pdfalyzer 1.16.9__py3-none-any.whl → 1.16.11__py3-none-any.whl

.pdfalyzer.example

@@ -0,0 +1,66 @@
+# If you place a filed called '.pdfalyzer' in your home dir or the current dir environment variables specified
+# in that .pdfalyzer file will be added to the environment each time pdfalyzer is invoked. (See the `dotenv`
+# package for more details.) This file contains environment variables you can place in .pdfalyzer to configure
+# the application above and beyond providing command line options.  Useful if you want to permanently
+# configure options you tend to reuse (e.g. '--maximize-width') so you can stop remembering to type them.
+#
+# Almost all of the yaralyzer (yes, you read that right - The Pdfalyzer uses The Yaralyzer for all
+# kinds of backend functionality) command line options can be configured in this file by capitalizing them and
+# prefixing 'YARALYZER'. e.g. to configure the --maximize-width option for every invocation, you would set:
+# YARALYZER_MAXIMIZE_WIDTH=True
+#
+# Note that many of these options are actually configuring the yaralyzer, which is a separate tool leveraged
+# by the Pdfalyzer to actually do the work of finding patterns. More info can be found at
+# https://github.com/michelcrypt4d4mus/yaralyzer
+
+
+
+# Expand the width of the output to the fit the display window (same as the --maximize-width options)
+#    YARALYZER_MAXIMIZE_WIDTH=True
+
+# yara-python internal options passed through to yara.set_config() as the stack_size and max_match_data arguments
+#    YARALYZER_STACK_SIZE=10485760
+#    YARALYZER_MAX_MATCH_LENGTH=10737418240
+
+# Suppress all PDF binary regex matching/scanning/etc
+#    YARALYZER_SUPPRESS_DECODES_TABLE=False
+
+# Suppress the display of the table showing the the encoding assessments given by `chardet.detect()`
+# about a particular chunk of binary data. (The most important data in the chardet confidence table is
+# redunandant anyways. Only the low likelihood encodings are hidden from the usef)
+#    YARALYZER_SUPPRESS_CHARDET_TABLE=False
+# Minimum confidence to display an encoding in the chardet results table
+#    YARALYZER_MIN_CHARDET_CONFIDENCE=2.0
+
+# Configure how many bytes before and after any binary data should be included in scans and visualizations
+#    YARALYZER_SURROUNDING_BYTES=64
+
+# Size thresholds (in bytes) under/over which pdfalyzer will NOT make attempts to decode a match.
+# Longer byte sequences are for obvious reasons slower to decode by force.
+# It may feel counterintuitive but larger chunks of random binary are also harder to examine and
+# (in my experience) less likely to be maningful. Consider it - two frontslash characters 20,000 lines apart
+# are more likely to be random than those same frontslashes when placed nearer to each other and
+# in the vicinity of lot of computerized sigils of internet power like `.', `+bacd*?`,. and other regexes.*
+# Keeping the max value number low will do more to affect the speed of the app than ay anything else you
+# can easily configure..
+#
+#    YARALYZER_MIN_DECODE_LENGTH=1
+#    YARALYZER_MAX_DECODE_LENGTH=256
+
+# Directory to write application logs to. Must be an absolute path, not a relative one.
+# These logs are not normally written to a file and the default log level means that the standard behavior
+# is to more or less discard them. Be aware that if you configure this variable a few things will change:
+#
+#   1. Logs WILL NOT be written to STDOUT. They will stream ONLY to files in the configured directory.
+#      This is true even with the -D option.
+#   2. The default log_level will be decreased from WARN (extremely spartan) to INFO (fairly verbose).
+#      The -D option, which sets the log level to DEBUG, will be respected whether or not
+#      YARALYZER_LOG_DIR is configured.
+#
+#     YARALYZER_LOG_DIR=/path/to/pdfalyzer/log_dir/
+
+# Log level
+#     YARALYZER_LOG_LEVEL='INFO'
+
+# Path to directory containing Didier Stevens's pdf-parser.py. Only required for extracting binary streams to files.
+#     PDFALYZER_PDF_PARSER_PY_PATH=/path/to/pdfparserdotpy/

CHANGELOG.md

@@ -1,5 +1,14 @@
 # NEXT RELEASE
 
+### 1.16.11
+* Fix typo in `combine_pdfs` help
+* Add some more PyPi classifiers
+* Add a `.flake8` config and fix a bunch of style issues
+
+### 1.16.10
+* Add `Environment :: Console` and `Programming Language :: Python` to pypi classifiers
+* Add `.pdfalyzer.example` to PyPi package
+
 ### 1.16.9
 * Add `Development Status :: 5 - Production/Stable` to pypi classifiers
 

pdfalyzer/__init__.py

@@ -1,7 +1,6 @@
 import code
 import sys
 from os import environ, getcwd, path
-from pathlib import Path
 
 from dotenv import load_dotenv
 from pypdf import PdfWriter
@@ -23,7 +22,7 @@ from rich.text import Text
 from yaralyzer.helpers.rich_text_helper import prefix_with_plain_text_obj
 from yaralyzer.output.file_export import invoke_rich_export
 from yaralyzer.output.rich_console import console
-from yaralyzer.util.logging import log, log_and_print
+from yaralyzer.util.logging import log_and_print
 
 from pdfalyzer.helpers.filesystem_helper import file_size_in_mb, set_max_open_files
 from pdfalyzer.helpers.rich_text_helper import print_highlighted
@@ -51,8 +50,8 @@ def pdfalyze():
         log_and_print(f"Binary stream extraction complete, files written to '{args.output_dir}'.\nExiting.\n")
         sys.exit()
 
-    # The method that gets called is related to the argument name. See 'possible_output_sections' list in argument_parser.py
-    # Analysis exports wrap themselves around the methods that actually generate the analyses
+    # The method that gets called is related to the argument name. See 'possible_output_sections' list in
+    # argument_parser.py. Analysis exports wrap themselves around the methods that actually generate the analyses.
     for (arg, method) in output_sections(args, pdfalyzer):
         if args.output_dir:
             output_basepath = PdfalyzerConfig.get_output_basepath(method)
@@ -89,7 +88,7 @@ def pdfalyzer_show_color_theme() -> None:
         if name not in ['reset', 'repr_url']
     ]
 
-    console.print(Columns(colors, column_first=True, padding=(0,3)))
+    console.print(Columns(colors, column_first=True, padding=(0, 3)))
 
 
 def combine_pdfs():
@@ -114,7 +113,11 @@ def combine_pdfs():
     for i, page in enumerate(merger.pages):
         if args.image_quality < MAX_QUALITY:
             for j, img in enumerate(page.images):
-                print_highlighted(f"  -> Reducing image #{j + 1} quality on page {i + 1} to {args.image_quality}...", style='dim')
+                print_highlighted(
+                    f"  -> Reducing image #{j + 1} quality on page {i + 1} to {args.image_quality}...",
+                    style='dim'
+                )
+
                 img.replace(img.image, quality=args.image_quality)
 
         print_highlighted(f"  -> Compressing page {i + 1}...", style='dim')

