You might also see: pdf-parser

You might also see: make-pdf-javascript

Description

PDFiD is a python-based script written by Didier Stevens that scans a file to look for certain PDF keywords, allowing you to identify PDF documents that contain (for example) JavaScript or execute an action when opened. PDFiD will also handle name obfuscation.

Installation

$ cd /data/src/
$ wget http://didierstevens.com/files/software/pdfid_v0_1_2.zip
$ unzip pdfid_v0_1_2.zip
$ chmod +x pdfid.py

Usage

Syntax

Usage: pdfid.py [options] [pdf-file|zip-file|url]

Options

--version

show program's version number and exit

-h, --help

show this help message and exit

-s, --scan

scan the given directory

-a, --all

display all the names

-e, --extra

display extra data, like dates

-f, --force

force the scan of the file, even without proper %PDF header

-d, --disarm

disable JavaScript and auto launch

Example

$ ./pdfid.py ../jsunpack-n-read-only/samples/pdf-thisCreator.file
PDFiD 0.1.2 ../jsunpack-n-read-only/samples/pdf-thisCreator.file
PDF Header: %PDF-1.0
obj                    9
endobj                 9
stream                 2
endstream              2
xref                   0
trailer                1
startxref              0
/Page                  1
/Encrypt               0
/ObjStm                0
/JS                    1
/JavaScript            2
/AA                    0
/OpenAction            0
/AcroForm              0
/JBIG2Decode           0
/RichMedia             0
/Launch                0
/EmbeddedFile          0
/XFA                   0
/Colors > 2^24         0

The example above highlights that the PDF file contains Javascript. You can then use pdf-parser to extract the javascript it contains.

For a description of the objects, refer to this page

Comments