PDF Forensic with MPeePDF

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search


This documentations goal is to illustrate the use of the tool MPeePDF which can be used to do PDF forensic work. The goal of PDF forensic is to analyse documents and determine if a malicious activity is conducted.


  • Operating system: Ubuntu 20.04
  • Packages: git, python2

In order to complete these steps, you must have followed python2 install guide before.


Step 1

Enter these commands in the shell to start an analysis of a document.

python2 mpeepdf.py [your.pdf]

This will scan the document and output general information about the document and their contents. You can also go into the console to execute further commands. Just add the -i parameter.

 python2 mpeepdf.py -i [your.pdf]
Result of an Analysis

Step 2

While inside the console, you can look up more things like metadata, specific information about streams and objects and much more. To see all available command type in help into the console.

All Options available

Step 3

Inside the console are many options to analyse your document. You can start by looking at the metadata of the file by typing in:

Metadata of a PDF Document

If you want to look at specific objects or stream type in:

 object [1]
 stream [1]
A object

The raw data of the respective object/stream can also be seen with:

 rawobject [1]
 rawstream [1]

A raw object

A raw stream

You can also store a object or stream in an variable with following command:

 object [1] $> var1
An object stored in a variable

An export to a file is also possible with:

 object [1] > object1.txt
An object saved to a text file