In addition to providing the tools for analyzing PDF documents, we also wanted to give some indication of how likely it is that a given PDF file is malicious. Adding such a scoring system to peepdf was one of the projects of the Honeynet Google Summer of Code (GSoC) 2015 program, and the student Rohit Dua did a great job.
A beta version was presented at Black Hat Europe Arsenal 2015 last November, where Jose Miguel Esparza introduced the new functionality. The scoring is currently based on several indicators, such as:
Number of pages
Number of stream filters
Broken/Missing cross reference table
Malformed elements: garbage bytes, missing tags…
Encryption with default password
Big streams and strings
Objects not referenced from the Catalog
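To make the indicators above concrete, here is an added Python example (not peepdf's own code, which does far more thorough parsing) that computes a per-indicator score over a constructed minimal PDF. The weights, the regex-based object extraction and the sample document are assumptions for illustration only.

```python
import re
from collections import deque

# Constructed minimal PDF for the demo (not a real sample): one page, a stream
# chaining two filters, no xref table, and object 5 0 unreachable from the Catalog.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 3 /Filter [/FlateDecode /ASCIIHexDecode] >> stream
abc
endstream endobj
5 0 obj << /Orphan true >> endobj
trailer << /Root 1 0 R >>
%%EOF"""
# Indicator weights are assumptions for this illustration, not peepdf's values.
WEIGHTS = {"single_page": 1.0, "chained_filters": 1.0, "missing_xref": 2.0,
           "big_stream": 1.0, "unreferenced_object": 1.0}
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")

def score_pdf(data, big_stream=1_000_000):
    # Returns (total score, {indicator: contribution}) for raw PDF bytes.
    objs = {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(data)}
    counts = {}
    # Number of pages: a one-page document is a weak signal on its own.
    if sum(1 for b in objs.values() if re.search(rb"/Type\s*/Page\b", b)) == 1:
        counts["single_page"] = 1
    for b in objs.values():
        # Number of stream filters: more than one decoder chained on a stream.
        if b"stream" in b and len(re.findall(rb"/\w+Decode\b", b)) > 1:
            counts["chained_filters"] = counts.get("chained_filters", 0) + 1
        # Big streams: only direct /Length values are checked here.
        m = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", b)
        if m and int(m.group(1)) > big_stream:
            counts["big_stream"] = counts.get("big_stream", 0) + 1
    # Broken/missing cross reference table (classic table or /XRef stream).
    if not re.search(rb"\bxref\b", data) and b"/Type /XRef" not in data:
        counts["missing_xref"] = 1
    # Objects not referenced from the Catalog: walk indirect refs from /Catalog.
    roots = [n for n, b in objs.items() if b"/Type /Catalog" in b]
    seen, queue = set(roots), deque(roots)
    while queue:
        for ref in map(int, REF_RE.findall(objs[queue.popleft()])):
            if ref in objs and ref not in seen:
                seen.add(ref); queue.append(ref)
    if len(objs) - len(seen):
        counts["unreferenced_object"] = len(objs) - len(seen)
    hits = {k: n * WEIGHTS[k] for k, n in counts.items()}
    return sum(hits.values()), hits
```

Calling `score_pdf(SAMPLE_PDF)` reports the contribution of each triggered indicator separately, which is the same kind of breakdown the `score` command described below provides.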
Here’s a screenshot of the scoring system in action:
Besides that, a new command was created to show the individual score assigned to each indicator and to give more detail about how the global score was calculated. The command is called “score”, and this is an example of its output:
Sounds interesting? Go and try it out yourself:
We would also love to hear your feedback. Just send us an email at peepdf [AT] eternal-todo [DOT] com or reach us via GitHub.