pdfalyzer/binary/binary_scanner.py

@@ -12,8 +12,8 @@ from yaralyzer.decoding.bytes_decoder import BytesDecoder
 from yaralyzer.encoding_detection.character_encodings import BOMS
 from yaralyzer.helpers.bytes_helper import hex_string, print_bytes
 from yaralyzer.helpers.string_helper import escape_yara_pattern
-from yaralyzer.output.rich_console import BYTES_NO_DIM, console, console_width
 from yaralyzer.output.regex_match_metrics import RegexMatchMetrics
+from yaralyzer.output.rich_console import BYTES_NO_DIM, console, console_width
 from yaralyzer.yara.yara_rule_builder import HEX, REGEX, safe_label
 from yaralyzer.yaralyzer import Yaralyzer
 from yaralyzer.util.logging import log
@@ -21,7 +21,7 @@ from yaralyzer.util.logging import log
 from pdfalyzer.config import PdfalyzerConfig
 from pdfalyzer.decorators.pdf_tree_node import PdfTreeNode
 from pdfalyzer.detection.constants.binary_regexes import (BACKTICK, DANGEROUS_PDF_KEYS_TO_HUNT_ONLY_IN_FONTS,
-     DANGEROUS_PDF_KEYS_TO_HUNT_ONLY_IN_FONTS, DANGEROUS_STRINGS, FRONTSLASH, GUILLEMET, QUOTE_PATTERNS)
+     DANGEROUS_STRINGS, FRONTSLASH, GUILLEMET, QUOTE_PATTERNS)
 from pdfalyzer.helpers.string_helper import generate_hyphen_line
 from pdfalyzer.output.layout import print_headline_panel, print_section_sub_subheader
 from pdfalyzer.util.adobe_strings import CONTENTS, CURRENTFILE_EEXEC, FONT_FILE_KEYS
@@ -36,7 +36,7 @@ class BinaryScanner:
         self.stream_length = len(_bytes)
 
         if label is None and isinstance(owner, PdfTreeNode):
-             self.label = owner.__rich__()
+            self.label = owner.__rich__()
 
         self.suppression_notice_queue = []
         self.regex_extraction_stats = defaultdict(lambda: RegexMatchMetrics())
@@ -86,8 +86,12 @@ class BinaryScanner:
                 print_headline_panel(msg, style='dim')
                 continue
 
+            print_section_sub_subheader(
+                f"Forcing Decode of {quote_type.capitalize()} Quoted Strings",
+                style=BYTES_NO_DIM
+            )
+
             quote_pattern = QUOTE_PATTERNS[quote_type]
-            print_section_sub_subheader(f"Forcing Decode of {quote_type.capitalize()} Quoted Strings", style=BYTES_NO_DIM)
             yaralyzer = self._quote_yaralyzer(quote_pattern, quote_type)
             self.process_yara_matches(yaralyzer, f"{quote_type}_quoted")
 
@@ -135,7 +139,7 @@ class BinaryScanner:
     def process_yara_matches(self, yaralyzer: Yaralyzer, pattern: str, force: bool = False) -> None:
         """Decide whether to attempt to decode the matched bytes, track stats. force param ignores min/max length."""
         for bytes_match, decoder in yaralyzer.match_iterator():
-            log.debug(f"Trackings stats for match: {pattern}, bytes_match: {bytes_match}, is_decodable: {bytes_match.is_decodable()}")
+            log.debug(f"Trackings match stats for {pattern}, bytes_match: {bytes_match}, is_decodable: {bytes_match.is_decodable()}")  # noqa: E501
 
             # Send suppressed decodes to a queue and track the reason for the suppression in the stats
             if not (bytes_match.is_decodable() or force):
@@ -145,7 +149,7 @@ class BinaryScanner:
             # Print out any queued suppressed notices before printing non suppressed matches
             self._print_suppression_notices()
             console.print(decoder)
-            self.regex_extraction_stats[pattern].tally_match(decoder) # TODO: This call must come after print(decoder)
+            self.regex_extraction_stats[pattern].tally_match(decoder)  # TODO: This call must come after print(decoder)
 
         self._print_suppression_notices()
 
@@ -167,12 +171,12 @@ class BinaryScanner:
             return self._pattern_yaralyzer(quote_pattern, REGEX, label, label)
 
     def _pattern_yaralyzer(
-            self,
-            pattern: str,
-            pattern_type: str,
-            rules_label: Optional[str] = None,
-            pattern_label: Optional[str] = None
-        ) -> Yaralyzer:
+        self,
+        pattern: str,
+        pattern_type: str,
+        rules_label: Optional[str] = None,
+        pattern_label: Optional[str] = None
+    ) -> Yaralyzer:
         """Build a yaralyzer to scan self.bytes"""
         return Yaralyzer.for_patterns(
             patterns=[escape_yara_pattern(pattern)],

pdfalyzer/config.py

@@ -1,3 +1,7 @@
+"""
+PdfalyzerConfig object holds the unification of configuration options parsed from the command line
+as well as those set by environment variables and/or a .pdfalyzer file.
+"""
 import importlib.resources
 from argparse import Namespace
 from os import environ, pardir, path

pdfalyzer/decorators/pdf_object_properties.py

@@ -16,13 +16,14 @@ from pdfalyzer.util.adobe_strings import *
 
 class PdfObjectProperties:
     """Simple class to extract critical features of a PdfObject."""
+
     def __init__(
-            self,
-            pdf_object: PdfObject,
-            address: str,
-            idnum: int,
-            indirect_object: Optional[IndirectObject] = None
-        ):
+        self,
+        pdf_object: PdfObject,
+        address: str,
+        idnum: int,
+        indirect_object: Optional[IndirectObject] = None
+    ):
         self.idnum = idnum
         self.obj = pdf_object
         self.indirect_object = indirect_object
@@ -57,7 +58,7 @@ class PdfObjectProperties:
         else:
             self.first_address = address
 
-        log.debug(f"Node ID: {self.idnum}, type: {self.type}, subtype: {self.sub_type}, " + \
+        log.debug(f"Node ID: {self.idnum}, type: {self.type}, subtype: {self.sub_type}, " +
                   f"label: {self.label}, first_address: {self.first_address}")
 
     @classmethod
@@ -80,11 +81,11 @@ class PdfObjectProperties:
 
     @classmethod
     def to_table_row(
-            cls,
-            reference_key: str,
-            obj: PdfObject,
-            is_single_row_table: bool = False
-        ) -> List[Union[Text, str]]:
+        cls,
+        reference_key: str,
+        obj: PdfObject,
+        is_single_row_table: bool = False
+    ) -> List[Union[Text, str]]:
         """PDF object property at reference_key becomes a formatted 3-tuple for use in Rich tables."""
         with_resolved_refs = cls.resolve_references(reference_key, obj)
 

pdfalyzer/decorators/pdf_tree_node.py

@@ -6,7 +6,7 @@ Child/parent relationships should be set using the add_child() and set_parent()
 methods and not set directly. (TODO: this could be done better with anytree
 hooks)
 """
-from typing import Callable, List, Optional, Set
+from typing import Callable, List, Optional
 
 from anytree import NodeMixin, SymlinkNode
 from pypdf.errors import PdfReadError
@@ -163,11 +163,14 @@ class PdfTreeNode(NodeMixin, PdfObjectProperties):
                 return None
         else:
             address = refs_to_this_node[0].address
+
             # If other node's label doesn't start with a NON_STANDARD_ADDRESS string
-            #   and any of the relationships pointing at this node use something other than a
-            #       NON_STANDARD_ADDRESS_NODES string to refer here, print a warning about multiple refs.
-            if not (is_prefixed_by_any(from_node.label, NON_STANDARD_ADDRESS_NODES) or \
-                        all(ref.address in NON_STANDARD_ADDRESS_NODES for ref in refs_to_this_node)):
+            # AND any of the relationships pointing at this node use something other than a
+            #     NON_STANDARD_ADDRESS_NODES string to refer here,
+            # then print a warning about multiple refs.
+            if not (is_prefixed_by_any(from_node.label, NON_STANDARD_ADDRESS_NODES)
+                    or
+                    all(ref.address in NON_STANDARD_ADDRESS_NODES for ref in refs_to_this_node)):
                 refs_to_this_node_str = "\n   ".join([f"{i + 1}. {r}" for i, r in enumerate(refs_to_this_node)])
                 msg = f"Multiple refs from {from_node} to {self}:\n   {refs_to_this_node_str}"
                 log.warning(msg + f"\nCommon address of refs: {address}")

pdfalyzer/decorators/pdf_tree_verifier.py

@@ -37,7 +37,10 @@ class PdfTreeVerifier:
             log.warning(f"Methodd doesn't check revisions but this doc is generation {self.pdfalyzer.max_generation}")
 
