From dcb3a9cfac9d0c9f1024c2ee90cd12ed1583e892 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Wed, 27 Nov 2019 14:37:28 +0000
Subject: [Minor] Lua_content: Add some more PDF stuff
---
 lualib/lua_content/pdf.lua | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
(limited to 'lualib/lua_content')
diff --git a/lualib/lua_content/pdf.lua b/lualib/lua_content/pdf.lua
index 588117fc7..a531396db 100644
--- a/lualib/lua_content/pdf.lua
+++ b/lualib/lua_content/pdf.lua
@@ -32,14 +32,21 @@ local pdf_patterns = {
 },
 javascript = {
 patterns = {
- [[\s|>/JS]],
- [[\s|>/JavaScript]],
+ [[/JS(?:[\s/><])]],
+ [[/JavaScript(?:[\s/><])]],
+ }
+ },
+ openaction = {
+ patterns = {
+ [[/OpenAction(?:[\s/><])]],
+ [[/AA(?:[\s/><])]],
 }
 },
 suspicious = {
 patterns = {
 [[netsh\s]],
 [[echo\s]],
+ [[/[A-Za-z]*#\d\d]], -- Hex encode obfuscation
 }
 }
 }
@@ -145,6 +152,11 @@ processors.javascript = function(_, task, _, output)
 output.javascript = true
 end

+processors.openaction = function(_, task, _, output)
+ lua_util.debugm(N, task, "pdf: found openaction tag")
+ output.openaction = true
+end
+
 processors.suspicious = function(_, task, _, output)
 lua_util.debugm(N, task, "pdf: found a suspicious pattern")
 output.suspicious = true
--
cgit v1.2.3
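Review bot: In the first hunk, the new `suspicious` entry `[[/[A-Za-z]*#\d\d]]` is commented as hex-encode detection, but `\d\d` accepts only decimal digits, so name escapes whose two hex digits include A–F are not flagged; `[[/[A-Za-z]*#[0-9A-Fa-f]{2}]]` would match the comment's intent. The terminator class `[\s/><]` on the `/JS`, `/JavaScript`, `/OpenAction` and `/AA` patterns also omits `(` and `[`, both valid PDF delimiters, so a key followed directly by a literal string or an array is not matched; `[\s/><(\[]` closes that gap, and the `(?:…)` wrapper around a single class can be dropped. The `pdf_patterns` table begins above the hunk, so how these strings are compiled is not visible here.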
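Review bot: In the second hunk, `processors.openaction` sets `output.openaction`, but nothing in this commit reads that field and the diffstat shows only pdf.lua changed, so unless a consumer outside the hunks handles the output table generically, the new detection has no effect beyond the debug line. A one-line comment above the function would record the intent, e.g. `-- /OpenAction or /AA present: the document can trigger an action when opened; common in benign files, mainly of interest together with output.javascript`. `processors.suspicious` continues past the end of the hunk.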