pdfalyzer 1.14.8__py3-none-any.whl → 1.14.10__py3-none-any.whl

CHANGELOG.md

@@ -1,5 +1,11 @@
 # NEXT RELEASE
 
+### 1.14.10
+* Add `malware_MaldocinPDF` YARA rule
+
+### 1.14.9
+* Add [ActiveMime YARA rule](https://blog.didierstevens.com/2023/08/29/quickpost-pdf-activemime-maldocs-yara-rule/)
+
 ### 1.14.8
 * Handle internal YARA errors more gracefully with error messages instead of crashes (currently seeing `ERROR_TOO_MANY_RE_FIBERS` on macOS on some files for unknown reasons that we hope will go away eventually)
 

pdfalyzer/binary/binary_scanner.py

@@ -30,7 +30,7 @@ from pdfalyzer.util.adobe_strings import CONTENTS, CURRENTFILE_EEXEC, FONT_FILE_
 
 class BinaryScanner:
     def __init__(self, _bytes: bytes, owner: PdfTreeNode, label: Optional[Text] = None):
-        """owner is an optional link back to the object containing this binary"""
+        """'owner' arg is an optional link back to the object containing this binary."""
         self.bytes = _bytes
         self.label = label
         self.owner = owner
@@ -43,8 +43,8 @@ class BinaryScanner:
         self.regex_extraction_stats = defaultdict(lambda: RegexMatchMetrics())
 
     def check_for_dangerous_instructions(self) -> None:
-        """Scan for all the strings in DANGEROUS_INSTRUCTIONS list and decode bytes around them"""
-        subheader = "Scanning Binary For Anything That Could Be Described As 'Sus'..."
+        """Scan for all the strings in DANGEROUS_INSTRUCTIONS list and decode bytes around them."""
+        subheader = "Scanning Binary For Anything That Could Be Described As 'sus'..."
         print_section_sub_subheader(subheader, style=f"bright_red")
 
         for instruction in DANGEROUS_STRINGS:
@@ -62,7 +62,7 @@ class BinaryScanner:
                 self.process_yara_matches(yaralyzer, instruction, force=True)
 
     def check_for_boms(self) -> None:
-        """Check the binary data for BOMs"""
+        """Check the binary data for BOMs."""
         print_section_sub_subheader("Scanning Binary for any BOMs...", style='BOM')
 
         for bom_bytes, bom_name in BOMS.items():
@@ -105,11 +105,11 @@ class BinaryScanner:
         return self._quote_yaralyzer(QUOTE_PATTERNS[BACKTICK], BACKTICK).match_iterator()
 
     def extract_front_slash_quoted_bytes(self) -> Iterator[Tuple[BytesMatch, BytesDecoder]]:
-        """Returns an interator over all strings surrounded by front_slashes (hint: regular expressions)"""
+        """Returns an interator over all strings surrounded by front_slashes (hint: regular expressions)."""
         return self._quote_yaralyzer(QUOTE_PATTERNS[FRONTSLASH], FRONTSLASH).match_iterator()
 
     def print_stream_preview(self, num_bytes=None, title_suffix=None) -> None:
-        """Print a preview showing the beginning and end of the embedded stream data"""
+        """Print a preview showing the beginning and end of the embedded stream data."""
         num_bytes = num_bytes or PdfalyzerConfig._args.preview_stream_length or console_width()
         snipped_byte_count = self.stream_length - (num_bytes * 2)
         console.line()
@@ -134,7 +134,7 @@ class BinaryScanner:
         console.line()
 
     def process_yara_matches(self, yaralyzer: Yaralyzer, pattern: str, force: bool = False) -> None:
-        """Decide whether to attempt to decode the matched bytes, track stats. force param ignores min/max length"""
+        """Decide whether to attempt to decode the matched bytes, track stats. force param ignores min/max length."""
         for bytes_match, decoder in yaralyzer.match_iterator():
             log.debug(f"Trackings stats for match: {pattern}, bytes_match: {bytes_match}, is_decodable: {bytes_match.is_decodable()}")
 
@@ -185,7 +185,7 @@ class BinaryScanner:
         )
 
     def _print_suppression_notices(self) -> None:
-        """Print notices in queue in a single panel; empty queue"""
+        """Print the notices in queue in a single display panel and then empty the queue."""
         if len(self.suppression_notice_queue) == 0:
             return
 
@@ -195,5 +195,5 @@ class BinaryScanner:
         self.suppression_notice_queue = []
 
     def _eexec_idx(self) -> int:
-        """Returns the location of CURRENTFILES_EEXEC within the binary stream dataor 0"""
+        """Returns the location of CURRENTFILES_EEXEC within the binary stream data (or 0 if it's not there)."""
         return self.bytes.find(CURRENTFILE_EEXEC) if CURRENTFILE_EEXEC in self.bytes else 0

pdfalyzer/decorators/document_model_printer.py

@@ -1,5 +1,5 @@
 """
-Deprecated pre-tree, more rawformat reader.
+Deprecated old, pre-tree, more rawformat reader.
 """
 from io import StringIO
 

pdfalyzer/decorators/pdf_object_properties.py

@@ -47,7 +47,7 @@ class PdfObjectProperties:
             self.label = address
             self.type = root_address(address) if isinstance(address, str) else None
 
-        # Force a string. TODO this sucks.
+        # Force self.label to be a string. TODO this sucks.
         if isinstance(self.label, int):
             self.label = f"{UNLABELED}[{self.label}]"
 

pdfalyzer/decorators/pdf_tree_node.py

@@ -29,9 +29,9 @@ DECODE_FAILURE_LEN = -1
 class PdfTreeNode(NodeMixin, PdfObjectProperties):
     def __init__(self, obj: PdfObject, address: str, idnum: int):
         """
-        obj: The underlying PDF object
-        address: the first address that points from some node to this one
-        idnum: ID used in the reference
+        obj:     The underlying PDF object
+        address: The first address that points from some node to this one
+        idnum:   ID used in the reference
         """
         PdfObjectProperties.__init__(self, obj, address, idnum)
         self.non_tree_relationships: List[PdfObjectRelationship] = []
@@ -54,7 +54,7 @@ class PdfTreeNode(NodeMixin, PdfObjectProperties):
 
     @classmethod
     def from_reference(cls, ref: IndirectObject, address: str) -> 'PdfTreeNode':
-        """Builds a PdfTreeDecorator from an IndirectObject"""
+        """Builds a PdfTreeDecorator from an IndirectObject."""
         try:
             return cls(ref.get_object(), address, ref.idnum)
         except PdfReadError as e:
@@ -90,7 +90,7 @@ class PdfTreeNode(NodeMixin, PdfObjectProperties):
         log.info(f'Added other relationship: {relationship} {self}')
 
     def remove_non_tree_relationship(self, from_node: 'PdfTreeNode') -> None:
-        """Remove all non_tree_relationships from from_node to this node"""
+        """Remove all non_tree_relationships from from_node to this node."""
         relationships_to_remove = [r for r in self.non_tree_relationships if r.from_node == from_node]
 
         if len(relationships_to_remove) == 0:
@@ -104,7 +104,7 @@ class PdfTreeNode(NodeMixin, PdfObjectProperties):
             self.non_tree_relationships.remove(relationship)
 
     def nodes_with_here_references(self) -> List['PdfTreeNode']:
-        """Return a list of nodes that contain this nodes PDF object as an IndirectObject reference"""
+        """Return a list of nodes that contain this nodes PDF object as an IndirectObject reference."""
         return [r.from_node for r in self.non_tree_relationships if r.from_node]
 
     def non_tree_relationship_count(self) -> int:
@@ -120,11 +120,11 @@ class PdfTreeNode(NodeMixin, PdfObjectProperties):
         return list(addresses)
 
     def references_to_other_nodes(self) -> List[PdfObjectRelationship]:
-        """Returns all nodes referenced from node.obj (see PdfObjectRelationship definition)"""
+        """Returns all nodes referenced from node.obj (see PdfObjectRelationship definition)."""
         return PdfObjectRelationship.build_node_references(from_node=self)
 
     def contains_stream(self) -> bool:
-        """Returns True for ContentStream, DecodedStream, and EncodedStream objects"""
+        """Returns True for ContentStream, DecodedStream, and EncodedStream objects."""
         return isinstance(self.obj, StreamObject)
 
