Free Download

Sherlock Forensic PDF Editor A PDF editor that won't run a malicious PDF's code at you.

Every other PDF reader executes JavaScript, launches URLs and runs embedded actions the moment you open a file. This one does not. Pure Rust parser first. Visual rendering only when you click Render. Threat Inspector shows you what the PDF wants to do before it can do anything.

Free to view and inspect. Pro at $29/year unlocks annotation, page management and stamps.

Sherlock Forensic PDF Editor is a security-first PDF viewer and editor that opens files using a pure Rust parser without executing embedded JavaScript, URLs or launch actions. The Threat Inspector surfaces phishing indicators, malicious URLs and embedded files before rendering. Zero telemetry. Single .exe. Free with Pro at $29/year.

Security First

Safe-by-Default Architecture

Most PDF readers parse and render in one step. That single step is where every PDF exploit lives. Sherlock splits the pipeline in two.

Step 1: Safe Parse (automatic): The file is parsed by lopdf, a pure Rust PDF library. No JavaScript engine. No URL handler. No action executor. Text, structure and metadata are extracted. Nothing runs.
Step 2: Visual Render (explicit click only): When you decide the file is safe, click Render. Pdfium (Chrome's PDF engine) handles visual layout in an isolated context. This step never happens automatically.
Zero Outbound Traffic: The application makes no network connections. No telemetry, no update checks, no license validation, no DNS queries. Your PDFs stay on your machine. Verify with Wireshark if you do not believe us.

A sandbox lets malicious code run and hopes to contain it. Sherlock never runs the code in the first place. Prevention, not containment.

Threat Inspector

See What the PDF Wants to Do

Before you render a single pixel, the Threat Inspector extracts and classifies every suspicious element in the file.

URL Extraction

Every URL in the document is extracted and displayed. External links, form submission targets and URI actions are all surfaced.

JavaScript Detection

Embedded JavaScript is extracted and shown as source code. JS exploit primitives (heap sprays, shellcode patterns) are flagged.

Launch Actions

PDF /Launch, /GoTo, /GoToR, /SubmitForm and /ImportData actions are enumerated. You see every action the PDF would execute on open.

Embedded Files

Attached executables, scripts and secondary PDFs are listed with file type, size and hash. Nothing auto-extracts.

Phishing Detection

Six Layers of URL Analysis

The Threat Inspector does not just list URLs. It classifies them.

Detection Layer	What It Catches
Fake Login Pages	URLs containing /login, /signin, /verify, /account, /secure combined with non-matching domains
Homograph Domains	IDN homograph attacks using Cyrillic, Greek or other Unicode lookalikes (e.g. paypa1.com vs paypal.com)
URL Shorteners	bit.ly, t.co, tinyurl.com, goo.gl, is.gd, rebrand.ly and other redirect services that hide the real destination
IP-Only URLs	Links pointing to raw IP addresses instead of domain names, a common indicator of throwaway infrastructure
Low-Reputation TLDs	Domains on .tk, .ml, .ga, .cf, .gq, .xyz, .top, .buzz and other TLDs heavily abused in phishing campaigns
JS Exploit Primitives	JavaScript patterns associated with heap sprays, shellcode delivery, buffer manipulation and obfuscated eval chains

Features

Free vs Pro

Feature	Free	Pro ($29/year)
Safe Rust parser (lopdf)	Yes	Yes
Pdfium visual rendering (click to render)	Yes	Yes
Threat Inspector (URLs, JS, actions, files)	Yes	Yes
Phishing detection (6 layers)	Yes	Yes
Zero telemetry / zero network	Yes	Yes
Text selection and copy	Yes	Yes
Search within PDF	Yes	Yes
Highlight annotation	No	Yes
Text annotation / sticky notes	No	Yes
Stamp tools (Confidential, Approved, Draft)	No	Yes
Page extraction / reorder / delete	No	Yes
Merge multiple PDFs	No	Yes
Flatten annotations for sharing	No	Yes

Compare

vs Adobe Acrobat Reader (Free)

Capability	Adobe Reader (Free)	Sherlock PDF Editor (Free)
Executes JavaScript on open	Yes (dangerous)	No, never
Launches URLs automatically	Yes (with prompt)	No, displays only
Threat Inspector	No	URLs, JS, actions, files, phishing
Phishing detection	No	6-layer analysis
Telemetry / network traffic	Yes, extensive	Zero
Installer required	Yes (300MB+)	No, single 12 MB .exe (7 MB of which is pdfium.dll bundled inside)
Safe parse/render split	No	Rust parse first, pdfium render on click
Cloud account required	Prompted repeatedly	No account, ever
Cost	Free	Free

Compare

vs Adobe Acrobat Pro ($240/year)

Capability	Adobe Acrobat Pro	Sherlock PDF Editor Pro
Annotation and highlighting	Yes	Yes
Page management	Yes	Yes
Merge PDFs	Yes	Yes
Stamp tools	Yes	Yes
Threat Inspector	No	Full threat analysis
Phishing detection	No	6-layer analysis
Safe-by-default parsing	No	Rust parser, no code execution
Zero telemetry	No	Yes
OCR	Yes	No (v1 limitation)
Real redaction	Yes	No (overlay only)
Convert to Word/Excel	Yes	No
Form creation	Yes	No
Annual cost	$240/year	$29/year (save $211)

Adobe Acrobat Pro for $240/year, or this for $29/year. If you need OCR and real redaction, pay the $240. If you need security-first viewing with annotation, save the $211.

