pdfalyzer VS DidierStevensSuite

Direct link to the folder with 3 .yara files compiling a bunch of YARA rule sources. Looking for anything not represented here, or even ideas for such.

The Pdfalyzer is a command line tool (paralyze) as well as a library for working with, visualizing, and scanning the contents of a PDF. Motivation for the project was personal: I got hacked by a PDF that turned out to be hiding its maleficent instructions inside the font binary where it was missed by modern malware scanners (twitter thread) (more details)

A few weeks ago I made a post here about a PDF that evaded all malware detection and caused a security breach, almost certainly through PDF instructions hidden inside of an Adobe Type1 Font binary stream embedded within a PDF. At the time I posted a link to a tool I wrote called The Pdfalyzer that diagrams a PDF's internal and scans for various suspect content.

I dramatically scaled up the binary data scouring and visualization in the pdfalyzer... can rip through every backtick/frontslash/single or double quoted/etc etc set of bytes in the binaries and try a bunch of aggressive approaches to force decode them.

The tool is the the pdfalyzer; I just open sourced it. Meant to fill in some gaps around pdf-parser.py and the rest of Didier Stevens's malicious PDF toolkit. Makes pretty charts, previews binary data, and (most importantly) digs through PDF font binaries for potentially executable stuff. Example output can be seen at the GitHub link.

Didier Stevens is a famous security researcher, but his instructions on how to scan pdf's require the terminal & many commands. I am hostile to this in general as I think it can all be implemented in a simple one click scan tool, instead. Which is what I am looking for. Here are all his relevant links & antivirus/anti-malware projects & tutorials: https://github.com/DidierStevens/DidierStevensSuite

This tool was built to fill a gap in the PDF assessment landscape. Didier Stevens's pdfid.py and pdf-parser.py are still the best game in town when it comes to PDF analysis tools but they lack in the visualization department and also don't give you much to work with as far as giving you a data model you can write your own code around. Peepdf seemed promising but turned out to be in a buggy, out of date, and more or less unfixable state. And neither of them offered much in the way of tooling for embedded binary analysis. Thus I felt the world might be slightly improved if I strung together a couple of more stable/well known/actively maintained open source projects (AnyTree, PyPDF2, and Rich) into this tool.

OK then. So I won't accidentally miss any, I've made a little script to find them. It uses oledump.py which, as the name suggests is a Python script to dump OLE files. Here is oledump.py on Github. Excel stores its macros in an OLE file names xl/vbaProject.bin inside the .xlsm file, and oledump knows how to find that, list the streams in them, and extract the macros from the streams that contain them.

You can install emldump and programmatically extract all attachments

Didier Stevens Suite - He has a tool for everything.