My kind of bizarre fun to do project.
Watch the video... ;oO
I take my hat off for this...
Linux in a PDF?
Bash script for a first-pass sanity check on untrusted PDFs before opening them. Not a substitute for pdfid.py on anything genuinely suspicious, but better than nothing and fast.
pdf-quickcheck.sh
#!/usr/bin/env bash
# pdf-quickcheck.sh — heuristic PDF security triage
# Usage: ./pdf-quickcheck.sh /path/to/file.pdf
set -euo pipefail
PDF="${1:-}"
if [[ -z "$PDF" || ! -f "$PDF" ]]; then
echo "Usage: $0 /path/to/file.pdf"
exit 2
fi
RISK_FOUND=0
PATTERN='(?i)(/javascript|/js|/openaction|/launch|/embeddedfile|/richmedia|/xfa|/submitform|/uri|/aa|/acroform|/jbig2decode|cmd\.exe|powershell|wget|curl)(?=[^a-z]|$)'
echo "== Basic file info =="
file "$PDF" || true
echo
echo "== Download/source metadata (if present) =="
if command -v mdls >/dev/null 2>&1; then
mdls "$PDF" 2>/dev/null | rg "kMDItemWhereFroms|kMDItemContentType|kMDItemFSName" || true
else
echo "(mdls not available — macOS only)"
fi
echo
echo "== PDF structure info =="
if command -v pdfinfo >/dev/null 2>&1; then
pdfinfo "$PDF" || true
else
echo "(pdfinfo not available — install poppler: brew install poppler)"
fi
echo
echo "== Suspicious PDF markers (strings scan) =="
if command -v strings >/dev/null 2>&1 && command -v rg >/dev/null 2>&1; then
HITS="$(strings -n 8 "$PDF" | rg -P "$PATTERN" || true)"
if [[ -n "$HITS" ]]; then
echo "$HITS"
echo
echo "RISK: suspicious markers found (manual review needed)."
RISK_FOUND=1
else
echo "No obvious high-risk markers found."
fi
else
echo "(strings and/or rg not available — install ripgrep: brew install ripgrep)"
fi
echo
echo "== pdfid.py scan (deep object analysis) =="
if command -v pdfid.py >/dev/null 2>&1; then
pdfid.py "$PDF" | rg -v -i '^[[:space:]]*/Type[[:space:]]+/Font([[:space:]]|$)|^[[:space:]]*/FontDescriptor([[:space:]]|$)|^[[:space:]]*/BaseFont([[:space:]]|$)|^[[:space:]]*/FontName([[:space:]]|$)|^[[:space:]]*/FontBBox([[:space:]]|$)|^[[:space:]]*/Subtype[[:space:]]+/TrueType([[:space:]]|$)' || true
else
echo "(pdfid.py not available — install from Didier Stevens Suite)"
echo " https://github.com/DidierStevens/DidierStevensSuite"
fi
echo
if [[ "$RISK_FOUND" -eq 1 ]]; then
echo "== SUMMARY: RISK MARKERS DETECTED — do not open without further analysis =="
exit 1
else
echo "== SUMMARY: No obvious risks detected (heuristic scan only — not definitive) =="
exit 0
fi
OMG
a feast for the hackers!