When I was struggling and scratching my head over how to analyse a malicious PDF, I found that a tool developed by bobby helped with my problem. PDF_streams_inflater is a tool for extracting and decompressing zlib-compressed (/FlateDecode) streams from PDF documents, which is where exploit code and embedded scripts are usually hidden from a plain text search. The tool is available for Linux, Windows and Mac.
The same logic is also available as a Python script:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# xxx_pdf.py
# Binjo @ 2008-10-10 16:41:08
#-------------------------------------------------------------------------------
import sys
import zlib


def main():
    """Print every /FlateDecode stream of the PDF named on the command line,
    decompressed. A stream that fails to inflate is reported instead of
    aborting the whole run.
    """
    with open(sys.argv[1], 'rb') as fh:
        xx = fh.read()
    while True:
        pos = xx.find(b'FlateDecode')
        if pos == -1:
            break
        # continue scanning after the filter name we just matched
        xx = xx[pos + len(b'FlateDecode'):]
        sop = xx.find(b'stream')
        if sop == -1:
            break
        # skip the 'stream' keyword and the end-of-line after it (LF or CRLF);
        # a leading newline would otherwise break the zlib header check
        start = sop + len(b'stream')
        while xx[start:start + 1] in (b'\r', b'\n'):
            start += 1
        yy = xx[start:xx.find(b'endstream', start)]
        try:
            print("\nhoooooooooooooo \n%s" % zlib.decompress(yy).decode('latin-1'))
        except zlib.error as exc:
            print("\n[stream after this FlateDecode failed to inflate: %s]" % exc)
#-------------------------------------------------------------------------------
if __name__ == '__main__':
    main()
#-------------------------------------------------------------------------------
# EOF
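The script above keys off the string FlateDecode and stops at the first stream that will not inflate. The example below is an addition to this post (it is neither PDF_streams_inflater nor Binjo's script) and shows the extraction done the way a triage tool should: it walks the stream keywords, reads the object dictionary in front of each one, honours a direct /Length value, tolerates CRLF line endings, and inflates incrementally so a truncated or corrupted stream still yields whatever bytes came before the damage. The sample PDF it runs on is constructed inline; real files are passed on the command line. All function and constant names are my own.

```python
#!/usr/bin/env python3
"""Locate PDF stream objects and inflate the /FlateDecode ones (added example)."""
import re
import sys
import zlib

# 'stream' keyword plus its end-of-line; the lookbehind keeps 'endstream'
# from matching.
STREAM_KW = re.compile(rb"(?<!end)stream\r?\n")
# Direct /Length only; an indirect reference such as '/Length 5 0 R' is left
# to the heuristic fallback.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
CHUNK = 16  # inflate in small pieces so partial output survives an error


def find_streams(data):
    """Return [(header, body)] for every stream in data.

    header is everything from the previous 'endobj' (or file start) up to
    the 'stream' keyword, i.e. the object number and its dictionary; body is
    the raw stream data.
    """
    streams = []
    for m in STREAM_KW.finditer(data):
        end = data.find(b"endstream", m.end())
        if end == -1:  # unterminated stream: nothing reliable to extract
            break
        prev = data.rfind(b"endobj", 0, m.start())
        header = data[0 if prev == -1 else prev + len(b"endobj"):m.start()]
        m_len = LENGTH_RE.search(header)
        if m_len:
            # /Length is authoritative; a wrong value shows up as 'truncated'
            # or 'corrupt' below, which is itself worth noting in a sample.
            body = data[m.end():m.end() + int(m_len.group(1))]
        else:
            # heuristic: drop exactly one EOL before 'endstream'
            body = re.sub(rb"\r?\n\Z", b"", data[m.end():end])
        streams.append((header.strip(), body))
    return streams


def inflate(body):
    """Inflate body, returning (output, status).

    status is 'ok', 'truncated' (input ended before the zlib trailer) or
    'corrupt: <zlib message>'; output holds whatever was recovered.
    """
    d = zlib.decompressobj()
    out = bytearray()
    try:
        for i in range(0, len(body), CHUNK):
            out += d.decompress(body[i:i + CHUNK])
        out += d.flush()
    except zlib.error as exc:
        return bytes(out), "corrupt: %s" % exc
    return bytes(out), "ok" if d.eof else "truncated"


def inflate_pdf(data):
    """Return [(header, output, status)] for every /FlateDecode stream."""
    results = []
    for header, body in find_streams(data):
        if b"/FlateDecode" not in header:
            continue  # unfiltered or other filter: leave as is
        out, status = inflate(body)
        results.append((header, out, status))
    return results


def pdf_object(num, body, filt=None, eol=b"\n"):
    """Serialise one stream object (helper for the constructed sample only)."""
    d = b"<< /Length %d" % len(body)
    if filt:
        d += b" /Filter /" + filt
    d += b" >>"
    return (b"%d 0 obj" % num + eol + d + eol + b"stream" + eol
            + body + eol + b"endstream" + eol + b"endobj" + eol)


def build_sample_pdf():
    """Constructed, minimal PDF for offline testing.

    Object 1: intact compressed stream with CRLF line endings.
    Object 2: unfiltered stream (must be skipped).
    Object 3: compressed stream with its last 12 bytes cut off.
    """
    good = zlib.compress(b"BT /F1 12 Tf (hello from object 1) Tj ET")
    cut = zlib.compress(b"object 3 text, repeated so it compresses " * 4)[:-12]
    return (b"%PDF-1.4\n"
            + pdf_object(1, good, b"FlateDecode", eol=b"\r\n")
            + pdf_object(2, b"raw!")
            + pdf_object(3, cut, b"FlateDecode")
            + b"%%EOF\n")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    for header, out, status in inflate_pdf(data):
        print("--- %s [%s]" % (b" ".join(header.split()).decode("latin-1"), status))
        print(out.decode("latin-1", "replace"))
```

Run it with no arguments to see the constructed sample: object 1 inflates cleanly, object 2 is skipped, and object 3 is reported as truncated with the text recovered up to the cut. The chunked decompressobj loop is the part worth keeping for real samples, since a plain zlib.decompress() discards everything it had already inflated when it hits a bad byte.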
Reference:
http://www.woodmann.com/forum/archive/index.php/t-12097.html
Tools:
(Win32) http://www.mc-antivirus-test.com/modules/PDdownloads/singlefile.php?cid=6&lid=25
(Mac) http://www.mc-antivirus-test.com/modules/PDdownloads/singlefile.php?cid=7&lid=27
(Linux) http://www.mc-antivirus-test.com/modules/PDdownloads/singlefile.php?cid=5&lid=26