     def tree_address(self, max_length: Optional[int] = DEFAULT_MAX_ADDRESS_LENGTH) -> str:
@@ -144,7 +144,7 @@ class PdfTreeNode(NodeMixin, PdfObjectProperties):
         return '...' + address[-max_length:][3:]
 
     def address_of_this_node_in_other(self, from_node: 'PdfTreeNode') -> Optional[str]:
-        """Find the local address used in from_node to refer to this node"""
+        """Find the local address used in 'from_node' to refer to this node."""
         refs_to_this_node = [
             ref for ref in from_node.references_to_other_nodes()
             if ref.to_obj.idnum == self.idnum
@@ -189,7 +189,7 @@ class PdfTreeNode(NodeMixin, PdfObjectProperties):
                 SymlinkNode(self, parent=relationship.from_node)
 
     def descendants_count(self) -> int:
-        """How many nodes in the tree are children/grandchildren/great grandchildren/etc of this one"""
+        """Count nodes in the tree that are children/grandchildren/great grandchildren/etc of this one."""
         return len(self.children) + sum([child.descendants_count() for child in self.children])
 
     def unique_labels_of_referring_nodes(self) -> List[str]:
@@ -211,7 +211,7 @@ class PdfTreeNode(NodeMixin, PdfObjectProperties):
             write_method(f"  {i + 1}. {escape(str(r))}, Descendant Count: {r.from_node.descendants_count()}")
 
     def _colored_address(self, max_length: Optional[int] = None) -> Text:
-        """Rich text version of tree_address()"""
+        """Rich text version of tree_address()."""
         text = Text('@', style='bright_white')
         return text.append(self.tree_address(max_length), style='address')
 

pdfalyzer/decorators/pdf_tree_verifier.py

@@ -29,7 +29,7 @@ class PdfTreeVerifier:
             log.warning(msg)
 
     def verify_unencountered_are_untraversable(self) -> None:
-        """Make sure any PDF object IDs we can't find in tree are /ObjStm or /Xref nodes"""
+        """Make sure any PDF object IDs we can't find in tree are /ObjStm or /Xref nodes."""
         if self.pdfalyzer.pdf_size is None:
             log.warning(f"{SIZE} not found in PDF trailer; cannot verify all nodes are in tree")
             return

pdfalyzer/detection/javascript_hunter.py

@@ -1,5 +1,5 @@
 """
-Count the Javascript (at least the 3+ letter words, record big matches
+Count the Javascript (at least the 3+ letter words, record big matches.
 """
 import re
 

pdfalyzer/detection/yaralyzer_helper.py

@@ -1,5 +1,5 @@
 """
-Class to help with the pre-configured YARA rules in /yara.
+Class to help with the pre-configured YARA rules in the /yara directory.
 """
 from importlib.resources import as_file, files
 from sys import exit

pdfalyzer/helpers/number_helper.py

@@ -1,4 +1,6 @@
-"""Some simple math helpers."""
+"""
+Some simple math helpers.
+"""
 
 
 def is_divisible_by(n: int, divisor: int) -> bool:

pdfalyzer/pdf_object_relationship.py

@@ -6,7 +6,6 @@ from typing import List, Optional, Union
 from PyPDF2.generic import IndirectObject, PdfObject
 from yaralyzer.util.logging import log
 
-#from pdfalyzer.he import has_indeterminate_prefix
 from pdfalyzer.helpers.string_helper import bracketed, is_prefixed_by_any
 from pdfalyzer.util.adobe_strings import *
 

pdfalyzer/pdfalyzer.py

@@ -13,8 +13,8 @@ from anytree import LevelOrderIter, SymlinkNode
 from anytree.search import findall, findall_by_attr
 from PyPDF2 import PdfReader
 from PyPDF2.generic import IndirectObject
-from yaralyzer.output.file_hashes_table import compute_file_hashes
 from yaralyzer.helpers.file_helper import load_binary_data
+from yaralyzer.output.file_hashes_table import compute_file_hashes
 from yaralyzer.output.rich_console import console
 from yaralyzer.util.logging import log
 

pdfalyzer/yara_rules/PDF.yara

@@ -983,3 +983,64 @@ rule PDF_JS_guillemet_close_in_Adobe_Type1_font
         $url_js_backtick_close_obj and Adobe_Type_1_Font
 }
 
