pdfalyzer 1.16.4__tar.gz → 1.16.6__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of pdfalyzer might be problematic. Click here for more details.

Files changed (45) hide show
  1. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/CHANGELOG.md +6 -0
  2. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/PKG-INFO +1 -1
  3. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/yara_rules/PDF.yara +15 -5
  4. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pyproject.toml +1 -1
  5. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/LICENSE +0 -0
  6. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/README.md +0 -0
  7. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/__init__.py +0 -0
  8. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/__main__.py +0 -0
  9. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/binary/binary_scanner.py +0 -0
  10. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/config.py +0 -0
  11. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/decorators/document_model_printer.py +0 -0
  12. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/decorators/indeterminate_node.py +0 -0
  13. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/decorators/pdf_object_properties.py +0 -0
  14. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/decorators/pdf_tree_node.py +0 -0
  15. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/decorators/pdf_tree_verifier.py +0 -0
  16. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/detection/constants/binary_regexes.py +0 -0
  17. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/detection/constants/javascript_reserved_keywords.py +0 -0
  18. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/detection/javascript_hunter.py +0 -0
  19. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/detection/yaralyzer_helper.py +0 -0
  20. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/font_info.py +0 -0
  21. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/helpers/dict_helper.py +0 -0
  22. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/helpers/filesystem_helper.py +0 -0
  23. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/helpers/number_helper.py +0 -0
  24. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/helpers/pdf_object_helper.py +0 -0
  25. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/helpers/rich_text_helper.py +0 -0
  26. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/helpers/string_helper.py +0 -0
  27. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/output/character_mapping.py +0 -0
  28. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/output/layout.py +0 -0
  29. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/output/pdfalyzer_presenter.py +0 -0
  30. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/output/styles/node_colors.py +0 -0
  31. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/output/styles/rich_theme.py +0 -0
  32. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/output/tables/decoding_stats_table.py +0 -0
  33. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/output/tables/font_summary_table.py +0 -0
  34. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/output/tables/pdf_node_rich_table.py +0 -0
  35. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/output/tables/stream_objects_table.py +0 -0
  36. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/pdf_object_relationship.py +0 -0
  37. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/pdfalyzer.py +0 -0
  38. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/util/adobe_strings.py +0 -0
  39. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/util/argument_parser.py +0 -0
  40. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/util/debugging.py +0 -0
  41. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/util/exceptions.py +0 -0
  42. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/util/pdf_parser_manager.py +0 -0
  43. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/yara_rules/PDF_binary_stream.yara +0 -0
  44. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/yara_rules/__init.py__ +0 -0
  45. {pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/yara_rules/lprat.static_file_analysis.yara +0 -0
{pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/CHANGELOG.md RENAMED
@@ -1,5 +1,11 @@
1
1
  # NEXT RELEASE
2
2
 
3
+ ### 1.16.6
4
+ * Add the creator hash to GIFTEDCROOK rule
5
+
6
+ ### 1.16.5
7
+ * Add YARA rule for GIFTEDCROOK infostealer PDFs
8
+
3
9
  ### 1.16.4
4
10
  * Bump `PyPDF` to 5.7.0
5
11
 
{pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/PKG-INFO RENAMED
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.1
2
2
  Name: pdfalyzer
3
- Version: 1.16.4
3
+ Version: 1.16.6
4
4
  Summary: A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more.
5
5
  Home-page: https://github.com/michelcrypt4d4mus/pdfalyzer
6
6
  License: GPL-3.0-or-later
{pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pdfalyzer/yara_rules/PDF.yara RENAMED
@@ -26,7 +26,6 @@ rule Cobaltgang_PDF_Metadata_Rev_A
26
26
  author = "Palo Alto Networks Unit 42"
27
27
  date = "2018-10-25"
28
28
  reference = "https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/"
29
-
30
29
  strings:
31
30
  $ = "<xmpMM:DocumentID>uuid:31ac3688-619c-4fd4-8e3f-e59d0354a338" ascii wide
32
31
  condition:
@@ -293,7 +292,6 @@ rule suspicious_embed : PDF
293
292
  version = "0.1"
294
293
  ref = "https://feliam.wordpress.com/2010/01/13/generic-pdf-exploit-hider-embedpdf-py-and-goodbye-av-detection-012010/"
295
294
  weight = 2
296
-
297
295
  strings:
298
296
  $magic = { 25 50 44 46 }
299
297
 
@@ -330,7 +328,6 @@ rule invalid_XObject_js : PDF
330
328
  ref = "https://blogs.adobe.com/ReferenceXObjects/"
331
329
  version = "0.1"
332
330
  weight = 2
333
-
334
331
  strings:
335
332
  $magic = { 25 50 44 46 }
336
333
  $ver = /%PDF-1\.[4-9]/
@@ -526,7 +523,6 @@ rule blackhole2_pdf : EK PDF{
526
523
  yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
527
524
  weight = 6
528
525
  tag = "attack.initial"
529
-
530
526
  strings:
531
527
  $string0 = "/StructTreeRoot 5 0 R/Type/Catalog>>"
532
528
  $string1 = "0000036095 00000 n"
@@ -558,7 +554,6 @@ rule XDP_embedded_PDF : PDF
558
554
  version = "0.1"
559
555
  ref = "http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp"
560
556
  weight = 1
561
-
562
557
  strings:
563
558
  $s1 = "<pdf xmlns="
564
559
  $s2 = "<chunk>"
@@ -1073,3 +1068,18 @@ rule QakbotPDF {
1073
1068
  condition:
1074
1069
  $url
1075
1070
  }
1071
+
1072
+
1073
+ rule GIFTEDCROOK {
1074
+ meta:
1075
+ date = "2025-06-29"
1076
+ description = "Find GIFTEDCROOK PDFs"
1077
+ hash = "1974709f9af31380f055f86040ef90c71c68ceb2e14825509babf902b50a1a4b"
1078
+ reference = "https://arcticwolf.com/resources/blog/giftedcrook-strategic-pivot-from-browser-stealer-to-data-exfiltration-platform/"
1079
+ strings:
1080
+ $mega_link = "https://mega.nz/file" nocase
1081
+ $creator = "FEFF005700720069007400650072"
1082
+ condition:
1083
+ uint32(0) == 0x25504446 and
1084
+ any of them
1085
+ }
{pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/pyproject.toml RENAMED
@@ -1,6 +1,6 @@
1
1
  [tool.poetry]
2
2
  name = "pdfalyzer"
3
- version = "1.16.4"
3
+ version = "1.16.6"
4
4
  description = "A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more."
5
5
  authors = ["Michel de Cryptadamus <michel@cryptadamus.com>"]
6
6
  license = "GPL-3.0-or-later"
{pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/LICENSE RENAMED
File without changes
{pdfalyzer-1.16.4 → pdfalyzer-1.16.6}/README.md RENAMED
File without changes