pdfalyzer 1.14.8__tar.gz → 1.14.10__tar.gz

{pdfalyzer-1.14.8 → pdfalyzer-1.14.10}/CHANGELOG.md

@@ -1,5 +1,11 @@
 # NEXT RELEASE
 
+### 1.14.10
+* Add `malware_MaldocinPDF` YARA rule
+
+### 1.14.9
+* Add [ActiveMime YARA rule](https://blog.didierstevens.com/2023/08/29/quickpost-pdf-activemime-maldocs-yara-rule/)
+
 ### 1.14.8
 * Handle internal YARA errors more gracefully with error messages instead of crashes (currently seeing `ERROR_TOO_MANY_RE_FIBERS` on macOS on some files for unknown reasons that we hope will go away eventually)
 

{pdfalyzer-1.14.8 → pdfalyzer-1.14.10}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pdfalyzer
-Version: 1.14.8
+Version: 1.14.10
 Summary: A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more.
 Home-page: https://github.com/michelcrypt4d4mus/pdfalyzer
 License: GPL-3.0-or-later

{pdfalyzer-1.14.8 → pdfalyzer-1.14.10}/pdfalyzer/binary/binary_scanner.py

@@ -30,7 +30,7 @@ from pdfalyzer.util.adobe_strings import CONTENTS, CURRENTFILE_EEXEC, FONT_FILE_
 
 class BinaryScanner:
     def __init__(self, _bytes: bytes, owner: PdfTreeNode, label: Optional[Text] = None):
-        """owner is an optional link back to the object containing this binary"""
+        """'owner' arg is an optional link back to the object containing this binary."""
         self.bytes = _bytes
         self.label = label
         self.owner = owner
@@ -43,8 +43,8 @@ class BinaryScanner:
         self.regex_extraction_stats = defaultdict(lambda: RegexMatchMetrics())
 
     def check_for_dangerous_instructions(self) -> None:
-        """Scan for all the strings in DANGEROUS_INSTRUCTIONS list and decode bytes around them"""
-        subheader = "Scanning Binary For Anything That Could Be Described As 'Sus'..."
+        """Scan for all the strings in DANGEROUS_INSTRUCTIONS list and decode bytes around them."""
+        subheader = "Scanning Binary For Anything That Could Be Described As 'sus'..."
         print_section_sub_subheader(subheader, style=f"bright_red")
 
         for instruction in DANGEROUS_STRINGS:
@@ -62,7 +62,7 @@ class BinaryScanner:
                 self.process_yara_matches(yaralyzer, instruction, force=True)
 
     def check_for_boms(self) -> None:
-        """Check the binary data for BOMs"""
+        """Check the binary data for BOMs."""
         print_section_sub_subheader("Scanning Binary for any BOMs...", style='BOM')
 
         for bom_bytes, bom_name in BOMS.items():
@@ -105,11 +105,11 @@ class BinaryScanner:
         return self._quote_yaralyzer(QUOTE_PATTERNS[BACKTICK], BACKTICK).match_iterator()
 
     def extract_front_slash_quoted_bytes(self) -> Iterator[Tuple[BytesMatch, BytesDecoder]]:
-        """Returns an interator over all strings surrounded by front_slashes (hint: regular expressions)"""
+        """Returns an interator over all strings surrounded by front_slashes (hint: regular expressions)."""
         return self._quote_yaralyzer(QUOTE_PATTERNS[FRONTSLASH], FRONTSLASH).match_iterator()
 
     def print_stream_preview(self, num_bytes=None, title_suffix=None) -> None:
-        """Print a preview showing the beginning and end of the embedded stream data"""
+        """Print a preview showing the beginning and end of the embedded stream data."""
         num_bytes = num_bytes or PdfalyzerConfig._args.preview_stream_length or console_width()
         snipped_byte_count = self.stream_length - (num_bytes * 2)
         console.line()
@@ -134,7 +134,7 @@ class BinaryScanner:
         console.line()
 
     def process_yara_matches(self, yaralyzer: Yaralyzer, pattern: str, force: bool = False) -> None:
-        """Decide whether to attempt to decode the matched bytes, track stats. force param ignores min/max length"""
+        """Decide whether to attempt to decode the matched bytes, track stats. force param ignores min/max length."""
         for bytes_match, decoder in yaralyzer.match_iterator():
             log.debug(f"Trackings stats for match: {pattern}, bytes_match: {bytes_match}, is_decodable: {bytes_match.is_decodable()}")
 
