PDF file analysis

PDF files have evolved to support actions and the execution of embedded JavaScript. For PDF analysis, we extract the event (action) information and analyze what the JavaScript will do. We can use Didier Stevens' PDF Tools to help us analyze PDFs. This toolset runs on Python, so we will again need that installed. PDF Tools can be downloaded from https://blog.didierstevens.com/programs/pdf-tools/. The site also gives a description of each tool in the package.

Let's try using the tool with https://github.com/PacktPublishing/Mastering-Reverse-Engineering/blob/master/ch13/demo_01.pdf. Using pdfid.py, execute the following line:

python pdfid.py demo_01.pdf

The following screenshot shows the result of pdfid on demo_01.pdf:

Here, we can see that there is JavaScript code embedded in it. Let's now use pdf-parser.py to extract more information. Some elements in a PDF file can be compressed and will not be readable; pdf-parser is able to decompress these streams. Execute the following command to redirect the output of pdf-parser to demo_01.log:

python pdf-parser.py demo_01.pdf > demo_01.log

The output given by pdf-parser is basically the same as the contents of demo_01.pdf, because this file contains no compressed objects for the tool to decompress. If we look closer at the output, we can easily identify where the script code is:

<<
  /JS (app.alert({cMsg: "Reversing is fun!", cTitle: "Mastering Reverse Engineering"});)
  /S /JavaScript
>>
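To show what pdf-parser does for us when it locates and decompresses such an object, here is an added Python example (not part of the book or of Didier Stevens' tools) that walks a PDF for /JS entries, reads the literal string form shown above with its nested parentheses, and follows the indirect form to a FlateDecode stream it inflates. The sample PDF is constructed inline and the object layout and script text are assumptions for the demonstration.

```python
import re
import zlib
# Constructed sample PDF (not the book's demo_01.pdf): obj 3 repeats the /JS dictionary above, obj 5 hides a second script in a FlateDecode stream.
HIDDEN_JS = b'app.alert("Decompressed JavaScript runs too!");'
COMPRESSED = zlib.compress(HIDDEN_JS)
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R /AA << /O 4 0 R >> >> endobj\n"
    b'3 0 obj << /S /JavaScript /JS (app.alert({cMsg: "Reversing is fun!", cTitle: "Mastering Reverse Engineering"});) >> endobj\n'
    b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
    b"5 0 obj << /Length " + str(len(COMPRESSED)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + COMPRESSED + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
def _read_literal(data, start):
    """Return the PDF literal string opening at data[start]; parens nest and backslash escapes the next byte."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                  # escaped byte: take it verbatim (covers \( \) \\)
            out += data[i + 1:i + 2]
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            break                       # matching close paren reached
        if i != start:                  # the outermost '(' is not content
            out += c
        i += 1
    return bytes(out)
def _stream_data(num, data):
    """Resolve 'num 0 obj' and return its stream payload, inflating FlateDecode (assumes a direct /Length)."""
    m = re.search(rb"(?<![0-9])%d 0 obj(.*?)endobj" % num, data, re.S)
    body = m.group(1) if m else b""
    length, start = re.search(rb"/Length\s+(\d+)", body), body.find(b"stream")
    if not length or start < 0:
        return None
    start += 6 + (2 if body[start + 6:start + 8] == b"\r\n" else 1)   # skip 'stream' and its EOL
    raw = body[start:start + int(length.group(1))]
    return zlib.decompress(raw) if b"/FlateDecode" in body else raw
def extract_javascript(data):
    """Collect every /JS payload, inline literal or reference to a (possibly compressed) stream object."""
    found = []
    for m in re.finditer(rb"/JS(?![A-Za-z])\s*", data):
        pos = m.end()
        if data[pos:pos + 1] == b"(":
            found.append(_read_literal(data, pos))
        else:                           # indirect form: /JS 5 0 R
            ref = re.match(rb"(\d+)\s+\d+\s+R", data[pos:pos + 32])
            js = _stream_data(int(ref.group(1)), data) if ref else None
            found += [js] if js is not None else []
    return found
```

Running extract_javascript(SAMPLE_PDF) returns both scripts, the compressed one already inflated; a real file may also use an indirect /Length or other filters, which pdf-parser handles and this sketch does not.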

Opened in Chrome as our PDF reader, the PDF displays the following message box:

To debug the JavaScript, we would need to copy it into a separate JavaScript or HTML file. We may also need to adapt calls that exist only in the PDF reader's JavaScript API (such as app.alert) to their browser equivalents. The JavaScript code from the PDF can be converted into the following HTML code:

<html>
<script>
// The browser's alert() shows only its first argument; the cTitle value has no equivalent here.
alert("Reversing is fun!", "Mastering Reverse Engineering");
</script>
</html>