PyPI - pdfalyzer - Versions diffs - 1.16.1__tar.gz → 1.16.3__tar.gz - Mend

pdfalyzer 1.16.1tar.gz → 1.16.3tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

{pdfalyzer-1.16.1 → pdfalyzer-1.16.3}/CHANGELOG.md RENAMED Viewed

@@ -1,5 +1,11 @@
 # NEXT RELEASE
+### 1.16.3
+* Fix typo in help
+### 1.16.2
+* Add two more PDF related YARA rules
 ### 1.16.1
 * Configure a `Changelog` link for `pypi` to display

{pdfalyzer-1.16.1 → pdfalyzer-1.16.3}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pdfalyzer
-Version: 1.16.1
+Version: 1.16.3
 Summary: A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more.
 Home-page: https://github.com/michelcrypt4d4mus/pdfalyzer
 License: GPL-3.0-or-later

{pdfalyzer-1.16.1 → pdfalyzer-1.16.3}/pdfalyzer/helpers/filesystem_helper.py RENAMED Viewed

@@ -3,7 +3,7 @@ Some helpers for stuff with the local filesystem.
 """
 import re
 from pathlib import Path
-from typing import Union
+from typing import Optional, Union
 from yaralyzer.output.rich_console import console
@@ -45,7 +45,7 @@ def do_all_files_exist(file_paths: list[Union[str, Path]]) -> bool:
     return all_files_exist
-def extract_page_number(file_path: Union[str, Path]) -> int|None:
+def extract_page_number(file_path: Union[str, Path]) -> Optional[int]:
     """Extract the page number from the end of a filename if it exists."""
     match = NUMBERED_PAGE_REGEX.match(str(file_path))
     return int(match.group(1)) if match else None
@@ -56,7 +56,7 @@ def file_size_in_mb(file_path: Union[str, Path], decimal_places: int = 2) -> flo
     return round(Path(file_path).stat().st_size / 1024.0 / 1024.0, decimal_places)
-def set_max_open_files(num_filehandles: int = DEFAULT_MAX_OPEN_FILES) -> tuple[int | None, int | None]:
+def set_max_open_files(num_filehandles: int = DEFAULT_MAX_OPEN_FILES) -> tuple[Optional[int], Optional[int]]:
     """
     Sets the OS level max open files to at least 'num_filehandles'. Current value can be seen with 'ulimit -a'.
     Required when you might be opening more than DEFAULT_MAX_OPEN_FILES file handles simultaneously

{pdfalyzer-1.16.1 → pdfalyzer-1.16.3}/pdfalyzer/helpers/rich_text_helper.py RENAMED Viewed

@@ -1,8 +1,7 @@
 """
 Functions for miscellaneous Rich text/string operations.
 """
-from functools import partial
-from typing import List
+from typing import List, Union
 from pypdf.generic import PdfObject
 from rich.console import Console
@@ -17,7 +16,7 @@ from pdfalyzer.output.styles.node_colors import get_label_style, get_class_style
 pdfalyzer_console = Console(color_system='256')
-def print_highlighted(msg: str|Text, **kwargs) -> None:
+def print_highlighted(msg: Union[str, Text], **kwargs) -> None:
     """Print 'msg' with Rich highlighting."""
     pdfalyzer_console.print(msg, highlight=True, **kwargs)

{pdfalyzer-1.16.1 → pdfalyzer-1.16.3}/pdfalyzer/util/argument_parser.py RENAMED Viewed

@@ -4,7 +4,7 @@ from collections import namedtuple
 from functools import partial, update_wrapper
 from importlib.metadata import version
 from os import getcwd, path
-from typing import List
+from typing import List, Optional
 from rich_argparse_plus import RichHelpFormatterPlus
 from rich.prompt import Confirm
@@ -80,7 +80,7 @@ select.add_argument('-r', '--rich', action='store_true',
                     help='show much larger / more detailed tree visualization (one row per PDF object property)')
 select.add_argument('-f', '--fonts', action='store_true',
-                    help="show info about fonts included character mappings for embedded font binaries")
+                    help="show info about fonts including character mappings for embedded font binaries")
 select.add_argument('-y', '--yara', action='store_true',
                     help="scan the PDF with the included malicious PDF YARA rules and/or your custom YARA rules")
@@ -254,7 +254,7 @@ def ask_to_proceed() -> None:
         exit_with_error()
-def exit_with_error(error_message: str|None = None) -> None:
+def exit_with_error(error_message: Optional[str] = None) -> None:
     """Print 'error_message' and exit with status code 1."""
     if error_message:
         print_highlighted(Text('').append('ERROR', style='bold red').append(f': {error_message}'))

{pdfalyzer-1.16.1 → pdfalyzer-1.16.3}/pdfalyzer/yara_rules/PDF.yara RENAMED Viewed

@@ -1030,17 +1030,46 @@ rule malware_MaldocinPDF {
         labs_reference = "N/A"
         labs_pivot     = "N/A"
         samples        = "ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058"
     strings:
         $docfile2 = "<w:WordDocument>" ascii nocase
         $xlsfile2 = "<x:ExcelWorkbook>" ascii nocase
         $mhtfile0 = "mime" ascii nocase
         $mhtfile1 = "content-location:" ascii nocase
         $mhtfile2 = "content-type:" ascii nocase
      condition:
         (uint32(0) == 0x46445025) and
         (1 of ($mhtfile*)) and
         ( (1 of ($docfile*)) or
           (1 of ($xlsfile*)) )
 }
+rule EXPLOIT_PDFJS_CVE_2024_4367 {
+    meta:
+        description = "Detects PDFs that exploit CVE-2024-4367"
+        author = "spaceraccoon, Eugene Lim"
+        blog_reference = "https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/"
+        reference = "https://github.com/spaceraccoon/detect-cve-2024-4367"
+        date = "2024-05-23"
+        modified = "2024-05-23"
+        score = 75
+        id = "bb000216-17b5-41eb-a144-2982131fbf45"
+    strings:
+        $re1 = /\/FontMatrix\s+\[\.\-\d\s]*\(/
+    condition:
+        any of them
+}
+rule QakbotPDF {
+    meta:
+        description = "This is a rule to detect Qakbot"
+        hash = "ce0b6e49d017a570bdaa463e51893014a7378fb4586e33fabbc6c4832c355663"
+        filename = "Necessitatibus.pdf"
+        author = "Motawkkel Abdulrhman AKA RY0D4N"
+        reference = "https://github.com/xRY0D4N/Yara-Rules/blob/main/Qakbot/rule.yar"
+    strings:
+        $url = "/URI (http://gurtek.com.tr/exi/exi.php)" nocase ascii wide
+    condition:
+        $url
+}

{pdfalyzer-1.16.1 → pdfalyzer-1.16.3}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pdfalyzer"
-version = "1.16.1"
+version = "1.16.3"
 description = "A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more."
 authors = ["Michel de Cryptadamus <michel@cryptadamus.com>"]
 license = "GPL-3.0-or-later"