pdfalyzer 1.16.3__py3-none-any.whl → 1.16.5__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of pdfalyzer might be problematic. Click here for more details.
- CHANGELOG.md +6 -0
- pdfalyzer/yara_rules/PDF.yara +14 -5
- {pdfalyzer-1.16.3.dist-info → pdfalyzer-1.16.5.dist-info}/METADATA +4 -2
- {pdfalyzer-1.16.3.dist-info → pdfalyzer-1.16.5.dist-info}/RECORD +7 -7
- {pdfalyzer-1.16.3.dist-info → pdfalyzer-1.16.5.dist-info}/LICENSE +0 -0
- {pdfalyzer-1.16.3.dist-info → pdfalyzer-1.16.5.dist-info}/WHEEL +0 -0
- {pdfalyzer-1.16.3.dist-info → pdfalyzer-1.16.5.dist-info}/entry_points.txt +0 -0
CHANGELOG.md
CHANGED
pdfalyzer/yara_rules/PDF.yara
CHANGED
|
@@ -26,7 +26,6 @@ rule Cobaltgang_PDF_Metadata_Rev_A
|
|
|
26
26
|
author = "Palo Alto Networks Unit 42"
|
|
27
27
|
date = "2018-10-25"
|
|
28
28
|
reference = "https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/"
|
|
29
|
-
|
|
30
29
|
strings:
|
|
31
30
|
$ = "<xmpMM:DocumentID>uuid:31ac3688-619c-4fd4-8e3f-e59d0354a338" ascii wide
|
|
32
31
|
condition:
|
|
@@ -293,7 +292,6 @@ rule suspicious_embed : PDF
|
|
|
293
292
|
version = "0.1"
|
|
294
293
|
ref = "https://feliam.wordpress.com/2010/01/13/generic-pdf-exploit-hider-embedpdf-py-and-goodbye-av-detection-012010/"
|
|
295
294
|
weight = 2
|
|
296
|
-
|
|
297
295
|
strings:
|
|
298
296
|
$magic = { 25 50 44 46 }
|
|
299
297
|
|
|
@@ -330,7 +328,6 @@ rule invalid_XObject_js : PDF
|
|
|
330
328
|
ref = "https://blogs.adobe.com/ReferenceXObjects/"
|
|
331
329
|
version = "0.1"
|
|
332
330
|
weight = 2
|
|
333
|
-
|
|
334
331
|
strings:
|
|
335
332
|
$magic = { 25 50 44 46 }
|
|
336
333
|
$ver = /%PDF-1\.[4-9]/
|
|
@@ -526,7 +523,6 @@ rule blackhole2_pdf : EK PDF{
|
|
|
526
523
|
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
|
|
527
524
|
weight = 6
|
|
528
525
|
tag = "attack.initial"
|
|
529
|
-
|
|
530
526
|
strings:
|
|
531
527
|
$string0 = "/StructTreeRoot 5 0 R/Type/Catalog>>"
|
|
532
528
|
$string1 = "0000036095 00000 n"
|
|
@@ -558,7 +554,6 @@ rule XDP_embedded_PDF : PDF
|
|
|
558
554
|
version = "0.1"
|
|
559
555
|
ref = "http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp"
|
|
560
556
|
weight = 1
|
|
561
|
-
|
|
562
557
|
strings:
|
|
563
558
|
$s1 = "<pdf xmlns="
|
|
564
559
|
$s2 = "<chunk>"
|
|
@@ -1073,3 +1068,17 @@ rule QakbotPDF {
|
|
|
1073
1068
|
condition:
|
|
1074
1069
|
$url
|
|
1075
1070
|
}
|
|
1071
|
+
|
|
1072
|
+
|
|
1073
|
+
rule GIFTEDCROOK {
|
|
1074
|
+
meta:
|
|
1075
|
+
date = "2025-06-29"
|
|
1076
|
+
description = "Find GIFTEDCROOK PDFs"
|
|
1077
|
+
hash = "1974709f9af31380f055f86040ef90c71c68ceb2e14825509babf902b50a1a4b"
|
|
1078
|
+
reference = "https://arcticwolf.com/resources/blog/giftedcrook-strategic-pivot-from-browser-stealer-to-data-exfiltration-platform/"
|
|
1079
|
+
strings:
|
|
1080
|
+
$str0 = "https://mega.nz/file"
|
|
1081
|
+
condition:
|
|
1082
|
+
uint32(0) == 0x25504446 and
|
|
1083
|
+
all of them
|
|
1084
|
+
}
|
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
Metadata-Version: 2.1
|
|
2
2
|
Name: pdfalyzer
|
|
3
|
-
Version: 1.16.
|
|
3
|
+
Version: 1.16.5
|
|
4
4
|
Summary: A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more.