@@ -185,7 +185,7 @@ class BinaryScanner:
         )
 
     def _print_suppression_notices(self) -> None:
-        """Print notices in queue in a single panel; empty queue"""
+        """Print the notices in queue in a single display panel and then empty the queue."""
         if len(self.suppression_notice_queue) == 0:
             return
 
@@ -195,5 +195,5 @@ class BinaryScanner:
         self.suppression_notice_queue = []
 
     def _eexec_idx(self) -> int:
-        """Returns the location of CURRENTFILES_EEXEC within the binary stream dataor 0"""
+        """Returns the location of CURRENTFILES_EEXEC within the binary stream data (or 0 if it's not there)."""
         return self.bytes.find(CURRENTFILE_EEXEC) if CURRENTFILE_EEXEC in self.bytes else 0

{pdfalyzer-1.14.8 → pdfalyzer-1.14.10}/pdfalyzer/decorators/document_model_printer.py

@@ -1,5 +1,5 @@
 """
-Deprecated pre-tree, more rawformat reader.
+Deprecated old, pre-tree, more rawformat reader.
 """
 from io import StringIO
 

{pdfalyzer-1.14.8 → pdfalyzer-1.14.10}/pdfalyzer/decorators/pdf_object_properties.py

@@ -47,7 +47,7 @@ class PdfObjectProperties:
             self.label = address
             self.type = root_address(address) if isinstance(address, str) else None
 
-        # Force a string. TODO this sucks.
+        # Force self.label to be a string. TODO this sucks.
         if isinstance(self.label, int):
             self.label = f"{UNLABELED}[{self.label}]"
 

{pdfalyzer-1.14.8 → pdfalyzer-1.14.10}/pdfalyzer/decorators/pdf_tree_node.py

@@ -29,9 +29,9 @@ DECODE_FAILURE_LEN = -1
 class PdfTreeNode(NodeMixin, PdfObjectProperties):
     def __init__(self, obj: PdfObject, address: str, idnum: int):
         """
-        obj: The underlying PDF object
-        address: the first address that points from some node to this one
-        idnum: ID used in the reference
+        obj:     The underlying PDF object
+        address: The first address that points from some node to this one
+        idnum:   ID used in the reference
         """
         PdfObjectProperties.__init__(self, obj, address, idnum)
         self.non_tree_relationships: List[PdfObjectRelationship] = []
@@ -54,7 +54,7 @@ class PdfTreeNode(NodeMixin, PdfObjectProperties):
 
     @classmethod
     def from_reference(cls, ref: IndirectObject, address: str) -> 'PdfTreeNode':
-        """Builds a PdfTreeDecorator from an IndirectObject"""
+        """Builds a PdfTreeDecorator from an IndirectObject."""
         try:
             return cls(ref.get_object(), address, ref.idnum)
         except PdfReadError as e:
@@ -90,7 +90,7 @@ class PdfTreeNode(NodeMixin, PdfObjectProperties):
         log.info(f'Added other relationship: {relationship} {self}')
 
     def remove_non_tree_relationship(self, from_node: 'PdfTreeNode') -> None:
-        """Remove all non_tree_relationships from from_node to this node"""
+        """Remove all non_tree_relationships from from_node to this node."""
         relationships_to_remove = [r for r in self.non_tree_relationships if r.from_node == from_node]
 
         if len(relationships_to_remove) == 0:
@@ -104,7 +104,7 @@ class PdfTreeNode(NodeMixin, PdfObjectProperties):
             self.non_tree_relationships.remove(relationship)
 
     def nodes_with_here_references(self) -> List['PdfTreeNode']:
-        """Return a list of nodes that contain this nodes PDF object as an IndirectObject reference"""
+        """Return a list of nodes that contain this nodes PDF object as an IndirectObject reference."""
         return [r.from_node for r in self.non_tree_relationships if r.from_node]
 
     def non_tree_relationship_count(self) -> int:
@@ -120,11 +120,11 @@ class PdfTreeNode(NodeMixin, PdfObjectProperties):
         return list(addresses)
 
