OFFICE MAL SCANNER
OfficeMalScanner is a MS Office forensic tool to scan for malicious traces, like shellcode heuristics, PE-files or embedded OLE streams.
The tool will look for several strings and API calls to guess if the document is likely to be malicious:
-
FS:[30h]
-
FS:[00h]
-
API-Hashing signature
-
API-Name GetSystemDirectory string
-
API-Name CloseHandle string
-
API-Name VirtualAlloc string
-
API-Name GetProcAddr string
-
API-Name LoadLibrary string
-
Function prolog signature
-
CALL next/POP signature
OFFVIS
The Microsoft Office Visualization Tool (OffVis) allows IT professionals, security researchers and malware protection vendors to better understand the Microsoft Office binary file format in order to deconstruct .doc-, .xls- and .ppt-based targeted attacks. The unique, easy-to-use tool offers a comprehensive view of any Microsoft Office binary file format sample simply by hovering a cursor over it. The tool then graphically shows important data structures and records for Microsoft Office Word, Microsoft Office PowerPoint and Microsoft Office Excel. Users can then browse and click through each record.
CRYPTAM
Detect embedded executables and exploits in Office documents and PDF - Word, Powerpoint, Excel, and RTF. Embed the lightweight command line fast detection engine into your email or network security solution. Automatically extract encrypted embedded executables to feed into your existing sandbox bypassing the need to maintain different sandboxes for each document format reader version.
PDF EXAMINER
Examine PDF objects using only a web-browser safely from any operating system. Collaborate and share via an internal private network. Process individual PDFs via the webinterface or a directory of PDFs from the command line. Embed the lightweight command line fast detection engine into your email or network security solution.
PDF TOOLS
pdf-parser.py
This tool will parse a PDF document to identify the fundamental elements used in the analyzed file. It will not render a PDF document. The code of the parser is quick-and-dirty, I’m not recommending this as text book case for PDF parsers, but it gets the job done.
pdfid.py
This tool is not a PDF parser, but it will scan a file to look for certain PDF keywords, allowing you to identify PDF documents that contain (for example) JavaScript or execute an action when opened. PDFiD will also handle name obfuscation.
PDF X-RAY
PDF X-RAY differs from all other tools because it doesn't focus on the single file. Instead it compares the file you upload against thousands of malicious PDF files in our repository. These checks look for similar data structures within the PDF you upload and ones that have been reviewed by analysts. Using this feature we can begin to see shared coded samples among malicious files or trends due to malicious author coding styles. The tool is still in beta, but I wanted to release it to the public to see what users thought. In my opinion the API is the most useful as you can begin to integrate rich PDF analysis into other tools and services with little or no cost.
PDF X-RAY LITE
PDF X-RAY is great, but there are times when all you have access to is a system you can't mess with, but need to do analysis on. PDF X-RAY Lite solves this by removing the backend and keeping it straight command line. For extra convenience a new reporting method is built into the malobjclass. This report switch allows you to get a bare-bones report so you can see the PDF in a visual form. Please note that this report is very basic and is only meant for reference.
PEEPDF
peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it's possible to see all the objects in the document showing the suspicious elements, supports all the most used filters and encodings, it can parse different versions of a file, object streams and encrypted files. With the installation of PyV8 and Pylibemu it provides Javascript and shellcode analysis wrappers too. Apart of this it's able to create new PDF files and to modify/obfuscate existent ones.
ORIGAMI
origami is a Ruby framework designed to parse, analyze, and forge PDF documents. This is NOT a PDF rendering library. It aims at providing a scripting tool to generate and analyze malicious PDF files. As well, it can be used to create on-the-fly customized PDFs, or to inject (evil) code into already existing documents.
-
Create PDF documents from scratch.
-
Parse existing documents, modify them and recompile them.
-
Explore documents at the object level, going deep into the document structure, uncompressing PDF object streams and desobfuscating names and strings.
-
High-level operations, such as encryption/decryption, signature, file attachments...
-
A GTK interface to quickly browse into the document contents.
PDF STREAMDUMPER
This is a free tool for the analysis of malicious PDF documents. This tool has been made possible through the use of a mountain of open source code. Thank you to all of the authors involved.
Has specialized tools for dealing with obsfuscated javascript, low level pdf headers and objects, and shellcode. In terms of shellcode analysis, it has an integrated interface for libemu sctest, an updated build of iDefense sclog, and a shellcode_2_exe feature.
-
Javascript tools include integration with JS Beautifier for code formatting, the ability to run portions of the script live for live deobsfuscation, toolbox classes to handle extra canned functionality, as well as a pretty stable refactoring engine that will parse a script and replace all the screwy random function and variable names with logical sanitized versions for readability.
-
Tool also supports unescaping/formatting manipulated pdf headers, as well as being able to decode filter chains (multiple filters applied to the same stream object.)