pdfxpose: detecting suspicious PDF modifications

pdfxpose – A security tool for detecting suspicious PDF modifications commonly found in BEC. While investigating Business Email Compromise (BEC), suspicious indicators were discovered in a majority of the PDFs encountered. This tool was developed to detect PDFs altered by threat actors engaging in BEC.

More information about the investigation can be found here: https://www.secureworks.com/research/wire-wire-a-west-african-cyber-threat

Install

apt-get install poppler-utils tesseract-ocr
git clone https://github.com/secureworks/pdfxpose.git

Usage

The tool accepts paths to one or more PDF files to be processed as command-line arguments. A mock BEC invoice has been provided as an example.

python pdfxpose.py Widgets_Order.pdf

The “suspicious” column displays either a positive or a negative detection result indicated by a 1 or 0. The PDF file is tested in two states. The flat state is an analysis of just the top layer simulating what the viewer of the document would see. The layered state entails extracting all text and images from a PDF regardless of layer. The results displayed in the flat and layered columns are frequencies of BEC keywords matched while analyzing the PDF in varying states. The images column is the number of images successfully extracted from the PDF.