Origami in PDF
What is it? | Blog | Download | Doc | Others | Contact | Greetings
What is it?
origami is a Ruby framework designed to parse, analyze, and forge PDF documents. This is NOT a PDF rendering library. It aims at providing a scripting tool to generate and analyze malicious PDF files. As well, it can be used to create on-the-fly customized PDFs, or to inject (evil) code into already existing documents.
Features
- Create PDF documents from scratch.
- Parse existing documents, modify them and recompile them.
- Explore documents at the object level, going deep into the document structure, uncompressing PDF object streams and desobfuscating names and strings.
- High-level operations, such as encryption/decryption, signature, file attachments...
- A GTK interface to quickly browse into the document
contents.
Quick look
# Create a simple PDF document.
contents = ContentStream.new
contents.write 'I AM EMPTY',
:x => 350, :y => 750, :rendering => PS::Text::Rendering::STROKE, :size => 15
PDF.new.append_page(Page.new.setContents(contents)).saveas('empty.pdf')
# Read a PDF document and add an action.
pdf = PDF.read("foo.pdf")
pdf.onDocumentOpen Action::URI.new('http://google.com')
pdf.saveas('bar.pdf')
# Return an array of objects whose name begins with 'JS' pdf.ls(/^JS/) # Return an array of objects containing '/bin/sh' pdf.grep('/bin/sh') # Add a JS script to execute on first page. pdf.pages.first.onOpen Action::JavaScript.new('app.alert("Hello");') # Attach an embedded file to a document pdf.attach_file('other_doc.pdf')
Full scripts
We provide some scripts helping to perform common actions on PDF files. Feel free to send us your own scripts at origami(at)security-labs.org.
- detectjs.rb: search for all JavaScript objects.
- embed.rb: add an attachment to a PDF file.
- create-jspdf.rb: add a JavaScript to a PDF file, executed when the document is opened.
- moebius.rb: transform a PDF to a moebius strip.
- encrypt.rb: encrypt a PDF file.
More to come on next releases...
Blog
New version fixing stupid bug
Oct 30, 2009
We released a new version, 1.0.0-beta1b fixing a bug in some samples due to internal changes. Sorry for the mess.
A new version while at HITB
Oct 6, 2009
This version 1.0.0-beta1 while at HITB comes up with the ability to forge documents with more graphical contents (such as shapes, colors, gradients...). However, graphical contents modifications from existing documents are not supported. Some templates have been added to quickly create forms widgets. Linearized documents might cause issues during recompilation of existing documents, so a new feature has been added to delinearize a document. A new flag is also present to (syntactically) obfuscate a PDF upon saving, which might be useful to confuse a later analysis. This new version fixes various bugs and slightly improves performance.
Is this PDF malicious?
Jun 26, 2009
A new article, Is this PDF malicious? dealing with the analysis of a suspicious PDF file.
Origami: release 1.0.0-beta0
July 6, 2009
What's new in this release:
- sources/scripts/
- scan/pdfscan.rb: a scanner for malicious PDF, or get a quickview of what is going to happen when handling a given PDF.
- antivir/pdfclean.rb: a script to remove all dynamic features from a PDF file.
- metadata: extract metadata from a PDF, that is author, creation date, and some other piece of information.
- sources/samples/open/: 4 ways to trigger events when a PDF is opened (see here).
- Parser: add support for new objects (XRef streams, Object streams, PNG stream predictor functions).
(At least) 4 ways to die opening a PDF
Jun 26, 2009
Find our last article. It deals with how to trigger an action when a PDF is opened...
Source code will be available in next release (1.0.0-beta0)
Download
- Current version: 1.0.0-beta1b
- All previous releases
Articles, slides, doc...
- Origami pour forger, analyser et manipuler des fichiers PDF malicieux (X. Poli)
Sogeti ESEC R&D blog
- Is this PDF malicious?: how to analyze a PDF by looking at its structure.
- (At least) 4 ways to die opening a PDF: how to trigger an action when a PDF is opened?
- Virus total with origami?: is it easy to conceal a virus in a PDF?
- Streams and filters in PDF with origami: manipulating streams or JavaScript hidding howto with PDF.
- Playing with origami in PDF: a short intro to the usage of origami
- Focus on the PDF language and various readers
- Slides in English and Japanish
- Samples based on Acrobat Reader 9.0.0
Other interesting stuffs about PDFs
- Didier Stevens: very interesting posts about PDF, and many other topics.
- New Viral Threats of PDF Language (A. Blonce, E. Filiol, L. Frayssignes): what you can do with the PDF language.
Author & Contributors
- Lead developer: Guillaume Delugré
- Contributor: Fred Raynal
- Contact: origami(at)security-labs.org
Greetings
- Sogeti/CapGemini: the company we work at to let us research on this project.
- Bot.cat: amazing web designer ;)