pdfalyzer 1.14.8__tar.gz → 1.14.9__tar.gz



Files changed (44)
  1. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/CHANGELOG.md +3 -0
  2. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/PKG-INFO +1 -1
  3. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/yara_rules/PDF.yara +36 -0
  4. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pyproject.toml +1 -1
  5. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/LICENSE +0 -0
  6. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/README.md +0 -0
  7. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/__init__.py +0 -0
  8. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/__main__.py +0 -0
  9. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/binary/binary_scanner.py +0 -0
  10. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/config.py +0 -0
  11. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/decorators/document_model_printer.py +0 -0
  12. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/decorators/indeterminate_node.py +0 -0
  13. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/decorators/pdf_object_properties.py +0 -0
  14. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/decorators/pdf_tree_node.py +0 -0
  15. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/decorators/pdf_tree_verifier.py +0 -0
  16. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/detection/constants/binary_regexes.py +0 -0
  17. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/detection/constants/javascript_reserved_keywords.py +0 -0
  18. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/detection/javascript_hunter.py +0 -0
  19. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/detection/yaralyzer_helper.py +0 -0
  20. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/font_info.py +0 -0
  21. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/helpers/dict_helper.py +0 -0
  22. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/helpers/number_helper.py +0 -0
  23. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/helpers/pdf_object_helper.py +0 -0
  24. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/helpers/rich_text_helper.py +0 -0
  25. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/helpers/string_helper.py +0 -0
  26. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/output/character_mapping.py +0 -0
  27. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/output/layout.py +0 -0
  28. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/output/pdfalyzer_presenter.py +0 -0
  29. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/output/styles/node_colors.py +0 -0
  30. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/output/styles/rich_theme.py +0 -0
  31. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/output/tables/decoding_stats_table.py +0 -0
  32. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/output/tables/font_summary_table.py +0 -0
  33. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/output/tables/pdf_node_rich_table.py +0 -0
  34. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/output/tables/stream_objects_table.py +0 -0
  35. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/pdf_object_relationship.py +0 -0
  36. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/pdfalyzer.py +0 -0
  37. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/util/adobe_strings.py +0 -0
  38. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/util/argument_parser.py +0 -0
  39. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/util/debugging.py +0 -0
  40. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/util/exceptions.py +0 -0
  41. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/util/pdf_parser_manager.py +0 -0
  42. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/yara_rules/PDF_binary_stream.yara +0 -0
  43. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/yara_rules/__init.py__ +0 -0
  44. {pdfalyzer-1.14.8 → pdfalyzer-1.14.9}/pdfalyzer/yara_rules/lprat.static_file_analysis.yara +0 -0
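--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # NEXT RELEASE
 
+### 1.14.9
+* Add [ActiveMime YARA rule](https://blog.didierstevens.com/2023/08/29/quickpost-pdf-activemime-maldocs-yara-rule/)
+
 ### 1.14.8
 * Handle internal YARA errors more gracefully with error messages instead of crashes (currently seeing `ERROR_TOO_MANY_RE_FIBERS` on macOS on some files for unknown reasons that we hope will go away eventually)
 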
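--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pdfalyzer
-Version: 1.14.8
+Version: 1.14.9
 Summary: A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more.
 Home-page: https://github.com/michelcrypt4d4mus/pdfalyzer
 License: GPL-3.0-or-later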
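--- a/pdfalyzer/yara_rules/PDF.yara
+++ b/pdfalyzer/yara_rules/PDF.yara
@@ -983,3 +983,39 @@ rule PDF_JS_guillemet_close_in_Adobe_Type1_font
 $url_js_backtick_close_obj and Adobe_Type_1_Font
 }
 
+
+rule rule_pdf_activemime {
+meta:
+author = "Didier Stevens"
+date = "2023/08/29"
+version = "0.0.1"
+samples = "5b677d297fb862c2d223973697479ee53a91d03073b14556f421b3d74f136b9d,098796e1b82c199ad226bff056b6310262b132f6d06930d3c254c57bdf548187,ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058"
+description = "look for files that start with %PDF- and contain BASE64 encoded string ActiveMim (QWN0aXZlTWlt), possibly obfuscated with extra whitespace characters"
+usage = "if you don't have to care about YARA performance warnings, you can uncomment string $base64_ActiveMim0 and remove all other $base64_ActiveMim## strings"
+strings:
+$pdf = "%PDF-"
+// $base64_ActiveMim0 = /[ \t\r\n]*Q[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim1 = /Q [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim2 = /Q \t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim3 = /Q \r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim4 = /Q \n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim5 = /Q\t [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim6 = /Q\t\t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim7 = /Q\t\r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim8 = /Q\t\n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim9 = /Q\r [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim10 = /Q\r\t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim11 = /Q\r\r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim12 = /Q\r\n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim13 = /Q\n [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim14 = /Q\n\t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim15 = /Q\n\r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim16 = /Q\n\n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim17 = /QW [ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim18 = /QW\t[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim19 = /QW\r[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim20 = /QW\n[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+$base64_ActiveMim21 = /QWN[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
+condition:
+$pdf at 0 and any of ($base64_ActiveMim*)
+}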
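Review bot: The whitespace-obfuscation coverage of the new strings has a gap: `$base64_ActiveMim5`–`16` all require two whitespace characters after `Q` and `$base64_ActiveMim17`–`21` require `QW` to be adjacent, so a blob with exactly one tab, CR or LF between `Q` and `W` (prefix `Q\tW`, `Q\rW`, `Q\nW`) matches none of the 21 strings even though the commented-out `$base64_ActiveMim0` would catch it. Whether the single-space case is covered depends on `$base64_ActiveMim1`: as printed its literal prefix is `Q` plus one space, which would make `$base64_ActiveMim2`–`4` redundant, so I suspect the page collapsed a double space and that case is missing as well — please check the source file. The four strings below close the gap and are picked up automatically by `any of ($base64_ActiveMim*)`; they keep a three-byte literal prefix like the `QW` variants, so they should not introduce a new performance warning, and the space variant can be dropped if `$base64_ActiveMim1` really is single-space. Separately, the `meta:` section would benefit from `reference = "https://blog.didierstevens.com/2023/08/29/quickpost-pdf-activemime-maldocs-yara-rule/"` (the link only appears in CHANGELOG.md), and the name `rule_pdf_activemime` does not follow the `PDF_…` convention of the neighbouring `PDF_JS_guillemet_close_in_Adobe_Type1_font`. The whole rule is inside the hunk.
```yara
// … unchanged: meta section, $pdf, $base64_ActiveMim1 … $base64_ActiveMim21 …
$base64_ActiveMim22 = /Q W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
$base64_ActiveMim23 = /Q\tW[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
$base64_ActiveMim24 = /Q\rW[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
$base64_ActiveMim25 = /Q\nW[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
// … unchanged: condition …
```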
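--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pdfalyzer"
-version = "1.14.8"
+version = "1.14.9"
 description = "A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more."
 authors = ["Michel de Cryptadamus <michel@cryptadamus.com>"]
 license = "GPL-3.0-or-later"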