{"id":435,"date":"2016-02-11T13:17:04","date_gmt":"2016-02-11T21:17:04","guid":{"rendered":"https:\/\/www.pnfsoftware.com\/blog\/?p=435"},"modified":"2017-09-13T00:42:10","modified_gmt":"2017-09-13T08:42:10","slug":"version-0-2-9-jeb2-pdf-analyzer-available","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/version-0-2-9-jeb2-pdf-analyzer-available\/","title":{"rendered":"Version 0.2.9 of the PDF analyzer plugin is available"},"content":{"rendered":"

Update (9\/13\/2017): we open-sourced the PDF plugin<\/a>. A compiled JAR binary is also available<\/a>.<\/em><\/strong><\/p>\n

We have released version 0.2.9 of our PDF analyzer plugin for JEB2. This release adds support for XFA (XML Forms Architecture) fragment streams reconstruction and parsing<\/strong>.<\/p>\n

In the following example, a malicious PDF file contains two XFA streams encoded with the unusual CCITTFFax encoder. Once decoded, JEB2 reassembles the decoded contents into a unit “32 0”. The XFA contains a malicious JavaScript snippet, also visible as a separate unit:<\/p>\n

\"\"<\/a>
Reconstructed XFA data showing a malicious JavaScript snippet.<\/figcaption><\/figure>\n
\"\"<\/a>
Notifications reported also show a dangerous Open action.<\/figcaption><\/figure>\n

The malicious PDF file examined in this entry is available on VirusTotal<\/a>.<\/em>
\n SHA256:\u00a0e108432dd9dad6ff57c8de6e907fd6dd25b62673bd4799fa1a47b200db5acf7c<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Update (9\/13\/2017): we open-sourced the PDF plugin. A compiled JAR binary is also available. We have released version 0.2.9 of our PDF analyzer plugin for JEB2. This release adds support for XFA (XML Forms Architecture) fragment streams reconstruction and parsing. In the following example, a malicious PDF file contains two XFA streams encoded with the … Continue reading Version 0.2.9 of the PDF analyzer plugin is available<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,2,11],"tags":[],"class_list":["post-435","post","type-post","status-publish","format-standard","hentry","category-jeb2","category-malware","category-pdf"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/435","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=435"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/435\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=435"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=435"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=435"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}