OFFICE MAL SCANNER
OfficeMalScanner is an MS Office forensic tool that scans for malicious traces such as shellcode heuristics, PE files or embedded OLE streams.
The tool will look for several strings and API calls to guess if the document is likely to be malicious:
API-Name GetSystemDirectory string
API-Name CloseHandle string
API-Name VirtualAlloc string
API-Name GetProcAddr string
API-Name LoadLibrary string
Function prolog signature
CALL next/POP signature
The Microsoft Office Visualization Tool (OffVis) allows IT professionals, security researchers and malware protection vendors to better understand the Microsoft Office binary file format in order to deconstruct .doc-, .xls- and .ppt-based targeted attacks. The unique, easy-to-use tool offers a comprehensive view of any Microsoft Office binary file format sample simply by hovering a cursor over it. The tool then graphically shows important data structures and records for Microsoft Office Word, Microsoft Office PowerPoint and Microsoft Office Excel. Users can then browse and click through each record.
Detect embedded executables and exploits in Office documents and PDF files (Word, PowerPoint, Excel and RTF). Embed the lightweight command-line fast detection engine into your email or network security solution. Automatically extract encrypted embedded executables to feed into your existing sandbox, bypassing the need to maintain different sandboxes for each document format reader version.
Examine PDF objects safely using only a web browser from any operating system. Collaborate and share via an internal private network. Process individual PDFs via the web interface, or a directory of PDFs from the command line. Embed the lightweight command-line fast detection engine into your email or network security solution.
This tool will parse a PDF document to identify the fundamental elements used in the analyzed file. It will not render a PDF document. The code of the parser is quick-and-dirty; I'm not recommending this as a textbook case for PDF parsers, but it gets the job done.
PDF X-RAY differs from all other tools because it doesn't focus on the single file. Instead it compares the file you upload against thousands of malicious PDF files in our repository. These checks look for similar data structures within the PDF you upload and ones that have been reviewed by analysts. Using this feature we can begin to see shared code samples among malicious files or trends due to malicious authors' coding styles. The tool is still in beta, but I wanted to release it to the public to see what users thought. In my opinion the API is the most useful part, as you can begin to integrate rich PDF analysis into other tools and services with little or no cost.
PDF X-RAY LITE
PDF X-RAY is great, but there are times when all you have access to is a system you can't mess with, yet still need to do analysis on. PDF X-RAY Lite solves this by removing the backend and keeping it strictly command line. For extra convenience a new reporting method is built into the malobjclass. This report switch allows you to get a bare-bones report so you can see the PDF in a visual form. Please note that this report is very basic and is only meant for reference.
origami is a Ruby framework designed to parse, analyze, and forge PDF documents. This is NOT a PDF rendering library. It aims at providing a scripting tool to generate and analyze malicious PDF files. It can also be used to create on-the-fly customized PDFs, or to inject (evil) code into already existing documents.
Create PDF documents from scratch.
Parse existing documents, modify them and recompile them.
Explore documents at the object level, going deep into the document structure, uncompressing PDF object streams and deobfuscating names and strings.
High-level operations, such as encryption/decryption, signature, file attachments...
A GTK interface to quickly browse the document contents.
This is a free tool for the analysis of malicious PDF documents. This tool has been made possible through the use of a mountain of open source code. Thank you to all of the authors involved.
The tool also supports unescaping/formatting manipulated PDF headers, as well as decoding filter chains (multiple filters applied to the same stream object).