     def references_to_other_nodes(self) -> List[PdfObjectRelationship]:
-        """Returns all nodes referenced from node.obj (see PdfObjectRelationship definition)"""
+        """Returns all nodes referenced from node.obj (see PdfObjectRelationship definition)."""
         return PdfObjectRelationship.build_node_references(from_node=self)
 
     def contains_stream(self) -> bool:
-        """Returns True for ContentStream, DecodedStream, and EncodedStream objects"""
+        """Returns True for ContentStream, DecodedStream, and EncodedStream objects."""
         return isinstance(self.obj, StreamObject)
 
     def tree_address(self, max_length: Optional[int] = DEFAULT_MAX_ADDRESS_LENGTH) -> str:
@@ -144,7 +144,7 @@ class PdfTreeNode(NodeMixin, PdfObjectProperties):
         return '...' + address[-max_length:][3:]
 
     def address_of_this_node_in_other(self, from_node: 'PdfTreeNode') -> Optional[str]:
-        """Find the local address used in from_node to refer to this node"""
+        """Find the local address used in 'from_node' to refer to this node."""
         refs_to_this_node = [
             ref for ref in from_node.references_to_other_nodes()
             if ref.to_obj.idnum == self.idnum
@@ -189,7 +189,7 @@ class PdfTreeNode(NodeMixin, PdfObjectProperties):
                 SymlinkNode(self, parent=relationship.from_node)
 
     def descendants_count(self) -> int:
-        """How many nodes in the tree are children/grandchildren/great grandchildren/etc of this one"""
+        """Count nodes in the tree that are children/grandchildren/great grandchildren/etc of this one."""
         return len(self.children) + sum([child.descendants_count() for child in self.children])
 
     def unique_labels_of_referring_nodes(self) -> List[str]:
@@ -211,7 +211,7 @@ class PdfTreeNode(NodeMixin, PdfObjectProperties):
             write_method(f"  {i + 1}. {escape(str(r))}, Descendant Count: {r.from_node.descendants_count()}")
 
     def _colored_address(self, max_length: Optional[int] = None) -> Text:
-        """Rich text version of tree_address()"""
+        """Rich text version of tree_address()."""
         text = Text('@', style='bright_white')
         return text.append(self.tree_address(max_length), style='address')
 

{pdfalyzer-1.14.8 → pdfalyzer-1.14.10}/pdfalyzer/decorators/pdf_tree_verifier.py

@@ -29,7 +29,7 @@ class PdfTreeVerifier:
             log.warning(msg)
 
     def verify_unencountered_are_untraversable(self) -> None:
-        """Make sure any PDF object IDs we can't find in tree are /ObjStm or /Xref nodes"""
+        """Make sure any PDF object IDs we can't find in tree are /ObjStm or /Xref nodes."""
         if self.pdfalyzer.pdf_size is None:
             log.warning(f"{SIZE} not found in PDF trailer; cannot verify all nodes are in tree")
             return

{pdfalyzer-1.14.8 → pdfalyzer-1.14.10}/pdfalyzer/detection/javascript_hunter.py

@@ -1,5 +1,5 @@
 """
-Count the Javascript (at least the 3+ letter words, record big matches
+Count the Javascript (at least the 3+ letter words, record big matches.
 """
 import re
 

{pdfalyzer-1.14.8 → pdfalyzer-1.14.10}/pdfalyzer/detection/yaralyzer_helper.py

@@ -1,5 +1,5 @@
 """
-Class to help with the pre-configured YARA rules in /yara.
+Class to help with the pre-configured YARA rules in the /yara directory.
 """
 from importlib.resources import as_file, files
 from sys import exit

{pdfalyzer-1.14.8 → pdfalyzer-1.14.10}/pdfalyzer/helpers/number_helper.py

@@ -1,4 +1,6 @@
-"""Some simple math helpers."""
+"""
+Some simple math helpers.
+"""
 
 
 def is_divisible_by(n: int, divisor: int) -> bool:

{pdfalyzer-1.14.8 → pdfalyzer-1.14.10}/pdfalyzer/pdf_object_relationship.py

@@ -6,7 +6,6 @@ from typing import List, Optional, Union
 from PyPDF2.generic import IndirectObject, PdfObject
 from yaralyzer.util.logging import log
 