+
+rule rule_pdf_activemime {
+    meta:
+        author = "Didier Stevens"
+        date = "2023/08/29"
+        version = "0.0.1"
+        samples = "5b677d297fb862c2d223973697479ee53a91d03073b14556f421b3d74f136b9d,098796e1b82c199ad226bff056b6310262b132f6d06930d3c254c57bdf548187,ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058"
+        description = "look for files that start with %PDF- and contain BASE64 encoded string ActiveMim (QWN0aXZlTWlt), possibly obfuscated with extra whitespace characters"
+        usage = "if you don't have to care about YARA performance warnings, you can uncomment string $base64_ActiveMim0 and remove all other $base64_ActiveMim## strings"
+    strings:
+        $pdf = "%PDF-"
+//        $base64_ActiveMim0 = /[ \t\r\n]*Q[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim1 = /Q  [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim2 = /Q \t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim3 = /Q \r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim4 = /Q \n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim5 = /Q\t [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim6 = /Q\t\t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim7 = /Q\t\r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim8 = /Q\t\n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim9 = /Q\r [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim10 = /Q\r\t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim11 = /Q\r\r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim12 = /Q\r\n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim13 = /Q\n [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim14 = /Q\n\t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim15 = /Q\n\r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim16 = /Q\n\n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim17 = /QW [ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim18 = /QW\t[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim19 = /QW\r[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim20 = /QW\n[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim21 = /QWN[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+    condition:
+        $pdf at 0 and any of ($base64_ActiveMim*)
+}
+
+
+rule malware_MaldocinPDF {
+    meta:
+        author         = "Yuma Masubuchi and Kota Kino"
+        description    = "Search for embeddings of malicious Word files into a PDF file."
+        created_date   = "2023-08-15"
+        blog_reference = "https://malware.news/t/maldoc-in-pdf-detection-bypass-by-embedding-a-malicious-word-file-into-a-pdf-file/72815"
+        labs_reference = "N/A"
+        labs_pivot     = "N/A"
+        samples        = "ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058"
+
+    strings:
+        $docfile2 = "<w:WordDocument>" ascii nocase
+        $xlsfile2 = "<x:ExcelWorkbook>" ascii nocase
+        $mhtfile0 = "mime" ascii nocase
+        $mhtfile1 = "content-location:" ascii nocase
+        $mhtfile2 = "content-type:" ascii nocase
+
+     condition:
+        (uint32(0) == 0x46445025) and
+        (1 of ($mhtfile*)) and
+        ( (1 of ($docfile*)) or
+          (1 of ($xlsfile*)) )
+}

{pdfalyzer-1.14.8.dist-info → pdfalyzer-1.14.10.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pdfalyzer
-Version: 1.14.8
+Version: 1.14.10
 Summary: A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more.
 Home-page: https://github.com/michelcrypt4d4mus/pdfalyzer
 License: GPL-3.0-or-later

