sylver_dragon@lemmy.world 1 month ago
This could just be a really stupid format, put out by a specific application for creating PDFs, because the original authors didn’t want to pay Adobe (never attribute to malice, that which can be sufficiently explained with stupidity).
Does pdfinfo give any indication of the application used to create the document? If it chokes on the Java bit up front, can you extract just the PDF from the file and look at that? You might also dig through the PDF a bit using Didier Stevens's tools, looking for JavaScript or other indicators of PDF fuckery.
Does the file contain any other Java bytecode? If so, can you pass that through a decompiler?
> would love it if attempts to reach the cloud could be trapped and recorded to a log file in the course of neutering the PDF.
This is possible, but it takes a bit of setup. In my own lab, I have PolarProxy running in one Virtual Machine (VM), using QEMU/KVM. That acts as a gateway between an isolated network and a network with internet access. It runs transparent TLS break and inspect on port 443/tcp and tcpdump capturing port 80/tcp. It also serves DNS using Bind.
There is then the “victim” VM which is running bog standard Windows 10. The PolarProxy root cert has been added to the Trusted Roots certificate store. The Default Gateway and DNS servers are hard coded to the PolarProxy VM. Suspicious stuff is tested on this system and all network traffic is recorded on the PolarProxy system in standard pcap format for analysis.
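As an added illustration of the carve-and-inspect step suggested above (this is not code from either poster; the sample bytes are constructed and the pdfid-style indicator list is an assumption), the script below skips any non-PDF prefix, reads the header version, and counts action-related name tokens, decoding `#xx` name escapes so obfuscated names are counted too:

```python
import re

# Name tokens whose presence warrants a closer look (assumed list, modelled on
# the indicators pdfid.py reports).
SUSPICIOUS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/URI", b"/EmbeddedFile", b"/RichMedia", b"/AcroForm"]

# Constructed sample: 16 bytes of fake class-file prefix, then a tiny PDF that
# uses a hex-escaped name (/J#61vaScript) and a URI action.
SAMPLE = (
    b"\xca\xfe\xba\xbe" + b"\x00" * 12 +
    b"%PDF-1.3\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"5 0 obj << /S /URI /URI (http://example.invalid/beacon) >> endobj\n"
    b"%%EOF\n"
)

def carve_pdf(blob: bytes) -> bytes:
    """Return the data from the first %PDF- header onward, dropping any prefix
    (such as bytecode glued in front of the document). Raises if no header."""
    off = blob.find(b"%PDF-")
    if off < 0:
        raise ValueError("no %PDF- header found")
    return blob[off:]

def unescape_names(data: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript is counted like /JavaScript.
    Applied to the whole buffer, which is acceptable for token counting."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage(blob: bytes) -> dict:
    """Carve, normalise and count suspicious name tokens in a PDF blob."""
    carved = carve_pdf(blob)
    pdf = unescape_names(carved)
    header = pdf[:8].decode("ascii", "replace")  # e.g. "%PDF-1.3"
    counts = {}
    for name in SUSPICIOUS:
        # A name ends at a PDF delimiter, so /JS does not match /JSX etc.
        pat = re.escape(name) + rb"(?=[\s/<>\[\]{}()%]|$)"
        counts[name.decode()] = len(re.findall(pat, pdf))
    return {"prefix_bytes": len(blob) - len(carved),
            "header": header, "counts": counts}

if __name__ == "__main__":
    print(triage(SAMPLE))
```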
evenwicht@lemmy.sdf.org 1 month ago
Oracle Documaker PDF Driver
PDF version: 1.3
Not sure how to do that but I did just try `pdfimages -all`, which was not useful since it’s a vector PDF. `pdfdetach -list` shows 0 attachments. It just occurred to me that `pdftocairo` could be useful as far as one way to neuter the doc and make it useable, but that’s kind of a lossy meat-grinder option that doesn’t help with analysis.
Thanks for the tip. I might have to look into that. No readme… I guess this is a /use the source, Luke/ scenario.
I appreciate all the tips. I might be tempted to dig into some of those options.