Static detection of malicious JavaScript-bearing PDF documents

“…False Positive True Positive N-grams [17] 31% 84% PJScan [7] 16% 85% PDFRate [4] 2% 99% Structural [5] 0.05% 99% MDScan [9] N/A 89% Wepawet [18] N/A 68% [9] Ours 0 97% system with other methods by analyzing possible advanced attacks.…”

“…In 2011, Laskov et al [7] presented PJScan, the first static method dedicated to the detection of malicious PDF. Using a patched SpiderMonkey, PJScan extracts lexical tokens of Javascript and trains an OCSVM (One Class Support Vector Machine) classifier to identify malicious PDF.…”

“…The first step of our method is to reconstruct all Javascript chains in a document. We use a similar technique described in previous works [7] [8] [9] to locate Javascript. Specifically, we scan the document for keywords /JS and /JavaScript that indicate a string or stream containing Javascript [29].…”

“…Unfortunately, it appears that traditional signature and behavior based detection methods, which are favored by the majority of modern antivirus software, cannot handle malicious PDF well. Recently, researchers exploit the structural differences between benign and malicious documents to detect malicious PDF [4] [5] [6] [7]. These methods have been proven to be simple, fast, and accurate.…”

“…This method, to the best of our knowledge, has never been explored before for PDF malware detection and confinement. For each PDF Javascript snippet, we include a prologue and epilogue to inform our runtime detector for the entry to and exit from [6] No Yes No Yes Extract-and-Emulate [9] Neutral No Yes No Lexical Analysis of Javascript [7] Neutral Yes No Yes Adobe Sandboxing [12] Neutral Yes No Yes CWSandbox [13] Neutral Javascript context. The advantage of using static document instrumentation over the other two alternatives lies in three aspects.…”

Detecting Malicious Javascript in PDF through Document Instrumentation

“…False Positive True Positive N-grams [17] 31% 84% PJScan [7] 16% 85% PDFRate [4] 2% 99% Structural [5] 0.05% 99% MDScan [9] N/A 89% Wepawet [18] N/A 68% [9] Ours 0 97% system with other methods by analyzing possible advanced attacks.…”

“…In 2011, Laskov et al [7] presented PJScan, the first static method dedicated to the detection of malicious PDF. Using a patched SpiderMonkey, PJScan extracts lexical tokens of Javascript and trains an OCSVM (One Class Support Vector Machine) classifier to identify malicious PDF.…”

“…The first step of our method is to reconstruct all Javascript chains in a document. We use a similar technique described in previous works [7] [8] [9] to locate Javascript. Specifically, we scan the document for keywords /JS and /JavaScript that indicate a string or stream containing Javascript [29].…”

“…Unfortunately, it appears that traditional signature and behavior based detection methods, which are favored by the majority of modern antivirus software, cannot handle malicious PDF well. Recently, researchers exploit the structural differences between benign and malicious documents to detect malicious PDF [4] [5] [6] [7]. These methods have been proven to be simple, fast, and accurate.…”

“…This method, to the best of our knowledge, has never been explored before for PDF malware detection and confinement. For each PDF Javascript snippet, we include a prologue and epilogue to inform our runtime detector for the entry to and exit from [6] No Yes No Yes Extract-and-Emulate [9] Neutral No Yes No Lexical Analysis of Javascript [7] Neutral Yes No Yes Adobe Sandboxing [12] Neutral Yes No Yes CWSandbox [13] Neutral Javascript context. The advantage of using static document instrumentation over the other two alternatives lies in three aspects.…”

Detecting Malicious Javascript in PDF through Document Instrumentation

Boosting training for PDF malware classifier via active learning

Barnum: Detecting Document Malware via Control Flow Anomalies in Hardware Traces