         # We expect to see all ordinals up to the number of nodes /Trailer claims exist as obj. IDs.
-        missing_node_ids = [i for i in range(1, self.pdfalyzer.pdf_size) if self.pdfalyzer.find_node_by_idnum(i) is None]
+        missing_node_ids = [
+            i for i in range(1, self.pdfalyzer.pdf_size)
+            if self.pdfalyzer.find_node_by_idnum(i) is None
+        ]
 
         for idnum in missing_node_ids:
             ref = IndirectObject(idnum, self.pdfalyzer.max_generation, self.pdfalyzer.pdf_reader)
@@ -57,13 +60,13 @@ class PdfTreeVerifier:
                 log.error(f"Cannot find ref {ref} in PDF!")
                 continue
             elif isinstance(obj, (NumberObject, NameObject)):
-                log.info(f"Obj {idnum} is a {type(obj)} w/value {obj}; if relationshipd by /Length etc. this is a nonissue but maybe worth doublechecking")
+                log.info(f"Obj {idnum} is a {type(obj)} w/value {obj}; if relationshipd by /Length etc. this is a nonissue but maybe worth doublechecking")  # noqa: E501
                 continue
             elif not isinstance(obj, dict):
-                log.error(f"Obj {idnum} ({obj}) of type {type(obj)} isn't dict, cannot determine if it should be in tree")
+                log.error(f"Obj {idnum} ({obj}) of type {type(obj)} isn't dict, cannot determine if it should be in tree")  # noqa: E501
                 continue
             elif TYPE not in obj:
-                msg = f"Obj {idnum} has no {TYPE} and is not in tree. Either a loose node w/no data or an error in pdfalyzer."
+                msg = f"Obj {idnum} has no {TYPE} and is not in tree. Either a loose node w/no data or an error in pdfalyzer."  # noqa: E501
                 msg += f"\nHere's the contents for you to assess:\n{obj}"
                 log.warning(msg)
                 continue

pdfalyzer/detection/constants/binary_regexes.py

@@ -36,13 +36,13 @@ PARENTHESES = 'parentheses'
 
 QUOTE_PATTERNS = {
     BACKTICK: '`.+`',
-    BRACKET: '\\[.+\\]',  # { 91 [-] 93 }
-    CURLY_BRACKET: '{.+}',  # { 123 [-] 125 }
-    DOUBLE_LESS_THAN: '<<.+>>', # Hex { 60 60 [-] 62 62 }
+    BRACKET: '\\[.+\\]',         # { 91 [-] 93 }
+    CURLY_BRACKET: '{.+}',       # { 123 [-] 125 }
+    DOUBLE_LESS_THAN: '<<.+>>',  # Hex { 60 60 [-] 62 62 }
     ESCAPED_SINGLE: "\\'.+\\'",
     ESCAPED_DOUBLE: '\\".+\\"',
-    FRONTSLASH: '/.+/',  # { 47 [-] 47 }
-    GUILLEMET: 'AB [-] BB',  # Guillemet quotes are not ANSI so require byte pattern
-    LESS_THAN: '<.+>',  # Hex { 60 [-] 62 }
-    PARENTHESES: '\\(.+\\)', # Hex { 28 [-] 29 }
+    FRONTSLASH: '/.+/',          # { 47 [-] 47 }
+    GUILLEMET: 'AB [-] BB',      # Guillemet quotes are not ANSI so require byte pattern
+    LESS_THAN: '<.+>',           # Hex { 60 [-] 62 }
+    PARENTHESES: '\\(.+\\)',     # Hex { 28 [-] 29 }
 }

pdfalyzer/detection/yaralyzer_helper.py

@@ -8,8 +8,6 @@ from typing import Optional, Union
 from yaralyzer.config import YaralyzerConfig
 from yaralyzer.yaralyzer import Yaralyzer
 
-from pdfalyzer.config import PdfalyzerConfig
-
 YARA_RULES_DIR = files('pdfalyzer').joinpath('yara_rules')
 
 YARA_RULES_FILES = [
@@ -38,7 +36,7 @@ def _build_yaralyzer(scannable: Union[bytes, str], label: Optional[str] = None)
             with as_file(YARA_RULES_DIR.joinpath(YARA_RULES_FILES[2])) as yara2:
                 with as_file(YARA_RULES_DIR.joinpath(YARA_RULES_FILES[3])) as yara3:
                     with as_file(YARA_RULES_DIR.joinpath(YARA_RULES_FILES[4])) as yara4:
-                        # If there is a custom yara_rules argument file use that instead of the files in the yara_rules/ dir
+                        # If there is a custom yara_rules arg, use that instead of the files in the yara_rules/ dir
                         rules_paths = YaralyzerConfig.args.yara_rules_files or []
 
                         if not YaralyzerConfig.args.no_default_yara_rules:

pdfalyzer/font_info.py

@@ -2,7 +2,6 @@
 Unify font information spread across a bunch of PdfObjects (Font, FontDescriptor,
 and FontFile) into a single class.
 """
-
 from pypdf._cmap import build_char_map, prepare_cm
 from pypdf.generic import IndirectObject, PdfObject
 from rich.text import Text
@@ -11,9 +10,9 @@ from yaralyzer.util.logging import log
 
 from pdfalyzer.binary.binary_scanner import BinaryScanner
 from pdfalyzer.output.character_mapping import print_character_mapping, print_prepared_charmap
-from pdfalyzer.output.tables.font_summary_table import font_summary_table
 from pdfalyzer.output.layout import print_section_subheader
 from pdfalyzer.output.styles.node_colors import get_label_style
+from pdfalyzer.output.tables.font_summary_table import font_summary_table
 from pdfalyzer.util.adobe_strings import (FONT, FONT_DESCRIPTOR, FONT_FILE, FONT_LENGTHS, RESOURCES,
      SUBTYPE, TO_UNICODE, TYPE, W, WIDTHS)
 
@@ -143,19 +142,19 @@ class FontInfo:
         console.line()
 
     # TODO: currently unused
-    def preview_bytes_at_advertised_lengths(self):
-        """Show the bytes at the boundaries provided by /Length1, /Length2, and /Length3, if they exist"""
-        lengths = self.lengths or []
+    # def preview_bytes_at_advertised_lengths(self):
+    #     """Show the bytes at the boundaries provided by /Length1, /Length2, and /Length3, if they exist"""
+    #     lengths = self.lengths or []
 
-        if self.lengths is None or len(lengths) <= 1:
-            console.print("No length demarcations to preview.", style='grey.dark')
+    #     if self.lengths is None or len(lengths) <= 1:
+    #         console.print("No length demarcations to preview.", style='grey.dark')
 
