Day 10 - Peepdf

Writer: Vesa Vertainen, Project Engineer, JAMK University of Applied Sciences

This Christmas we will be tweeting and blogging one useful CSIRT tool each day, thanking its makers and maintainers.

In the CinCan project we have so far dockerized dozens of tools. One of them is Peepdf, which was also introduced in an earlier blog post. Peepdf is developed and maintained by Jose Miguel Esparza, and it's a great tool for investigating the suspicious elements of a PDF file. It also has an interactive console mode, with the ability to analyse JavaScript and shellcode.

In this blog post we take steps to analyse a sample file from the cincan tools repository. First, to get information about the basic structure of the PDF, we run the cincan/peepdf image with Docker:

$ docker run --rm -v $(pwd):/data cincan/peepdf /data/samples/testfile.pdf -f

File: testfile.pdf
MD5: 78f981873db5f6b9a4051c81e8ab7788
SHA1: cbd14368ea99d737826e955b44336cb8e15bc7e4
SHA256: c9da6cafc33f5126180f2a6ae3d7b091c20e2056bae8ede164542cd519dc1194
Size: 1172 bytes
Version: 1.1
Binary: False
Linearized: False
Encrypted: False
Updates: 0
Objects: 7
Streams: 1
URIs: 0
Comments: 0
Errors: 0

Version 0:
    Catalog: 1
    Info: No
    Objects (7): [1, 2, 3, 4, 5, 6, 7]
    Streams (1): [5]
        Encoded (0): []
    Objects with JS code (1): [7]
    Suspicious elements:
        /OpenAction (1): [1]
        /JS (1): [7]
        /JavaScript (1): [7]

In addition to the basic information fields, Peepdf prints out the elements that it considers suspicious. In this case the suspicious elements are the JavaScript and the /OpenAction entry, which could mean that some action is performed when the document is opened.

To inspect further, we need to use Peepdf's interactive console, which has many useful commands. With the option -C we can run interactive console commands directly from the command line. This time, instead of docker, we'll use the cincan command line tool to inspect object 7:

$ cincan run cincan/peepdf samples/testfile.pdf -f -C "object 7"

cincan/peepdf: <= samples/testfile.pdf
cincan/peepdf: => .python-eggs/PyV8-1.0_dev-py2.7-linux-x86_64.egg-tmp/_PyV8.so

<< /Type /Action
/S /JavaScript
/JS var saN7a15C0miNg = new Array();var D4y50fxM45 = 24;var aDv3N7 = 1;var H0hohO = 0;function y3aR(){while (D4y50fxM45 > H0hohO) {D4y50fxM45-=aDv3N7;} neX7xM4S=("\x43\x69\x6e\x43\x61\x6e\x20\x43\x68\x72\x69\x73\x74\x6d\x61\x73\x21"); return neX7xM4S;}h4pP1 = new y3aR
 >>

The code looks a bit difficult to interpret, but fortunately Peepdf has several commands for JavaScript to help us out. Let's use the js_beautify command to make it clearer:

$ cincan run cincan/peepdf samples/testfile.pdf -f -C "js_beautify object 7"

var saN7a15C0miNg = new Array();
var D4y50fxM45 = 24;
var aDv3N7 = 1;
var H0hohO = 0;

function y3aR() {
    while (D4y50fxM45 > H0hohO) {
        D4y50fxM45 -= aDv3N7;
    }
    neX7xM4S = ("CinCan Christmas!");
    return neX7xM4S;
}
h4pP1 = new y3aR
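To show what the two Peepdf steps above do under the hood, here is an added Python example (not from the original post and not Peepdf's own code). It scans a constructed PDF for the same names Peepdf listed under "Suspicious elements", then pulls the /JS string out of the flagged object and decodes its \xNN escapes the way js_beautify did; the sample PDF and all function names are assumptions for this example.

```python
import re

# Constructed sample (not the post's testfile.pdf): a catalog whose /OpenAction
# points at a /JavaScript action hiding its text behind \xNN escapes.
SAMPLE_PDF = b"""%PDF-1.1
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
7 0 obj
<< /Type /Action /S /JavaScript
/JS (neX7xM4S=("\\x43\\x69\\x6e\\x43\\x61\\x6e\\x20\\x43\\x68\\x72\\x69\\x73\\x74\\x6d\\x61\\x73\\x21"); ) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# The names Peepdf reported for the sample in the post.
SUSPICIOUS_NAMES = ("/OpenAction", "/JS", "/JavaScript")

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.DOTALL)
HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def find_suspicious(pdf: bytes) -> dict:
    """Map each suspicious name to the numbers of the objects containing it."""
    hits = {name: [] for name in SUSPICIOUS_NAMES}
    for num, body in OBJ_RE.findall(pdf):
        for name in SUSPICIOUS_NAMES:
            # Negative lookahead keeps a short name from matching a longer one.
            if re.search(re.escape(name).encode() + rb"(?![A-Za-z])", body):
                hits[name].append(int(num))
    return hits


def extract_js(pdf: bytes, obj_num: int) -> str:
    """Return the /JS literal string of one object, or "" if it has none."""
    for num, body in OBJ_RE.findall(pdf):
        if int(num) == obj_num:
            m = re.search(rb"/JS\s*\((.*)\)\s*>>", body, re.DOTALL)
            return m.group(1).decode("latin-1").strip() if m else ""
    return ""


def decode_hex_escapes(js: str) -> str:
    """Replace every \\xNN escape with the character it encodes."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), js)
```

Running find_suspicious on SAMPLE_PDF reproduces the same /OpenAction, /JS and /JavaScript hits Peepdf printed, and decode_hex_escapes(extract_js(SAMPLE_PDF, 7)) reveals the "CinCan Christmas!" string.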

Learn more

There's a lot more you can do with Peepdf. Check out more great examples at eternal-todo.com.

Peepdf at GitHub: https://github.com/jesparza/peepdf/wiki

This and many other tools are downloadable from CinCan's GitLab repository and from Docker Hub.