Origami in PDF


What is it?

Origami is a Ruby framework for parsing, analyzing and forging PDF documents. It is NOT a PDF rendering library: its purpose is to provide a scripting tool for generating and analyzing malicious PDF files. It can also be used to create customized PDFs on the fly, or to inject (evil) code into existing documents.

Features

Quick look

require 'origami'
include Origami

# Create a simple PDF document with one page of stroked text.
contents = ContentStream.new
contents.write 'I AM EMPTY',
  :x => 350, :y => 750, :rendering => PS::Text::Rendering::STROKE, :size => 15
PDF.new.append_page(Page.new.setContents(contents)).saveas('empty.pdf')

# Read a PDF document and add an action triggered when the document is opened.
pdf = PDF.read("foo.pdf")
pdf.onDocumentOpen Action::URI.new('http://google.com')
pdf.saveas('bar.pdf')

# Return an array of objects whose name begins with 'JS'.
pdf.ls(/^JS/)

# Return an array of objects containing '/bin/sh'.
pdf.grep('/bin/sh')

# Add a JavaScript action executed when the first page is opened.
pdf.pages.first.onOpen Action::JavaScript.new('app.alert("Hello");')

# Attach an embedded file to the document.
pdf.attach_file('other_doc.pdf')

Full scripts

We provide some scripts that perform common actions on PDF files. Feel free to send us your own at origami(at)security-labs.org.

More to come in the next releases...

Blog

New version fixing a stupid bug

We released a new version, 1.0.0-beta1b, which fixes a bug in some samples caused by internal changes. Sorry for the mess.


A new version while at HITB

Version 1.0.0-beta1, released while at HITB, adds the ability to forge documents with richer graphical content (shapes, colors, gradients...). Modifying the graphical content of existing documents is still not supported. Templates have been added to quickly create form widgets. Since linearized documents can cause issues when an existing document is recompiled, a new feature delinearizes a document. A new flag (syntactically) obfuscates a PDF when saving, which can be useful to confuse later analysis. This version also fixes various bugs and slightly improves performance.


Is this PDF malicious?

A new article, Is this PDF malicious?, walks through the analysis of a suspicious PDF file.


Origami: release 1.0.0-beta0

What's new in this release:

  • sources/scripts/
    • scan/pdfscan.rb: a scanner for malicious PDFs, giving a quick view of what will happen when a given PDF is handled.
    • antivir/pdfclean.rb: a script that removes all dynamic features from a PDF file.
    • metadata: extracts metadata from a PDF (author, creation date and other information).
  • sources/samples/open/: 4 ways to trigger events when a PDF is opened (see the article below).
  • Parser: support for new object types (XRef streams, object streams, PNG stream predictor functions).
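A scanner like pdfscan.rb has two things to get right that a grep over the raw bytes does not: PDF names may hex-escape any byte (/J#61vaScript is /JavaScript, one form of syntactic obfuscation), and objects can live inside FlateDecode object streams, where their names are not visible until the stream is inflated. The example below is added here and is not origami's scanner; it is plain Ruby with a constructed sample document (not a real malicious file) containing the open-time triggers the release notes and the "4 ways" article are about: a catalog /OpenAction, a page /AA open trigger, a hex-escaped JavaScript action, and a /Launch action hidden in a compressed object stream. Helper names are hypothetical.

```ruby
# Added example, not part of origami. Flags risky names in a PDF, decoding
# hex-escaped names and looking inside FlateDecode streams.
require 'zlib'

# Names that mean the document can act when opened or handled: document and
# page triggers, script, external launch, URI fetch, attachments.
RISKY = %w[OpenAction AA JavaScript JS Launch URI EmbeddedFile].freeze

# "/J#61vaScript" -> "JavaScript": decode #xx escapes before comparing.
def decode_name(raw)
  raw.delete_prefix("/").gsub(/#([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Count every risky name token in a byte string (names end at whitespace
# or at a PDF delimiter character).
def scan_names(bytes, hits)
  bytes.scan(/\/[^\s\/\[\]<>(){}%]+/) do |raw|
    n = decode_name(raw)
    hits[n] += 1 if RISKY.include?(n)
  end
  hits
end

# Yield the inflated body of each FlateDecode stream (nil if it will not
# inflate). A direct /Length is honoured; otherwise fall back to "endstream".
def each_flate_stream(bytes)
  re = /obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n/m
  pos = 0
  while (m = re.match(bytes, pos))
    pos = m.end(0)
    dict = m[1]
    next unless dict.include?("/FlateDecode")
    len = dict[/\/Length\s+(\d+)(?!\s*\d+\s+R)/, 1]   # skip "/Length 6 0 R"
    stop = len ? pos + len.to_i : bytes.index(/\r?\nendstream/, pos)
    next unless stop
    begin
      yield Zlib::Inflate.inflate(bytes[pos...stop])
    rescue Zlib::Error
      yield nil
    end
  end
end

# Scan the raw file, then every inflated stream, so names inside object
# streams are counted too.
def scan_pdf(bytes)
  hits = Hash.new(0)
  scan_names(bytes, hits)
  each_flate_stream(bytes) do |body|
    body ? scan_names(body, hits) : hits["<undecodable stream>"] += 1
  end
  hits
end

# Anything reachable from a document- or page-open trigger deserves a look.
def triggers_on_open?(hits)
  hits["OpenAction"] > 0 || hits["AA"] > 0
end

# Constructed sample (not a real malicious file). Object 6 is an object
# stream: "7 0" is the offset table, the object itself starts at /First 4.
INNER  = "7 0 << /Type /Action /S /Launch /F (calc.exe) >>".b
PACKED = Zlib::Deflate.deflate(INNER)
SAMPLE = <<~HEAD.b + PACKED + "\nendstream\nendobj\n%%EOF\n".b
  %PDF-1.5
  1 0 obj
  << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
  endobj
  2 0 obj
  << /Type /Pages /Kids [3 0 R] /Count 1 >>
  endobj
  3 0 obj
  << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /AA << /O 5 0 R >> >>
  endobj
  4 0 obj
  << /S /URI /URI (http://example.invalid/) >>
  endobj
  5 0 obj
  << /S /J#61vaScript /JS (app.alert\\("hi"\\);) >>
  endobj
  6 0 obj
  << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length #{PACKED.bytesize} >>
  stream
HEAD
```

Running `scan_pdf(SAMPLE)` reports OpenAction, AA, URI, JavaScript, JS and Launch, while `SAMPLE.include?("/JavaScript")` is false: the escaped name and the compressed Launch action are invisible to a naive string search. To scan a file from disk, pass `File.binread(path)`; the /Length fallback and the single-level inflate are deliberate simplifications, so a production scanner should parse the xref (or xref stream) and the object stream header instead of matching keywords.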


(At least) 4 ways to die opening a PDF

Our latest article deals with how to trigger an action when a PDF is opened...

The source code will be available in the next release (1.0.0-beta0).


Download

Articles, slides, doc...

SecuObs

Sogeti ESEC R&D blog

PacSec08

Other interesting stuff about PDFs
