# pdfid.py
# Scan PDF files for suspicious keywords like /JavaScript, /OpenAction, /Launch without parsing
# FOR610 Labs: 3.1 | Sections: 1, 3 | Author: Didier Stevens
# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf

% pdf, static-analysis, triage, didier-stevens

# Basic usage
pdfid.py document.pdf

# Suppress default output
pdfid.py -n document.pdf


# --- Recipes (multi-tool chains) ---

# >> Extract Embedded Object from PDF
# Scan for suspicious keywords
pdfid.py <document.pdf>
# Find objects containing the keyword
pdf-parser.py <document.pdf> -s /URI
# Extract all values for that keyword
pdf-parser.py <document.pdf> -k /URI
# Dump a specific object to file
pdf-parser.py <document.pdf> -o <obj_id> -d extracted_object
# View extracted image
feh extracted_object &

# >> Extract JavaScript from PDF
# Check if PDF contains JavaScript
pdfid.py <document.pdf>
# Find objects with JavaScript
pdf-parser.py <document.pdf> -s /JavaScript
# Interactive analysis with peepdf
peepdf -i <document.pdf>