service_manifest.yml
---
# Assemblyline service manifest for the PDFId service.
# Service identity; `version` is a build-time template substituted by the
# packaging tooling, so it is intentionally left as a plain scalar.
name: PDFId
version: $SERVICE_TAG
description: >-
  This Assemblyline service extracts metadata and objects from PDF files using
  Didier Stevens PDFId (Version 2.7) and PDFParser (Version 7.4) tools.

# File-type routing: `accepts`/`rejects` are matched against the identified
# type of each file. Password-protected PDFs and empty/metadata files are
# deliberately not sent to this service.
accepts: "document/pdf"
rejects: "empty|metadata/.*|document/pdf/passwordprotected"
stage: CORE
category: "Static Analysis"

# Runtime behaviour. The service needs the raw file contents (`file_required`)
# and is given 90 seconds per task (`timeout`); results are cached.
file_required: true
timeout: 90
disable_cache: false
enabled: true
# No outbound network access is expected from this service (`is_external`).
is_external: false
licence_count: 0
# NOTE(review): privileged services run with direct access to core
# infrastructure instead of the service-server API layer. For a parser that
# consumes untrusted PDFs, confirm this elevated mode is actually required.
privileged: true
# Parameters a submitter may override per submission. `default` is presumably
# the value pre-filled in the UI and `value` the one applied when nothing is
# chosen — confirm against the Assemblyline manifest docs.
submission_params:
  - name: "carved_obj_size_limit"
    type: int
    default: 750
    value: 750
# Service-level configuration passed to the service at start-up.
config:
  # Extra PDF name keys that pdfid is asked to count beyond its built-in set.
  ADDITIONAL_KEYS:
    - "/URI"
    - "/GoToE"
    - "/GoToR"
    - "/XObject"
  # pdfid plugins to load; the values look like paths relative to the service
  # image — verify against the service code before changing.
  HEURISTICS:
    - "pdf_id/pdfid/plugin_embeddedfile"
    - "pdf_id/pdfid/plugin_nameobfuscation"
    - "pdf_id/pdfid/plugin_suspicious_properties"
    - "pdf_id/pdfid/plugin_triage"
  # Samples above this size are skipped (see the "PDF too large" heuristic);
  # presumably bytes — confirm in the service code.
  MAX_PDF_SIZE: 3000000
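# Heuristics this service can raise. `heur_id` is the stable identifier the
# service code references; `name`/`description` are display labels shown in
# results and `score` feeds the submission verdict. Keep `heur_id` values
# unique and never renumber them — renaming labels is safe, renumbering is not.
heuristics:
  - description: Command detected to auto-open content
    filetype: "document/pdf"
    heur_id: 1
    name: AutoOpen
    score: 50
  - description: There are between 100 to 499 bytes following the end of the PDF
    filetype: "document/pdf"
    heur_id: 2
    name: "100+ bytes after last %%EOF"
    score: 100
  - description: Looking for /JBIG2Decode. Using the JBIG2 compression
    filetype: "document/pdf"
    heur_id: 3
    name: JBIG2Decode
    score: 50
  - description: Looking for /AcroForm. This is an action launched by Forms
    filetype: "document/pdf"
    heur_id: 4
    name: AcroForm
    score: 25
  - description: Looking for /RichMedia. This can be use to embed Flash in a PDF
    filetype: "document/pdf"
    heur_id: 5
    name: RichMedia
    score: 25
  # Informational (score 0) heuristics: they surface carved/extracted content
  # for analysts without moving the verdict on their own.
  - description: Malformed object content over 100 bytes extracted by pdfparser
    filetype: "document/pdf"
    heur_id: 6
    name: Malformed Content
    score: 0
  - description: Embedded object streams in sample. Sometimes used to hide malicious content.
    filetype: "document/pdf"
    heur_id: 7
    name: Objstms Detected
    score: 0
  - description: Suspicious object content carved from PDF. Displayed in service results.
    filetype: "document/pdf"
    heur_id: 8
    name: Carved Object Content
    score: 0
  - description: Suspicious object in PDF sample extracted.
    filetype: "document/pdf"
    heur_id: 9
    name: Object Extracted
    score: 0
  # Raised when the sample exceeds MAX_PDF_SIZE from the `config` stanza.
  - description: According to configuration parameters, sample too large for service to scan.
    filetype: "document/pdf"
    heur_id: 10
    name: PDF too large
    score: 0
  - description: Found the /Encrypt string in the file. Will need to figure out why.
    filetype: "document/pdf"
    heur_id: 11
    name: Encrypt
    score: 25
  - description: Outside stream entropy of > 5. Possible hidden content.
    filetype: "document/pdf"
    heur_id: 12
    name: High Entropy
    score: 500
  - description: Sample "obj" keyword count does not equal "endobj" keyword count.
    filetype: "document/pdf"
    heur_id: 13
    name: Obj/Endobj Mismatch
    score: 50
  - description: Sample "stream" keyword count does not equal "endstream" count.
    filetype: "document/pdf"
    heur_id: 14
    name: Stream/Endstream Mismatch
    score: 50
  - description: Sample contains embedded files.
    filetype: "document/pdf"
    heur_id: 15
    name: Embedded file
    score: 50
  # Score 1000 is the conventional "malicious" threshold in Assemblyline; these
  # two heuristics are treated as conclusive on their own.
  - description: Sample contains Hex encoded embedded files.
    filetype: "document/pdf"
    heur_id: 16
    name: Hex Encoded Embedded File
    score: 1000
  - description: There are more then 500 bytes following the end of the PDF
    filetype: "document/pdf"
    heur_id: 17
    name: "500+ bytes after last %%EOF"
    score: 500
  - description: Detected hex encoded flags
    filetype: "document/pdf"
    heur_id: 18
    name: Hex Encoded Flags
    score: 1000
  - description: Javascript is present in the PDF file
    filetype: "document/pdf"
    heur_id: 19
    name: Javascript
    score: 100
  - description: Number of colors is expressed with more than 3 bytes
    filetype: "document/pdf"
    heur_id: 20
    name: Color
    score: 50
  # Per the PDF specification, /GoToE is the *embedded* go-to action and
  # /GoToR the *remote* one; the descriptions were previously swapped relative
  # to the names. heur_id values are unchanged so existing results still map.
  - description: Go to embedded entry found in PDF
    filetype: "document/pdf"
    heur_id: 21
    name: GoToE
    score: 50
  - description: Go to remote entry found in PDF
    filetype: "document/pdf"
    heur_id: 22
    name: GoToR
    score: 50
  - description: Indicates XML Forms Architecture. These can be used to hide malicious code
    filetype: "document/pdf"
    heur_id: 23
    name: XFA
    score: 25
  - description: Sample contains URLs
    filetype: "document/pdf"
    heur_id: 24
    name: URI
    score: 0
  # Previously also named "XFA", which duplicated heur_id 23 in the UI even
  # though the description is about annotations.
  - description: Sample contains annotations. Not suspicious but should be examined if other signs of maliciousness present.
    filetype: "document/pdf"
    heur_id: 25
    name: Annotations
    score: 0
  - description: Document contains only one page. Most malicious documents will only contain one page.
    filetype: "document/pdf"
    heur_id: 26
    name: Only one page
    score: 50
  # `signature_score_map` overrides the heuristic score for a named signature.
  - description: URL found in PDF Annotations
    filetype: "document/pdf"
    heur_id: 27
    name: URL in Annotations
    score: 0
    signature_score_map:
      one_page: 0
  - description: XML script tags found in pdf streams
    filetype: "document/pdf"
    heur_id: 28
    name: PDF stream scripts
    score: 0
    signature_score_map:
      foxit: 0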
# Container the service runs in. `${REGISTRY}` and `$SERVICE_TAG` are
# substituted by the deployment tooling, not by the YAML parser, so the image
# reference is kept as a plain string.
docker_config:
  image: "${REGISTRY}cccs/assemblyline-service-pdfid:$SERVICE_TAG"
  # Resource requests for the scheduler.
  cpu_cores: 1
  ram_mb: 2048