{pdfalyzer-1.14.8.dist-info → pdfalyzer-1.14.10.dist-info}/RECORD

@@ -1,21 +1,21 @@
-CHANGELOG.md,sha256=2_xgeLXSP3688zMVp7Tfa2BCoh9XzuKQV9L85gFgZ1c,11016
+CHANGELOG.md,sha256=9AcJopi6RSNZErSW00CtbeXPLf0fz4GGgchYWzctL9E,11195
 LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
 pdfalyzer/__init__.py,sha256=bip0vBCQXxNVwZrQdT15_YVqE5o7IfS4HZnE38rnqzA,3188
 pdfalyzer/__main__.py,sha256=Ko_AoAyYMLIe_cmhiUSl6twheLZrGyT8aOSJ2CP7EZY,43
-pdfalyzer/binary/binary_scanner.py,sha256=iZN0vrqBFgADR3ACGY5SE9wAcQcNs0hlGgrMg1530sg,10121
+pdfalyzer/binary/binary_scanner.py,sha256=Vl1BarQdk99jDl_NZkBhK85u3auRZrjeR37rThwnzzk,10180
 pdfalyzer/config.py,sha256=oN-pVR037lt3giRsnsm4c8ku5hCW8ChFqYFi9V7w1qU,1918
-pdfalyzer/decorators/document_model_printer.py,sha256=lp6PvyVsxfNzW9k2IEe_8zmAtrPLiGdeFv3F5fCBfpg,2642
+pdfalyzer/decorators/document_model_printer.py,sha256=1fGvbCnMBzpwgePxCIMj1nWUN1lpVtJ1sApTa2sJ3yU,2647
 pdfalyzer/decorators/indeterminate_node.py,sha256=f9Us3Vpr7DIA7PUEvLoMSurRyWySFTiT6Pyjt120PRs,6449
-pdfalyzer/decorators/pdf_object_properties.py,sha256=28jNnav9NYVfMphF7HZQpau0NLV9m-Fzg-S2jBZrkUU,5507
-pdfalyzer/decorators/pdf_tree_node.py,sha256=kdMXdlfcGhaHFDvHjVxFL4jFQ8NJvNXFm53KddxKG7Q,10737
-pdfalyzer/decorators/pdf_tree_verifier.py,sha256=pk0NysYt8PxsKh532IfNSrcoHpdb-wUxUw2TjJFVqDM,4542
+pdfalyzer/decorators/pdf_object_properties.py,sha256=8dqHmi0J2USwnGPSy0Sg_ria_2TsaRWe_HWs-14RKrg,5524
+pdfalyzer/decorators/pdf_tree_node.py,sha256=nIkur38BijcRD-bTJJPrSP25LR9Oiew2E3flzsEZHoQ,10755
+pdfalyzer/decorators/pdf_tree_verifier.py,sha256=IRgm7ikdaqJEq66q3JcMZo49XQoONODM7lySioJfxRc,4543
 pdfalyzer/detection/constants/binary_regexes.py,sha256=rcgQ984q6a8CFvV2QX4-asuqT5w_aH8LPqoN2N13eOM,1665
 pdfalyzer/detection/constants/javascript_reserved_keywords.py,sha256=CXXdWskdQa0Hs5wCci2RBVvipgZg34_cLfmkWG4Xcmg,991
-pdfalyzer/detection/javascript_hunter.py,sha256=pxdy_NIr15uRLvus-iDGpFFCPokf_mSqQJUPndYsD64,710
-pdfalyzer/detection/yaralyzer_helper.py,sha256=v0XN36F2EjioAi4rP1qNqEj_aZJOMDfVQhGiY3Xg66I,1750
+pdfalyzer/detection/javascript_hunter.py,sha256=_wT2vkKTMlm_RGCjYsmwcmV-ag1qep3EpkHmUw0nWcQ,711
+pdfalyzer/detection/yaralyzer_helper.py,sha256=hmrnvTVtaX9l4FbXQrtrdXYHaK_IFSTDIuEWBIDPN74,1764
 pdfalyzer/font_info.py,sha256=L5ykKvlifAQv2uw-pKqxbQPqWrvbli0IcO8DgDK0SQo,6665
 pdfalyzer/helpers/dict_helper.py,sha256=2TP0_EJBouaWD6jfnAekrEZ4M5eHKL8Tm61FgXZtBAg,303
-pdfalyzer/helpers/number_helper.py,sha256=9XVxI6fygHIb0oqkOmFQUlvTxED9QKtwxvIYYGyUYU8,290
+pdfalyzer/helpers/number_helper.py,sha256=8IlRmaOVLJsUV18VLvWRZU8SzRxL0XZjrY3sjmk2Ro4,292
 pdfalyzer/helpers/pdf_object_helper.py,sha256=u0j8B9mY8s5cTGo5LmDcozotvvgZNrwwJ4w_ipQqiXw,1105
