guglasset.blogg.se

Check pdf info








This will convert it from pdf to ps and back to pdf.


If you are on Linux, something as simple as:

    pdf2ps input.pdf - | ps2pdf - output.pdf

I imagine that this is what pdfid -d is supposed to do, but considering that I know nothing about the tool, that would be something best directed to the author. You can also try to find a way to remove any JavaScript from the PDF before viewing. If you are worried, you can always try to open it in a virtual machine, or find a PDF reader that doesn't process JavaScript. If it came from a reputable source and you have no reason to distrust it, I would probably just open it. Do you have any reason to distrust this PDF file?

If none of those options appeal to you, I would try to look at this as a risk/benefit analysis: Then again, you might have to find another tool or attempt it yourself. Since the tool in question is already parsing a PDF file, it may be possible to get that information out of said tool. The best way to find out would be to try to extract the JavaScript in question and see what it actually does without running it.


That being said, it is possible this document contains malicious JavaScript. From my perspective, the biggest problem I see is a researcher who perhaps doesn't understand the difference between correlation and causation. Do I therefore disable JavaScript in my browser or avoid pages with JavaScript? Obviously not. Here is an equally true statement: "Every malicious website I have seen contains JavaScript". He doesn't state that himself, but he does state the very useless qualifier that "every malicious PDF file I have seen contains JavaScript/actions". Considering that both JavaScript and actions are a part of the Adobe standard for PDF files, it seems crazy to assume that just because a PDF file contains JavaScript/actions that it might be malicious. Perhaps someone who is more of a PDF expert can come by and give some better information, but from what I have seen so far it doesn't seem like his tool is actually very helpful for trying to decide if a particular PDF file contains malicious JavaScript. I put that title in quotes simply because I know nothing about him, other than the fact that he claims to be a security researcher and likes putting his name on his website.

Here is also a nice cheat-sheet for analyzing malicious documents.

Also take a look at 'How can I tell if a PDF file I was sent contains malware?'

After a little looking, it appears that the tool you are using to investigate this PDF document is a standalone Python(?) tool written by a "security researcher".

One alternative to using JavaScript is to embed Flash objects in the PDF instead.

From PDF document: The Rise of PDF Malware


The PDF specification supports JavaScript programming and makes a number of JavaScript functions available to programmers in the form of APIs.

Due to its flexibility and ease of use, JavaScript is widely used in malicious PDFs, and it is used to exploit a vulnerable JavaScript API and to set up the PDF reader program's memory with malicious code (aka heap spray).

Although the majority of malicious PDFs observed in the wild use JavaScript, either for the exploit or to set up the memory for further exploitation, we have observed other techniques used as well.

What are the differences between JS and JavaScript, AA and OpenAction if they show the same thing?

Analyzing a malicious PDF can sometimes be very tricky; attackers are becoming more and more creative in their ways of infecting people.

But let's make this simple: here are some examples which will indicate that a PDF is malicious. All malicious PDF documents with JavaScript I've seen in the wild had an automatic action to launch the JavaScript without user interaction. /AA and /OpenAction indicate an automatic action to be performed when the page/document is viewed. Of course, you can also find JavaScript in PDF documents without malicious intent. Almost all malicious PDF documents that I've found in the wild contain JavaScript (to exploit a JavaScript vulnerability and/or to execute a heap spray). /JS and /JavaScript indicate that the PDF document contains JavaScript.

  • Can I safely read the PDF after using the pdfid -d command?
  • If possible, explain with simple examples.


    Which of these (AA, ObjStm, XFA, etc.) are really dangerous? Yeah, I read here about the values of these items, but still don't know how to react to them. But antiviruses do not always find what's wrong, right? I also checked the file with VirusTotal, where it says that the file is clean. When checking the file via pdfid, I get this: PDF Header: %PDF-1.6








