Quick tip with mlab.sh: analyse a suspicious PDF in 3 steps ⬇️
1. Go to mlab.sh
2. Upload your PDF (max 25 MB)
3. Let the analysis run to get back:
- the file structure,
- the objects and streams,
- the suspicious patterns (via PDFiD),
- the items to dig into on the macros/embeds side.
Ideal for a first triage before launching heavier analyses or a sandbox. What do you use today to pre-triage potentially malicious files? #cybersecurity #dfir #pdf #malware #soc
Applications:
1768: Analyze Cobalt Strike beacons
amsiscan: Scan input with AmsiScanBuffer
AnalyzePESig: Analyze digital signature of PE file
apc-b: Send beacon frames with AirPcap
apc-channel: AirPcap channel hopper
apc-pr-log: AirPcap probe requests logger
Ariad: Tool (driver) to prevent inserted USB sticks from executing code
avr-teensy-pdf-dropper: WinAVR PoC to program Teensy to drop PDF file
base64dump: Extract base64 strings from file
BinaryTools: simple binary tools: reverse (reverses a file) and middle (extract sequence from file)
bpmtk: Basic Process Manipulation Tool Kit
BruteForceEnigma: C# program to bruteforce ENIGMA encoded text
byte-stats: Calculate byte statistics
CASToggle: Utility providing more control over .NET CAS enforcement
Challenger: Small program for simple reverse-engineering challenges
cipher-tool: tool to encode and decode with simple ciphers
cisco-calculate-ssh-fingerprint: Calculate the SSH fingerprint of a Cisco IOS device
ClipboardTransformer: Clipboard utility
cmd-dll: ReactOS cmd.exe transformed into a dll
count: count unique items
CounterHeapSpray: Process hardening tool, my PoC for Microsoft BlueHat Prize Contest
CreateCertGUI: Generate your own OpenSSL certificate
cut-bytes: Cut a section of bytes out of a file
decode-vbe: Decode VBE files
decompress_rtf: Tool to decompress compressed RTF
defuzzer: Generate the original file by combining fuzzed files.
disinformational-tweets: Python program to Tweet (obsolete)
disitool: Tool to work with Windows executables digital signatures
DumpStrings: 010 Editor Script to dump strings (integrated since version 4)
EICARgen: Program to generate an EICAR file (EICAR AV test file)
emldump: Analyze MIME files
EnforcePermanentDEP: Enable permanent DEP in the loading process (Windows XP)
extractscripts: Utility to check HTML file and generate a separate file for each script in the HTML file
file-magic: Essentially a wrapper for file (libmagic)
file2vbscript: Embeds executable into vbscript script
FileGen: Command-line program to create test files of different lengths
FileScanner: Tool to scan files for patterns
find-file-in-file: Check if a file is embedded inside another file, even non-contiguous
format-bytes: This is essentially a wrapper for the struct module
fuzzer: 010 Editor Script implementing a simple fuzzer
hash: This is essentially a wrapper for the hashlib module
headtail: Output head and tail of input
HeapLocker: Process hardening tool, a bit like EMET, but open source
hex-to-bin: convert hexadecimal to binary
InstalledPrograms: List installed programs with Excel/VBA
InteractiveSieve: GUI tool to visualize and analyze logs, data, … by “sifting”
jpegdump: JPEG file analysis tool
js-1.5-mod: SpiderMonkey JavaScript interpreter modifications
js-1.7.0-mod: SpiderMonkey JavaScript interpreter modifications
js-unicode-escape: 010 Editor Script to convert bytes to a Unicode escape encoded string for JavaScript
js-unicode-unescape: 010 Editor Script to convert a Unicode escape encoded string to bytes
keihash: Calculate SSH Key Exchange Init (KEI) hash: KEIHash
ListModules: Analyze digital signature of all executables in processes
ListSharesSecurityWithWMI-VS2001: C# example for share security enumeration with WMI
LNKTemplate: 010 Editor Template for LNK file format
LoadDLLViaAppInit: DLL to load other DLLs via appinit registry key
LockIfNotHot: Automatically lock Windows computer when user walks away, requires IR thermometer
lookup-tools: IP-address and hosts lookup tools
LowerMyRights: Restricts the rights of an existing process
make-pdf: Set of Python programs to generate all kinds of PDF files
md5_authenticode: MD5 Authenticode collision PoC
MIFAREACR122: Python program to read and write 1K MIFARE RFID tags with ACR122 contactless reader/writer
MovingXORSelection: 010 Editor Script to perform a moving XOR of the current selection
msoffcrypto-crack: Crack MS Office document password
my-shellcode: My shellcode collection
MyEFSService: PoC for Malicious Cryptography blogpost
MySafeModeService: PoC for Playing with Safe Mode blogpost
NAFT: Network Appliance Forensic Toolkit
NetworkMashup: Network utilities (ping, DNS) written in Excel/VBA
NewPasswordStats: Password auditing password filter
nmap-xml-script-output: nmap xml script output parser
nocalcpoc: No calc PoC
nsrl: NSRL tool
numbers-to-hex: convert decimal numbers into hex numbers
numbers-to-string: convert numbers into a string
oledump: Analyze OLE files (Compound Binary Files)
OllyStepNSearch: Plugin for OllyDbg
password-history-analysis: Program to analyze password history
Paste: paste does the opposite of clip, read the clipboard and write it to stdout
pcap-rename: program to rename pcap files with a timestamp
pdf-parser: PDF analysis program
pdfid: PDF triage program
PDFTemplate: 010 Editor Template for PDF file format
pdftool: Tool to process PDFs
pecheck: wrapper for pefile
peid-userdb-to-yara-rules: Convert PeID userdb to YARA rules
PFTemplate: 010 Editor Template for PF file format
psurveil: Photo Surveillance for N800
python-per-line: Program to evaluate a Python expression for each line in the provided text file(s)
re-search: Program to use Python’s re.findall on files
regedit-dll: ReactOS regedit.exe transformed into a dll
rtfdump: Analyze RTF files
RTStego: Rainbow table steganography
runasil: Launches program with a low integrity level
RunInsideLimitedJob: Start program and run it inside a limited job
SE_ASLR: Force ASLR on Windows Explorer Shell Extensions
search-and-replace-with-wildcards: 010 Editor Script for search and replace with wildcards
SelectMyParent: Launch a program and select its parent
SendtoCLI: GUI tool for CLI commands
setdllcharacteristics: Tool to set DEP, ASLR, … flags of a Windows executable
sets: Set operations on 2 files: union, intersection, subtraction, exclusive or
shellcode2vba: Convert shellcode to VBA
shellcode2vbscript: Convert shellcode to VBA
ShellCodeLibLoader: ShellCode With a C-Compiler
ShellCodeMemoryModule: Generates DLL-loading shellcode from memory
shift: 010 Editor Script to shift bytes in a file or selection
simple-shellcode-generator: Python program to generate 32-bit shellcode (assembler code)
simple_ip_stats: Process PCAP files to calculate IP data statistics
simple_tcp_stats: Process PCAP files to calculate TCP data statistics
SimpleEncoder: 010 Editor Script to encode current selection by shifting characters
split: Split a text file into X number of files (2 by default)
strings: Strings command in Python
Suspender: DLL that suspends its host process
TaskManager: Windows Task Manager written in Excel/VBA
TestIntegrityCheckFlag: Test program for Using DLLCHARACTERISTICS’ FORCE_INTEGRITY Flag blogpost
translate: Python script to perform bitwise operations on files (like XOR, ROL/ROR, …)
ultraedit_scripts: Collection of UltraEdit scripts
UndeletableSafebootKey: Tool to generate an undeletable Safeboot registry key
USBVirusScan: Launch a program, like an AV scanner, each time USB removable storage is plugged-in
UserAssist: Decode the UserAssist registry data
virtualwill: HTML program to store your will
VirusAlert: C# PoC program that monitors the event log for virus alerts and displays customized messages for the user
virustotal-search: Search VirusTotal for provided hashes
virustotal-submit: Submit files to VirusTotal for scanning
vs: Python program to take surveillance pictures from IP-cameras
what-is-new: Tool to monitor new items
whoami: Firefox addon to identify your profile
WMFTemplate: 010 Editor Template for WMF file format
wmi-sc: WMI script for Security Center data
wsrradial: wi-spy radial WiFi plotting tool
wsrtool: wi-spy wsr files tool
xmldump: This is essentially a wrapper for xml.etree.ElementTree
xor-kpa: XOR known-plaintext attack
XORSearch: Bruteforce a file for XOR, ROL, ROT, SHIFT, … encoding and search for a string
XORSelection: 010 Editor Script to encode current selection with XOR
XORStrings: Bruteforce a file for XOR, ROL, ROT, SHIFT, … encoding and dump strings
zipdump: ZIP dump utility
ZIPEncryptFTP: Zip files, encrypt ZIP file, upload via FTP
zoneidentifier: Manage Zone.Identifier ADS
I analyzed a suspicious PDF email attachment and discovered it was embedded with a reverse shell payload exploiting CVE-2021-28550. When opened, the PDF dropped a backdoor to the temp directory and connected back to the attacker via port 443. I used pdfid and pdf-parser to dissect the object structure and locate the embedded stream.
Day 48💃 First, I documented a few projects to update my portfolio, then Malware Analysis with @CyberDefenders. Analysing a malicious PDF file attack using Wireshark, CyberChef and pdfid (Kali Linux). #100DaysOfCyberSecurity
Uncover Hidden Secrets in PDF Files! 🔍 Ever wondered what’s lurking inside a PDF file without opening it? That’s where PDFiD comes to the rescue! 🛡️
9 Nov 2024
omg I discovered new cool PDFs to read ttja.ee/reklaaminoukoda
For command-line analysis I use the legendary pdfid and pdf-parser by Didier Stevens. -Workshop on malicious PDF analysis youtube.com/watch?v=F3rpZT0g… blog.didierstevens.com/progr…
14 Jan 2023
I created a #Linux #cheatsheet for #PDF #forensic analysis. The cheatsheets included cover the following #DFIR tools: #exiftool, #pdfid, #pdfparser, and #peepdf.
10 Feb 2022
Forensic PDF analysis for beginners: pdfid. Happy National Press Day, Indonesian Press #porensic
6️⃣ Four different files with a ".gif" extension that were Adobe PDF files containing a JBIG2-encoded stream. Two of these files had 34-character names and two had 97-character names. The output of the pdfid tool on these four ".gif" files was as follows
Russians are on point. You lot - ALL guilty of #humanrightsviolations and therefore need to be tried for treason and propaganda, resulting in deaths. en.wikipedia.org/wiki/Human_… Mainstream Media are going to be held accountable. 19_pandemic https://www.refworld.org/pdfid/4ec105562.pdf
there are new analyzers for @urlscanio, @StratosphereIPS Yara rules, @Quad9DNS resolver, @FarsightSecInc DNSDB, @DidierStevens's PDFid and more!
Replying to @pdfid
You're mistaken. It is an abbreviation of the initials of the words PislikKalleşKatil
MAL: REMnux - I have just completed this room! Check it out: tryhackme.com/room/malremnux #tryhackme #remnux #linux #malware analysis #beginner #introduction #pdfid #pdfextractor #practical #malware analysis #malware #malremnux via @tryhackme
CinCan’s #PDFiD tool shows that the PDF contains "/JS" and "/JavaScript" objects which raises 🚩🚩 because they might contain #malicious code. 2/5
CinCan ♥️ PDFiD peepdf: Find hidden #malware in your PDF files! A PDF #exploiting a #vulnerability that enables JS execution is a common mechanism of infection. We'll use #CinCan’s tools #PDFiD to find suspicious objects in a PDF and #peepdf to take a look at what’s inside them. 1/5
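The posts above describe the same first-pass workflow three times: the mlab.sh tip (file structure, objects and streams, PDFiD-style suspicious patterns), the analyst who used pdfid and pdf-parser to find an embedded stream, and CinCan flagging /JS and /JavaScript objects. The Python below is an added example written for this page; it is not code from any of those posts and not Didier Stevens' pdfid or pdf-parser. It does a PDFiD-style keyword count that resolves #xx name escapes (so /J#61vaScript is counted as /JavaScript), then goes one step further than PDFiD by inflating FlateDecode streams and counting again, which is the step you would otherwise do by hand with pdf-parser. Assumptions, all mine: the keyword list is a subset of PDFiD's indicators chosen for triage, the sample PDF is constructed inline and is not a real malware sample, and objects and streams are bounded by the endobj/endstream markers rather than by /Length, which is good enough for a toy file but not for hostile input.

```python
"""Keyword-based PDF triage with stream inflation (added example, not pdfid/pdf-parser code)."""
import re
import zlib
from collections import Counter

# Keywords worth flagging in a first pass; a subset of what PDFiD reports (my selection).
SUSPICIOUS = {
    b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/ObjStm", b"/JBIG2Decode", b"/XFA",
}

# A PDF name runs from '/' to the next whitespace or delimiter; '#' is allowed inside it.
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Toy bounding of objects and streams: real tools honour /Length, this matches on the markers.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_name(name: bytes) -> bytes:
    """Resolve #xx escapes so /J#61vaScript is counted as /JavaScript (PDFiD does the same)."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), name)


def count_keywords(data: bytes) -> Counter:
    """Count SUSPICIOUS names in a byte blob after de-escaping them."""
    counts = Counter()
    for match in NAME_RE.finditer(data):
        name = normalize_name(match.group(0))
        if name in SUSPICIOUS:
            counts[name.decode()] += 1
    return counts


def inflate_streams(pdf: bytes) -> dict:
    """Return {object number: inflated bytes} for every FlateDecode stream that decompresses."""
    inflated = {}
    for obj in OBJ_RE.finditer(pdf):
        number, body = int(obj.group(1)), obj.group(2)
        stream = STREAM_RE.search(body)
        if stream is None or b"/FlateDecode" not in body[: stream.start()]:
            continue
        try:
            inflated[number] = zlib.decompress(stream.group(1))
        except zlib.error:
            continue  # corrupt or non-zlib data: something to inspect by hand, not a crash
    return inflated


def triage(pdf: bytes) -> dict:
    """Raw counts (what a plain keyword scan sees) next to counts inside inflated streams."""
    in_streams = Counter()
    for body in inflate_streams(pdf).values():
        in_streams.update(count_keywords(body))
    return {
        "header_ok": b"%PDF-" in pdf[:1024],  # the spec allows the header anywhere in the first 1024 bytes
        "raw": dict(count_keywords(pdf)),
        "in_streams": dict(in_streams),
    }


def reasons(result: dict) -> list:
    """Turn the counts into the red flags an analyst would put in the triage note."""
    seen = Counter(result["raw"]) + Counter(result["in_streams"])
    notes = []
    if not result["header_ok"]:
        notes.append("no %PDF- header in the first 1 KiB")
    if seen["/JS"] or seen["/JavaScript"]:
        notes.append("JavaScript present")
        if seen["/OpenAction"] or seen["/AA"]:
            notes.append("script reachable from /OpenAction or /AA: runs on open")
    if seen["/Launch"] or seen["/EmbeddedFile"]:
        notes.append("/Launch or /EmbeddedFile: can run or drop a file")
    hidden_only = set(result["in_streams"]) - set(result["raw"])
    if hidden_only:
        notes.append("keywords only visible after inflating streams: " + ", ".join(sorted(hidden_only)))
    return notes


def build_sample() -> bytes:
    """Constructed toy PDF, not a real sample: a plain /OpenAction plus a hex-escaped
    /JavaScript hidden in a FlateDecode stream (a simplified stand-in for an object stream)."""
    hidden = zlib.compress(b"<< /S /J#61vaScript /JS (app.alert(1)) >>")
    objects = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
        b"3 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >> stream\n" % len(hidden)
        + hidden + b"\nendstream endobj",
        b"4 0 obj 3 0 R endobj",
    ]
    return b"%PDF-1.7\n" + b"\n".join(objects) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    result = triage(build_sample())
    print(result)
    for note in reasons(result):
        print("-", note)
```

Run against the constructed sample, the raw pass reports only /OpenAction and /ObjStm, while the inflated pass surfaces /JavaScript and /JS. That gap is the practical lesson behind the posts: pdfid deliberately does not decompress anything, so an /ObjStm count or an auto-action with no visible script is the cue to move on to pdf-parser (or peepdf) and look inside the streams before deciding the file is clean.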
2 Jun 2020
Replying to @ale_sp_brazil
pdf-parser, peepdf, PDFStreamDumper, mlpdfobj, pdfid: very useful and helpful static analysis tools :) Static analysis and dynamic analysis are both very useful.