Home/PDF X-Ray

📑 PDF X-Ray

Upload any PDF to extract all metadata, detect embedded JavaScript and hidden actions, find embedded files, extract all URLs and email addresses, and identify malicious PDF structures. Runs 100% in your browser — the file is never uploaded.

📑

Drop a PDF or click to upload

All analysis is local — PDF never leaves your browser

Deep PDF Forensics: Metadata, Embedded Objects, JavaScript, and Malware Indicator Analysis

The PDF X-Ray tool performs comprehensive forensic analysis of PDF files without executing any embedded content. PDF is one of the most complex and historically exploited file formats — its specification allows embedding of JavaScript, executables, Flash objects, and other active content that has been weaponized in countless malware campaigns. This tool safely dissects a PDF's structure to expose everything it contains.

Metadata extraction reveals the software used to create the document, the author name, creation and modification timestamps, and whether the document has been digitally signed. Discrepancies between claimed metadata and actual content are common indicators of document forgery. A PDF claiming to be created by Microsoft Word but containing XFA forms (typically used in Adobe-specific workflows) warrants scrutiny.

The URL and URI harvester extracts every embedded link from the PDF — including those hidden in compressed object streams that are invisible to casual inspection. Malicious PDFs frequently contain obfuscated links to phishing sites or malware downloaders. The JavaScript extractor pulls any embedded scripts for manual review, and the tool flags known malware-associated PDF structure patterns.

How to Use

  1. 1Upload a PDF file using the dropzone — the file is analyzed locally, never uploaded.
  2. 2Review the metadata panel for author information, software, and timestamp data.
  3. 3Check the Objects panel for embedded files, JavaScript, and action triggers.
  4. 4Examine the URL list for suspicious or obfuscated links.
  5. 5Review the security verdict: any red flags indicate further manual analysis is warranted.

🎯 Who Uses This

  • IT security teams safely examining potentially malicious PDF attachments
  • Legal professionals verifying document authenticity and detecting forgery
  • Journalists auditing PDFs from anonymous sources before opening them
  • Insurance investigators checking whether submitted PDF forms have been altered
  • Malware analysts studying PDF-based exploit delivery mechanisms
  • Compliance officers verifying that exported PDFs contain expected metadata

Frequently Asked Questions

Q: Is it safe to upload a malicious PDF?
Yes. The PDF is parsed as raw data in your browser's memory. No JavaScript from the PDF is executed, no embedded executables are run, and no network connections are made on the PDF's behalf. The analysis is purely structural — reading the file format, not executing it.
Q: What PDF JavaScript attacks should I watch for?
Common malicious PDF JavaScript patterns include: automatic URI launch on document open, shellcode execution via heap spray combined with known Adobe Reader vulnerabilities, credential phishing via embedded form submissions, and drive-by download triggers. Our analyzer flags these structural patterns even without executing the JavaScript.
Q: Can the tool detect if a PDF has been digitally signed?
Yes. The tool identifies digitally signed PDFs, shows the signing certificate details, and flags whether the signature covers the entire document or only a portion — partial signatures can indicate that content was added after signing, invalidating the document's integrity.