 pdfalyzer/helpers/rich_text_helper.py,sha256=Ytd1n1ONmEe7BxEwT-LLT6rt7QF-m_wnapPdwWYT4Pc,1800
 pdfalyzer/helpers/string_helper.py,sha256=75EDEFw3UWHvWF32WtvZVBbqYY3ozO4y30dtH2qVMX0,2278
@@ -28,19 +28,19 @@ pdfalyzer/output/tables/decoding_stats_table.py,sha256=mhQOiWhmovaC4sop38WcxStv_
 pdfalyzer/output/tables/font_summary_table.py,sha256=xfTqC7BlQd0agQf6nDDhkcJno7hru6mf9_xY1f5IDcw,2065
 pdfalyzer/output/tables/pdf_node_rich_table.py,sha256=Soz5gkSl9pMFbwmGxyKyil_9X-Pl-fI0i8s0cvwLC3Q,5909
 pdfalyzer/output/tables/stream_objects_table.py,sha256=nzCTci8Kqs8Pyghad3L5KWHDdIWRSrKCRNW8geA_rMo,707
-pdfalyzer/pdf_object_relationship.py,sha256=fQs0Jx1Tx2aC-ON_hGBMJ96vWkL7JOP_ykustQWVzDQ,5391
-pdfalyzer/pdfalyzer.py,sha256=hifxJfBPoAWL8EJPQ7nEnI5WvijFj3ijlFJ2D4zkp3E,11016
+pdfalyzer/pdf_object_relationship.py,sha256=EgeIiVDofvZd-il114H8ZlKKwCOci5T5S4e15mHK_Wg,5340
+pdfalyzer/pdfalyzer.py,sha256=sOZqOKiRivd2I0Lek_cbYu0h4jIi8DXYnw5H0f6TfcA,11016
 pdfalyzer/util/adobe_strings.py,sha256=A4V3BI2pOaOmF4_RCbtsLxfv5LBWWKVtqrW562DzR6Y,4983
 pdfalyzer/util/argument_parser.py,sha256=EiOBaMRFvb9C_Zq3Odhw0KECSvElEfm8hGyljsOmzV4,8053
 pdfalyzer/util/debugging.py,sha256=nE64VUQbdu2OQRC8w8-AJkMtBOy8Kf3mjozuFslfWsw,156
 pdfalyzer/util/exceptions.py,sha256=XLFFTdx1n6i_VCmvuzvIOCa-djJvGEitfo9lhy3zq0k,98
 pdfalyzer/util/pdf_parser_manager.py,sha256=FVRYAYsCd0y5MAm--qvXnwCZnDtB3x85FdJtb-gpyw4,3109
-pdfalyzer/yara_rules/PDF.yara,sha256=sEUx5t0knhHcUJgHciN3TdZ2Bfp4OnvmrCLlmhFCICo,33476
+pdfalyzer/yara_rules/PDF.yara,sha256=uTBPFzbNb91eWnAM_LzXMKodBxAz2Rj804kQDyeARc8,38667
 pdfalyzer/yara_rules/PDF_binary_stream.yara,sha256=oWRPLe5yQiRFMvi3BTHNTlB6T7NcAuxKn0C9OSvgJSM,804
 pdfalyzer/yara_rules/__init.py__,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 pdfalyzer/yara_rules/lprat.static_file_analysis.yara,sha256=i0CwRH8pBx_QshKFTQtr1CP5n378EZelsF2FxMY2y5A,21859
-pdfalyzer-1.14.8.dist-info/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
-pdfalyzer-1.14.8.dist-info/METADATA,sha256=YttrTxzkQ-qUG-7cBTEgELT8B4wWAisaTxU17FAo63Q,24474
-pdfalyzer-1.14.8.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
-pdfalyzer-1.14.8.dist-info/entry_points.txt,sha256=rl7OpBvxSNmV90rjTPCjhXTtjRMqZxHUAQfP0Cdmt1Y,111
-pdfalyzer-1.14.8.dist-info/RECORD,,
+pdfalyzer-1.14.10.dist-info/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
+pdfalyzer-1.14.10.dist-info/METADATA,sha256=7HuP-rQptGKP3S_BfTMDjHtetCU663pfNYJH7j4B1yw,24475
+pdfalyzer-1.14.10.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
+pdfalyzer-1.14.10.dist-info/entry_points.txt,sha256=rl7OpBvxSNmV90rjTPCjhXTtjRMqZxHUAQfP0Cdmt1Y,111
+pdfalyzer-1.14.10.dist-info/RECORD,,