|
|
5
5
|
Home-page: https://github.com/michelcrypt4d4mus/pdfalyzer
|
|
6
6
|
License: GPL-3.0-or-later
|
|
7
|
-
Keywords: ascii art,binary,color,font,encoding,malicious pdf,malware,malware analysis,pdf,threat assessment,visualization,yara
|
|
7
|
+
Keywords: ascii art,binary,color,font,encoding,maldoc,malicious pdf,malware,malware analysis,pdf,pdfs,pdf analysis,threat assessment,visualization,yara
|
|
8
8
|
Author: Michel de Cryptadamus
|
|
9
9
|
Author-email: michel@cryptadamus.com
|
|
10
10
|
Requires-Python: >=3.9,<4.0
|
|
@@ -271,6 +271,8 @@ scripts/install_t1utils.sh
|
|
|
271
271
|
* [A Curious Exploration of Malicious PDF Documents](https://www.scitepress.org/Papers/2020/89923/89923.pdf) by Julian Lindenhofer, Rene Offenthaler and Martin Pirker, 2020. Overview of all the possible execution paths that can lead to a PDF executing JavaScript, opening loca/remote files, or making web requests.
|
|
272
272
|
* [Malicious PDF Generator](https://github.com/jonaslejon/malicious-pdf) is a well maintained GitHub project that does what it says on the tin.
|
|
273
273
|
* [PDF is Broken, and so is this file](https://blog.trailofbits.com/2021/02/02/pdf-is-broken-a-justctf-challenge/) is a 2021 report on what happens when you challenge cybersecurity teams to turn PDFs into weapons. (Among other things they managed to create a PDF that launches a webserver when you open it.)
|
|
274
|
+
* [linuxPDF](https://github.com/ading2210/linuxpdf) is a project that managed to embed an entire linux operating system inside a PDF document. The related [DoomPDF](https://github.com/ading2210/doompdf) managed to embed the classic video game Doom in a PDF.
|
|
275
|
+
* [horrifying-pdf-experiments](https://github.com/osnr/horrifying-pdf-experiments) is a repo of horrifying things you can do with PDFs.
|
|
274
276
|
|
|
275
277
|
|
|
276
278
|
## Did The World Really Need Another PDF Tool?
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
CHANGELOG.md,sha256=
|
|
1
|
+
CHANGELOG.md,sha256=XA_LQ-cJ5RnKVbcXLvgSQZyn5KMUKUSez7UWPcdLG8s,11953
|
|
2
2
|
LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
|
|
3
3
|
pdfalyzer/__init__.py,sha256=q8qSdGdyUYmTYGOp_d2bRCCFASnlVt4wa-DlBikD5-M,5362
|
|
4
4
|
pdfalyzer/__main__.py,sha256=Ko_AoAyYMLIe_cmhiUSl6twheLZrGyT8aOSJ2CP7EZY,43
|
|
@@ -36,12 +36,12 @@ pdfalyzer/util/argument_parser.py,sha256=hC0CLZPIXerP9Z0WZYE4Vj8wEPLwo3KpA-iRio6
|
|
|
36
36
|
pdfalyzer/util/debugging.py,sha256=nE64VUQbdu2OQRC8w8-AJkMtBOy8Kf3mjozuFslfWsw,156
|
|
37
37
|
pdfalyzer/util/exceptions.py,sha256=XLFFTdx1n6i_VCmvuzvIOCa-djJvGEitfo9lhy3zq0k,98
|
|
38
38
|
pdfalyzer/util/pdf_parser_manager.py,sha256=FVRYAYsCd0y5MAm--qvXnwCZnDtB3x85FdJtb-gpyw4,3109
|
|
39
|
-
pdfalyzer/yara_rules/PDF.yara,sha256=
|
|
39
|
+
pdfalyzer/yara_rules/PDF.yara,sha256=b2Bk2x6aIpbO3KiFqAA38VVbbsXgEWdWaC1fr9kRhDI,40126
|
|
40
40
|
pdfalyzer/yara_rules/PDF_binary_stream.yara,sha256=oWRPLe5yQiRFMvi3BTHNTlB6T7NcAuxKn0C9OSvgJSM,804
|
|
41
41
|
pdfalyzer/yara_rules/__init.py__,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
42
42
|
pdfalyzer/yara_rules/lprat.static_file_analysis.yara,sha256=i0CwRH8pBx_QshKFTQtr1CP5n378EZelsF2FxMY2y5A,21859
|
|
43
|
-
pdfalyzer-1.16.
|
|
44
|
-
pdfalyzer-1.16.
|
|
45
|
-
pdfalyzer-1.16.
|
|
46
|
-
pdfalyzer-1.16.
|
|
47
|
-
pdfalyzer-1.16.
|
|
43
|
+
pdfalyzer-1.16.5.dist-info/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
|
|
44
|
+
pdfalyzer-1.16.5.dist-info/METADATA,sha256=b73ndsRbnTaRQAK-ih5uSFujKe2ILhmHOinyBSj3igk,26231
|
|
45
|
+
pdfalyzer-1.16.5.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
|
|
46
|
+
pdfalyzer-1.16.5.dist-info/entry_points.txt,sha256=aZurgt-Xg3pojS7oTRI4hNLpK1hO4kTfChf0x2eQoD8,147
|
|
47
|
+
pdfalyzer-1.16.5.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|