6 Free Local Tools for Analyzing Malicious PDF Files

Free local tools for analyzing malicious PDFs include PDF Tools by Didier Stevens for scanning and parsing, PDF Stream Dumper with unified GUI, Jsunpack-n for JavaScript extraction, Peepdf for interactive exploration, Origami Ruby framework, and MalObjClass Python library for building JSON representations.

Malicious PDF files are frequently used as part of targeted and mass-scale computer attacks. Being able to analyze PDFs to understand the associated threats is an increasingly important skill for security incident responders and digital forensic analysts. Here are 6 free tools you can install on your system and use for this purpose.

Analyzing a PDF file involves examining, decoding and extracting contents of suspicious PDF objects that may be used to exploit a vulnerability in Adobe Reader and execute malicious payload. There is an increasing number of tools that are designed to assist with this process, including the following:

PDF Tools by Didier Stevens is the classic toolkit that established the foundation for our understanding of the PDF analysis process. It includes pdfid.py to quickly scan the PDF for risky objects and, most usefully, pdf-parser.py to examine their contents.

PDF Stream Dumper by “Dave” is a powerful Windows program that combines a number of PDF analysis tools under a unified GUI. It makes it possible to explore PDF contents, decode object contents, deobfuscate JavaScript, examine shellcode, etc.

Jsunpack-n by Blake Hartstein is a command-line tool that emulates a browser when analyzing malicious websites. In addition to supporting numerous other features, the tool includes the pdf.py script for extracting JavaScript embedded in PDF files.

Peepdf by Jose Miguel Esparza is an interactive command-line tool that allows users to explore and analyze contents of PDF files. Its features include examining the file’s structure, analyzing object contents, as well as decoding embedded JavaScript and shellcode.

Origami by Guillaume Delugré and Fred Raynal is a Ruby framework for parsing, analyzing and creating PDF files. In addition to providing programmers with the ability to automate PDF interactions, it includes a the pdfscan.rb script to scan the PDF for risky objects and the extractjs.rb to extract JavaScript embedded in the file.

MalObjClass by Brandon Dixon provides a Python framework for building a JSON object the represents components of a PDF file. This capability allows programmers to easily parse, examine and decode malicious PDF objects. The tool even includes the ability to scan the file with VirusTotal.

If you know of other tools that work well for analyzing malicious PDF files and that can be installed locally, please leave a comment.

My other articles related to PDF file analysis:

If you’re you’d like to learn how to analyze malicious PDFs, check out the Reverse-Engineering Malware course

I teach at SANS Institute.

Update: For another excellent free PDF analysis tool, take a look at my follow-up post Analyzing Suspicious PDF Files With Peepdf.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →