PEEPDF : A One Stop Tool for PDF Document Forensic Analysis

Peepdf is a tool for the forensic analysis of pdf documents. Most social engineering attacks use a malicious PDF document embedded with java scripts & shell-codes.

It can analyze suspicious objects & data streams within a PDF document. With some extensions installed, a security researcher can analyze the java-scripts & shell-codes in detail. Precisely some of the top features of peepdf are :

1. Analyses a PDF document
2. Extracts data objects & streams
3. Extracts metadata
4. Extracts data from encoded & encrypted files also
5. XML outputs provided
6. Interactive Console

A security researcher can use this tool either to check for hidden shell codes or java scripts or even standard vulnerabilities like CVE-2013-2729 etc. Another use is obviously for Cyber Forensics.

It can extract all metadata & data streams inside the document so that a Forensic investigator can use this for pattern matching purposes or to analyze the shellcode or simply to extract the metadata & detect the presence of malicious code and use it as evidence.

Options – Peepdf

Syntax: peepdf <options> PDF-FILE

-h, --help show this help message and exit
-i, --interactive Sets console mode.
-s SCRIPTFILE, --load-script=SCRIPTFILE  Loads the commands stored in the specified file and execute them.
-f, --force-mode Sets force parsing mode to ignore errors.
-l, --loose-mode Sets loose parsing mode to catch malformed objects.
-u, --update Updates peepdf with the latest files from the repository.
-g, --grinch-mode Avoids colorized output in the interactive console.
-v, --version Shows program's version number.
-x, --xml Shows the document information in XML format.

Lab 1: Install Spidermonkey & Pylibemu

In this lab, we’ll install 3 additional packages in order to be able to analyze javascript & shellcode. The packages are:

1. libemu – basic x86 emulation and shellcode detection
2. Pylibemu – Python Wrapper for the libemu library
3. Spidermonkey – Javascript Engine

Step 1: Install Libemu

First, we have to install required dependencies & python files.

apt-get install autoconf libemu python-dev python-lxml python-pyrex

Clone the package from Git. Make sure to have git-core installed. Kali comes with git pre-installed.

git clone git://git.carnivore.it/libemu.git

Configure & Install libemu from git.

cd libemu/
autoreconf -v -i
./configure --enable-python-bindings --prefix=/opt/libemu
make -j4
make install
ldconf -n /opt/libemu/lib

Step 2:  Install Pylibemu

Again clone from git

git clone https://github.com/buffer/pylibemu.git

Install pylibemu

echo "/opt/libemu/lib" > /etc/ld.so.conf.d/pylibemu.conf
python setup.py build
python setup.py install

Step 3: Install Spidermonkey

apt-get install python-pyrex
svn checkout http://python-spidermonkey.googlecode.com/svn/trunk/ python-spidermonkey
cd python-spidermonkey
python setup.py build
python setup.py install
ldconfig

Execute peepdf and see if packages are correctly installed. Just try any PDF file against it.

peepdf evil.pdf <replace with yous>

If the add-ons are not properly installed, a message would come up first saying the packages are not installed when peepdf is executed.

In the next labs, we will get deeper into the usage of peepdf.

References

Libemu Installation References
http://blog.xanda.org/2012/05/16/installation-of-libemu-and-pylibemu-on-ubuntu/
http://www.makethenmakeinstall.com/2013/03/install-thug-on-kali-linux/

Pylibemu Installation References
https://forums.kali.org/archive/index.php/t-2658.html

Spidermonkey Installation References
https://forums.kali.org/archive/index.php/t-2658.html