As anyone who knows anything about IT security will tell you, PDFs are increasingly being used as an attack vector to compromise computers. This is unfortunate because many users have been educated that while files ending in .exe, .pif, .scr etc. are evil, files ending in .pdf are generally safe to open. As we're learning, this is not the case: a specially crafted PDF can cause just as much havoc as an .exe or .pif file.
It is also unfortunate that Adobe Reader, probably the most popular PDF reader out there, hasn't really made it easy to manage updates in the past, especially in a corporate environment. This means there are many systems out there still running old, exploitable versions of Reader. Come on Adobe, learn from Microsoft (now there's something I didn't think I'd ever say!)
PDFiD is simple to use: just run the script with the filename you wish to analyse as a parameter. The output is clear and concise and, while the author does admit there is the possibility of false positives, it is an excellent way to begin analyzing PDFs that you don't entirely trust.
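To make it concrete what a triage tool of this kind is actually checking, and why it can throw the odd false positive, here is an added example in Python. It is my own simplified illustration, not PDFiD's code: it mimics PDFiD's approach of counting structural keywords and risky names in the raw bytes of the file, and it decodes the #xx hex escapes PDF allows in names so that an obfuscated /J#53 is still counted as /JS. The two sample PDFs embedded below are constructed for the example; the keyword list is a subset of what PDFiD reports.

```python
"""Simplified PDFiD-style keyword triage (added illustration, not PDFiD's own code)."""
import re
import sys
from collections import Counter

# Structural keywords: a healthy file has matching obj/endobj and stream/endstream counts.
STRUCTURE = [b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer", b"startxref"]
# Names worth counting (subset of what PDFiD reports).
NAMES = [b"/Page", b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript", b"/AA",
         b"/OpenAction", b"/AcroForm", b"/JBIG2Decode", b"/RichMedia",
         b"/Launch", b"/EmbeddedFile", b"/XFA"]
# Names whose mere presence justifies a closer look.
SUSPICIOUS = {b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch",
              b"/JBIG2Decode", b"/RichMedia", b"/EmbeddedFile", b"/XFA"}

# A PDF name runs from '/' up to whitespace or a delimiter character.
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> bytes:
    """Decode #xx hex escapes in a PDF name so /J#53 compares equal to /JS."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan(data: bytes) -> dict:
    """Count keywords in the raw bytes; also record which names were hex-obfuscated."""
    counts = Counter({kw: 0 for kw in STRUCTURE + NAMES})
    obfuscated = Counter()
    for kw in STRUCTURE:
        # \b stops 'obj' matching inside 'endobj' and 'xref' inside 'startxref'.
        counts[kw] = len(re.findall(rb"\b" + kw + rb"\b", data))
    for m in NAME_TOKEN.finditer(data):
        raw = m.group(0)
        name = normalize_name(raw)
        if name in counts:          # exact match, so /Pages does not count as /Page
            counts[name] += 1
            if raw != name:
                obfuscated[name] += 1
    return {"counts": dict(counts), "obfuscated": dict(obfuscated)}


def verdict(result: dict) -> list:
    """Reasons the file deserves a closer look; an empty list means nothing was flagged."""
    c = result["counts"]
    reasons = [f"{kw.decode()} x{c[kw]}" for kw in sorted(SUSPICIOUS) if c[kw]]
    if result["obfuscated"]:
        reasons.append("hex-obfuscated names: "
                       + ", ".join(k.decode() for k in sorted(result["obfuscated"])))
    if c[b"obj"] != c[b"endobj"]:
        reasons.append(f"obj/endobj mismatch ({c[b'obj']}/{c[b'endobj']})")
    return reasons


# Constructed sample: a minimal, boring one-page document.
BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
xref
trailer << /Root 1 0 R /Size 4 >>
startxref
0
%%EOF
"""

# Constructed sample: JavaScript run on open, with the /JS key hex-obfuscated.
SUSPICIOUS_PDF = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /J#53 (app.alert('hi')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


if __name__ == "__main__":
    # Scan a file given on the command line, or the two embedded samples.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
              [("benign", BENIGN), ("suspicious", SUSPICIOUS_PDF)]
    for label, data in targets:
        result = scan(data)
        print(f"== {label} ==")
        for kw, n in result["counts"].items():
            print(f"  {kw.decode():<14}{n}")
        print("  flags:", verdict(result) or "none")
```

Two caveats that apply equally to this toy and to the real tool: the scan works on raw bytes and does not inflate compressed streams, so a file whose interesting dictionaries live inside /ObjStm object streams will show a high /ObjStm count and little else (a high /ObjStm count with few other hits is itself a reason to dig deeper with a real parser); and a legitimate interactive form that uses /AcroForm with /JS field validation will be flagged too, which is where most of the false positives the author mentions come from.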
I highly recommend that any security-conscious sysadmin add this tool to their toolkit, as the number of PDF exploits is likely to keep rising for the foreseeable future. PDFiD can be downloaded from Didier Stevens' website at http://blog.didierstevens.com/programs/pdf-tools.
Oh, and my user's suspicious PDF? Turns out it was just another 419 spammer, this time putting his generous offer to make us all millionaires into a PDF attachment.