pdfalyzer 1.16.4__py3-none-any.whl → 1.16.6__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of pdfalyzer might be problematic. Click here for more details.
- CHANGELOG.md +6 -0
- pdfalyzer/yara_rules/PDF.yara +15 -5
- {pdfalyzer-1.16.4.dist-info → pdfalyzer-1.16.6.dist-info}/METADATA +1 -1
- {pdfalyzer-1.16.4.dist-info → pdfalyzer-1.16.6.dist-info}/RECORD +7 -7
- {pdfalyzer-1.16.4.dist-info → pdfalyzer-1.16.6.dist-info}/LICENSE +0 -0
- {pdfalyzer-1.16.4.dist-info → pdfalyzer-1.16.6.dist-info}/WHEEL +0 -0
- {pdfalyzer-1.16.4.dist-info → pdfalyzer-1.16.6.dist-info}/entry_points.txt +0 -0
CHANGELOG.md
CHANGED
pdfalyzer/yara_rules/PDF.yara
CHANGED
|
@@ -26,7 +26,6 @@ rule Cobaltgang_PDF_Metadata_Rev_A
|
|
|
26
26
|
author = "Palo Alto Networks Unit 42"
|
|
27
27
|
date = "2018-10-25"
|
|
28
28
|
reference = "https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/"
|
|
29
|
-
|
|
30
29
|
strings:
|
|
31
30
|
$ = "<xmpMM:DocumentID>uuid:31ac3688-619c-4fd4-8e3f-e59d0354a338" ascii wide
|
|
32
31
|
condition:
|
|
@@ -293,7 +292,6 @@ rule suspicious_embed : PDF
|
|
|
293
292
|
version = "0.1"
|
|
294
293
|
ref = "https://feliam.wordpress.com/2010/01/13/generic-pdf-exploit-hider-embedpdf-py-and-goodbye-av-detection-012010/"
|
|
295
294
|
weight = 2
|
|
296
|
-
|
|
297
295
|
strings:
|
|
298
296
|
$magic = { 25 50 44 46 }
|
|
299
297
|
|
|
@@ -330,7 +328,6 @@ rule invalid_XObject_js : PDF
|
|
|
330
328
|
ref = "https://blogs.adobe.com/ReferenceXObjects/"
|
|
331
329
|
version = "0.1"
|
|
332
330
|
weight = 2
|
|
333
|
-
|
|
334
331
|
strings:
|
|
335
332
|
$magic = { 25 50 44 46 }
|
|
336
333
|
$ver = /%PDF-1\.[4-9]/
|
|
@@ -526,7 +523,6 @@ rule blackhole2_pdf : EK PDF{
|
|
|
526
523
|
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
|
|
527
524
|
weight = 6
|
|
528
525
|
tag = "attack.initial"
|
|
529
|
-
|
|
530
526
|
strings:
|
|
531
527
|
$string0 = "/StructTreeRoot 5 0 R/Type/Catalog>>"
|
|
532
528
|
$string1 = "0000036095 00000 n"
|
|
@@ -558,7 +554,6 @@ rule XDP_embedded_PDF : PDF
|
|
|
558
554
|
version = "0.1"
|
|
559
555
|
ref = "http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp"
|
|
560
556
|
weight = 1
|
|
561
|
-
|
|
562
557
|
strings:
|
|
563
558
|
$s1 = "<pdf xmlns="
|
|
564
559
|
$s2 = "<chunk>"
|
|
@@ -1073,3 +1068,18 @@ rule QakbotPDF {
|
|
|
1073
1068
|
condition:
|
|
1074
1069
|
$url
|
|
1075
1070
|
}
|
|
1071
|
+
|
|
1072
|
+
|
|
1073
|
+
rule GIFTEDCROOK {
|
|
1074
|
+
meta:
|
|
1075
|
+
date = "2025-06-29"
|
|
1076
|
+
description = "Find GIFTEDCROOK PDFs"
|
|
1077
|
+
hash = "1974709f9af31380f055f86040ef90c71c68ceb2e14825509babf902b50a1a4b"
|
|
1078
|
+
reference = "https://arcticwolf.com/resources/blog/giftedcrook-strategic-pivot-from-browser-stealer-to-data-exfiltration-platform/"
|
|
1079
|
+
strings:
|
|
1080
|
+
$mega_link = "https://mega.nz/file" nocase
|
|
1081
|
+
$creator = "FEFF005700720069007400650072"
|
|
1082
|
+
condition:
|
|
1083
|
+
uint32(0) == 0x25504446 and
|
|
1084
|
+
any of them
|
|
1085
|
+
}
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.1
|
|
2
2
|
Name: pdfalyzer
|
|
3
|
-
Version: 1.16.
