
Running the command peepdf <filepath> on mac gives the following output:

```
>peepdf 1614210893839_DEMOGRAPHICS.pdf

File: 1614210893839_DEMOGRAPHICS.pdf
MD5: ec49e8cd8782c6529e5107200e89364f
SHA1: c95310ef2f101c3646b072108cdffbb853e0a46c
SHA256: 5375d1e9e1d480d2600eb5322ae64c3eb2a1f4c0b1f0c395bbf0c2f64352137b
Size: 2631 bytes
Version: 1.5
Binary: True
Linearized: False
Encrypted: False
Updates: 0
Objects: 9
Streams: 1
URIs: 0
Comments: 0
Errors: 0

Version 0:
    Catalog: 8
    Info: 9
    Objects (9): [1, 2, 3, 4, 5, 6, 7, 8, 9]
    Streams (1): [3]
        Encoded (1): [3]
    Suspicious elements:
        /Names (2): [6, 8]
```

Why is /Names being treated as a suspicious element by 'peepdf'?

I have run the command 'peepdf' on other PDFs as well. One of the PDFs has the object /AcroForm, and how it can be used with malicious intent is very well explained here. However, I couldn't find anything on the object /Names.

corecipher
  • Marking **Names** as suspicious is as inappropriate as marking **AcroForm** as suspicious: Just like in **AcroForm** elements there may be JavaScript elements, there may be some in **Names** elements. But why test for **Names** only (and so mark all non-JavaScript uses of **Names** suspicious) if one could just as well test for **JavaScript** inside the **Names** dictionary? And why test for **AcroForm** only (and so mark all forms suspicious) if one could also look for actions of type **JavaScript** in the form elements? – mkl Mar 11 '21 at 10:02
  • Also JavaScript may be attached to pages directly, but I doubt they mark the presence of pages in a PDF as suspicious... – mkl Mar 11 '21 at 10:04
  • Thanks @mkl. I didn't know the 'Names' dictionary can also be used to carry JavaScript in it. I am gonna dig deeper into it. – corecipher Mar 14 '21 at 15:36
  • Any development on this? I have the same question. I created a PDF file from scratch and this suspicious /Names jumps out. I changed the metadata, but it didn't work. I want to use it to automate some analysis, but I'm worried about getting a lot of false positives. – fp007 Apr 15 '21 at 22:21
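
The narrower check suggested in the comments, looking for a /JavaScript entry inside the catalog's Names dictionary instead of flagging every /Names, sketched as an added example (not part of the original thread and not peepdf's code). It assumes uncompressed objects; the function names, the triage labels and the sample fragments are constructed for illustration.

```python
import re

# Keys the PDF specification defines for the catalog's /Names (name) dictionary.
NAME_DICT_KEYS = {"Dests", "AP", "JavaScript", "Pages", "Templates", "IDS", "URLS",
                  "EmbeddedFiles", "AlternatePresentations", "Renditions"}
REVIEW_KEYS = {"JavaScript"}  # assumed policy: only the case raised in the comments

def _unhex(m):
    # Decode #xx name escapes (/J#61vaScript -> /JavaScript); delimiters stay escaped.
    ch = bytes([int(m[1], 16)])
    return ch if ch.isalnum() else m[0]

def _dict_at(data, start):
    # Return the balanced << ... >> dictionary that opens at data[start].
    depth, i = 0, start
    while i < len(data):
        if data[i:i + 2] == b"<<":
            depth, i = depth + 1, i + 2
        elif data[i:i + 2] == b">>":
            depth, i = depth - 1, i + 2
            if depth == 0:
                break
        else:
            i += 1
    return data[start:i]

def name_dict_keys(pdf):
    """Name-dictionary keys under the catalog, or None if no catalog is readable
    (for example when it sits in a compressed object stream)."""
    pdf = re.sub(rb"#([0-9A-Fa-f]{2})", _unhex, pdf)
    objs = {int(n): b for n, b in re.findall(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", pdf, re.S)}
    catalog = next((b for b in objs.values() if re.search(rb"/Type\s*/Catalog\b", b)), None)
    if catalog is None:
        return None
    m = re.search(rb"/Names\s*(?:(\d+)\s+\d+\s+R\b|(<<))", catalog)
    if m is None:
        return set()
    target = objs.get(int(m[1]), b"") if m[1] else _dict_at(catalog, m.start(2))
    found = {n.decode("latin-1") for n in re.findall(rb"/([A-Za-z]+)", target)}
    return found & NAME_DICT_KEYS  # names inside strings also match: errs toward review

def triage(pdf):
    keys = name_dict_keys(pdf)
    return "unknown" if keys is None else "review" if keys & REVIEW_KEYS else "low-priority"

# Constructed fragments (not complete PDFs): destinations only, escaped key, inline dict.
DESTS_ONLY = b"6 0 obj << /Dests 5 0 R >> endobj 8 0 obj << /Type /Catalog /Pages 2 0 R /Names 6 0 R >> endobj"
WITH_JS = b"6 0 obj << /J#61vaScript 7 0 R >> endobj 8 0 obj << /Type /Catalog /Names 6 0 R >> endobj"
INLINE = b"8 0 obj << /Type /Catalog /Names << /Dests 4 0 R >> /Pages 2 0 R >> endobj"
```

A result of "unknown" means the catalog was not found in the clear, so the file needs a full parser before any conclusion is drawn.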

0 Answers