-        for i, demarcation in enumerate(lengths[1:]):
-            console.print(f"{self.font_file} at /Length{i} ({demarcation}):")
-            print(f"\n  Stream before: {self.stream_data[demarcation - FONT_SECTION_PREVIEW_LEN:demarcation + 1]}")
-            print(f"\n  Stream after: {self.stream_data[demarcation:demarcation + FONT_SECTION_PREVIEW_LEN]}")
+    #     for i, demarcation in enumerate(lengths[1:]):
+    #         console.print(f"{self.font_file} at /Length{i} ({demarcation}):")
+    #         print(f"\n  Stream before: {self.stream_data[demarcation - FONT_SECTION_PREVIEW_LEN:demarcation + 1]}")
+    #         print(f"\n  Stream after: {self.stream_data[demarcation:demarcation + FONT_SECTION_PREVIEW_LEN]}")
 
-        print(f"\nfinal bytes back from {self.stream_data.lengths[2]} + 10: {self.stream_data[-10 - -f.lengths[2]:]}")
+    #     print(f"\nfinal bytes back from {self.stream_data.lengths[2]} + 10: {self.stream_data[-10 - -f.lengths[2]:]}")
 
     def __str__(self) -> str:
         return self.display_title

pdfalyzer/helpers/filesystem_helper.py

@@ -15,7 +15,7 @@ OPEN_FILES_BUFFER = 30        # we might have some files open already so we need
 PDF_EXT = '.pdf'
 
 # TODO: this kind of type alias is not supported until Python 3.12
-#type StrOrPath = Union[str, Path]
+# type StrOrPath = Union[str, Path]
 
 
 def with_pdf_extension(file_path: Union[str, Path]) -> str:
@@ -92,11 +92,11 @@ def set_max_open_files(num_filehandles: int = DEFAULT_MAX_OPEN_FILES) -> tuple[O
             resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard))
         except (ValueError, resource.error):
             try:
-               hard = soft
-               print_highlighted(f"Retrying setting max open files (soft, hard)=({soft}, {hard})", style='yellow')
-               resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard))
+                hard = soft
+                print_highlighted(f"Retrying setting max open files (soft, hard)=({soft}, {hard})", style='yellow')
+                resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard))
             except Exception:
-               print_highlighted('Failed to set max open files / ulimit, giving up!', style='error')
-               soft,hard = resource.getrlimit(resource.RLIMIT_NOFILE)
+                print_highlighted('Failed to set max open files / ulimit, giving up!', style='error')
+                soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
 
     return (soft, hard)

pdfalyzer/helpers/pdf_object_helper.py

@@ -6,7 +6,6 @@ from typing import List, Optional
 from pypdf.generic import IndirectObject, PdfObject
 
 from pdfalyzer.pdf_object_relationship import PdfObjectRelationship
-from pdfalyzer.util.adobe_strings import *
 
 
 def pdf_object_id(pdf_object) -> Optional[int]:
@@ -20,6 +19,7 @@ def does_list_have_any_references(_list) -> bool:
 
 
 def _sort_pdf_object_refs(refs: List[PdfObjectRelationship]) -> List[PdfObjectRelationship]:
+    """Sort a list of PdfObjectRelationship objects by their to_obj's idnum. Only used by pytest."""
     return sorted(refs, key=lambda ref: ref.to_obj.idnum)
 
 

pdfalyzer/helpers/rich_text_helper.py

@@ -1,13 +1,11 @@
 """
-Functions for miscellaneous Rich text/string operations.
+Functions for miscellaneous Rich text/string pretty printing operations.
 """
 from typing import List, Union
 
 from pypdf.generic import PdfObject
 from rich.console import Console
-from rich.highlighter import RegexHighlighter, JSONHighlighter
 from rich.text import Text
-from yaralyzer.output.rich_console import console
 
 from pdfalyzer.helpers.pdf_object_helper import pypdf_class_name
 from pdfalyzer.output.styles.node_colors import get_label_style, get_class_style_italic
@@ -22,11 +20,11 @@ def print_highlighted(msg: Union[str, Text], **kwargs) -> None:
 
 
 def quoted_text(
-        _string: str,
-        style: str = '',
-        quote_char_style: str = 'white',
-        quote_char: str = "'"
-    ) -> Text:
+    _string: str,
+    style: str = '',
+    quote_char_style: str = 'white',
+    quote_char: str = "'"
+) -> Text:
     """Wrap _string in 'quote_char'. Style 'quote_char' with 'quote_char_style'."""
     quote_char_txt = Text(quote_char, style=quote_char_style)
     txt = quote_char_txt + Text(_string, style=style) + quote_char_txt

pdfalyzer/output/character_mapping.py

@@ -8,6 +8,7 @@ from yaralyzer.helpers.bytes_helper import print_bytes
 from yaralyzer.output.rich_console import console
 from yaralyzer.util.logging import log
 
+# from pdfalyzer.font_info import FontInfo  # Causes circular import
 from pdfalyzer.helpers.rich_text_helper import quoted_text
 from pdfalyzer.helpers.string_helper import pp
 from pdfalyzer.output.layout import print_headline_panel, subheading_width
@@ -17,7 +18,7 @@ CHARMAP_TITLE_PADDING = (1, 0, 0, 2)
 CHARMAP_PADDING = (0, 2, 0, 10)
 
 
-def print_character_mapping(font: 'FontInfo') -> None:
+def print_character_mapping(font: 'FontInfo') -> None:  # noqa: F821
     """Prints the character mapping extracted by PyPDF._charmap in tidy columns"""
     if font.character_mapping is None or len(font.character_mapping) == 0:
         log.info(f"No character map found in {font}")
@@ -37,7 +38,7 @@ def print_character_mapping(font: 'FontInfo') -> None:
     console.line()
 
 
-def print_prepared_charmap(font: 'FontInfo'):
+def print_prepared_charmap(font: 'FontInfo'):  # noqa: F821
     """Prints the prepared_charmap returned by PyPDF."""
     if font.prepared_char_map is None:
         log.info(f"No prepared_charmap found in {font}")

pdfalyzer/output/layout.py

@@ -1,5 +1,5 @@
 """
-Methods to help with the design of the output
+Methods to help with the formatting of the output tables, headers, panels, etc.
 """
 from rich import box
 from rich.padding import Padding

pdfalyzer/output/pdfalyzer_presenter.py

@@ -23,11 +23,13 @@ from pdfalyzer.detection.yaralyzer_helper import get_bytes_yaralyzer, get_file_y
 from pdfalyzer.helpers.string_helper import pp
 from pdfalyzer.output.layout import (print_fatal_error_panel, print_section_header, print_section_subheader,
      print_section_sub_subheader)
+from pdfalyzer.output.tables.decoding_stats_table import build_decoding_stats_table
 from pdfalyzer.output.tables.pdf_node_rich_table import generate_rich_tree, get_symlink_representation
 from pdfalyzer.output.tables.stream_objects_table import stream_objects_table
-from pdfalyzer.output.tables.decoding_stats_table import build_decoding_stats_table
 from pdfalyzer.pdfalyzer import Pdfalyzer
-from pdfalyzer.util.adobe_strings import *
+# from pdfalyzer.util.adobe_strings import *
+
+INTERNAL_YARA_ERROR_MSG = "Internal YARA error! YARA's error codes can be checked here: https://github.com/VirusTotal/yara/blob/master/libyara/include/yara/error.h"  # noqa: E501
 
 
 class PdfalyzerPresenter:
@@ -91,7 +93,6 @@ class PdfalyzerPresenter:
           2. Check for (and force decode) dangerous PDF instructions like /JavaScript and /OpenAction
           3. Check for (and force decode) any BOMs (byte order marks)
           4. Check for (and force decode) any sequences of bytes between quotes
-
         """
         print_section_header(f'Binary Stream Analysis / Extraction')
         console.print(self._stream_objects_table())
@@ -109,6 +110,7 @@ class PdfalyzerPresenter:
                 log.warning(msg)
                 node_stream_bytes = node_stream_bytes.encode()
 
