[Minor] Lua_content: Add some more PDF stuff

diff --git a/lualib/lua_content/pdf.lua b/lualib/lua_content/pdf.lua
index 588117fc728b3cecaacda7938f7da8253ecac581..a531396dbd2dba2b59fa668fb9ca495b4b7930cd 100644 (file)
--- a/lualib/lua_content/pdf.lua
+++ b/lualib/lua_content/pdf.lua
@@ -32,14 +32,21 @@ local pdf_patterns = {
   },
   javascript = {
     patterns = {
-      [[\s|>/JS]],
-      [[\s|>/JavaScript]],
+      [[/JS(?:[\s/><])]],
+      [[/JavaScript(?:[\s/><])]],
+    }
+  },
+  openaction = {
+    patterns = {
+      [[/OpenAction(?:[\s/><])]],
+      [[/AA(?:[\s/><])]],
     }
   },
   suspicious = {
     patterns = {
       [[netsh\s]],
       [[echo\s]],
+      [[/[A-Za-z]*#\d\d]], -- Hex encode obfuscation
     }
   }
 }
@@ -145,6 +152,11 @@ processors.javascript = function(_, task, _, output)
   output.javascript = true
 end
 
+processors.openaction = function(_, task, _, output)
+  lua_util.debugm(N, task, "pdf: found openaction tag")
+  output.openaction = true
+end
+
 processors.suspicious = function(_, task, _, output)
   lua_util.debugm(N, task, "pdf: found a suspicious pattern")
   output.suspicious = true