Thursday, September 22, 2011

PDFExaminer command line scanner

Our command line version of PDF Examiner is pretty popular with those who have a lot of malware PDFs to process locally. It's a commercial product and includes a year of our CVE identification updates. It's a PHP library and utility that can be easily customized, designed for detection from the command line where the visual object-by-object walkthrough is not required. The command line version can optionally write the extracted PDF objects to files in their decoded form, so the objects flagged with exploits can be examined in a hex viewer.

$ php pdfex.php 3d1fc4deb5705c750df6930550c2fc16.pdf is_malware
1

$ php pdfex.php 3d1fc4deb5705c750df6930550c2fc16.pdf summary
19.0@993: suspicious.obfuscation using unescape
19.0@993: suspicious.string heap spray shellcode
19.0@993: suspicious.obfuscation using substr
19.0@993: suspicious.obfuscation using substring
19.0@993: suspicious.obfuscation using util.byteToChar
24.0@3857: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
2.0@5114: flash.exploit CVE-2011-0609
2.0@5114: suspicious.string heap spray shellcode
2.0@5114: suspicious.flash Embedded Flash
30.0@4064: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
$ php pdfex.php 3d1fc4deb5705c750df6930550c2fc16.pdf
Array
(
[exploit] => 1
[hits] => 4
[completed] => 1
[is_malware] => 1
[summary] => 19.0@993: suspicious.obfuscation using unescape
19.0@993: suspicious.string heap spray shellcode
19.0@993: suspicious.obfuscation using substr
19.0@993: suspicious.obfuscation using substring
19.0@993: suspicious.obfuscation using util.byteToChar
24.0@3857: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
2.0@5114: flash.exploit CVE-2011-0609
2.0@5114: suspicious.string heap spray shellcode
2.0@5114: suspicious.flash Embedded Flash
30.0@4064: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

[severity] => 70
[engine] => 56
)
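A small post-processing script for the `summary` output above, added here as an example and not part of PDFExaminer: it parses the `obj.gen@offset: rule detail` lines into object, generation, offset and rule name, groups hits per object, pulls out CVE identifiers, and applies a verdict rule that is my own assumption, not the tool's logic (any `.exploit` rule means malicious; `suspicious.*` hits alone are only leads). The sample input is the summary shown above, embedded inline; Python is used so it can sit behind pdfex.php in any triage pipeline.

```python
import re
from collections import Counter

# Constructed sample: the summary lines shown for the PDF on this page, in
# pdfex.php's "obj.gen@offset: rule detail" line format.
SAMPLE_SUMMARY = """\
19.0@993: suspicious.obfuscation using unescape
19.0@993: suspicious.string heap spray shellcode
19.0@993: suspicious.obfuscation using substr
19.0@993: suspicious.obfuscation using substring
19.0@993: suspicious.obfuscation using util.byteToChar
24.0@3857: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
2.0@5114: flash.exploit CVE-2011-0609
2.0@5114: suspicious.string heap spray shellcode
2.0@5114: suspicious.flash Embedded Flash
30.0@4064: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
"""

# One summary line: object number, generation, byte offset, rule name, free text.
LINE_RE = re.compile(r"^(\d+)\.(\d+)@(\d+):\s+(\S+)\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_summary(text):
    """Return one dict per summary line; lines that do not match are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        obj, gen, offset, rule, detail = m.groups()
        hits.append({"obj": int(obj), "gen": int(gen), "offset": int(offset),
                     "rule": rule, "detail": detail, "cves": CVE_RE.findall(detail)})
    return hits

def triage(text):
    """Group hits per object and decide whether an exploit-class rule fired."""
    hits = parse_summary(text)
    per_object = Counter(f"{h['obj']}.{h['gen']}" for h in hits)
    cves = sorted({c for h in hits for c in h["cves"]})
    exploit_rules = sorted({h["rule"] for h in hits if h["rule"].endswith(".exploit")})
    # Assumed verdict rule (not pdfex.php's own): any *.exploit rule means malicious,
    # while suspicious.* hits on their own are only leads for manual review.
    return {"lines": len(hits), "objects": dict(per_object), "cves": cves,
            "exploit_rules": exploit_rules, "is_malware": bool(exploit_rules)}

if __name__ == "__main__":
    import json, sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SUMMARY
    print(json.dumps(triage(data), indent=2))
```

Pipe `php pdfex.php <file> summary` into it to process a batch; with no stdin it runs on the embedded sample.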