+            console.line()
             print_section_subheader(f"{escape(str(node))} Summary and Analysis", style=f"{BYTES_HIGHLIGHT} reverse")
             binary_scanner = BinaryScanner(node_stream_bytes, node)
             console.print(bytes_hashes_table(binary_scanner.bytes))
@@ -130,9 +132,9 @@ class PdfalyzerPresenter:
 
         try:
             self.yaralyzer.yaralyze()
-        except yara.Error as e:
+        except yara.Error:
             console.print_exception()
-            print_fatal_error_panel("Internal YARA error! YARA's error codes can be checked here: https://github.com/VirusTotal/yara/blob/master/libyara/include/yara/error.h")
+            print_fatal_error_panel(INTERNAL_YARA_ERROR_MSG)
             return
 
         YaralyzerConfig.args.standalone_mode = False

pdfalyzer/output/tables/decoding_stats_table.py

@@ -1,9 +1,13 @@
+"""
+Helper functions for building a table that summarizes the decoding attempts made on binary data.
+"""
 from numbers import Number
 
 from rich.table import Table
 from rich.text import Text
 from yaralyzer.helpers.rich_text_helper import CENTER, na_txt, prefix_with_plain_text_obj
 
+from pdfalyzer.binary.binary_scanner import BinaryScanner
 from pdfalyzer.helpers.rich_text_helper import pct_txt
 from pdfalyzer.output.layout import generate_subtable, half_width, pad_header
 
@@ -13,7 +17,8 @@ NOT_FOUND_MSG = Text('(not found)', style='grey.dark_italic')
 REGEX_SUBTABLE_COLS = ['Metric', 'Value']
 DECODES_SUBTABLE_COLS = ['Encoding', '#', 'Decoded', '#', 'Forced', '#', 'Failed']
 
-def build_decoding_stats_table(scanner: 'BinaryScanner') -> Table:
+
+def build_decoding_stats_table(scanner: BinaryScanner) -> Table:
     """Diplay aggregate results on the decoding attempts we made on subsets of scanner.bytes"""
     stats_table = _new_decoding_stats_table(scanner.label.plain if scanner.label else '')
     regexes_not_found_in_stream = []

pdfalyzer/output/tables/stream_objects_table.py

@@ -1,7 +1,6 @@
 """
 Build a rich table to show the sizes of embedded streams.
 """
-
 from typing import List
 
 from rich.table import Table

pdfalyzer/pdf_object_relationship.py

@@ -14,12 +14,12 @@ INCOMPARABLE_PROPS = ['from_obj', 'to_obj']
 
 class PdfObjectRelationship:
     def __init__(
-            self,
-            from_node: 'PdfTreeNode',
-            to_obj: IndirectObject,
-            reference_key: str,
-            address: str
-        ) -> None:
+        self,
+        from_node: 'PdfTreeNode',
+        to_obj: IndirectObject,
+        reference_key: str,
+        address: str
+    ) -> None:
         """
         In the case of easy key/value pairs the reference_key and the address are the same but
         for more complicated references the address will be the reference_key plus sub references.
@@ -53,12 +53,12 @@ class PdfObjectRelationship:
 
     @classmethod
     def build_node_references(
-            cls,
-            from_node: 'PdfTreeObject',
-            from_obj: Optional[PdfObject] = None,
-            ref_key: Optional[Union[str, int]] = None,
-            address: Optional[str] = None
-        ) -> List['PdfObjectRelationship']:
+        cls,
+        from_node: 'PdfTreeObject',
+        from_obj: Optional[PdfObject] = None,
+        ref_key: Optional[Union[str, int]] = None,
+        address: Optional[str] = None
+    ) -> List['PdfObjectRelationship']:
         """
         Builds list of relationships 'from_node.obj' contains referencing other PDF objects.
         Initially called with single arg from_node. Other args are employed when recursable

pdfalyzer/pdfalyzer.py

@@ -77,7 +77,7 @@ class Pdfalyzer:
         nodes_to_walk_next = [self._add_relationship_to_pdf_tree(r) for r in node.references_to_other_nodes()]
         node.all_references_processed = True
 
-        for next_node in [n for n in nodes_to_walk_next if not (n is None or n.all_references_processed) ]:
+        for next_node in [n for n in nodes_to_walk_next if not (n is None or n.all_references_processed)]:
             if not next_node.all_references_processed:
                 self.walk_node(next_node)
 
@@ -105,7 +105,7 @@ class Pdfalyzer:
 
     def stream_nodes(self) -> List[PdfTreeNode]:
         """List of actual nodes (not SymlinkNodes) containing streams sorted by PDF object ID"""
-        stream_filter = lambda node: node.contains_stream() and not isinstance(node, SymlinkNode)
+        stream_filter = lambda node: node.contains_stream() and not isinstance(node, SymlinkNode)  # noqa: E731
         return sorted(findall(self.pdf_tree, stream_filter), key=lambda r: r.idnum)
 
     def _add_relationship_to_pdf_tree(self, relationship: PdfObjectRelationship) -> Optional[PdfTreeNode]:
@@ -114,7 +114,7 @@ class Pdfalyzer:
         placed in the PDF node processing queue.
         """
         log.info(f'Assessing relationship {relationship}...')
-        was_seen_before = (relationship.to_obj.idnum in self.nodes_encountered) # Must come before _build_or_find()
+        was_seen_before = (relationship.to_obj.idnum in self.nodes_encountered)  # Must come before _build_or_find()
         from_node = relationship.from_node
         to_node = self._build_or_find_node(relationship.to_obj, relationship.address)
         self.max_generation = max([self.max_generation, relationship.to_obj.generation or 0])
@@ -133,7 +133,7 @@ class Pdfalyzer:
                 from_node.set_parent(to_node)
             elif to_node.parent is not None:
                 # Some StructElem nodes I have seen use /P or /K despire not being the real parent/child
-                if relationship.from_node.type.startswith(STRUCT_ELEM):# reference_key != relationship.address:
+                if relationship.from_node.type.startswith(STRUCT_ELEM):
                     log.info(f"{relationship} fail: {to_node} parent is already {to_node.parent}")
                 else:
                     log.warning(f"{relationship} fail: {to_node} parent is already {to_node.parent}")
@@ -173,7 +173,6 @@ class Pdfalyzer:
 
     def _resolve_indeterminate_nodes(self) -> None:
         """Place all indeterminate nodes in the tree."""
-        #set_log_level('INFO')
         indeterminate_nodes = [self.nodes_encountered[idnum] for idnum in self.indeterminate_ids]
         indeterminate_nodes_string = "\n   ".join([f"{node}" for node in indeterminate_nodes])
         log.info(f"Resolving {len(indeterminate_nodes)} indeterminate nodes: {indeterminate_nodes_string}")

pdfalyzer/util/adobe_strings.py

@@ -1,7 +1,6 @@
 """
 String constants specified in the Adobe specs for PDFs, fonts, etc.
 """
-
 from pypdf.constants import (CatalogDictionary, ImageAttributes, PageAttributes,
      PagesAttributes, Resources)
 
