How can I extract a JavaScript object from a PDF file using a command line tool?
I am trying to make a GUI using Python with this function.
I found these two modules but couldn't run them: pyPdf2 and pyPdf.
When you deal with JavaScript in PDFs, you have to be aware of two cases (which you cannot necessarily distinguish in advance, before closely investigating the file in question).
The OP gave a link to a sample JavaScript-loaded PDF from PlanetPDF:
That one is easy to handle. Just use pdfinfo -js
(but be sure that you use one of the most recent, Poppler-based releases -- the XPDF-based pdfinfo
does not know about -js
!)
Here is the result:
$ pdfinfo -js ppjslc_commonex_3.pdf
Title: Planet PDF JavaScript Learning Center Example #2
Author: Chris Dahl, ARTS PDF Global Services
Creator: PScript5.dll Version 5.2.2
Producer: Acrobat Distiller 6.0.1 (Windows)
CreationDate: Thu Oct 28 18:13:38 2004
ModDate: Thu Oct 28 18:17:46 2004
Tagged: no
UserProperties: no
Suspects: no
Form: AcroForm
JavaScript: yes
Pages: 1
Encrypted: no
Page size: 612 x 792 pts (letter)
Page rot: 0
File size: 84720 bytes
Optimized: no
PDF version: 1.5
Name Dictionary "docOpened":
// variable to store whether document has been opened already or not
var bAlreadyOpened;
function docOpened()
{
if(bAlreadyOpened != "true")
{
// document has just been opened
var d = new Date();
var sDate = util.printd("mm/dd/yyyy", d);
// set date now
app.alert("About to insert date into field now");
this.getField("todaysDate").value = sDate;
// now set bAlreadyOpened to true so it doesn’t
// run again
bAlreadyOpened = "true";
}
else
{
// document has already been opened
}
}
// call the docOpened() function
docOpened();
As you can see, -js
attempts to automatically extract all JavaScript from the PDF and prints it to <stdout>
.
This one was a harmless JavaScript, not trying to hide itself, not obfuscated, inserting the current date into a form field, after popping up an info message about what it is going to do.
There are numerous examples of PDFs out in the wilderness containing JavaScripts which are not as harmless as the above, written by Malware authors who are after your money, or just after the "fun" it gives them if they succeed.
The JavaScripts in these cases are very frequently hidden and obfuscated.
For example, in order to hide the fact that there is even JavaScript contained, they do not use the 'clear' /JavaScript
and /JS
names in the respective PDF object dictionaries. These names must be present for the PDF readers to know what they should do with the object.
Instead, they use another method to express the same names:
/#4Aava#53cript
/J#61vaScrip#74
/#4a#61#76#61#53#63#72#69#70#74
[...]
This method, unfortunately, was even made "legal" by the official PDF specification documents. It allows to replace a selection of some or even of all characters in a PDF name token by their respective ASCII hex number (combined with a leading hash sign for each replaced char).
This can fool some of the more naive attempts to find the /JavaScript
string inside a PDF (such as using a simple grep -a
).
There are a few Free Software tools available, which can be used to dissect and analyze such cases:
Didier Stevens' Python scripts pdfid.py
and pdf-parser.py
are very useful for a first look (and even for a complete analysis) of these cases.
Jose Miguel Esparza's Python framework peepdf is even more powerful. It can even de-obfuscate, beautify and make readable again any obfuscated JavaScript contents inside the PDF.
Origami is Ruby-based, and also quite powerful. And there are a few more...
But all these tools are only useful if you already have (at least some basic) knowledge about PDF syntax (and about JavaScript, of course).
Here are three short examples using pdfid.py
against three different PDFs:
the first does not cantain any JavaScript that is discovered by pdfid.py
:
$ pdfid.py nojavascript.pdf
PDFiD 0.2.1 nojavascript.pdf
PDF Header: %PDF-1.5
obj 193
endobj 193
stream 54
endstream 54
xref 1
trailer 1
startxref 1
/Page 1
/Encrypt 0
/ObjStm 0
/JS 0
/JavaScript 0
/AA 12
/OpenAction 0
/AcroForm 1
/JBIG2Decode 0
/RichMedia 0
/Launch 0
/EmbeddedFile 0
/XFA 0
/Colors > 2^24 0
the second contains JavaScript, and the name /JavaScript
appears in clear text inside the PDF:
$ pdfid.py javascript1.pdf | grep -E '(/JS|/JavaScript)
/JS 30
/JavaScript 30
the last contains JavaScript, and the name tokens /JavaScript
and /JS
both are obfuscated:
$ pdfid.py javascript2.pdf | grep -E '(/JS|/JavaScript)
/JS 30(30)
/JavaScript 30(30)
The fact that pdfid.py
lists a second number in parentheses shows, that it discovered the obfuscation. 30 out of 30 /JavaScript
name tokens are obscured -- this makes the PDF file highly suspicious, which warrants further investigation. Because no "normal" PDF generating tool (that is known to me) uses this obfuscation...
A list of different methods (including command line tools) is available in another answer of mine here:
The best tool currently is peepdf.py, because it can handle even heavily obfuscated JavaScript. This is a Python framework to explore (and change) the source code of PDF files, specialized in analysing malicious PDFs.
Its author(s) recently added the extract
sub-command, which extracts and prints the source code of JavaScripts contained in the PDF:
Short usage info:
git clone https://github.com/jesparza/peepdf.git git.peepdf
$PATH
) to the script:cd git.peepdf ;
ln -s $(pwd)/peepdf.py ${HOME}/bin/peepdf.py
echo 'extract js > all-javascripts-from-my.pdf' > xtract.txt
-l
, and force mode to ignore errors, -f
) to execute non-interactively the sub-command line(s) contained in the newly created script file, -s
:peepdf.py -l -f -s xtract.txt my.pdf
cat all-javascripts-from-my.pdf