De-obfuscation and detection of malicious PDF files with high accuracy

Xun Lu*, Jianwei Zhuge, Ruoyu Wang, Yinzhi Cao, Yan Chen

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

42 Scopus citations

Abstract

Due to its high popularity and rich functionality, the Portable Document Format (PDF) has become a major vector for malware propagation. To detect malicious PDF files, the first step is to extract and de-obfuscate the JavaScript code embedded in the document, and no effective technique for this step yet exists: existing static methods cannot de-obfuscate JavaScript, existing dynamic methods bring high overhead, and existing hybrid methods introduce high false negatives. Therefore, in this paper, we present MPScan, a scanner that combines dynamic JavaScript de-obfuscation with static malware detection. By hooking Adobe Reader's native JavaScript engine, MPScan extracts JavaScript source code and op-code on the fly, after the source code has been parsed and while it is being executed. We then perform a multilevel analysis on the resulting JavaScript strings and op-code to detect malware. Our evaluation shows that, regardless of the obfuscation technique used, MPScan can effectively de-obfuscate and detect 98% of malicious PDF samples.

Original language: English (US)
Title of host publication: Proceedings of the 46th Annual Hawaii International Conference on System Sciences, HICSS 2013
Pages: 4890-4899
Number of pages: 10
State: Published - 2013
Event: 46th Annual Hawaii International Conference on System Sciences, HICSS 2013 - Wailea, Maui, HI, United States
Duration: Jan 7 2013 - Jan 10 2013

Publication series

Name: Proceedings of the Annual Hawaii International Conference on System Sciences
ISSN (Print): 1530-1605

Other

Other: 46th Annual Hawaii International Conference on System Sciences, HICSS 2013
Country/Territory: United States
City: Wailea, Maui, HI
Period: 1/7/13 - 1/10/13

ASJC Scopus subject areas

  • General Engineering
