phoneyPDF is a tool to help analyze PDF files, and maybe a starting place to identify malicious PDF files from. It uses a javascript engine to execute javascript from PDF files, and exposes Adobe Reader-esque objects and a DOM so that if the javascript tries to interact with the DOM or certain Reader-only objects, they'll be there, and execution can occur.
This tool was written by Trevor Tonn and Kiran Bandla over a few months at Verisign iDefense. With Verisign Inc permission, we are releasing this tool to the public to use and extend.
Requires Python 2.6.x - 2.7.x
phoneyPDF has a few dependencies:
- V8: Google's javascript interpreter
- pyv8: python connector to v8 so you can execute javascript from within your Python scripts
- lxml: a well known XML parser
Building PyV8 is not going to be easy. If you have an option to install a pre-compiled version, go for it.
On Jan23, 2014 bugs were finally fixed in PyV8 r572.
The following version are confirmed to work:
- V8 -r18896
- PyV8 -r573
You can install PyV8 from here.
pip install -e git://github.com/brokenseal/PyV8-OS-X#egg=pyv8The easiest way to install lxml is using pip:
pip install lxmlOn Linux, you can use apt-get or yum to install it. You could also build from source. It might be a little work on some platforms (osx)
See the LICENSE file