|
5
5
|
from typing import Optional
|
|
6
6
|
|
|
7
|
+
import yara
|
|
7
8
|
from anytree import LevelOrderIter, RenderTree, SymlinkNode
|
|
8
9
|
from anytree.render import DoubleStyle
|
|
9
10
|
from rich.markup import escape
|
|
@@ -20,7 +21,8 @@ from pdfalyzer.config import PdfalyzerConfig
|
|
|
20
21
|
from pdfalyzer.decorators.pdf_tree_node import DECODE_FAILURE_LEN
|
|
21
22
|
from pdfalyzer.detection.yaralyzer_helper import get_bytes_yaralyzer, get_file_yaralyzer
|
|
22
23
|
from pdfalyzer.helpers.string_helper import pp
|
|
23
|
-
from pdfalyzer.output.layout import print_section_header, print_section_subheader,
|
|
24
|
+
from pdfalyzer.output.layout import (print_fatal_error_panel, print_section_header, print_section_subheader,
|
|
25
|
+
print_section_sub_subheader)
|
|
24
26
|
from pdfalyzer.output.tables.pdf_node_rich_table import generate_rich_tree, get_symlink_representation
|
|
25
27
|
from pdfalyzer.output.tables.stream_objects_table import stream_objects_table
|
|
26
28
|
from pdfalyzer.output.tables.decoding_stats_table import build_decoding_stats_table
|
|
@@ -124,8 +126,15 @@ class PdfalyzerPresenter:
|
|
|
124
126
|
def print_yara_results(self) -> None:
|
|
125
127
|
"""Scan the overall PDF and each individual binary stream in it with yara_rules/ files"""
|
|
126
128
|
print_section_header(f"YARA Scan of PDF rules for '{self.pdfalyzer.pdf_basename}'")
|
|
127
|
-
YaralyzerConfig.args.standalone_mode = True # TODO: this sucks
|
|
128
|
-
|
|
129
|
+
YaralyzerConfig.args.standalone_mode = True # TODO: using 'standalone mode' like this kind of sucks
|
|
130
|
+
|
|
131
|
+
try:
|
|
132
|
+
self.yaralyzer.yaralyze()
|
|
133
|
+
except yara.Error as e:
|
|
134
|
+
console.print_exception()
|
|
135
|
+
print_fatal_error_panel("Internal YARA error! YARA's error codes can be checked here: https://github.com/VirusTotal/yara/blob/master/libyara/include/yara/error.h")
|
|
136
|
+
return
|
|
137
|
+
|
|
129
138
|
YaralyzerConfig.args.standalone_mode = False
|
|
130
139
|
console.line(2)
|
|
131
140
|
|
pdfalyzer/yara_rules/PDF.yara
CHANGED
|
@@ -983,3 +983,39 @@ rule PDF_JS_guillemet_close_in_Adobe_Type1_font
|
|
|
983
983
|
$url_js_backtick_close_obj and Adobe_Type_1_Font
|
|
984
984
|
}
|
|
985
985
|
|
|
986
|
+
|
|
987
|
+
rule rule_pdf_activemime {
|
|
988
|
+
meta:
|
|
989
|
+
author = "Didier Stevens"
|
|
990
|
+
date = "2023/08/29"
|
|
991
|
+
version = "0.0.1"
|
|
992
|
+
samples = "5b677d297fb862c2d223973697479ee53a91d03073b14556f421b3d74f136b9d,098796e1b82c199ad226bff056b6310262b132f6d06930d3c254c57bdf548187,ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058"
|
|
993
|
+
description = "look for files that start with %PDF- and contain BASE64 encoded string ActiveMim (QWN0aXZlTWlt), possibly obfuscated with extra whitespace characters"
|
|
994
|
+
