pdfalyzer 1.16.5__tar.gz → 1.16.7__tar.gz
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/CHANGELOG.md +8 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/PKG-INFO +5 -7
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/README.md +1 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/detection/yaralyzer_helper.py +19 -15
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/yara_rules/PDF.yara +900 -178
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/yara_rules/PDF_binary_stream.yara +1 -3
- pdfalyzer-1.16.7/pdfalyzer/yara_rules/didier_stevens.yara +248 -0
- pdfalyzer-1.16.7/pdfalyzer/yara_rules/pdf_malware.yara +2996 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pyproject.toml +7 -7
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/LICENSE +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/__init__.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/__main__.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/binary/binary_scanner.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/config.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/decorators/document_model_printer.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/decorators/indeterminate_node.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/decorators/pdf_object_properties.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/decorators/pdf_tree_node.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/decorators/pdf_tree_verifier.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/detection/constants/binary_regexes.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/detection/constants/javascript_reserved_keywords.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/detection/javascript_hunter.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/font_info.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/helpers/dict_helper.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/helpers/filesystem_helper.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/helpers/number_helper.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/helpers/pdf_object_helper.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/helpers/rich_text_helper.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/helpers/string_helper.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/output/character_mapping.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/output/layout.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/output/pdfalyzer_presenter.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/output/styles/node_colors.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/output/styles/rich_theme.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/output/tables/decoding_stats_table.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/output/tables/font_summary_table.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/output/tables/pdf_node_rich_table.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/output/tables/stream_objects_table.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/pdf_object_relationship.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/pdfalyzer.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/util/adobe_strings.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/util/argument_parser.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/util/debugging.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/util/exceptions.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/util/pdf_parser_manager.py +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/yara_rules/__init.py__ +0 -0
- {pdfalyzer-1.16.5 → pdfalyzer-1.16.7}/pdfalyzer/yara_rules/lprat.static_file_analysis.yara +0 -0
|
@@ -1,5 +1,13 @@
|
|
|
1
1
|
# NEXT RELEASE
|
|
2
2
|
|
|
3
|
+
### 1.16.7
|
|
4
|
+
* Lots of new PDF related YARA rules
|
|
5
|
+
* Upgrade `yaralyzer` to 1.0.3
|
|
6
|
+
* Upgrade `pypdf` to 5.9.0
|
|
7
|
+
|
|
8
|
+
### 1.16.6
|
|
9
|
+
* Add the creator hash to GIFTEDCROOK rule
|
|
10
|
+
|
|
3
11
|
### 1.16.5
|
|
4
12
|
* Add YARA rule for GIFTEDCROOK infostealer PDFs
|
|
5
13
|
|
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
Metadata-Version: 2.1
|
|
2
2
|
Name: pdfalyzer
|
|
3
|
-
Version: 1.16.
|
|
3
|
+
Version: 1.16.7
|
|
4
4
|
Summary: A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more.
|
|
5
5
|
Home-page: https://github.com/michelcrypt4d4mus/pdfalyzer
|
|
6
6
|
License: GPL-3.0-or-later
|
|
7
|
-
Keywords: ascii art,binary,color,
|
|
7
|
+
Keywords: ascii art,binary,color,cybersecurity,DFIR,encoding,font,infosec,maldoc,malicious pdf,malware,malware analysis,pdf,pdfs,pdf analysis,threat assessment,visualization,yara
|
|
8
8
|
Author: Michel de Cryptadamus
|
|
9
9
|
Author-email: michel@cryptadamus.com
|
|
10
10
|
Requires-Python: >=3.9,<4.0
|
|
@@ -18,11 +18,8 @@ Classifier: Topic :: Scientific/Engineering :: Visualization
|
|
|
18
18
|
Classifier: Topic :: Security
|
|
19
19
|
Requires-Dist: anytree (>=2.8,<3.0)
|
|
20
20
|
Requires-Dist: chardet (>=5.0.0,<6.0.0)
|
|
21
|
-
Requires-Dist: pypdf (>=5.0
|
|
22
|
-
Requires-Dist:
|
|
23
|
-
Requires-Dist: rich (>=12.5.1,<13.0.0)
|
|
24
|
-
Requires-Dist: rich-argparse-plus (>=0.3.1,<0.4.0)
|
|
25
|
-
Requires-Dist: yaralyzer (>=0.9.4,<0.10.0)
|
|
21
|
+
Requires-Dist: pypdf (>=5.9.0,<6.0.0)
|
|
22
|
+
Requires-Dist: yaralyzer (>=1.0.3,<2.0.0)
|
|
26
23
|
Project-URL: Changelog, https://github.com/michelcrypt4d4mus/pdfalyzer/blob/master/CHANGELOG.md
|
|
27
24
|
Project-URL: Documentation, https://github.com/michelcrypt4d4mus/pdfalyzer
|
|
28
25
|
Project-URL: Repository, https://github.com/michelcrypt4d4mus/pdfalyzer
|
|
@@ -263,6 +260,7 @@ scripts/install_t1utils.sh
|
|
|
263
260
|
* [Adobe Type 2 Charstring Format](https://adobe-type-tools.github.io/font-tech-notes/pdfs/5177.Type2.pdf) - Describes the newer Type 2 font operators which are also used in some multiple-master Type 1 fonts.
|
|
264
261
|
|
|
265
262
|
### Other Stuff
|
|
263
|
+
* [Didier Stevens's PDF tools](http://blog.didierstevens.com/programs/pdf-tools/)
|
|
266
264
|
* [Didier Stevens's free book about malicious PDFs](https://blog.didierstevens.com/2010/09/26/free-malicious-pdf-analysis-e-book/) - The master of the malicious PDFs wrote a whole book about how to analyze them. It's an old book but the PDF spec was last changed in 2008 so it's still relevant.
|
|
267
265
|
* [Analyzing Malicious PDFs Cheat Sheet](https://zeltser.com/media/docs/analyzing-malicious-document-files.pdf) - Like it says on the tin. If that link fails there's a copy [here in the repo](doc/analyzing-malicious-document-files.pdf).
|
|
268
266
|
* [T1Utils Github Repo](https://github.com/kohler/t1utils) - Suite of tools for manipulating Type1 fonts.
|
|
@@ -233,6 +233,7 @@ scripts/install_t1utils.sh
|
|
|
233
233
|
* [Adobe Type 2 Charstring Format](https://adobe-type-tools.github.io/font-tech-notes/pdfs/5177.Type2.pdf) - Describes the newer Type 2 font operators which are also used in some multiple-master Type 1 fonts.
|
|
234
234
|
|
|
235
235
|
### Other Stuff
|
|
236
|
+
* [Didier Stevens's PDF tools](http://blog.didierstevens.com/programs/pdf-tools/)
|
|
236
237
|
* [Didier Stevens's free book about malicious PDFs](https://blog.didierstevens.com/2010/09/26/free-malicious-pdf-analysis-e-book/) - The master of the malicious PDFs wrote a whole book about how to analyze them. It's an old book but the PDF spec was last changed in 2008 so it's still relevant.
|
|
237
238
|
* [Analyzing Malicious PDFs Cheat Sheet](https://zeltser.com/media/docs/analyzing-malicious-document-files.pdf) - Like it says on the tin. If that link fails there's a copy [here in the repo](doc/analyzing-malicious-document-files.pdf).
|
|
238
239
|
* [T1Utils Github Repo](https://github.com/kohler/t1utils) - Suite of tools for manipulating Type1 fonts.
|
|
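--- a/pdfalyzer/detection/yaralyzer_helper.py
+++ b/pdfalyzer/detection/yaralyzer_helper.py
@@ -13,9 +13,11 @@ from pdfalyzer.config import PdfalyzerConfig
 YARA_RULES_DIR = files('pdfalyzer').joinpath('yara_rules')
 
 YARA_RULES_FILES = [
+    'didier_stevens.yara',
     'lprat.static_file_analysis.yara',
     'PDF.yara',
     'PDF_binary_stream.yara',
+    'pdf_malware.yara',
 ]
 
 
@@ -34,18 +36,20 @@ def _build_yaralyzer(scannable: Union[bytes, str], label: Optional[str] = None)
     with as_file(YARA_RULES_DIR.joinpath(YARA_RULES_FILES[0])) as yara0:
         with as_file(YARA_RULES_DIR.joinpath(YARA_RULES_FILES[1])) as yara1:
             with as_file(YARA_RULES_DIR.joinpath(YARA_RULES_FILES[2])) as yara2:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+                with as_file(YARA_RULES_DIR.joinpath(YARA_RULES_FILES[3])) as yara3:
+                    with as_file(YARA_RULES_DIR.joinpath(YARA_RULES_FILES[4])) as yara4:
+                        # If there is a custom yara_rules argument file use that instead of the files in the yara_rules/ dir
+                        rules_paths = YaralyzerConfig.args.yara_rules_files or []
+
+                        if not YaralyzerConfig.args.no_default_yara_rules:
+                            rules_paths += [str(y) for y in [yara0, yara1, yara2, yara3, yara4]]
+
+                        try:
+                            return Yaralyzer.for_rules_files(rules_paths, scannable, label)
+                        except ValueError as e:
+                            # TODO: use YARA_FILE_DOES_NOT_EXIST_ERROR_MSG variable
+                            if "it doesn't exist" in str(e):
+                                print(str(e))
+                                exit(1)
+                            else:
+                                raise e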
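Review bot: `rules_paths = YaralyzerConfig.args.yara_rules_files or []` followed by `rules_paths += [...]` extends the caller's object in place whenever `yara_rules_files` was supplied, so if that attribute is the argparse list, each call to `_build_yaralyzer` appends the five bundled rule paths to `YaralyzerConfig.args.yara_rules_files` again and any later scan in the same process compiles the same rule files twice; copy first with `rules_paths = list(YaralyzerConfig.args.yara_rules_files or [])`. The `YARA_RULES_FILES[0]`..`[4]` nesting has to be edited in lockstep with the list in the first hunk (this commit already had to add two levels), and an `ExitStack` over `YARA_RULES_FILES` removes that coupling. In the `except` branch, `exit(1)` is the `site` convenience rather than `sys.exit(1)`, the message goes to stdout instead of stderr, and `raise e` replaces the original traceback where a bare `raise` keeps it; the rewrite below needs `import sys` and `from contextlib import ExitStack` at the top of the file. `_build_yaralyzer`'s signature is outside the hunk.
```python
    with ExitStack() as stack:
        default_rules = [
            str(stack.enter_context(as_file(YARA_RULES_DIR.joinpath(name))))
            for name in YARA_RULES_FILES
        ]
        # Copy: `+=` on the argparse list would mutate YaralyzerConfig.args across calls
        rules_paths = list(YaralyzerConfig.args.yara_rules_files or [])

        if not YaralyzerConfig.args.no_default_yara_rules:
            rules_paths += default_rules

        try:
            return Yaralyzer.for_rules_files(rules_paths, scannable, label)
        except ValueError as e:
            # TODO: use YARA_FILE_DOES_NOT_EXIST_ERROR_MSG variable
            if "it doesn't exist" not in str(e):
                raise
            print(str(e), file=sys.stderr)
            sys.exit(1)
```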