Skip to content
A security tool for detecting suspicious PDF modifications commonly found in BEC
Python Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


pdfxpose - A security tool for detecting suspicious PDF modifications commonly found in BEC


While investigating Business Email Compromise (BEC), suspicious indicators were discovered in a majority of the PDFs encountered. This tool was developed to detect PDFs altered by threat actors engaging in BEC.

More information about the investigation can be found here:


Pdfxpose depends on poppler-utils 0.41.0+ for processing PDFs and Tesseract for performing Optical Character Recognition (OCR) on images. Both can be installed from the Ubuntu repositories.

root@host:~# apt-get update
root@host:~# apt-get install poppler-utils tesseract-ocr


The tool accepts paths to one or more PDF files to be processed as command-line arguments. A mock BEC invoice has been provided as an example.

python Widgets_Order.pdf

Interpreting the Output

Suspicious  Flat : Layered  Images  Filename

The “suspicious” column displays either a positive or a negative detection result indicated by a 1 or 0. The PDF file is tested in two states. The flat state is an analysis of just the top layer simulating what the viewer of the document would see. The layered state entails extracting all text and images from a PDF regardless of layer. The results displayed in the flat and layered columns are frequencies of BEC keywords matched while analyzing the PDF in varying states. The images column is the number of images successfully extracted from the PDF.

You can’t perform that action at this time.