
decalage2 / exefilter


ExeFilter is an open-source tool and framework to filter file formats in e-mails, web pages or files. It detects many common file formats and can remove active content (scripts, macros, etc) according to a configurable policy.

Home Page: http://www.decalage.info/exefilter

License: Other

Python 88.26% Batchfile 0.09% HTML 11.65%


exefilter's Issues

Error on some html files

On some HTML files the program gives this error:

HTML Document : Error while cleaning (set_cdata_mode() takes exactly 2 arguments (1 given))

Both on 1.1.3 and alpha versions

Python2 deprecated

Hello,
as Python 2 is deprecated, is Python 3 support planned?
For example in Arch Linux Python 2 was recently removed.

Is using ghostscript / pdfwrite to flatten PDF dangerous? (I have read about a lot of ghostscript vulnerabilities in the past)

I tried to use pdfclean.rb with Ruby but it doesn't work (maybe I have the wrong version of Ruby).
I see that in Origami there is pdf2pdfa; is it different from the pdfclean.rb script?

As an alternative I am trying to use qpdf + pdfid -d (to uncompress with qpdf and disarm JavaScript in pdfid with Python 3).
I often see that ObjStm is more than zero; can ObjStm contain JavaScript or other code?

I often use exefilter to clean PDF and it works very well :)
Thank you!
Andrea

ExeFilter incorrectly flagged as malware

It looks like some antivirus products are now flagging ExeFilter releases (and even the master zip from the GitHub repo) as malware. It is obviously a false positive, and I guess it's due to some test files bundled with ExeFilter.
Solution: remove test files, or zip them with a password.

VirusTotal is currently OK with the master zip from GitHub (but my corporate AV blocks it):
https://www.virustotal.com/gui/url/1bd6773a63c33e984ea75642a60986b84c4005325f805662c725be34ea844909?nocache=1
But the latest release from 2011 on Adullact triggers some AV:
https://www.virustotal.com/gui/url/86504856a9901133a900ecc706a37213d0de28e527ac7af1f1c1ae80c2a2dd9a

Trouble removing Word macros

Hi,

I'm attempting to use ExeFilter.py to remove Word macros on Mac and Linux. When I run ExeFilter.py against a .doc file with macros, it reports that it cleaned the file, but scanning the file with ClamAV still reports Heuristics.OLE2.ContainsMacros FOUND.

I've tested this with both version 1.1.3 and version 1.1.4-alpha6 and get the same results. Could you advise as to whether complete macro removal is possible with ExeFilter such that ClamAV would not report an error?

Thanks,

Ashlin.

Active pdf (javascript) not detected

This PDF has a simple JavaScript that displays a popup when opening the file.
It has been created with Acrobat on Windows, no manual manipulation and no special tool.

ExeFilter (pdfid) does not detect the /JavaScript and the /JS tags, therefore they are not disarmed.
These tags are embedded in an obj within the PDF.

By uncompressing the file with qpdf --stream-data=uncompress This_is_an_active_PDF_esg.pdf uncompressed.pdf we can observe the embedded object:

<< /Type /ObjStm /Length 1462 /N 8 /First 50 >>
stream
5 0 6 127 7 151 8 182 9 280 10 535 11 919 12 1180
<< /DA (/Helv 0 Tf 0 g ) /DR << /Encoding << /PDFDocEncoding 29 0 R >> /Font << /Helv 27 0 R /ZaDb 28 0 R >> >> /Fields [ ] >>
<< /JavaScript 7 0 R >>
<< /Names [ (Hello) 8 0 R ] >>
<< /JS (app.alert\({cMsg: "JavaScript action: hello", cTitle: "demo title"}\);) /S /JavaScript >>
<< /Ascent 1026 /CapHeight 632 /Descent -312 /Flags 32 /FontBBox [ -503 -312 1240 1026 ] /FontFamily (Calibri) /FontFile2 30 0 R /FontName /OKZOSG+C
<< /BaseFont /OKZOSG+Calibri /Encoding /WinAnsiEncoding /FirstChar 32 /FontDescriptor 9 0 R /LastChar 117 /Subtype /TrueType /ToUnicode 31 0 R /Type
<< /Ascent 1039 /CapHeight 632 /Descent -349 /Flags 32 /FontBBox [ -519 -349 1263 1039 ] /FontFamily (Calibri) /FontFile2 32 0 R /FontName /UBZYYU+C
<< /BaseFont /UBZYYU+Calibri-Bold /Encoding /WinAnsiEncoding /FirstChar 97 /FontDescriptor 11 0 R /LastChar 118 /Subtype /TrueType /ToUnicode 33 0 R
endstream
endobj

Can we do something about it?

Original pdf file:

This_is_an_active_PDF_esg.pdf

Uncompressed version:

uncompress.pdf
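
The blind spot reported in this issue, and the ObjStm question in the Ghostscript issue above, can be checked with a short scanner. This is an added example, not code from ExeFilter or pdfid: it counts active-content names in the bytes as stored and again inside inflated /ObjStm streams. The names `KEYS`, `scan` and `build_sample` are hypothetical, the sample PDF is constructed, and the regex is a heuristic that assumes plain /FlateDecode and ignores hex-escaped names.

```python
import re
import zlib

# Keyword names to count (assumed list for this example).
KEYS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA")

# "obj << dict >> stream ... endstream", without letting the dictionary cross an endobj.
STREAM_RE = re.compile(
    rb"obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def count_keys(data):
    """Count each name; the lookahead stops /JS from matching a longer name."""
    return {k: len(re.findall(re.escape(k) + rb"(?![A-Za-z0-9])", data)) for k in KEYS}


def scan(pdf):
    """Return (raw, hidden): hits in the bytes as stored, and inside /ObjStm streams."""
    raw = count_keys(pdf)
    hidden = dict.fromkeys(KEYS, 0)
    for m in STREAM_RE.finditer(pdf):
        dictionary, data = m.groups()
        if b"/ObjStm" not in dictionary:
            continue
        if b"/FlateDecode" in dictionary:
            try:
                # decompressobj tolerates stray end-of-line bytes after the zlib data
                data = zlib.decompressobj().decompress(data)
            except zlib.error:
                continue  # undecodable stream: treat as suspicious in real tooling
        for key, n in count_keys(data).items():
            hidden[key] += n
    return raw, hidden


def build_sample():
    """Constructed PDF fragment: a Flate-compressed ObjStm holding a JavaScript action."""
    body = (b"7 0 8 31\n<< /Names [ (Hello) 8 0 R ] >>\n"
            b"<< /JS (app.alert\\(1\\);) /S /JavaScript >>")
    packed = zlib.compress(body)
    head = (b"4 0 obj\n<< /Type /ObjStm /N 2 /First 9 "
            b"/Filter /FlateDecode /Length %d >>\n" % len(packed))
    return (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /Names 6 0 R >>\nendobj\n"
            + head + b"stream\n" + packed + b"\nendstream\nendobj\n")


if __name__ == "__main__":
    raw, hidden = scan(build_sample())
    print("as stored:", raw)
    print("inside ObjStm:", hidden)
```

A file whose `hidden` counts exceed its `raw` counts carries active-content names that a scan of the stored bytes alone would miss.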