@@ -117,20 +116,20 @@ NON_TREE_REFERENCES = [
 
 # Some PdfObjects can't be properly placed in the tree until the entire tree is parsed
 INDETERMINATE_REF_KEYS = [
-    ANNOTS,  # At least when it appears in a page
+    ANNOTS,     # At least when it appears in a page
     COLOR_SPACE,
     D,
     DEST,
     EXT_G_STATE,
-    FIELDS,   # At least for  /AcroForm
+    FIELDS,     # At least for  /AcroForm
     FIRST,
     FONT,
     NAMES,
     OPEN_ACTION,
-    P,   # At least for widgets...
+    P,          # At least for widgets...
     RESOURCES,
     XOBJECT,
-    UNLABELED, # TODO: this might be wrong? maybe this is where the /Resources actually live?
+    UNLABELED,  # TODO: this might be wrong? maybe this is where the /Resources actually live?
 ]
 
 INDETERMINATE_PREFIXES = [p for p in INDETERMINATE_REF_KEYS if len(p) > 2]

pdfalyzer/util/argument_parser.py

@@ -1,5 +1,8 @@
+"""
+Parse command line arguments for pdfalyzer and construct the PdfalyzerConfig object.
+"""
 import sys
-from argparse import ArgumentError, ArgumentParser, Namespace
+from argparse import ArgumentParser, Namespace
 from collections import namedtuple
 from functools import partial, update_wrapper
 from importlib.metadata import version
@@ -89,9 +92,9 @@ select.add_argument('-c', '--counts', action='store_true',
                     help='show counts of some of the properties of the objects in the PDF')
 
 select.add_argument('-s', '--streams',
-                    help="scan all the PDF's decoded/decrypted streams for sus content as well as any YARA rule matches. " + \
-                         "brute force is involved; output is verbose. a single OBJ_ID can be optionally provided to " + \
-                         "limit the output to a single internal object. try '-s -- [OTHERARGS]' if you run into an " + \
+                    help="scan all the PDF's decoded/decrypted streams for sus content as well as any YARA rule matches. " +
+                         "brute force is involved; output is verbose. a single OBJ_ID can be optionally provided to " +
+                         "limit the output to a single internal object. try '-s -- [OTHERARGS]' if you run into an " +
                          "argument position related piccadilly.",
                     nargs='?',
                     const=ALL_STREAMS,
@@ -99,7 +102,7 @@ select.add_argument('-s', '--streams',
                     type=int)
 
 select.add_argument('--extract-quoted',
-                    help="extract and force decode all bytes found between this kind of quotation marks " + \
+                    help="extract and force decode all bytes found between this kind of quotation marks " +
                          "(requires --streams. can be specified more than once)",
                     choices=list(QUOTE_PATTERNS.keys()),
                     dest='extract_quoteds',
@@ -144,7 +147,7 @@ def parse_arguments():
         args.output_dir = args.output_dir or getcwd()
         file_prefix = (args.file_prefix + '__') if args.file_prefix else ''
         args.file_suffix = ('_' + args.file_suffix) if args.file_suffix else ''
-        args.output_basename =  f"{file_prefix}{path.basename(args.file_to_scan_path)}"
+        args.output_basename = f"{file_prefix}{path.basename(args.file_to_scan_path)}"
     elif args.output_dir:
         log.warning('--output-dir provided but no export option was chosen')
 
@@ -200,8 +203,8 @@ MAX_QUALITY = 10
 
 combine_pdfs_parser = ArgumentParser(
     description="Combine multiple PDFs into one.",
-    epilog="If all PDFs end in a number (e.g. 'xyz_1.pdf', 'xyz_2.pdf', etc. sort the files as if those were" \
-           " page numebrs prior to merging.",
+    epilog="If all PDFs end in a number (e.g. 'xyz_1.pdf', 'xyz_2.pdf', etc. sort the files as if those were" +
+           " page numbers prior to merging.",
     formatter_class=RichHelpFormatterPlus)
 
 combine_pdfs_parser.add_argument('pdfs',

pdfalyzer/util/debugging.py

@@ -1,7 +1,7 @@
+
 import logging
 
 
 # Starting pdb.set_trace() this way kind of sucks because yr locals are messed up
 def debugger():
     import pdb; pdb.set_trace(locals())
-

{pdfalyzer-1.16.9.dist-info → pdfalyzer-1.16.11.dist-info}/METADATA

@@ -1,19 +1,24 @@
 Metadata-Version: 2.1
 Name: pdfalyzer
-Version: 1.16.9
-Summary: A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more.
+Version: 1.16.11
+Summary: PDF analysis tool. Scan a PDF with YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more.
 Home-page: https://github.com/michelcrypt4d4mus/pdfalyzer
 License: GPL-3.0-or-later
-Keywords: ascii art,binary,color,cybersecurity,DFIR,encoding,font,infosec,maldoc,malicious pdf,malware,malware analysis,pdf,pdfs,pdf analysis,threat assessment,visualization,yara
+Keywords: ascii art,binary,color,cybersecurity,DFIR,encoding,font,infosec,maldoc,malicious pdf,malware,malware analysis,pdf,pdfs,pdf analysis,pypdf,threat assessment,visualization,yara
 Author: Michel de Cryptadamus
 Author-email: michel@cryptadamus.com
 Requires-Python: >=3.9.2,<4.0.0
 Classifier: Development Status :: 5 - Production/Stable
+Classifier: Environment :: Console
 Classifier: Intended Audience :: Information Technology
 Classifier: License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)
+Classifier: Programming Language :: Python
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.9
 Classifier: Topic :: Artistic Software
 Classifier: Topic :: Scientific/Engineering :: Visualization
 Classifier: Topic :: Security
@@ -304,12 +309,6 @@ These are the naming conventions at play in The Pdfalyzer code base:
 * [`PyPDF` documentation](https://pypdf.readthedocs.io/en/stable/) (latest is 4.x or something so these are the relevant docs for `pdfalyze`)
 
 
-# TODO
-* Highlight decodes with a lot of Javascript keywords
-* https://github.com/mandiant/flare-floss (https://github.com/mandiant/flare-floss/releases/download/v2.1.0/floss-v2.1.0-linux.zip)
-* https://github.com/1Project/Scanr/blob/master/emulator/emulator.py
-
-
 [^1]: The official Adobe PDF specification calls this tree the PDF's "logical structure", which is a good example of nomenclature that does not help those who see it understand anything about what is being described. I can forgive them given that they named this thing back in the 80s, though it's a good example of why picking good names for things at the beginning is so important.
 
 [^2]: An exception will be raised if there's any issue placing a node while parsing or if there are any nodes not reachable from the root of the tree at the end of parsing. If there are no exceptions then all internal PDF objects are guaranteed to exist in the tree except in these situations when warnings will be printed:

pdfalyzer-1.16.11.dist-info/RECORD

@@ -0,0 +1,50 @@
+.pdfalyzer.example,sha256=sh_qkUBw4hfJia_Dx2wB-fsqJInhx2sSgA7WJz3MHYo,3917
+CHANGELOG.md,sha256=ueR9OA8xj4EBFYitrcAJ6yGs1MXw7rnsCcpOdxrog0Q,12588
+LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
+pdfalyzer/__init__.py,sha256=Z7KzZamL44xFAE9_t6jX1-KhWAIn5f-voTo5BK8tlg8,5394
+pdfalyzer/__main__.py,sha256=Ko_AoAyYMLIe_cmhiUSl6twheLZrGyT8aOSJ2CP7EZY,43
+pdfalyzer/binary/binary_scanner.py,sha256=h_qcflLWn4pu5NH9F84BuVSYemWQjA3kNxsmXVdz3fk,10211
+pdfalyzer/config.py,sha256=4YMDZu3-t5RSGckjN9bT5LzXyhwHXcxi4QjzVQ4-N6U,2097
+pdfalyzer/decorators/document_model_printer.py,sha256=2tjJItZltukmOD2wjGvl2IsBM7Gug59wMHGLpzGDbV0,2682
+pdfalyzer/decorators/indeterminate_node.py,sha256=ivB6dX5aN8W9m0ksXhmUcixnjYjnuE7DARalH-nMjxY,6616
+pdfalyzer/decorators/pdf_object_properties.py,sha256=D7WNZy2s03iijAf7066HN6W_R4wKwX8juo6TivQrCB0,5477
+pdfalyzer/decorators/pdf_tree_node.py,sha256=Esmdox2Z9VXUieFhC-JgHeOXzWy0ju_OsPkOJvhep9A,10952
+pdfalyzer/decorators/pdf_tree_verifier.py,sha256=I8Sd8cOEwJQrWe30n-hGVF1oZPqQD2xhckAwr69f7P8,4617
+pdfalyzer/detection/constants/binary_regexes.py,sha256=s69S7uq1v4vBy3ZkKKKt3ClNuFCuQ0ztootUxzlgfFw,1632
+pdfalyzer/detection/constants/javascript_reserved_keywords.py,sha256=CXXdWskdQa0Hs5wCci2RBVvipgZg34_cLfmkWG4Xcmg,991
+pdfalyzer/detection/javascript_hunter.py,sha256=_wT2vkKTMlm_RGCjYsmwcmV-ag1qep3EpkHmUw0nWcQ,711
+pdfalyzer/detection/yaralyzer_helper.py,sha256=VLokcqffcw1RPriWPWA9QSMbefuHm0ACPmvG8biHIl0,2287
+pdfalyzer/font_info.py,sha256=2R85iETY_1eKCeRrkqeIxfPDqXZyWfCNcHx_-aTyF0s,6682
+pdfalyzer/helpers/dict_helper.py,sha256=2TP0_EJBouaWD6jfnAekrEZ4M5eHKL8Tm61FgXZtBAg,303
+pdfalyzer/helpers/filesystem_helper.py,sha256=yAeZ8VllSdO9eudGllwd_7odUHsfoM9SseQHDGvU59k,4117
+pdfalyzer/helpers/number_helper.py,sha256=8IlRmaOVLJsUV18VLvWRZU8SzRxL0XZjrY3sjmk2Ro4,292
+pdfalyzer/helpers/pdf_object_helper.py,sha256=Ab4gKhhuEO-nKYdMYlFVo2g0ygebJsN_ZZ1tCFkVdhM,1160
+pdfalyzer/helpers/rich_text_helper.py,sha256=wTucWbrf8OuS2wVuudIH4v078NTUPQbCqU9ZJ4bDzdE,2122
+pdfalyzer/helpers/string_helper.py,sha256=75EDEFw3UWHvWF32WtvZVBbqYY3ozO4y30dtH2qVMX0,2278
+pdfalyzer/output/character_mapping.py,sha256=RWqIu1kGnB4bQS1E4ZcjMWtUqR9ehvTth7U9Nq99_zk,2189
+pdfalyzer/output/layout.py,sha256=lAJQiu76E-_5MRghpRK7zuXqkhWI7ZjsptfadXXZQF8,2183
+pdfalyzer/output/pdfalyzer_presenter.py,sha256=TUsMc2GTUDjFzIGk7Ep5ZASfXcKX_WNtZzZKbQTHcfY,8580
+pdfalyzer/output/styles/node_colors.py,sha256=rfsTAUF43K_buw21SZoP6L5c_cLy7S-xA4GUiWJsDkc,3986
+pdfalyzer/output/styles/rich_theme.py,sha256=Y8QmuINlyZNIHvf3oD0CV3w2dC49NNKtvOChvudDCT8,1983
+pdfalyzer/output/tables/decoding_stats_table.py,sha256=LJAqbaL4nUlbQD0tB65SRaTUAhF86n0QqBMYWK2-sxU,3623
+pdfalyzer/output/tables/font_summary_table.py,sha256=xfTqC7BlQd0agQf6nDDhkcJno7hru6mf9_xY1f5IDcw,2065
+pdfalyzer/output/tables/pdf_node_rich_table.py,sha256=7G-FLb_EUP50kZmYCTbo8Q6taU4xKp2QIGNOnQtYbNg,5908
+pdfalyzer/output/tables/stream_objects_table.py,sha256=PgQj8oTtW5_X8SMQb3FvCWDS-d4Zl6QiE44Qhiv7lTY,706
+pdfalyzer/pdf_object_relationship.py,sha256=tOJTp73m82oNZJB7NxvTLv167kqthH8PRbVnev_4uEk,5291
+pdfalyzer/pdfalyzer.py,sha256=Sdld8l3Eg8f9asiyD-fhwlU6dC4_tP6h8zXTKw-cUug,10956
+pdfalyzer/util/adobe_strings.py,sha256=eF4K1RhhR_qgMBT58MzCxWkqQj17OWLCNmG3SjZ9BUs,5045
+pdfalyzer/util/argument_parser.py,sha256=yfkZTQX3t5G7y0xk2x9Ef0_2V2MuukXexiclDrf_8So,11987
+pdfalyzer/util/debugging.py,sha256=hjYGxptJmal9TTaAUkkoo0oNu2tdx6ZYSyC0WjvzHh0,156
+pdfalyzer/util/exceptions.py,sha256=XLFFTdx1n6i_VCmvuzvIOCa-djJvGEitfo9lhy3zq0k,98
+pdfalyzer/util/pdf_parser_manager.py,sha256=FVRYAYsCd0y5MAm--qvXnwCZnDtB3x85FdJtb-gpyw4,3109
+pdfalyzer/yara_rules/PDF.yara,sha256=70JzPq5F6AS8F46Seu6u0j5GS1JHxkS42r7g7PVSpRg,81489
+pdfalyzer/yara_rules/PDF_binary_stream.yara,sha256=Qt0Wd7RFXYiHaT9YxTCrhC68ccmFcEG1XMNC3p5IwcI,821
+pdfalyzer/yara_rules/__init.py__,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+pdfalyzer/yara_rules/didier_stevens.yara,sha256=4XhqafU09xzYUP7LCygHHBXOpAXUblJf6Tkn37MUy0w,7253
+pdfalyzer/yara_rules/lprat.static_file_analysis.yara,sha256=i0CwRH8pBx_QshKFTQtr1CP5n378EZelsF2FxMY2y5A,21859
+pdfalyzer/yara_rules/pdf_malware.yara,sha256=jDqSTP5BQSi2I_1xZiFZdy68I4oVWDat2j08-qdfbto,91063
+pdfalyzer-1.16.11.dist-info/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
+pdfalyzer-1.16.11.dist-info/METADATA,sha256=Xa0oDRfBu_NyzjAiI4cG2tqrDxJZRx0mPErknDQcceA,26187
+pdfalyzer-1.16.11.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
+pdfalyzer-1.16.11.dist-info/entry_points.txt,sha256=aZurgt-Xg3pojS7oTRI4hNLpK1hO4kTfChf0x2eQoD8,147
+pdfalyzer-1.16.11.dist-info/RECORD,,