|
|
3
|
+
Version: 1.16.6
|
|
4
4
|
Summary: A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more.
|
|
5
5
|
Home-page: https://github.com/michelcrypt4d4mus/pdfalyzer
|
|
6
6
|
License: GPL-3.0-or-later
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
CHANGELOG.md,sha256=
|
|
1
|
+
CHANGELOG.md,sha256=3O4zIRTkJW6p49c7qcN7K5SzDzqPRbVb2Kw6DQHYXGU,12008
|
|
2
2
|
LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
|
|
3
3
|
pdfalyzer/__init__.py,sha256=q8qSdGdyUYmTYGOp_d2bRCCFASnlVt4wa-DlBikD5-M,5362
|
|
4
4
|
pdfalyzer/__main__.py,sha256=Ko_AoAyYMLIe_cmhiUSl6twheLZrGyT8aOSJ2CP7EZY,43
|
|
@@ -36,12 +36,12 @@ pdfalyzer/util/argument_parser.py,sha256=hC0CLZPIXerP9Z0WZYE4Vj8wEPLwo3KpA-iRio6
|
|
|
36
36
|
pdfalyzer/util/debugging.py,sha256=nE64VUQbdu2OQRC8w8-AJkMtBOy8Kf3mjozuFslfWsw,156
|
|
37
37
|
pdfalyzer/util/exceptions.py,sha256=XLFFTdx1n6i_VCmvuzvIOCa-djJvGEitfo9lhy3zq0k,98
|
|
38
38
|
pdfalyzer/util/pdf_parser_manager.py,sha256=FVRYAYsCd0y5MAm--qvXnwCZnDtB3x85FdJtb-gpyw4,3109
|
|
39
|
-
pdfalyzer/yara_rules/PDF.yara,sha256=
|
|
39
|
+
pdfalyzer/yara_rules/PDF.yara,sha256=H5rbhqKfCeiQZWNuhzVAsAsAo2KKt3ZqIwSKnZyzOSw,40189
|
|
40
40
|
pdfalyzer/yara_rules/PDF_binary_stream.yara,sha256=oWRPLe5yQiRFMvi3BTHNTlB6T7NcAuxKn0C9OSvgJSM,804
|
|
41
41
|
pdfalyzer/yara_rules/__init.py__,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
42
42
|
pdfalyzer/yara_rules/lprat.static_file_analysis.yara,sha256=i0CwRH8pBx_QshKFTQtr1CP5n378EZelsF2FxMY2y5A,21859
|
|
43
|
-
pdfalyzer-1.16.
|
|
44
|
-
pdfalyzer-1.16.
|
|
45
|
-
pdfalyzer-1.16.
|
|
46
|
-
pdfalyzer-1.16.
|
|
47
|
-
pdfalyzer-1.16.
|
|
43
|
+
pdfalyzer-1.16.6.dist-info/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
|
|
44
|
+
pdfalyzer-1.16.6.dist-info/METADATA,sha256=yk4PH8L1Ys1lYjTYf0E24nirnrCa3Pb5ivg7-AVRMAM,26231
|
|
45
|
+
pdfalyzer-1.16.6.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
|
|
46
|
+
pdfalyzer-1.16.6.dist-info/entry_points.txt,sha256=aZurgt-Xg3pojS7oTRI4hNLpK1hO4kTfChf0x2eQoD8,147
|
|
47
|
+
pdfalyzer-1.16.6.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|