#!/usr/bin/env python
#2014/09/30
#2015/08/12 added options; changed scoring: /ObjStm 0.75; obj/endobj or stream/endstream discrepancy: 0.50
#2015/08/13 added instructions
#2017/10/29 added /URI
from .pdfid import cPluginParent, AddPlugin
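class cPDFiDTriage(cPluginParent):
    """pdfid triage plugin: turn keyword counters into a coarse risk score.

    Score() inspects the keyword counters pdfid collected for one sample and
    returns the first matching risk level; Instructions() maps that level to a
    short analyst hint. The class is handed to AddPlugin() at module import.
    """

    # Run on every sample, not only on those pdfid recognised as a valid PDF.
    onlyValidPDF = False
    name = 'Triage plugin'

    # Any of these present with count > 0 yields the maximum score of 1.0.
    _HIGH_RISK_KEYWORDS = (
        '/JS', '/JavaScript', '/AA', '/OpenAction', '/AcroForm', '/JBIG2Decode',
        '/RichMedia', '/Launch', '/EmbeddedFile', '/XFA', '/Colors > 2^24',
    )

    # (score, hint) pairs consulted by Instructions(); order is irrelevant
    # because Score() never yields two of these values for one sample.
    _INSTRUCTIONS = (
        (1.0, 'Sample is likely malicious and requires further analysis'),
        (0.75, '/ObjStm detected, analyze sample with pdfid-objstm.bat'),
        (0.6, 'Sample is likely not malicious but could contain phishing or payload URL'),
        (0.5, 'Sample is likely not malicious but requires further analysis'),
        (0.0, 'Sample is likely not malicious, unless you suspect this is used in a targeted/sophisticated attack'),
    )

    def __init__(self, oPDFiD, options):
        # oPDFiD: pdfid result object; only .keywords (name -> object with a
        #         .count attribute) is read by this plugin.
        # options: value handed over by pdfid; compared against '--io', which
        #          disables the /ObjStm rule in Score().
        self.options = options
        self.oPDFiD = oPDFiD

    def _AnyKeywordPresent(self, keywords):
        """Return True when at least one of *keywords* has a count above zero.

        Keywords absent from the counter table are treated as not present
        rather than raising, matching the original membership test.
        """
        counters = self.oPDFiD.keywords
        return any(
            keyword in counters and counters[keyword].count > 0
            for keyword in keywords
        )

    def Score(self):
        """Return a risk score in {1.0, 0.75, 0.6, 0.5, 0.0}; first matching rule wins.

        1.0  - a high-risk keyword (see _HIGH_RISK_KEYWORDS) is present
        0.75 - /ObjStm is present; skipped entirely when options == '--io'
        0.6  - /URI is present
        0.5  - obj/endobj or stream/endstream counts disagree
        0.0  - none of the above
        """
        if self._AnyKeywordPresent(self._HIGH_RISK_KEYWORDS):
            return 1.0
        # NOTE(review): indentation was lost in this rendering; the '--io'
        # guard is read as covering only the /ObjStm rule, not the /URI rule.
        # Confirm against the repository copy.
        if self.options != '--io' and self._AnyKeywordPresent(('/ObjStm',)):
            return 0.75
        if self._AnyKeywordPresent(('/URI',)):
            return 0.6
        counters = self.oPDFiD.keywords
        # These four counters are indexed directly and are expected to exist;
        # a mismatch indicates a structurally inconsistent file.
        if counters['obj'].count != counters['endobj'].count:
            return 0.5
        if counters['stream'].count != counters['endstream'].count:
            return 0.5
        return 0.0

    def Instructions(self, score):
        """Return the analyst hint for *score*, or '' when Score() never produces it."""
        for value, hint in self._INSTRUCTIONS:
            if score == value:
                return hint
        return ''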
# Hand the plugin class to pdfid's AddPlugin() when this module is imported.
AddPlugin(cPDFiDTriage)