analyzing-pdf-malware-with-pdfid

# Analyzing PDF Malware with PDFiD ## When to Use - A suspicious PDF attachment has been flagged by email security or reported by a user - You need to determine if a PDF contains embedded JavaScript, shellcode, or exploit code - Triaging PDF documents before opening them in a sandbox or analysis environment - Extracting embedded executables, scripts, or URLs from malicious PDF objects - Analyzing PDF exploit kits targeting Adobe Reader or other PDF viewer vulnerabilities **Do not use** for analyzing the rendered visual content of a PDF; this is for structural analysis of the PDF file format for malicious objects. ## Prerequisites - Python 3.8+ with Didier Stevens' PDF tools installed (`pip install pdfid pdf-parser`) - peepdf installed for interactive PDF analysis (`pip install peepdf`) - pdftotext from poppler-utils for extracting text content safely - YARA with PDF-specific rules for malware family identification - Isolated analysis VM without a PDF reader installed (prevent accidental opening) - CyberChef for decoding embedded Base64, hex, or deflate streams ## Workflow ### Step 1: Initial Triage with PDFiD Scan the PDF for suspicious keywords and structures: ```bash # Run PDFiD to identify suspicious elements pdfid suspect.pdf # Expected output analysis: # /JS - JavaScript (HIGH risk) # /JavaScript - JavaScript object (HIGH risk) # /AA - Auto-Action triggered on open (HIGH risk) # /OpenAction - Action on document open (HIGH risk) # /Launch...