Combining static and dynamic analysis for the detection of malicious documents

Abstract: The widespread adoption of the PDF format for document exchange has given rise to the use of PDF files as a prime vector for malware propagation. As vulnerabilities in the major PDF viewers keep surfacing, effective detection of malicious PDF documents remains an important issue. In this paper we present MDScan, a standalone malicious document scanner that combines static document analysis and dynamic code execution to detect previously unknown PDF threats. Our evaluation shows that MDScan can detect a broad r… Show more

“…Tzermias et al [9] proposed MDScan, which extracts Javascript from documents and executes it in instrumented SpiderMonkey and Nemu [19]. However, such a method suffers several limitations.…”

“…These features characterize the obfuscation techniques frequently used in malicious PDF. The combination of static and runtime features will be more effective and robust than existing methods, which are either fully static [5] [4] [6] or fully dynamic [9] [13]. A more thorough comparison between our method and others is presented in Table I.…”

“…However, when attackers are aware of these static features, they can evade easily [8]. Another recent work extracts and tests malicious Javascript in an emulated interpreter [9]. Although it is more robust against evasion, attackers can still exploit syntax obfuscations to subvert Javascript extraction.…”

“…One intuitive choice is to extract Javascript from documents [9] [14]. Alternatively, Javascript interpreters can be instrumented [15].…”

“…This method, to the best of our knowledge, has never been explored before for PDF malware detection and confinement. For each PDF Javascript snippet, we include a prologue and epilogue to inform our runtime detector for the entry to and exit from [6] No Yes No Yes Extract-and-Emulate [9] Neutral No Yes No Lexical Analysis of Javascript [7] Neutral Yes No Yes Adobe Sandboxing [12] Neutral Yes No Yes CWSandbox [13] Neutral Javascript context. The advantage of using static document instrumentation over the other two alternatives lies in three aspects.…”

Detecting Malicious Javascript in PDF through Document Instrumentation

“…Tzermias et al [9] proposed MDScan, which extracts Javascript from documents and executes it in instrumented SpiderMonkey and Nemu [19]. However, such a method suffers several limitations.…”

“…These features characterize the obfuscation techniques frequently used in malicious PDF. The combination of static and runtime features will be more effective and robust than existing methods, which are either fully static [5] [4] [6] or fully dynamic [9] [13]. A more thorough comparison between our method and others is presented in Table I.…”

“…However, when attackers are aware of these static features, they can evade easily [8]. Another recent work extracts and tests malicious Javascript in an emulated interpreter [9]. Although it is more robust against evasion, attackers can still exploit syntax obfuscations to subvert Javascript extraction.…”

“…One intuitive choice is to extract Javascript from documents [9] [14]. Alternatively, Javascript interpreters can be instrumented [15].…”

“…This method, to the best of our knowledge, has never been explored before for PDF malware detection and confinement. For each PDF Javascript snippet, we include a prologue and epilogue to inform our runtime detector for the entry to and exit from [6] No Yes No Yes Extract-and-Emulate [9] Neutral No Yes No Lexical Analysis of Javascript [7] Neutral Yes No Yes Adobe Sandboxing [12] Neutral Yes No Yes CWSandbox [13] Neutral Javascript context. The advantage of using static document instrumentation over the other two alternatives lies in three aspects.…”

Detecting Malicious Javascript in PDF through Document Instrumentation

Boosting training for PDF malware classifier via active learning

Barnum: Detecting Document Malware via Control Flow Anomalies in Hardware Traces