I thought I had seen it all, Linux inside a PDF... ;oO

My kind of bizarre fun to do project.
Watch the video... ;oO
I take my hat off for this...
Linux in a PDF?

Bash script for a first-pass sanity check on untrusted PDFs before opening them. Not a substitute for pdfid.py on anything genuinely suspicious, but better than nothing and fast.

pdf-quickcheck.sh

#!/usr/bin/env bash
# pdf-quickcheck.sh — heuristic PDF security triage
# Usage: ./pdf-quickcheck.sh /path/to/file.pdf
set -euo pipefail

PDF="${1:-}"
if [[ -z "$PDF" || ! -f "$PDF" ]]; then
  echo "Usage: $0 /path/to/file.pdf"
  exit 2
fi

RISK_FOUND=0
PATTERN='(?i)(/javascript|/js|/openaction|/launch|/embeddedfile|/richmedia|/xfa|/submitform|/uri|/aa|/acroform|/jbig2decode|cmd\.exe|powershell|wget|curl)(?=[^a-z]|$)'

echo "== Basic file info =="
file "$PDF" || true
echo

echo "== Download/source metadata (if present) =="
if command -v mdls >/dev/null 2>&1; then
  mdls "$PDF" 2>/dev/null | rg "kMDItemWhereFroms|kMDItemContentType|kMDItemFSName" || true
else
  echo "(mdls not available — macOS only)"
fi
echo

echo "== PDF structure info =="
if command -v pdfinfo >/dev/null 2>&1; then
  pdfinfo "$PDF" || true
else
  echo "(pdfinfo not available — install poppler: brew install poppler)"
fi
echo

echo "== Suspicious PDF markers (strings scan) =="
if command -v strings >/dev/null 2>&1 && command -v rg >/dev/null 2>&1; then
  HITS="$(strings -n 8 "$PDF" | rg -P "$PATTERN" || true)"
  if [[ -n "$HITS" ]]; then
    echo "$HITS"
    echo
    echo "RISK: suspicious markers found (manual review needed)."
    RISK_FOUND=1
  else
    echo "No obvious high-risk markers found."
  fi
else
  echo "(strings and/or rg not available — install ripgrep: brew install ripgrep)"
fi
echo

echo "== pdfid.py scan (deep object analysis) =="
if command -v pdfid.py >/dev/null 2>&1; then
  pdfid.py "$PDF" | rg -v -i '^[[:space:]]*/Type[[:space:]]+/Font([[:space:]]|$)|^[[:space:]]*/FontDescriptor([[:space:]]|$)|^[[:space:]]*/BaseFont([[:space:]]|$)|^[[:space:]]*/FontName([[:space:]]|$)|^[[:space:]]*/FontBBox([[:space:]]|$)|^[[:space:]]*/Subtype[[:space:]]+/TrueType([[:space:]]|$)' || true
else
  echo "(pdfid.py not available — install from Didier Stevens Suite)"
  echo "  https://github.com/DidierStevens/DidierStevensSuite"
fi
echo

if [[ "$RISK_FOUND" -eq 1 ]]; then
  echo "== SUMMARY: RISK MARKERS DETECTED — do not open without further analysis =="
  exit 1
else
  echo "== SUMMARY: No obvious risks detected (heuristic scan only — not definitive) =="
  exit 0
fi

OMG
a feast for the hackers!