explaingit

jonaslejon/malicious-pdf

Analysis updated 2026-07-03

Stars · 3,686 | Language · Python | Audience · ops devops | Complexity · 2/5 | Setup · easy

TLDR

A Python command-line tool that generates about 70 specially crafted PDF test files, each targeting a different known attack technique, so security testers can check whether a PDF viewer or document processing service is vulnerable.

Mindmap

mindmap
  root((repo))
    What it does
      Generates test PDFs
      70 attack variants
      CVE mapping
    Attack types
      SSRF callbacks
      JavaScript injection
      NTLM credential leak
      XXE attacks
    Obfuscation levels
      Plain payloads
      Hex encoding
      Compressed output
    Usage
      CLI tool
      pip install
      Burp Collaborator

What do people build with it?

USE CASE 1

Test whether a web application that accepts PDF uploads is vulnerable to server-side request forgery by checking which generated files phone home to your test server.

USE CASE 2

Check a PDF viewer or converter against a list of named CVEs by generating the test files and watching for callbacks to your Burp Collaborator endpoint.

USE CASE 3

Test whether security tools and static analysis products detect PDF-based payloads at different obfuscation levels using the built-in four-level obfuscation option.

What is it built with?

Python

How does it compare?

| | jonaslejon/malicious-pdf | boris-code/feapder | canonical/cloud-init |
|---|---|---|---|
| Stars | 3,686 | 3,686 | 3,687 |
| Language | Python | Python | Python |
| Setup difficulty | easy | moderate | moderate |
| Complexity | 2/5 | 3/5 | 3/5 |
| Audience | ops devops | developer | ops devops |

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy | Time to first run · 5 min

Requires a server you control such as a Burp Collaborator or Interact.sh instance to receive callbacks from the generated PDFs.

In plain English

Malicious PDF Generator is a Python tool that creates a collection of specially crafted PDF files for security testing. It is designed for penetration testers, bug bounty hunters, and security researchers who need to check whether a PDF viewer, web application, or document processing service is vulnerable to various PDF-based attacks. The README notes it is intended for educational and professional use only.

Running the tool requires passing a URL to a server you control, such as a Burp Collaborator endpoint or an Interact.sh instance. The tool then generates around 70 test PDF files, each designed to trigger a different type of potentially dangerous behavior when opened or processed. These behaviors include making outbound network requests back to your server (useful for detecting server-side request forgery), leaking Windows NTLM credentials over a network connection, injecting JavaScript into PDF viewers, submitting form data to an external URL, loading remote files, and various XML external entity attacks.

The tool includes an obfuscation option with four levels. At the default level, payloads are written plainly. Higher levels progressively obscure the content using techniques like hex encoding, bracket notation in JavaScript, and compression, which can help test whether security products or static analysis tools detect the payloads.

The test matrix in the README maps each generated file to a specific attack technique and in many cases to a named CVE, making it straightforward to trace a callback hit back to the exact mechanism that triggered it. PDF viewers and converters from Adobe, Foxit, and browser-embedded renderers are among the targets represented in the test cases.

Installation is via pip and the tool runs from the command line. Output files are written to a local directory.
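For defenders, the obfuscation levels above are a reminder that literal string matching stops seeing a payload once names are hex-encoded or the object is compressed. The sketch below is an added example, not code from malicious-pdf or its README. It assumes "hex encoding" means PDF name `#XX` escapes and "compression" means Flate (zlib) streams; the watchlist and the sample fragments are constructed for illustration.

```python
import re
import zlib

# Assumed triage watchlist of PDF action keys (not the tool's test matrix).
RISKY_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "Launch",
               "URI", "SubmitForm", "GoToR", "GoToE", "ImportData"}

# A PDF name is "/" followed by non-whitespace, non-delimiter bytes.
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def decode_name(raw):
    """Resolve #XX hex escapes so /#55#52#49 compares equal to /URI."""
    plain = re.sub(rb"#([0-9A-Fa-f]{2})",
                   lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")

def risky_names(data, normalize=True):
    """Return watchlisted names found in data; normalize=False is the naive matcher."""
    found = set()
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1)) if normalize else m.group(1).decode("latin-1")
        if name in RISKY_NAMES:
            found.add(name)
    return found

def inflate_streams(data):
    """Inflate every stream body that is valid zlib; skip the rest."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the end-of-line bytes before "endstream"
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return bodies

def scan(data):
    """Check the raw bytes and every inflated stream, with name normalization."""
    hits = risky_names(data)
    for body in inflate_streams(data):
        hits |= risky_names(body)
    return hits

# Constructed fragments (not output of the tool); the host is a placeholder.
PLAIN = b"<< /Type /Action /S /URI /URI (https://collab.example.invalid/p) >>"
HEXED = b"<< /Type /Action /S /#55#52#49 /U#52I (https://collab.example.invalid/h) >>"
PACKED = (b"5 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(PLAIN) + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("hex names", HEXED), ("compressed", PACKED)):
        print(label, "naive:", risky_names(blob, normalize=False), "normalized:", scan(blob))
```

This matcher does not skip string literals or handle filters other than Flate; a production scanner should use a real PDF parser for object and stream decoding.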

Copy-paste prompts

Prompt 1
I'm running a penetration test and want to check a document processing pipeline for SSRF vulnerabilities using malicious-pdf. Walk me through generating the test PDFs pointed at my Burp Collaborator URL and what callbacks to watch for.
Prompt 2
Using malicious-pdf, generate test files with level-3 obfuscation to see if my WAF detects the payloads. Explain which attack types the obfuscation affects.
Prompt 3
I got a callback hit from one of the malicious-pdf test files. How do I use the test matrix in the README to identify which CVE or attack technique triggered that specific callback?

Frequently asked questions

What language is malicious-pdf written in?

Mainly Python.

How hard is malicious-pdf to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is malicious-pdf for?

Mainly ops devops.


Verify against the repo before relying on details.