Simple bash script for checking of PDF files and filter strings
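#!/bin/bash
#
# -------------------------------------------
# PDF INVESTIGATOR v0.2beta ; (c) 2023 suuhm
# -------------------------------------------
#
# Static triage of a single PDF with Didier Stevens' pdfid / pdf-parser:
# the file is only parsed by those tools, never rendered or opened.
#
# Prerequisites (Debian-style box):
#   update-alternatives --install /usr/bin/python python /usr/bin/python3.11 1
#   apt install pdf-parser pdfid
#
# Usage: $0 <PDF_FILENAME.pdf>
#
# Output files PDF_INVESTIGATION_HASHES.txt and PDF_INVESTIGATION_LOG.txt are
# written to the current directory and overwrite any existing copy, so run
# the script from a dedicated case/working directory.
#
clear
echo "**********************************************"
echo "*** *.PDF I N V E S T I G A T 0 R v.0.2b ***"
echo "**********************************************"
echo; echo "Usage $0 <PDF_FILENAME.pdf>"
echo; sleep 2

# Path of the PDF under investigation; every pdfid/pdf-parser call below
# reads it, so it is validated once here and treated as read-only afterwards.
PDF_FILE="${1:-}"
readonly TI="--------------------------------------------------------"

if [[ -z "$PDF_FILE" ]]; then
  echo "[ERROR!!] - Usage $0 <PDF_FILENAME.pdf>" >&2
  exit 1
fi
# Fail before any tool runs instead of letting each call error out later.
if [[ ! -f "$PDF_FILE" || ! -r "$PDF_FILE" ]]; then
  echo "[ERROR!!] - Cannot read PDF file: $PDF_FILE" >&2
  exit 1
fi
# Both analysis tools are required (see the apt line above).
for tool in pdfid pdf-parser; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    echo "[ERROR!!] - Required tool not found in PATH: $tool" >&2
    exit 1
  fi
done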
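# make disarmed pdf PDF_FILE...
#######################################
# Runs `pdfid -d` (disarm) against the PDF under investigation; per the
# original note this produces a disarmed copy of the file.
# Globals:   PDF_FILE (read)
# Returns:   1 if PDF_FILE is unset/empty, otherwise pdfid's exit status
# Note: not called by the script's own top-level flow; invoke it manually
#       (e.g. after sourcing the script).
#######################################
disarmpdf() {
  if [[ -z "${PDF_FILE:-}" ]]; then
    echo "[ERROR!!] - disarmpdf: PDF_FILE is not set" >&2
    return 1
  fi
  # Quoted so paths with spaces or glob characters reach pdfid intact.
  pdfid -d "$PDF_FILE"
}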
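# USE YARA RULES
#######################################
# Scans the PDF under investigation with a YARA rule file via `pdfid -y`.
# Arguments: $1 - (optional) path to the YARA rule file; falls back to $YRULE
# Globals:   PDF_FILE (read), YRULE (read, fallback for $1)
# Returns:   1 if no rule file or no PDF_FILE is available, otherwise
#            pdfid's exit status
# Note: YRULE is never assigned anywhere in this script, so the caller must
#       export it or pass the rule path as $1. Not called by the script's
#       own top-level flow.
#######################################
useyararules() {
  local rule="${1:-${YRULE:-}}"
  if [[ -z "$rule" ]]; then
    echo "[ERROR!!] - useyararules: no YARA rule file (set YRULE or pass a path)" >&2
    return 1
  fi
  if [[ -z "${PDF_FILE:-}" ]]; then
    echo "[ERROR!!] - useyararules: PDF_FILE is not set" >&2
    return 1
  fi
  pdfid -y "$rule" "$PDF_FILE"
}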
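# Output files; both live in the current directory and are overwritten.
readonly HASH_FILE="PDF_INVESTIGATION_HASHES.txt"
readonly LOG_FILE="PDF_INVESTIGATION_LOG.txt"

#######################################
# Prints a section header framed by $TI, followed by a blank line.
# Globals:   TI (read)
# Arguments: $1 - header text
# Outputs:   the framed header on stdout
#######################################
section() {
  printf '%s\n%s\n%s\n\n' "$TI" "$1" "$TI"
}

# Extra data / force / verbose
section "[*] Get First infos about: OpenAction? / Embedded? .."
sleep 1
pdfid -efv "$PDF_FILE"

# get object hashes and write them to PDF_INVESTIGATION_HASHES.txt (overwritten)
pdf-parser -H "$PDF_FILE" > "$HASH_FILE"

echo; section "[*] Search for Strings and put on PDF_FILE: $LOG_FILE"
sleep 1
# Start a fresh log for this run; the timestamp marks when the run began.
printf '%s\nPDF_INVESTIGATION: (%s)\n%s\n\n' "$TI" "$(date)" "$TI" > "$LOG_FILE"

#TEST FOR JAVASCRIPT
echo; section "[+] Search for javascript" | tee -a "$LOG_FILE"
read -r -p "Press enter for Continue.." _
# raw hit list on the terminal, filtered (decoded) output into the log
pdf-parser --search=javascript --raw "$PDF_FILE"
pdf-parser --search=javascript -f "$PDF_FILE" | tee -a "$LOG_FILE"

echo; section "[+] Search for URI" | tee -a "$LOG_FILE"
read -r -p "Press enter for Continue.." _
pdf-parser --search=URI --raw "$PDF_FILE"
pdf-parser --search=URI -f "$PDF_FILE" | tee -a "$LOG_FILE"

echo; section "[*] Get full log..."
read -r -p "Press enter for Continue.." _
# pass stream object through filters
# (FlateDecode,ASCIIHexDecode, ASCII85Decode, LZWDecode and RunLengthDecode only)
pdf-parser -w -f --regex "$PDF_FILE" | tee -a "$LOG_FILE"
echo
pdf-parser -O "$PDF_FILE" | tee -a "$LOG_FILE"
#
echo; echo "Done."
exit 0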