Peepdf is a tool for the forensic analysis of PDF documents. Many social engineering attacks deliver a malicious PDF that carries embedded JavaScript and shellcode.
It can analyze suspicious objects and data streams inside a PDF document, and with some additional packages installed a security researcher can analyze that JavaScript and shellcode in detail. Some of the main features of peepdf are:
- Parses and analyzes a PDF document
- Extracts data objects and streams
- Extracts metadata
- Extracts data from encoded (filtered) and encrypted documents as well
- XML output
- Interactive console
A security researcher can use this tool to check for hidden shellcode or JavaScript, or for the fingerprints of known vulnerabilities such as CVE-2013-2729. Another use is obviously cyber forensics:
it can extract all metadata and data streams inside the document, so that a forensic investigator can use them for pattern matching, analyze the shellcode, or simply pull the metadata, confirm the presence of malicious code and preserve it as evidence.
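To make concrete what "extracting objects and streams" involves, here is an added example (not peepdf's own code, which additionally resolves the xref table, object streams, the other standard filters and encryption) that scans a flat PDF for `N G obj ... endobj` pairs, inflates FlateDecode streams, and flags the dictionary keys and JavaScript markers a first-pass triage looks for. The sample PDF embedded in it is constructed for the example, and the key and marker lists are the example's own choices rather than peepdf's.

```python
import hashlib
import re
import zlib

# Constructed sample, not a real malware file: a minimal PDF whose catalog
# /OpenAction fires a JavaScript action whose code lives in a FlateDecode stream.
JS_PAYLOAD = b'var sc = unescape("%u9090%u9090%ucccc"); app.alert("hi");'
_COMPRESSED = zlib.compress(JS_PAYLOAD)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /JavaScript /JS 5 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Length " + str(len(_COMPRESSED)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _COMPRESSED + b"\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_START_RE = re.compile(rb"stream\r?\n")
# Direct /Length only; an indirect "/Length 7 0 R" must not match, hence the lookahead.
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")

# Keys that give a document active content; this list is the example's choice.
SUSPICIOUS_KEYS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
                   b"/EmbeddedFile", b"/RichMedia")
JS_MARKERS = (b"unescape(", b"eval(", b"String.fromCharCode", b"app.")


def parse_objects(data):
    """Map object number -> {'dict': bytes, 'stream': bytes|None} by scanning for
    'N G obj ... endobj'. No xref/object-stream handling: good enough for a flat,
    unencrypted file, which is what a first-pass triage usually sees."""
    objects = {}
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        sm = STREAM_START_RE.search(body)
        if not sm:
            objects[num] = {"dict": body.strip(), "stream": None}
            continue
        dict_part = body[:sm.start()].strip()
        lm = DIRECT_LENGTH_RE.search(dict_part)
        if lm:   # exact, binary-safe slice of the declared length
            raw = body[sm.end():sm.end() + int(lm.group(1))]
        else:    # indirect or missing /Length: fall back to the endstream keyword
            raw = body[sm.end():body.rfind(b"endstream")].rstrip(b"\r\n")
        objects[num] = {"dict": dict_part, "stream": raw}
    return objects


def decode_stream(obj):
    """Apply /FlateDecode when the dictionary names it. Other filters are returned
    raw; a corrupt deflate stream is also returned raw instead of aborting,
    because deliberately damaged streams are a common evasion trick."""
    raw = obj["stream"]
    if raw is None:
        return None
    if b"/FlateDecode" in obj["dict"]:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw
    return raw


def find_suspicious(data):
    """Return one finding per object that carries active-content keys or a stream
    that decodes to JavaScript-looking text, with a SHA-256 for evidence handling."""
    findings = []
    for num, obj in sorted(parse_objects(data).items()):
        keys = [k.decode() for k in SUSPICIOUS_KEYS if k in obj["dict"]]
        if keys:
            findings.append({"obj": num, "reason": "keys " + " ".join(keys), "payload": None})
        payload = decode_stream(obj)
        if payload and any(marker in payload for marker in JS_MARKERS):
            findings.append({"obj": num, "reason": "JavaScript in stream",
                             "sha256": hashlib.sha256(payload).hexdigest(),
                             "payload": payload})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_PDF):
        print(f["obj"], f["reason"], (f["payload"] or b"")[:60])
```

Run against the constructed sample, this reports object 1 (/OpenAction), object 4 (/JS and /JavaScript) and object 5 (the inflated stream containing unescape()), which is the same chain peepdf's tree and js_code commands would walk. Note the deliberate choice to slice by the declared /Length rather than searching for "endstream": binary stream data can legitimately contain the keyword or a trailing carriage return, and a parser that trusts the keyword is easy to mislead.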
Options – Peepdf
Syntax: peepdf <options> PDF-FILE
- -h, --help: show this help message and exit
- -i, --interactive: sets console mode
- -s SCRIPTFILE, --load-script=SCRIPTFILE: loads the commands stored in the specified file and executes them
- -f, --force-mode: sets force parsing mode to ignore errors
- -l, --loose-mode: sets loose parsing mode to catch malformed objects
- -u, --update: updates peepdf with the latest files from the repository
- -g, --grinch-mode: avoids colorized output in the interactive console
- -v, --version: shows the program's version number
- -x, --xml: shows the document information in XML format
Malicious PDFs are frequently malformed on purpose, so -f and -l are usually needed to get a complete object list out of a real sample.
Lab 1: Install Spidermonkey & Pylibemu
In this lab, we will install three additional packages so that peepdf can analyze JavaScript and shellcode. The packages are:
- libemu – basic x86 emulation and shellcode detection
- pylibemu – Python wrapper for the libemu library
- python-spidermonkey – Python bindings for Mozilla's SpiderMonkey JavaScript engine
Step 1: Install Libemu
First, install the required build dependencies and Python packages (these are Python 2 packages, which is what peepdf and these bindings target).
apt-get install autoconf libemu python-dev python-lxml python-pyrex
Clone the package from Git. Make sure git is installed; Kali ships with git pre-installed.
git clone git://git.carnivore.it/libemu.git
Configure and install libemu from the cloned tree. The last command is ldconfig (not ldconf), so the new library in /opt/libemu/lib is registered with the loader.
cd libemu/
autoreconf -v -i
./configure --enable-python-bindings --prefix=/opt/libemu
make -j4
make install
ldconfig -n /opt/libemu/lib
Step 2: Install Pylibemu
Again, clone from git.
git clone https://github.com/buffer/pylibemu.git
Install pylibemu. The clone creates a pylibemu directory, so change into it first; the ld.so.conf.d entry tells the loader where the libemu built in Step 1 lives.
cd pylibemu/
echo "/opt/libemu/lib" > /etc/ld.so.conf.d/pylibemu.conf
python setup.py build
python setup.py install
Step 3: Install Spidermonkey
apt-get install python-pyrex
svn checkout http://python-spidermonkey.googlecode.com/svn/trunk/ python-spidermonkey
cd python-spidermonkey
python setup.py build
python setup.py install
ldconfig
The final ldconfig also picks up the ld.so.conf.d entry written in Step 2. Note that Google Code project hosting has since been shut down, so this Subversion URL no longer resolves; the command is kept as the original procedure, and an archived copy of python-spidermonkey is needed to reproduce it today.
Execute peepdf to check that the packages were picked up; any PDF file will do. peepdf prints a warning at startup if the JavaScript engine or pylibemu cannot be imported, so a clean start with no such warning means both bindings are in place.
peepdf evil.pdf
Replace evil.pdf with the path to your own sample.
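The reason for libemu and pylibemu is that shellcode in a malicious PDF's JavaScript is commonly carried as an unescape("%u....") string that the script sprays into memory; before it can be emulated it has to be turned back into the bytes the engine would place there. The following added example (not part of the original page, nor of peepdf, libemu or pylibemu) pulls every unescape() literal out of a constructed JavaScript snippet, decodes it with the rules the engine uses (%uXXXX is a 16-bit code unit stored little-endian, %XX a single byte), and reports the length of any leading NOP sled. The decoded bytes are what you would save to a file and hand to libemu's sctest or to pylibemu; the sample script and payload bytes are constructed for this example.

```python
import re
import struct

# Constructed JavaScript fragment (not taken from a real sample): a NOP sled and a
# short payload, each written the way PDF exploits ship them.
SAMPLE_JS = '''
var nops = unescape("%u9090%u9090%u9090%u9090");
var sc = unescape("%uE8FC%u0082%u0000%u8960%u31e5");
var block = nops + sc;
'''

UNESCAPE_CALL_RE = re.compile(r'''unescape\(\s*(['"])(.*?)\1\s*\)''', re.DOTALL)
ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", re.DOTALL)


def js_unescape_to_bytes(s):
    """Decode an unescape() argument into the bytes it occupies in memory.
    %uXXXX is a 16-bit code unit stored little-endian (so %u9090 -> 90 90 and
    %uE8FC -> FC E8), %XX is a single byte, and anything else passes through as
    its Latin-1 byte. A malformed escape is kept literally, as the engine does."""
    out = bytearray()
    for m in ESCAPE_RE.finditer(s):
        if m.group(1):
            out += struct.pack("<H", int(m.group(1), 16))
        elif m.group(2):
            out.append(int(m.group(2), 16))
        else:
            out += m.group(3).encode("latin-1", "replace")
    return bytes(out)


def nop_sled_length(blob):
    """Count leading 0x90 bytes; a long sled is a strong heap-spray indicator."""
    return len(blob) - len(blob.lstrip(b"\x90"))


def extract_shellcode(js_source):
    """Return (decoded_bytes, sled_length) for every unescape("...") literal in
    the script, in source order."""
    results = []
    for m in UNESCAPE_CALL_RE.finditer(js_source):
        blob = js_unescape_to_bytes(m.group(2))
        results.append((blob, nop_sled_length(blob)))
    return results


if __name__ == "__main__":
    for i, (blob, sled) in enumerate(extract_shellcode(SAMPLE_JS)):
        print("literal %d: %d bytes, sled %d, head %s" % (i, len(blob), sled, blob[:8].hex()))
        # Write blob to a file here to feed it to sctest or pylibemu.
```

The byte order is the point to get right: the engine stores each %uXXXX as a UTF-16 code unit, so the high byte of the escape lands second in memory, and shellcode written as %uE8FC decodes to the bytes FC E8. Decoding with the wrong order produces bytes that an emulator will reject as not being shellcode at all, which is a frequent cause of false negatives during manual analysis.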