PDFiD: Analyzing suspicious PDFs

03 Aug

As anyone who knows anything about IT security will tell you, PDFs are increasingly being used as an attack vector to compromise computers. This is unfortunate because many users have been educated that while files ending in .exe, .pif, .scr etc. are evil, files ending in .pdf are generally safe to open. As we're learning, this is not the case, and specially crafted PDF files can be used to cause just as much havoc as an exe or pif file.

It is also unfortunate that Adobe Reader, probably the most popular PDF reader out there, hasn't really made it easy to manage updates in the past, especially in the corporate environment. This means there are many systems out there which are still running old, exploitable versions of the Reader. Come on Adobe, learn from Microsoft (now there's something I didn't think I'd ever say!)

Anyway, I recently had a user contact me saying she'd received a PDF from an email address that she was not familiar with. Amazingly, she hadn't opened the attachment (which is most unlike our users, most will happily double click anything!) and asked if I could take a look. I'd recently come across a Python script called PDFiD which can be used to analyze PDF files for suspicious keywords such as /JavaScript or /Launch that can be used to run code or programs outside of the PDF reader.

PDFiD is simple to use: just run the script with the filename you wish to analyse as a parameter. The output is clear and concise and, while the author does admit there is the possibility of false positives, it is an excellent way to begin analyzing PDFs that you don't entirely trust.
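To show the kind of check PDFiD performs, here is an added example of my own (not Didier Stevens' script): it counts action-related names in raw PDF bytes, decoding the #xx hex escapes that can hide a name such as /JavaScript from a plain string search, and runs over a small constructed sample PDF. The keyword list and the sample file are my own choices for the demonstration.

```python
import re
from collections import Counter

# Names worth counting in a triage pass. /JavaScript and /Launch are the two
# the post mentions; the rest are common companions (assumed list, not PDFiD's).
KEYWORDS = ["/JavaScript", "/JS", "/Launch", "/OpenAction", "/AA", "/ObjStm"]

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(name: bytes) -> bytes:
    """Decode PDF name hex escapes, so /Java#53cript becomes /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), name)


def count_keywords(data: bytes) -> dict:
    """Count suspicious name tokens in raw PDF bytes, ignoring object structure."""
    counts = Counter({k: 0 for k in KEYWORDS})
    # A PDF name is a slash followed by regular characters; delimiters end it.
    for raw in re.findall(rb"/[^\s/<>\[\]()%{}]*", data):
        name = normalize_name(raw).decode("latin-1")
        if name in counts:
            counts[name] += 1
    return dict(counts)


def triage(data: bytes) -> list:
    """Return the keywords that make a PDF worth a closer look before opening."""
    counts = count_keywords(data)
    return [k for k in ("/JavaScript", "/JS", "/Launch", "/OpenAction", "/AA")
            if counts[k] > 0]


# Constructed sample: a tiny PDF whose OpenAction points at a JavaScript action,
# with the /JavaScript name hex-escaped to dodge naive string matching.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /Java#53cript /JS (placeholder) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for keyword, count in count_keywords(SAMPLE_PDF).items():
        print(f"{keyword:<14}{count}")
    print("flags:", triage(SAMPLE_PDF))
```

A non-zero count is a reason to look closer, not proof of malice: legitimate forms also use /JavaScript and /AA, which is the false-positive caveat the author mentions.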

I highly recommend any security conscious sysadmins add this tool to their toolkit, as the number of PDF exploits is likely to continue rising for the foreseeable future. PDFiD can be downloaded from Didier Stevens' website at

Oh, and my user's suspicious PDF? Turns out it was just another 419 spammer, this time putting his generous offer to make us all millionaires into a PDF attachment.

Posted by on August 3, 2010 in Security