Under the Hood

Tech Stack

Component	Technology	Why
Language	Rust	Memory safety without garbage collection. No buffer overflows, no use-after-free
PDF parser	lopdf	Pure Rust. Extracts structure, text and metadata without executing anything
Visual renderer	pdfium	Chrome's PDF engine. Used only on explicit render click, isolated from the parser
Distribution	Single .exe	No installer, no DLLs, no runtime dependencies. Copy and run
Network	None	Zero outbound connections. No telemetry, no update checks, no license calls

Pricing

$29/Year. Not $240.

Pro Edition

$29 USD/year

Annual subscription. All security features are free forever. Pro unlocks editing tools.

All free features (safe parser, Threat Inspector, phishing detection)
Highlight and text annotations
Sticky notes
Stamp tools (Confidential, Approved, Draft, custom)
Page extraction, reorder and deletion
Merge multiple PDFs
Flatten annotations for sharing
30-day money-back guarantee

5+ machines? Contact us for volume pricing.

Who It's For

Built for People Who Handle Suspect Files

For DFIR Responders

You receive PDFs from compromised mailboxes and seized drives. You need to see what is in them without triggering payloads. Threat Inspector shows URLs, JS, launch actions and embedded files before any rendering happens.

For IT Security Teams

Users forward suspicious attachments to your team every day. Open them in Sherlock instead of spinning up a VM. The Rust parser cannot execute the payload. Phishing detection catches the fake login pages your users almost clicked.

For Lawyers

Discovery produces thousands of PDFs from unknown sources. You need to review them without risking your firm's network. Sherlock opens them safely, and Pro lets you annotate and stamp without paying Adobe $240/year per seat.

For Sysadmins

Someone emails a PDF that "looks weird." You need to check it before telling the user whether to worry. Open it in Sherlock, check the Threat Inspector, give the answer. Takes 30 seconds instead of booting a sandbox.

Guide

How to Safely Open a Suspicious PDF

Download Sherlock Forensic PDF EditorDownload the free editor from this page. Single .exe, no installer, no dependencies. Launch and go.
Open the Suspicious PDFDrag the file onto Sherlock or use File > Open. The pure Rust parser (lopdf) extracts text, structure and metadata. No JavaScript or actions execute.
Review the Threat InspectorCheck the Threat Inspector panel. It shows extracted URLs, embedded JavaScript, launch actions, embedded files and phishing indicators. Every threat is surfaced before a pixel renders.
Render if SafeIf the Threat Inspector shows no concerns, click Render to display the visual layout via pdfium. This step is always opt-in.
Annotate or ExtractPro users can highlight, annotate, stamp and extract pages. Zero data leaves your machine at any point.

Honest Limitations

What This Tool Does Not Do

We would rather you know the boundaries before downloading than find out after.

No OCR. Scanned-image PDFs display as images. Text extraction works only on PDFs with actual text layers.
No real redaction. The redaction tool places an opaque overlay. It does not remove the underlying text from the PDF structure. For court-grade redaction, use Adobe Acrobat Pro or a dedicated redaction tool.
No Word/Excel conversion. This is a PDF viewer and editor. It does not convert PDFs to .docx or .xlsx.
No form creation. You can fill existing forms but not create new interactive form fields.
Windows only (v1). macOS and Linux builds are planned but not available yet.
SmartScreen warning. New executables without established reputation trigger a Windows SmartScreen warning. This is normal. Verify the SHA-256 hash.

Questions

Trust and Safety FAQ

Can opening a PDF get me hacked?

Yes. Standard PDF readers like Adobe Reader execute JavaScript, launch URLs and run embedded actions automatically when you open a file. A malicious PDF can exploit these features to download malware, steal credentials or redirect you to phishing pages. Sherlock Forensic PDF Editor parses PDFs with a pure Rust parser that does not execute any embedded code. Visual rendering via pdfium only happens when you explicitly click Render after reviewing the Threat Inspector.

Why is this called a forensic PDF editor?

Because it treats every PDF as potentially hostile evidence. The safe-by-default architecture (Rust parser first, pdfium render only on click) mirrors how a forensic examiner handles suspect files: inspect metadata and structure before ever executing content. The Threat Inspector extracts URLs, JavaScript, launch actions, embedded files and phishing indicators so you see what the PDF wants to do before it can do it.

Do you collect any data or telemetry?

No. Sherlock Forensic PDF Editor makes zero outbound network connections. No telemetry, no analytics, no license-phone-home, no update checks. The application is a single .exe that runs entirely offline. Your PDFs never leave your machine. Verify with Wireshark or any network monitor.

How is this different from opening a PDF in a sandbox?

A sandbox lets the malicious code run and tries to contain the damage after the fact. Sherlock never runs the code in the first place. The Rust parser extracts text, structure and metadata without executing JavaScript, launch actions or embedded scripts. You see the threats listed in the Threat Inspector before any rendering occurs. It is prevention vs containment.

Why does Windows SmartScreen warn about this app?

SmartScreen flags executables that have not accumulated enough download volume to build a reputation score with Microsoft. This is normal for new independent software and has nothing to do with the safety of the application itself. Sherlock Forensic PDF Editor is a single Rust binary with no network access, no installer and no system modifications. You can verify the SHA-256 hash on the download page and inspect network traffic with Wireshark to confirm zero outbound connections.

Get Started

Download Sherlock Forensic PDF Editor

Free for viewing, threat inspection and phishing detection. Pro at $29/year for annotation, stamps and page management. Built by CISSP, ISSAP and ISSMP certified examiners with 20 years of courtroom experience. See our full forensic tool suite and expert witness services.

Since 2006CISSP, ISSAP, ISSMP certified604.229.1994

Sherlock Forensic PDF Editor is provided for lawful use. Terms of Service