forensics – peepdf

peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it’s possible to see all the objects in the document showing the suspicious elements, supports all the most used filters and encodings, it can parse different versions of a file, object streams and encrypted files. With the installation of Spidermonkey and Libemu it provides Javascript and shellcode analysis wrappers too. Apart of this it’s able to create new PDF files and to modify existent ones.

backtrack 5r3

root@bt:/pentest/forensics/peepdf# ./ /root/pdf_file.pdf
Warning: Spidermonkey is not installed!!

File: pdf_file.pdf
MD5: 2ae6d182bf60a037465d7dbdf6dba67b
SHA1: 7ee85da0ecb76a051318bdf163433c56a642e283
Size: 85698 bytes
Version: 1.3
Binary: True
Linearized: False
Encrypted: False
Updates: 0
Objects: 20
Streams: 3
Comments: 0
Errors: 0

Version 0:
Catalog: 20
Info: 1
Objects (20): [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20]
Streams (3): [3, 6, 17]
Encoded (3): [3, 6, 17]
Suspicious elements:
/Names: [11, 20]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s