whiteSHADOW1234 / PDF_Shield

The PDF Shield is a Python tool designed to help users identify the potential for Denial of Service (DoS) attacks and JavaScript code embedded in PDF files.

PDF files are often used as vectors for social engineering attacks, where attackers attempt to trick victims into opening malicious files.

This tool aims to provide users with an additional layer of security by analyzing downloaded PDF files and alerting them if the file contains a potential DoS attack.

PDF attacks, particularly as a method within social engineering attacks, have seen a significant increase in occurrence. Cyber adversaries exploit the flexibility of PDF files, often leveraging JavaScript customization to target unsuspecting users. Despite attempts to address vulnerabilities, built-in PDF reader engines in modern browsers remain vulnerable. To mitigate risks, the PDF DoS Detector aims to reduce the number of victims by alerting users to potential DoS attack methods found within PDF files.

• Victim opens malicious PDF document
• Bad things happen (attack-dependent)
• No user interaction required

Take JavaScript embedded attack as example:

1. Run pip install PyPDF2 in the terminal.

2. Next, use the .add_js() method of the PyPDF2 library to create a Python script:

   import PyPDF2
   
   def embed_javascript(pdf_file, js_code):
       pdf_reader = PyPDF2.PdfReader(pdf_file)
       pdf_writer = PyPDF2.PdfWriter()
   
       for page in pdf_reader.pages:
           pdf_writer.add_page(page)
       pdf_writer.add_js(js_code)
   
       with open('embedded.pdf', "wb") as f:
           pdf_writer.write(f)
   
   javascript_code = '''
   while(1){
       app.alert("Hello, World!");
   }
   '''
   
   pdf_file_path = 'blank.pdf'
   with open(pdf_file_path, 'rb') as pdf_file:
       embed_javascript(pdf_file, javascript_code)

3. Please ensure that you run the Python file you've recently generated.

   Don't forget to update the FILE_NAME accordingly!

4. Open the embedded.pdf file in the listed web browsers to verify that they trigger an alert window, confirming the successful execution of the embedded JavaScript code within the PDF.

   A. Microsoft Edge:

   B. Google Chrome:

   C. Brave:

• The user downloads a potentially malicious PDF.
• The tool conducts an automated scan on the downloaded PDF, presenting the results through a user-friendly pop-up window.
• The user is empowered to make informed decisions, with options to either eliminate identified vulnerabilities within the PDF or proceed with opening it.

• Note: The following chart lists CVE information specifically related to PDFium. While it might apply to other PDF engines, our project focuses on creating a defense tool for current web browsers using PDFium, like Chrome, Brave, and Edge. Examples include CVE-2023-41257 (Foxit Reader 12.1.2.15356), CVE-2023-38573 (Foxit Reader 12.1.2.15356), and CVE-2022-39016 (PDFtron in M-Files Hubshare before 3.3.10.9).

• This project alerts users when it finds JavaScript code for two reasons. Firstly, many attacks are connected to JavaScript, according to Spider Experts. Secondly, creating a responsible PDF doesn't need JavaScript; there are built-in Named Objects that support responsible actions. JavaScript is only necessary if the PDF relies solely on it, for example, detecting keystrokes or playing videos without using YouTube or other online services.

1. git clone this repository and don't forgot to run pip install -r requirements.txt.
2. Execute the main.py file.
3. And now download a PDF file.
4. Sit back, relax, and wait for the scanning process to be completed.

1. Download the PDF Shield zipped file located in the output directory.
2. Unzip it on your device.
3. Locate the PDF Shield.exe in the unzipped folder and right-click on it to Create a Shortcut on your Desktop.
4. Drag-and-drop the PDF you want to scan onto the icon.
5. Sit back, relax, and wait for the scanning process to be completed.

1. Download the PDF Shield zipped file located in the output directory.
2. Unzip it on your device.
3. Double-click the PDF Shield.exe in the unzipped folder to start the scanning program.
4. Now, download a PDF file.
5. Sit back, relax, and wait for the scanning process to be completed.

• Take JavaScript Infinite Loop as an example

• Take the PDFs from RUB-NDS/PDF101 as an example

• Take the PDFs from RUB-NDS/PDF101 as an example

• Take JavaScript Embedded Attack plus Deflate Bomb as an example

• PDF101
• [TROOPERS15] Ange Albertini, Kurt Pfeifle - Advanced PDF Tricks
• Artifacts for "Portable Document Flaws 101" at Black Hat USA 2020
• CVE searching results for "PDF"
• Malicious PDFs | Revealing the Techniques Behind the Attacks
• Common Tactics Used by Threat Actors to Weaponize PDFs
• How can I extract a JavaScript from a PDF file with a command line tool?
• Threat-Loaded: Malicious PDFs Never Go Out of Style
• One of the easiest and most powerful ways to customize PDF files is by using JavaScript.
• Adobe Reader and Acrobat JavaScript Vulnerabilities
• Hackers Use Weaponized PDF Files to Attack Manufacturing, and Healthcare Organizations
• 66% of malware delivered via PDF files in malicious emails: Report
• How to protect yourself from the Adobe Reader PDF JavaScript Vulnerability
• PDFium
• Portable-Document-Flaws-101

Contributions to the PDF DoS Detector are welcome. Whether it's bug fixes, feature enhancements, or other improvements, feel free to contribute to make the tool more effective in protecting users from PDF-based DoS attacks.

Stay secure, and happy browsing!