usage = "if you don't have to care about YARA performance warnings, you can uncomment string $base64_ActiveMim0 and remove all other $base64_ActiveMim## strings"
|
|
995
|
+
strings:
|
|
996
|
+
$pdf = "%PDF-"
|
|
997
|
+
// $base64_ActiveMim0 = /[ \t\r\n]*Q[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
998
|
+
$base64_ActiveMim1 = /Q [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
999
|
+
$base64_ActiveMim2 = /Q \t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1000
|
+
$base64_ActiveMim3 = /Q \r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1001
|
+
$base64_ActiveMim4 = /Q \n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1002
|
+
$base64_ActiveMim5 = /Q\t [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1003
|
+
$base64_ActiveMim6 = /Q\t\t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1004
|
+
$base64_ActiveMim7 = /Q\t\r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1005
|
+
$base64_ActiveMim8 = /Q\t\n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1006
|
+
$base64_ActiveMim9 = /Q\r [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1007
|
+
$base64_ActiveMim10 = /Q\r\t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1008
|
+
$base64_ActiveMim11 = /Q\r\r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1009
|
+
$base64_ActiveMim12 = /Q\r\n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1010
|
+
$base64_ActiveMim13 = /Q\n [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1011
|
+
$base64_ActiveMim14 = /Q\n\t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1012
|
+
$base64_ActiveMim15 = /Q\n\r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1013
|
+
$base64_ActiveMim16 = /Q\n\n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1014
|
+
$base64_ActiveMim17 = /QW [ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1015
|
+
$base64_ActiveMim18 = /QW\t[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1016
|
+
$base64_ActiveMim19 = /QW\r[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1017
|
+
$base64_ActiveMim20 = /QW\n[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1018
|
+
$base64_ActiveMim21 = /QWN[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
|
|
1019
|
+
condition:
|
|
1020
|
+
$pdf at 0 and any of ($base64_ActiveMim*)
|
|
1021
|
+
}
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.1
|
|
2
2
|
Name: pdfalyzer
|
|
3
|
-
Version: 1.14.
|
|
3
|
+
Version: 1.14.9
|
|
4
4
|
Summary: A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more.
|
|
5
5
|
Home-page: https://github.com/michelcrypt4d4mus/pdfalyzer
|
|
6
6
|
License: GPL-3.0-or-later
|
|
@@ -1,6 +1,6 @@
|
|
|
1
|
-
CHANGELOG.md,sha256=
|
|
1
|
+
CHANGELOG.md,sha256=3iHOPV8KwyNpEoiOS92BgtkOnp9sXiuFWStNp2mjj_0,11144
|
|
2
2
|
LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
|
|
3
|
-
pdfalyzer/__init__.py,sha256=
|
|
3
|
+
