A few weeks ago I made a post here about a PDF that evaded all malware detection and caused a security breach, almost certainly through PDF instructions hidden inside of an Adobe Type1 Font binary stream embedded within a PDF. At the time I posted a link to a tool I wrote called The Pdfalyzer that diagrams a PDF's internals and scans for various suspect content.

Long story short, I ended up realizing that I could use YARA as a generic backend matching engine to locate these and other byte patterns, and a couple of Python libraries to try to detect the character encoding and/or force encodings of my choice upon the matched bytes. I ended up extracting the binary regex/YARA match/force decode part of The Pdfalyzer into a new tool that just does the matching/decoding part, which I called The Yaralyzer.
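The match-then-force-decode idea described above, as an added example that is not code from The Yaralyzer or The Pdfalyzer. It stands in Python's `re` over raw bytes for the YARA matching backend, and a printable-character ratio for a charset-detection library, so it runs offline with the standard library only. The keyword list, the candidate encodings and the sample byte blob are constructed for the example; the point it shows is that a keyword stored as UTF-16LE is invisible to an ASCII-only pattern, and that once you have the matched bytes you can try every encoding rather than trusting one.

```python
import re
import string

# Constructed: PDF action keywords worth flagging. YARA strings would play this
# role in the real tool; here they are compiled as byte regexes in two encodings.
KEYWORDS = ("/OpenAction", "/JavaScript", "/Launch", "/URI")
PATTERNS = {
    "pdf_action_ascii": re.compile(
        b"|".join(re.escape(k.encode("ascii")) for k in KEYWORDS)),
    # UTF-16LE interleaves a NUL after each ASCII byte, so the ASCII rule misses it.
    "pdf_action_utf16le": re.compile(
        b"|".join(re.escape(k.encode("utf-16-le")) for k in KEYWORDS)),
}

# Constructed candidate encodings to force onto matched bytes, tried in this order.
CANDIDATE_ENCODINGS = ("ascii", "utf-8", "utf-16-le", "utf-16-be", "latin-1")

# Constructed sample: binary noise around two UTF-16LE keywords and one plain one.
SAMPLE = (
    b"\x00\x01\xff\xfe"
    + "/OpenAction /JavaScript".encode("utf-16-le")
    + b"\x00\x00\x7f\x80plain /Launch\xde\xad"
)


def find_matches(data, patterns=PATTERNS):
    """Run every byte pattern over data; return (rule, start, end, bytes) sorted by offset."""
    hits = []
    for name, pat in patterns.items():
        for m in pat.finditer(data):
            hits.append((name, m.start(), m.end(), m.group(0)))
    return sorted(hits, key=lambda h: h[1])


def printable_ratio(text):
    """Fraction of characters that are printable ASCII; crude stand-in for chardet."""
    if not text:
        return 0.0
    return sum(1 for ch in text if ch in string.printable) / len(text)


def force_decode(chunk, encodings=CANDIDATE_ENCODINGS):
    """Decode chunk under every candidate encoding without ever raising.

    Returns {encoding: (text, printable_ratio, decoded_strictly)}. A strict
    failure (e.g. odd length for UTF-16) is kept, with replacement characters,
    so the analyst still sees what that encoding would have produced.
    """
    results = {}
    for enc in encodings:
        try:
            text = chunk.decode(enc)
            results[enc] = (text, printable_ratio(text), True)
        except UnicodeDecodeError:
            text = chunk.decode(enc, errors="replace")
            results[enc] = (text, printable_ratio(text), False)
    return results


def best_guess(chunk, encodings=CANDIDATE_ENCODINGS):
    """Prefer encodings that decoded strictly, then the most printable result.

    sorted() is stable, so ties fall back to the order in CANDIDATE_ENCODINGS.
    Returns (encoding, decoded_text).
    """
    ranked = sorted(force_decode(chunk, encodings).items(),
                    key=lambda kv: (kv[1][2], kv[1][1]), reverse=True)
    enc, (text, _ratio, _strict) = ranked[0]
    return enc, text


def context_hex(data, start, end, pad=6):
    """Hex dump of the match with a little surrounding context, for the report."""
    lo, hi = max(0, start - pad), min(len(data), end + pad)
    return data[lo:hi].hex(" ")


def report(data):
    """One row per hit: rule, offset, best-guess encoding, decoded text, context."""
    rows = []
    for rule, start, end, matched in find_matches(data):
        enc, text = best_guess(matched)
        rows.append((rule, start, enc, text, context_hex(data, start, end)))
    return rows


if __name__ == "__main__":
    for rule, offset, enc, text, ctx in report(SAMPLE):
        print(f"{rule:20} @{offset:<4} {enc:10} {text!r:16} {ctx}")
```

Every hit is decoded under all candidates and only ranked afterwards, which is the point of forcing encodings instead of detecting one: a blob that decodes cleanly as ASCII (NULs are valid ASCII) can still be far more readable as UTF-16LE, and the ratio makes that visible rather than hiding it behind a single guess.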
I think you could do a lot of this with cyberchef