pdfalyzer-1.16.9.dist-info/RECORD

@@ -1,49 +0,0 @@
-CHANGELOG.md,sha256=EvbWGXHL4_rqkwzObtVhY0QL58O4gP4uE0Z9JaqSAEA,12307
-LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
-pdfalyzer/__init__.py,sha256=q8qSdGdyUYmTYGOp_d2bRCCFASnlVt4wa-DlBikD5-M,5362
-pdfalyzer/__main__.py,sha256=Ko_AoAyYMLIe_cmhiUSl6twheLZrGyT8aOSJ2CP7EZY,43
-pdfalyzer/binary/binary_scanner.py,sha256=7NrXx8GB2gpb04oR2bcZJKkOXOlzn2hWpcGlcYMqSfs,10217
-pdfalyzer/config.py,sha256=oN-pVR037lt3giRsnsm4c8ku5hCW8ChFqYFi9V7w1qU,1918
-pdfalyzer/decorators/document_model_printer.py,sha256=2tjJItZltukmOD2wjGvl2IsBM7Gug59wMHGLpzGDbV0,2682
-pdfalyzer/decorators/indeterminate_node.py,sha256=ivB6dX5aN8W9m0ksXhmUcixnjYjnuE7DARalH-nMjxY,6616
-pdfalyzer/decorators/pdf_object_properties.py,sha256=I7kix5hXNguAH2VW2uINIZRHJ8xYS4JGfc6Aiakyh4c,5522
-pdfalyzer/decorators/pdf_tree_node.py,sha256=sd3a4uQMu_KQ_wvo0pjwQ8K1HI7xGgsGd47eI2IWybY,10927
-pdfalyzer/decorators/pdf_tree_verifier.py,sha256=YC56SQxp5o2zMYgsBPCzX89pCkUHdZ-MCFNIPD9XKRc,4541
-pdfalyzer/detection/constants/binary_regexes.py,sha256=eFx1VVAOzxKmlacbGgicDCp1fcKgOkQkkzeduGjqLBQ,1594
-pdfalyzer/detection/constants/javascript_reserved_keywords.py,sha256=CXXdWskdQa0Hs5wCci2RBVvipgZg34_cLfmkWG4Xcmg,991
-pdfalyzer/detection/javascript_hunter.py,sha256=_wT2vkKTMlm_RGCjYsmwcmV-ag1qep3EpkHmUw0nWcQ,711
-pdfalyzer/detection/yaralyzer_helper.py,sha256=KLGhX9qDB7eeuBbdl6mPRP1GivKkMZa79DPMTzq7b1c,2342
-pdfalyzer/font_info.py,sha256=0NQ6g4q3pTdirwGjJhur8HkXQlC732cR7IhilO33g2A,6663
-pdfalyzer/helpers/dict_helper.py,sha256=2TP0_EJBouaWD6jfnAekrEZ4M5eHKL8Tm61FgXZtBAg,303
-pdfalyzer/helpers/filesystem_helper.py,sha256=1clV0mqKFJUJC4xU2q_ApklpHCqCclxJAVJwRp93OF0,4110
-pdfalyzer/helpers/number_helper.py,sha256=8IlRmaOVLJsUV18VLvWRZU8SzRxL0XZjrY3sjmk2Ro4,292
-pdfalyzer/helpers/pdf_object_helper.py,sha256=Ija6cWKfFQRXCfZv2ezU1V2v0KFDn9f4ayeX8eG9GmI,1102
-pdfalyzer/helpers/rich_text_helper.py,sha256=j4zs41T94vjkr9e86ZVQRKYiUBjoZyZMdVJ4d4uiON8,2239
-pdfalyzer/helpers/string_helper.py,sha256=75EDEFw3UWHvWF32WtvZVBbqYY3ozO4y30dtH2qVMX0,2278
-pdfalyzer/output/character_mapping.py,sha256=MtC3jKdtMaugi5038fne0T_SFSo9QU4lZl_s7bW7gzI,2092
-pdfalyzer/output/layout.py,sha256=E58T9Tl6BYZTDsj6ouMr1J5SSUiXa7timUNxnOI2IzI,2149
-pdfalyzer/output/pdfalyzer_presenter.py,sha256=CSboSnYFlkgOfwMf3TcoTTJY6FLXJ9OulI9UieSTJeE,8492
-pdfalyzer/output/styles/node_colors.py,sha256=rfsTAUF43K_buw21SZoP6L5c_cLy7S-xA4GUiWJsDkc,3986
-pdfalyzer/output/styles/rich_theme.py,sha256=Y8QmuINlyZNIHvf3oD0CV3w2dC49NNKtvOChvudDCT8,1983
-pdfalyzer/output/tables/decoding_stats_table.py,sha256=mhQOiWhmovaC4sop38WcxStv_bIdAlQWUysAz5fW4MU,3461
-pdfalyzer/output/tables/font_summary_table.py,sha256=xfTqC7BlQd0agQf6nDDhkcJno7hru6mf9_xY1f5IDcw,2065
-pdfalyzer/output/tables/pdf_node_rich_table.py,sha256=7G-FLb_EUP50kZmYCTbo8Q6taU4xKp2QIGNOnQtYbNg,5908
-pdfalyzer/output/tables/stream_objects_table.py,sha256=nzCTci8Kqs8Pyghad3L5KWHDdIWRSrKCRNW8geA_rMo,707
-pdfalyzer/pdf_object_relationship.py,sha256=ug-338eoXFdD4YtDWPdzcfxP2fQDQa-GE8I3m3a01TA,5339
-pdfalyzer/pdfalyzer.py,sha256=6JflqQJb2crXXaVA6DHHgWB45w2MBFB3pqE3AlZO5WI,11013
-pdfalyzer/util/adobe_strings.py,sha256=F1MOBtSyIuF5HPmzWDr8MgnLyVodOsZSy4AFFCMHq_Y,5033
-pdfalyzer/util/argument_parser.py,sha256=hC0CLZPIXerP9Z0WZYE4Vj8wEPLwo3KpA-iRio6VKm0,11918
-pdfalyzer/util/debugging.py,sha256=nE64VUQbdu2OQRC8w8-AJkMtBOy8Kf3mjozuFslfWsw,156
-pdfalyzer/util/exceptions.py,sha256=XLFFTdx1n6i_VCmvuzvIOCa-djJvGEitfo9lhy3zq0k,98
-pdfalyzer/util/pdf_parser_manager.py,sha256=FVRYAYsCd0y5MAm--qvXnwCZnDtB3x85FdJtb-gpyw4,3109
-pdfalyzer/yara_rules/PDF.yara,sha256=70JzPq5F6AS8F46Seu6u0j5GS1JHxkS42r7g7PVSpRg,81489
-pdfalyzer/yara_rules/PDF_binary_stream.yara,sha256=Qt0Wd7RFXYiHaT9YxTCrhC68ccmFcEG1XMNC3p5IwcI,821
-pdfalyzer/yara_rules/__init.py__,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-pdfalyzer/yara_rules/didier_stevens.yara,sha256=4XhqafU09xzYUP7LCygHHBXOpAXUblJf6Tkn37MUy0w,7253
-pdfalyzer/yara_rules/lprat.static_file_analysis.yara,sha256=i0CwRH8pBx_QshKFTQtr1CP5n378EZelsF2FxMY2y5A,21859
-pdfalyzer/yara_rules/pdf_malware.yara,sha256=jDqSTP5BQSi2I_1xZiFZdy68I4oVWDat2j08-qdfbto,91063
-pdfalyzer-1.16.9.dist-info/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
-pdfalyzer-1.16.9.dist-info/METADATA,sha256=KfbRZuBph56FwH16RaEEfjuUf6Kxsfmb2P5QQF4rYjk,26228
-pdfalyzer-1.16.9.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
-pdfalyzer-1.16.9.dist-info/entry_points.txt,sha256=aZurgt-Xg3pojS7oTRI4hNLpK1hO4kTfChf0x2eQoD8,147
-pdfalyzer-1.16.9.dist-info/RECORD,,