-#from pdfalyzer.he import has_indeterminate_prefix
 from pdfalyzer.helpers.string_helper import bracketed, is_prefixed_by_any
 from pdfalyzer.util.adobe_strings import *
 

{pdfalyzer-1.14.8 → pdfalyzer-1.14.10}/pdfalyzer/yara_rules/PDF.yara

@@ -983,3 +983,64 @@ rule PDF_JS_guillemet_close_in_Adobe_Type1_font
         $url_js_backtick_close_obj and Adobe_Type_1_Font
 }
 
+
+rule rule_pdf_activemime {
+    meta:
+        author = "Didier Stevens"
+        date = "2023/08/29"
+        version = "0.0.1"
+        samples = "5b677d297fb862c2d223973697479ee53a91d03073b14556f421b3d74f136b9d,098796e1b82c199ad226bff056b6310262b132f6d06930d3c254c57bdf548187,ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058"
+        description = "look for files that start with %PDF- and contain BASE64 encoded string ActiveMim (QWN0aXZlTWlt), possibly obfuscated with extra whitespace characters"
+        usage = "if you don't have to care about YARA performance warnings, you can uncomment string $base64_ActiveMim0 and remove all other $base64_ActiveMim## strings"
+    strings:
+        $pdf = "%PDF-"
+//        $base64_ActiveMim0 = /[ \t\r\n]*Q[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim1 = /Q  [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim2 = /Q \t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim3 = /Q \r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim4 = /Q \n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim5 = /Q\t [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim6 = /Q\t\t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim7 = /Q\t\r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim8 = /Q\t\n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim9 = /Q\r [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim10 = /Q\r\t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim11 = /Q\r\r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim12 = /Q\r\n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim13 = /Q\n [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim14 = /Q\n\t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim15 = /Q\n\r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim16 = /Q\n\n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim17 = /QW [ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim18 = /QW\t[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim19 = /QW\r[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim20 = /QW\n[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+        $base64_ActiveMim21 = /QWN[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+    condition:
+        $pdf at 0 and any of ($base64_ActiveMim*)
+}
+
+
+rule malware_MaldocinPDF {
+    meta:
+        author         = "Yuma Masubuchi and Kota Kino"
+        description    = "Search for embeddings of malicious Word files into a PDF file."
+        created_date   = "2023-08-15"
+        blog_reference = "https://malware.news/t/maldoc-in-pdf-detection-bypass-by-embedding-a-malicious-word-file-into-a-pdf-file/72815"
+        labs_reference = "N/A"
+        labs_pivot     = "N/A"
+        samples        = "ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058"
+
+    strings:
+        $docfile2 = "<w:WordDocument>" ascii nocase
+        $xlsfile2 = "<x:ExcelWorkbook>" ascii nocase
+        $mhtfile0 = "mime" ascii nocase
+        $mhtfile1 = "content-location:" ascii nocase
+        $mhtfile2 = "content-type:" ascii nocase
+
+     condition:
+        (uint32(0) == 0x46445025) and
+        (1 of ($mhtfile*)) and
+        ( (1 of ($docfile*)) or
+          (1 of ($xlsfile*)) )
+}

{pdfalyzer-1.14.8 → pdfalyzer-1.14.10}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pdfalyzer"
-version = "1.14.8"
+version = "1.14.10"
 description = "A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more."
 authors = ["Michel de Cryptadamus <michel@cryptadamus.com>"]
 license = "GPL-3.0-or-later"

{pdfalyzer-1.14.8 → pdfalyzer-1.14.10}/pdfalyzer/pdfalyzer.py

@@ -13,8 +13,8 @@ from anytree import LevelOrderIter, SymlinkNode
 from anytree.search import findall, findall_by_attr
 from PyPDF2 import PdfReader
 from PyPDF2.generic import IndirectObject
-from yaralyzer.output.file_hashes_table import compute_file_hashes
 from yaralyzer.helpers.file_helper import load_binary_data
+from yaralyzer.output.file_hashes_table import compute_file_hashes
 from yaralyzer.output.rich_console import console
 from yaralyzer.util.logging import log