pdfalyzer/__init__.py,sha256=bip0vBCQXxNVwZrQdT15_YVqE5o7IfS4HZnE38rnqzA,3188
|
|
4
4
|
pdfalyzer/__main__.py,sha256=Ko_AoAyYMLIe_cmhiUSl6twheLZrGyT8aOSJ2CP7EZY,43
|
|
5
5
|
pdfalyzer/binary/binary_scanner.py,sha256=iZN0vrqBFgADR3ACGY5SE9wAcQcNs0hlGgrMg1530sg,10121
|
|
6
6
|
pdfalyzer/config.py,sha256=oN-pVR037lt3giRsnsm4c8ku5hCW8ChFqYFi9V7w1qU,1918
|
|
@@ -20,8 +20,8 @@ pdfalyzer/helpers/pdf_object_helper.py,sha256=u0j8B9mY8s5cTGo5LmDcozotvvgZNrwwJ4
|
|
|
20
20
|
pdfalyzer/helpers/rich_text_helper.py,sha256=Ytd1n1ONmEe7BxEwT-LLT6rt7QF-m_wnapPdwWYT4Pc,1800
|
|
21
21
|
pdfalyzer/helpers/string_helper.py,sha256=75EDEFw3UWHvWF32WtvZVBbqYY3ozO4y30dtH2qVMX0,2278
|
|
22
22
|
pdfalyzer/output/character_mapping.py,sha256=lKPf-Xw3K3A3h33EOB_B-YaaxuFie7h7PUXCrphuwmw,2095
|
|
23
|
-
pdfalyzer/output/layout.py,sha256=
|
|
24
|
-
pdfalyzer/output/pdfalyzer_presenter.py,sha256
|
|
23
|
+
pdfalyzer/output/layout.py,sha256=E58T9Tl6BYZTDsj6ouMr1J5SSUiXa7timUNxnOI2IzI,2149
|
|
24
|
+
pdfalyzer/output/pdfalyzer_presenter.py,sha256=-43-4W-Hrbc2FdMjkuAZT3ajtH6cLbOVA5voMw-WeUY,8498
|
|
25
25
|
pdfalyzer/output/styles/node_colors.py,sha256=sw-e97iRwAzqBdg0sP_b__9KCe6MbRcgMzQlPL6sCrA,3987
|
|
26
26
|
pdfalyzer/output/styles/rich_theme.py,sha256=Y8QmuINlyZNIHvf3oD0CV3w2dC49NNKtvOChvudDCT8,1983
|
|
27
27
|
pdfalyzer/output/tables/decoding_stats_table.py,sha256=mhQOiWhmovaC4sop38WcxStv_bIdAlQWUysAz5fW4MU,3461
|
|
@@ -35,12 +35,12 @@ pdfalyzer/util/argument_parser.py,sha256=EiOBaMRFvb9C_Zq3Odhw0KECSvElEfm8hGyljsO
|
|
|
35
35
|
pdfalyzer/util/debugging.py,sha256=nE64VUQbdu2OQRC8w8-AJkMtBOy8Kf3mjozuFslfWsw,156
|
|
36
36
|
pdfalyzer/util/exceptions.py,sha256=XLFFTdx1n6i_VCmvuzvIOCa-djJvGEitfo9lhy3zq0k,98
|
|
37
37
|
pdfalyzer/util/pdf_parser_manager.py,sha256=FVRYAYsCd0y5MAm--qvXnwCZnDtB3x85FdJtb-gpyw4,3109
|
|
38
|
-
pdfalyzer/yara_rules/PDF.yara,sha256=
|
|
38
|
+
pdfalyzer/yara_rules/PDF.yara,sha256=xggHRiwAtOJvrVrpnmlPIjbAKMcNVmSpqYyip3d_3tc,37715
|
|
39
39
|
pdfalyzer/yara_rules/PDF_binary_stream.yara,sha256=oWRPLe5yQiRFMvi3BTHNTlB6T7NcAuxKn0C9OSvgJSM,804
|
|
40
40
|
pdfalyzer/yara_rules/__init.py__,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
41
41
|
pdfalyzer/yara_rules/lprat.static_file_analysis.yara,sha256=i0CwRH8pBx_QshKFTQtr1CP5n378EZelsF2FxMY2y5A,21859
|
|
42
|
-
pdfalyzer-1.14.
|
|
43
|
-
pdfalyzer-1.14.
|
|
44
|
-
pdfalyzer-1.14.
|
|
45
|
-
pdfalyzer-1.14.
|
|
46
|
-
pdfalyzer-1.14.
|
|
42
|
+
pdfalyzer-1.14.9.dist-info/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
|
|
43
|
+
pdfalyzer-1.14.9.dist-info/METADATA,sha256=1jJ2A8tzojq0GgB741OhlJc-AkdHlmGYzPppqEgsQeY,24474
|
|
44
|
+
pdfalyzer-1.14.9.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
|
|
45
|
+
pdfalyzer-1.14.9.dist-info/entry_points.txt,sha256=rl7OpBvxSNmV90rjTPCjhXTtjRMqZxHUAQfP0Cdmt1Y,111
|
|
46
|
+
pdfalyzer-1.14.9.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|