I was emailed a PDF file by a family member. I have reason to suspect that it was given to said family member by someone who would like nothing more than to infect me with a Remote Access Trojan. How can I tell if it contains code that would allow an attacker to gain access to my Android phone?
Asked
Active
Viewed 3.7k times
3 Answers
16
You can upload a pdf to VirusTotal and check if that file is infected, but be careful since results from VirusTotal are not 100% accurate.
There is also PDF Examiner.
PDF Examiner by Malware Tracker is able to scan the uploaded PDF for several known exploits, allows the user to explore the structure of the file, as well as examine, decode and dump PDF object contents. This tool lends itself well to manual PDF analysis tasks. In this way, it differs from Jsunpack and Wepawet, which focus on automating the analysis as much as possible.
One more free service Jsunpack.
Jsunpack by Blake Hartstein is designed for automatically examining and de-obfuscating JavaScript. Its features also include carving contents of network packet capture (PCAP) files and identifying common client-side exploits. It can also examine PDF files for malicious JavaScript artifacts.
For deeper analysis you should check PDF tools from Didier Stevens.
Mirsad
- 10,005
- 8
- 33
- 53
-
1jsunpack link is broken – schroeder Apr 27 '19 at 15:42
-
PDF Examiner link is dead; they appear to have pivoted so not sure if it's worth just removing the link, or removing the paragraph entirely. – James Skemp Jun 04 '20 at 21:42
2
There's also PDFrate, it works like VirusTotal and is specialized on PDFs.
PDFrate is designed to complement existing malicious document detection mechanisms, such as signature matching and dynamic analysis systems. PDFrate is capable of detecting malicious documents, including previously unseen variants, without relying on extensive parsing or execution of the documents. In addition to identifying malicious documents, PDFrate seeks to accurately separate opportunistic attacks, which represent the overwhelming majority of malicious activity, from targeted attacks, whose apparent goal is espionage against a small number of specific victims.
Knorke
- 464
- 2
- 5
0
You can install ClamAV and feed your suspect files in for a scan. If you own your incoming email server, you can install ClamAV such that your email server automatically triggers such scans. Such a pairing is available from email server. See for example https://github.com/tomav/docker-mailserver
I have been running this in prod for several years without too much fuss. A side benefit of owning your own infrastructure is the ability to execute an active content filter. In my case incoming email triggers a golang binary of my own crafting which reads the email and executes what I want on what I need to. You get the point.
James Skemp
- 103
- 4
Scott Stensland
- 241
- 1
- 10