PDF Analysis Intro and OpenActions Entries
Last Updated: 2022-07-29 16:29:46 UTC
by Johannes Ullrich (Version: 1)
This diary was contributed by Jesse La Grew
Many of the tools used to manage email systems filter malicious content before they ever arrive in a user’s inbox. It is becoming rarer to see a malicious document delivered after having the attachments screened through a variety of scanners and malware detonation sandboxes. There are certainly exceptions as creators of these documents improve methods of evasion. A PDF may still get delivered to an inbox and need to be analyzed manually.
An excellent tool is pdf-parser.py  and is included within the Remnux VM . First, getting a general idea of what to expect in the document can be useful before getting into the details.
pdf-parser.py <filename> -a
Image 1: Output of pdf-parser.py highlighting the Object ID
pdf-parser.py <filename> -o 11
Image 2: Output of pdf-parser.py highlighting OpenAction
There is a lot of information to unpack. This can be challenging if unfamiliar with the PDF standards. A useful resource is the Adobe Acrobat Developer Resources  and the latest formatting document from Adobe .
/OpenAction [6 0 R /FitH null]
|OpenAction||“…A value specifying a destination that shall be displayed or an action that shall be performed when the document is opened…” [4, page 74]|
|[ page /FitH top ]||“Display the page designated by page, with the vertical coordinate top positioned at the top edge of the window and the contents of the page magnified just enough to fit the entire width of the page within the window. A null value for top specifies that the current value of that parameter shall be retained unchanged.” [4, page 366]|
Referencing the Adobe documentation, this item is simply telling the PDF viewer to open the page specified by the object reference 6 0 R. References to other objects within the same document are common. It can be helpful to map out these object references to get a better overall picture.
This example did not have anything interesting to tell us, which is usually what I like to see most days. An example mocked up by Didier Stevens shows what a malicious file may look like using the same /OpenAction entry .
There are a variety of great tools for analyzing files. In the case of PDF documents, one of the best tools is Adobe’s PDF standards documentation. Keep it handy the next time you need to really understand what a PDF document is doing and why it may be doing it.