Malicious PDF files are frequently used as part of targeted and mass-scale computer attacks. Being able to analyze PDFs to understand the associated threats is an increasingly important skill for security incident responders and digital forensic analysts. Here are 6 free tools you can install on your system and use for this purpose.
Analyzing a PDF file involves examining, decoding and extracting the contents of suspicious PDF objects that may be used to exploit a vulnerability in the PDF viewer (typically Adobe Reader) and execute a malicious payload. There is an increasing number of tools designed to assist with this process, including the following:
- PDF Tools by Didier Stevens is the classic toolkit that established the foundation for our understanding of the PDF analysis process. It includes pdfid.py to quickly scan the PDF for risky objects and, most usefully, pdf-parser.py to examine their contents.
- MalObjClass by Brandon Dixon provides a Python framework for building a JSON object that represents the components of a PDF file. This capability allows programmers to easily parse, examine and decode malicious PDF objects. The tool even includes the ability to scan the file with VirusTotal.
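To make the analysis process concrete, here is a small Python script, added for this page and not taken from Didier Stevens' PDF Tools or Brandon Dixon's MalObjClass, that does in miniature what pdfid.py and pdf-parser.py do: it tallies risky name tokens after undoing the /#xx hex-escape obfuscation attackers use to hide names such as /JavaScript, inflates FlateDecode streams, and follows /JS indirect references to recover the script itself. It goes a step beyond the tool descriptions above by resolving the reference chain from /OpenAction to the stream holding the code. The function names are hypothetical, and the sample PDF is constructed inline and harmless (its script only calls app.alert).

```python
"""Minimal pdfid/pdf-parser-style triage of a PDF: count risky name tokens
(after undoing /#xx name obfuscation), inflate FlateDecode streams and
follow /JS references to recover embedded JavaScript.
Added example; not code from Didier Stevens' PDF Tools or MalObjClass."""
import re
import zlib

# Names pdfid.py also tallies. None proves malice by itself, but /JS or
# /JavaScript together with /OpenAction or /AA (run on open) deserves a look.
RISKY_NAMES = (
    "/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/ObjStm", "/AcroForm", "/XFA",
)

HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_START_RE = re.compile(rb"stream\r?\n")
# Direct /Length only; an indirect "/Length 7 0 R" is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\d|\s+\d+\s+R)")
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")
JS_LITERAL_RE = re.compile(rb"/JS\s*\(([^)]*)\)")  # nested parens not handled


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes: /J#61vaScript -> /JavaScript."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_risky_names(data: bytes) -> dict:
    """Tally RISKY_NAMES the way pdfid does, after de-obfuscating names."""
    norm = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # Reject a longer name that merely starts with ours (/JS vs /JSX).
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        counts[name] = len(re.findall(pattern, norm))
    return counts


def extract_streams(data: bytes) -> list:
    """Return (object number, normalized dictionary, decoded stream) tuples."""
    results = []
    for m in OBJ_RE.finditer(data):
        objnum, body = int(m.group(1)), m.group(3)
        sm = STREAM_START_RE.search(body)
        if not sm:
            continue
        # Only the dictionary is normalized; the stream bytes stay untouched.
        dictionary = normalize_names(body[:sm.start()]).strip()
        rest = body[sm.end():]
        lm = LENGTH_RE.search(dictionary)
        if lm:
            raw = rest[: int(lm.group(1))]
        else:
            # Indirect or missing /Length: fall back to the endstream keyword.
            end = rest.rfind(b"endstream")
            raw = rest[:end].rstrip(b"\r\n") if end >= 0 else rest
        if b"/FlateDecode" in dictionary:
            try:
                # decompressobj tolerates trailing junk after the zlib data.
                raw = zlib.decompressobj().decompress(raw)
            except zlib.error:
                pass  # corrupt streams are common in malware; keep raw bytes
        results.append((objnum, dictionary, raw))
    return results


def find_javascript(data: bytes) -> list:
    """Return (source object number or None, code) for every /JS entry."""
    streams = {num: content for num, _d, content in extract_streams(data)}
    norm = normalize_names(data)  # used only to locate references
    found = [(int(m.group(1)), streams[int(m.group(1))])
             for m in JS_REF_RE.finditer(norm) if int(m.group(1)) in streams]
    found += [(None, m.group(1)) for m in JS_LITERAL_RE.finditer(norm)]
    return found


# Constructed, harmless script used by the sample document below.
JS_PAYLOAD = b"var s = unescape('%u9090'); app.alert('constructed sample');"


def build_sample_pdf() -> bytes:
    """Constructed sample: /OpenAction runs JavaScript kept in a FlateDecode
    stream, with the /JavaScript name hex-obfuscated as /J#61vaScript."""
    compressed = zlib.compress(JS_PAYLOAD)
    head = (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
        b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj\n"
        b"5 0 obj << /Length " + str(len(compressed)).encode()
        + b" /Filter /FlateDecode >>\nstream\n"
    )
    tail = b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    return head + compressed + tail


if __name__ == "__main__":
    pdf = build_sample_pdf()
    for name, n in count_risky_names(pdf).items():
        if n:
            print(f"{name:<14}{n}")
    for src, code in find_javascript(pdf):
        print(f"JavaScript from object {src}: {code.decode(errors='replace')}")
```

Run against the sample, the tally shows /JavaScript, /JS and /OpenAction once each (a plain byte search for "/JavaScript" would have missed the /J#61vaScript spelling), and the decoded stream from object 5 is the script. Real documents need more than this: object streams (/ObjStm), cross-reference streams, other filters such as ASCIIHex or LZW, and deliberately broken syntax are exactly where pdf-parser.py and MalObjClass earn their keep.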
If you know of other tools that work well for analyzing malicious PDF files and that can be installed locally, please leave a comment.
My other articles related to PDF file analysis:
- Analyzing Suspicious PDF Files With PDF Stream Dumper
- How to Extract Flash Objects from Malicious PDF Files
- Analyzing Malicious Documents Cheat Sheet
- 6 Hex Editors for Malware Analysis
If you’d like to learn how to analyze malicious PDFs, check out the Reverse-Engineering Malware course I teach at SANS Institute.
Update: For another excellent free PDF analysis tool, take a look at my follow-up post Analyzing Suspicious PDF Files With Peepdf.