pdfalyzer 1.16.0__py3-none-any.whl → 1.16.2__py3-none-any.whl

CHANGELOG.md

@@ -1,5 +1,11 @@
 # NEXT RELEASE
 
+### 1.16.2
+* Add two more PDF related YARA rules
+
+### 1.16.1
+* Configure a `Changelog` link for `pypi` to display
+
 # 1.16.0
 * Upgrade `PyPDF2` 2.x to `pypdf` 5.0.1 (new name, same package)
 * Add `--image-quality` option to `combine_pdfs` tool

pdfalyzer/helpers/filesystem_helper.py

@@ -3,7 +3,7 @@ Some helpers for stuff with the local filesystem.
 """
 import re
 from pathlib import Path
-from typing import Union
+from typing import Optional, Union
 
 from yaralyzer.output.rich_console import console
 
@@ -45,7 +45,7 @@ def do_all_files_exist(file_paths: list[Union[str, Path]]) -> bool:
     return all_files_exist
 
 
-def extract_page_number(file_path: Union[str, Path]) -> int|None:
+def extract_page_number(file_path: Union[str, Path]) -> Optional[int]:
     """Extract the page number from the end of a filename if it exists."""
     match = NUMBERED_PAGE_REGEX.match(str(file_path))
     return int(match.group(1)) if match else None
@@ -56,7 +56,7 @@ def file_size_in_mb(file_path: Union[str, Path], decimal_places: int = 2) -> flo
     return round(Path(file_path).stat().st_size / 1024.0 / 1024.0, decimal_places)
 
 
-def set_max_open_files(num_filehandles: int = DEFAULT_MAX_OPEN_FILES) -> tuple[int | None, int | None]:
+def set_max_open_files(num_filehandles: int = DEFAULT_MAX_OPEN_FILES) -> tuple[Optional[int], Optional[int]]:
     """
     Sets the OS level max open files to at least 'num_filehandles'. Current value can be seen with 'ulimit -a'.
     Required when you might be opening more than DEFAULT_MAX_OPEN_FILES file handles simultaneously

pdfalyzer/helpers/rich_text_helper.py

@@ -1,8 +1,7 @@
 """
 Functions for miscellaneous Rich text/string operations.
 """
-from functools import partial
-from typing import List
+from typing import List, Union
 
 from pypdf.generic import PdfObject
 from rich.console import Console
@@ -17,7 +16,7 @@ from pdfalyzer.output.styles.node_colors import get_label_style, get_class_style
 pdfalyzer_console = Console(color_system='256')
 
 
-def print_highlighted(msg: str|Text, **kwargs) -> None:
+def print_highlighted(msg: Union[str, Text], **kwargs) -> None:
     """Print 'msg' with Rich highlighting."""
     pdfalyzer_console.print(msg, highlight=True, **kwargs)
 

pdfalyzer/util/argument_parser.py

@@ -4,7 +4,7 @@ from collections import namedtuple
 from functools import partial, update_wrapper
 from importlib.metadata import version
 from os import getcwd, path
-from typing import List
+from typing import List, Optional
 
 from rich_argparse_plus import RichHelpFormatterPlus
 from rich.prompt import Confirm
@@ -254,7 +254,7 @@ def ask_to_proceed() -> None:
         exit_with_error()
 
 
-def exit_with_error(error_message: str|None = None) -> None:
+def exit_with_error(error_message: Optional[str] = None) -> None:
     """Print 'error_message' and exit with status code 1."""
     if error_message:
         print_highlighted(Text('').append('ERROR', style='bold red').append(f': {error_message}'))

pdfalyzer/yara_rules/PDF.yara

@@ -1030,17 +1030,46 @@ rule malware_MaldocinPDF {
         labs_reference = "N/A"
         labs_pivot     = "N/A"
         samples        = "ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058"
-
     strings:
         $docfile2 = "<w:WordDocument>" ascii nocase
         $xlsfile2 = "<x:ExcelWorkbook>" ascii nocase
         $mhtfile0 = "mime" ascii nocase
         $mhtfile1 = "content-location:" ascii nocase
         $mhtfile2 = "content-type:" ascii nocase
-
      condition:
         (uint32(0) == 0x46445025) and
         (1 of ($mhtfile*)) and
         ( (1 of ($docfile*)) or
           (1 of ($xlsfile*)) )
 }
+
+
+rule EXPLOIT_PDFJS_CVE_2024_4367 {
+    meta:
+        description = "Detects PDFs that exploit CVE-2024-4367"
+        author = "spaceraccoon, Eugene Lim"
+        blog_reference = "https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/"
+        reference = "https://github.com/spaceraccoon/detect-cve-2024-4367"
+        date = "2024-05-23"
+        modified = "2024-05-23"
+        score = 75
+        id = "bb000216-17b5-41eb-a144-2982131fbf45"
+    strings:
+        $re1 = /\/FontMatrix\s+\[\.\-\d\s]*\(/
+    condition:
+        any of them
+}
+
+
+rule QakbotPDF {
+    meta:
+        description = "This is a rule to detect Qakbot"
+        hash = "ce0b6e49d017a570bdaa463e51893014a7378fb4586e33fabbc6c4832c355663"
+        filename = "Necessitatibus.pdf"
+        author = "Motawkkel Abdulrhman AKA RY0D4N"
+        reference = "https://github.com/xRY0D4N/Yara-Rules/blob/main/Qakbot/rule.yar"
+    strings:
+        $url = "/URI (http://gurtek.com.tr/exi/exi.php)" nocase ascii wide
+    condition:
+        $url
+}

{pdfalyzer-1.16.0.dist-info → pdfalyzer-1.16.2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pdfalyzer
-Version: 1.16.0
+Version: 1.16.2
 Summary: A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more.
 Home-page: https://github.com/michelcrypt4d4mus/pdfalyzer
 License: GPL-3.0-or-later
@@ -23,6 +23,7 @@ Requires-Dist: python-dotenv (>=0.21.0,<0.22.0)
 Requires-Dist: rich (>=12.5.1,<13.0.0)
 Requires-Dist: rich-argparse-plus (>=0.3.1,<0.4.0)
 Requires-Dist: yaralyzer (>=0.9.4,<0.10.0)
+Project-URL: Changelog, https://github.com/michelcrypt4d4mus/pdfalyzer/blob/master/CHANGELOG.md
 Project-URL: Documentation, https://github.com/michelcrypt4d4mus/pdfalyzer
 Project-URL: Repository, https://github.com/michelcrypt4d4mus/pdfalyzer
 Description-Content-Type: text/markdown

