I recently had to complete some work with inspecting a PDF file for malicious content. This was an interesting experience so I thought I’d share the approach I took to review the file from a sandboxed environment:
1. Start with using a service such as virustotal.com, scanii.com, metadefender.com to scan the file
2. Use Adobe Acrobat to browse the internal PDF structure. Launch the PreFlight Tool (Print Production > Preflight) and then under Options select Browse Internal PDF Structure.
3. Use an Adobe PDF meta data application to inspect the file. Here are some I used that were quite helpful:
peepdf.py – PeePDF is a Python based tool to explore PDF files
pdfid.py – PDFID is a Python based tool to scan the file looking for certain PDF keywords. For e.g., does the file contain JavaScript or execute an action when opened
pdf-parser.py – PDF-Parser is a Python based tool to parse a PDF document and identify the fundamental elements used in the file.
PDFUX – A collection of web based PDF utilities, including an inspector.
Additional Reading:
- Checking a PDF for exploits
- Viewing PDF objects
- PDF Tools from Didier Stevens
- Best tool tool for inspecting PDF files?
- PDF malware analysis
Additional Tools: