In the morning I attended the workshop by Didier Stevens about analyzing malicious PDF files. I have rarely attended a workshop of such high quality.

Didier showed, in 20 good, understandable exercises:

  • what the format of a PDF looks like
  • how JavaScript is included in a PDF file
  • how JavaScript can be obfuscated
  • how files can be included in a PDF
  • how files can be launched from a PDF

All the exercises will be made available on Didier's webpage. Additionally, you can find an ebook about analyzing malicious PDFs on his website.

During the workshop, some tools for analyzing PDF files were presented:

  • pdfid.py – analyses the structure of the PDF
  • pdf-parser.py – a parser for PDFs which prints out the content of PDF objects
  • js – a JavaScript parser based on SpiderMonkey, which has been slightly modified

Take a look at Didier's webpage; it is worth it.