{pdfalyzer-1.16.0.dist-info → pdfalyzer-1.16.2.dist-info}/RECORD

@@ -1,4 +1,4 @@
-CHANGELOG.md,sha256=ojqG5GrSc6nAN3pkuRMfS2qWhrk_OcFk3kMafbnjqXI,11710
+CHANGELOG.md,sha256=4PUZoK_K_Cv6O9xmyt0mOyra3Yu3xlSXNNVO78VPsPY,11825
 LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
 pdfalyzer/__init__.py,sha256=q8qSdGdyUYmTYGOp_d2bRCCFASnlVt4wa-DlBikD5-M,5362
 pdfalyzer/__main__.py,sha256=Ko_AoAyYMLIe_cmhiUSl6twheLZrGyT8aOSJ2CP7EZY,43
@@ -15,10 +15,10 @@ pdfalyzer/detection/javascript_hunter.py,sha256=_wT2vkKTMlm_RGCjYsmwcmV-ag1qep3E
 pdfalyzer/detection/yaralyzer_helper.py,sha256=_l9eJQUtMlo9RhY5h8Xq9gBLxzn1VgJsCA1nCsFDGvo,1999
 pdfalyzer/font_info.py,sha256=0NQ6g4q3pTdirwGjJhur8HkXQlC732cR7IhilO33g2A,6663
 pdfalyzer/helpers/dict_helper.py,sha256=2TP0_EJBouaWD6jfnAekrEZ4M5eHKL8Tm61FgXZtBAg,303
-pdfalyzer/helpers/filesystem_helper.py,sha256=wHlFz4DFzPAJt2OzMRrhsjL-O3gLJ02JhuwBRwkE958,4089
+pdfalyzer/helpers/filesystem_helper.py,sha256=1clV0mqKFJUJC4xU2q_ApklpHCqCclxJAVJwRp93OF0,4110
 pdfalyzer/helpers/number_helper.py,sha256=8IlRmaOVLJsUV18VLvWRZU8SzRxL0XZjrY3sjmk2Ro4,292
 pdfalyzer/helpers/pdf_object_helper.py,sha256=Ija6cWKfFQRXCfZv2ezU1V2v0KFDn9f4ayeX8eG9GmI,1102
-pdfalyzer/helpers/rich_text_helper.py,sha256=s5ytOme8CZCIWAsiPHFlIi6q0KN5qZPBb0OrtTfRkq4,2254
+pdfalyzer/helpers/rich_text_helper.py,sha256=j4zs41T94vjkr9e86ZVQRKYiUBjoZyZMdVJ4d4uiON8,2239
 pdfalyzer/helpers/string_helper.py,sha256=75EDEFw3UWHvWF32WtvZVBbqYY3ozO4y30dtH2qVMX0,2278
 pdfalyzer/output/character_mapping.py,sha256=MtC3jKdtMaugi5038fne0T_SFSo9QU4lZl_s7bW7gzI,2092
 pdfalyzer/output/layout.py,sha256=E58T9Tl6BYZTDsj6ouMr1J5SSUiXa7timUNxnOI2IzI,2149
@@ -32,16 +32,16 @@ pdfalyzer/output/tables/stream_objects_table.py,sha256=nzCTci8Kqs8Pyghad3L5KWHDd
 pdfalyzer/pdf_object_relationship.py,sha256=ug-338eoXFdD4YtDWPdzcfxP2fQDQa-GE8I3m3a01TA,5339
 pdfalyzer/pdfalyzer.py,sha256=6JflqQJb2crXXaVA6DHHgWB45w2MBFB3pqE3AlZO5WI,11013
 pdfalyzer/util/adobe_strings.py,sha256=F1MOBtSyIuF5HPmzWDr8MgnLyVodOsZSy4AFFCMHq_Y,5033
-pdfalyzer/util/argument_parser.py,sha256=_8bhYkrw_lH9ce-ZnagcCtn9iqjeUW4dbbyQicB5hqE,11902
+pdfalyzer/util/argument_parser.py,sha256=zVblR_lkqfjbfF7nvRjnQCEkYdA14tpLIpBno-CocIg,11917
 pdfalyzer/util/debugging.py,sha256=nE64VUQbdu2OQRC8w8-AJkMtBOy8Kf3mjozuFslfWsw,156
 pdfalyzer/util/exceptions.py,sha256=XLFFTdx1n6i_VCmvuzvIOCa-djJvGEitfo9lhy3zq0k,98
 pdfalyzer/util/pdf_parser_manager.py,sha256=FVRYAYsCd0y5MAm--qvXnwCZnDtB3x85FdJtb-gpyw4,3109
-pdfalyzer/yara_rules/PDF.yara,sha256=fBMKYmJgBLiCq-kpVzsTP9zUJEBep6yi_QVKmC-FdY0,38611
+pdfalyzer/yara_rules/PDF.yara,sha256=ht4J7auMYwzGXD5c0E9fTq7MFo0ep375lva3E2XCsl8,39670
 pdfalyzer/yara_rules/PDF_binary_stream.yara,sha256=oWRPLe5yQiRFMvi3BTHNTlB6T7NcAuxKn0C9OSvgJSM,804
 pdfalyzer/yara_rules/__init.py__,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 pdfalyzer/yara_rules/lprat.static_file_analysis.yara,sha256=i0CwRH8pBx_QshKFTQtr1CP5n378EZelsF2FxMY2y5A,21859
-pdfalyzer-1.16.0.dist-info/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
-pdfalyzer-1.16.0.dist-info/METADATA,sha256=IEEZrNEL7fdybwE9t7PasjPu-0XQkglaS_vfIfbLBGU,25716
-pdfalyzer-1.16.0.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
-pdfalyzer-1.16.0.dist-info/entry_points.txt,sha256=aZurgt-Xg3pojS7oTRI4hNLpK1hO4kTfChf0x2eQoD8,147
-pdfalyzer-1.16.0.dist-info/RECORD,,
+pdfalyzer-1.16.2.dist-info/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
+pdfalyzer-1.16.2.dist-info/METADATA,sha256=ET2EJiWpis1oN1jVenh4VXQZTMhAeHi5qLgn03q94g4,25812
+pdfalyzer-1.16.2.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
+pdfalyzer-1.16.2.dist-info/entry_points.txt,sha256=aZurgt-Xg3pojS7oTRI4hNLpK1hO4kTfChf0x2eQoD8,147
+pdfalyzer-1.16.2.dist-info/RECORD,,