TY - GEN
T1 - De-obfuscation and detection of malicious PDF files with high accuracy
AU - Lu, Xun
AU - Zhuge, Jianwei
AU - Wang, Ruoyu
AU - Cao, Yinzhi
AU - Chen, Yan
PY - 2013
Y1 - 2013
N2 - Due to its high popularity and rich functionality, the Portable Document Format (PDF) has become a major vector for malware propagation. To detect malicious PDF files, the first step is to extract and de-obfuscate the JavaScript code embedded in the document, for which no effective technique yet exists: existing static methods cannot de-obfuscate JavaScript code, existing dynamic methods incur high overhead, and existing hybrid methods introduce high false-negative rates. In this paper we therefore present MPScan, a scanner that combines dynamic JavaScript de-obfuscation with static malware detection. By hooking Adobe Reader's native JavaScript engine, MPScan extracts the JavaScript source code and op-code on the fly once the source has been parsed and executed. We then perform a multilevel analysis of the resulting JavaScript strings and op-code to detect malware. Our evaluation shows that, regardless of the obfuscation technique used, MPScan effectively de-obfuscates and detects 98% of malicious PDF samples.
AB - Due to its high popularity and rich functionality, the Portable Document Format (PDF) has become a major vector for malware propagation. To detect malicious PDF files, the first step is to extract and de-obfuscate the JavaScript code embedded in the document, for which no effective technique yet exists: existing static methods cannot de-obfuscate JavaScript code, existing dynamic methods incur high overhead, and existing hybrid methods introduce high false-negative rates. In this paper we therefore present MPScan, a scanner that combines dynamic JavaScript de-obfuscation with static malware detection. By hooking Adobe Reader's native JavaScript engine, MPScan extracts the JavaScript source code and op-code on the fly once the source has been parsed and executed. We then perform a multilevel analysis of the resulting JavaScript strings and op-code to detect malware. Our evaluation shows that, regardless of the obfuscation technique used, MPScan effectively de-obfuscates and detects 98% of malicious PDF samples.
UR - http://www.scopus.com/inward/record.url?scp=84875505196&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84875505196&partnerID=8YFLogxK
U2 - 10.1109/HICSS.2013.166
DO - 10.1109/HICSS.2013.166
M3 - Conference contribution
AN - SCOPUS:84875505196
SN - 9780769548920
T3 - Proceedings of the Annual Hawaii International Conference on System Sciences
SP - 4890
EP - 4899
BT - Proceedings of the 46th Annual Hawaii International Conference on System Sciences, HICSS 2013
T2 - 46th Annual Hawaii International Conference on System Sciences, HICSS 2013
Y2 - 7 January 2013 through 10 January 2013
ER -