analyzing-malicious-pdf-with-peepdf | cybersec-toolkit

Stats

Actions

Tags

analyzing-malicious-pdf-with-peepdf | cybersec-toolkit

Analyzing Malicious PDF with peepdf

When to Use

When triaging suspicious PDF attachments from phishing emails
During malware analysis of PDF-based exploit documents
When extracting embedded JavaScript, shellcode, or executables from PDFs
For forensic examination of weaponized document artifacts
When building detection signatures for PDF-based threats

Prerequisites

Python 3.8+ with peepdf-3 installed (pip install peepdf-3)
pdfid.py and pdf-parser.py from Didier Stevens suite
Isolated analysis environment (VM or sandbox)
Optional: PyV8 for JavaScript emulation within peepdf
Optional: Pylibemu for shellcode analysis

Workflow

Triage with pdfid: Scan PDF for suspicious keywords (/JS, /JavaScript, /OpenAction, /Launch, /EmbeddedFile).
Interactive Analysis: Open PDF in peepdf interactive mode to explore object structure.
Identify Suspicious Objects: Locate objects containing JavaScript, streams, or encoded data.
Extract Content: Dump suspicious streams and decode filters (FlateDecode, ASCIIHexDecode).
Deobfuscate JavaScript: Analyze extracted JS for shellcode, heap sprays, or exploit code.
Check VirusTotal: Use peepdf vtcheck to cross-reference file hash with AV detections.
Generate IOCs: Extract URLs, domains, hashes, and shellcode signatures.

Key Concepts

Concept	Description
/OpenAction	Automatic action executed when PDF is opened
/JavaScript /JS	Embedded JavaScript code in PDF objects
/Launch	Action that launches external applications
/EmbeddedFile	File embedded within the PDF structure
FlateDecode	zlib compression filter used to hide content
Object Streams	PDF objects stored in compressed streams

Tools & Systems

Tool	Purpose
peepdf / peepdf-3	Interactive PDF analysis with JS emulation
pdfid.py	Quick triage scanning for suspicious keywords
pdf-parser.py	Deep object-level PDF parsing
VirusTotal	Hash lookup and AV detection cross-reference
CyberChef	Decode and transform extracted payloads

Output Format

Analysis Report: PDF-MAL-[DATE]-[SEQ]
File: [filename.pdf]
SHA-256: [hash]
Suspicious Keywords: [/JS, /OpenAction, etc.]
Objects with JavaScript: [Object IDs]
Extracted URLs: [List]
Shellcode Detected: [Yes/No]
Embedded Files: [Count and types]
VirusTotal Detections: [X/Y engines]
Risk Level: [Critical/High/Medium/Low]