DOI: 10.1145/1972551.1972555
Research article

Combining static and dynamic analysis for the detection of malicious documents

Published: 10 April 2011

Abstract

The widespread adoption of the PDF format for document exchange has given rise to the use of PDF files as a prime vector for malware propagation. As vulnerabilities in the major PDF viewers keep surfacing, effective detection of malicious PDF documents remains an important issue. In this paper we present MDScan, a standalone malicious document scanner that combines static document analysis and dynamic code execution to detect previously unknown PDF threats. Our evaluation shows that MDScan can detect a broad range of malicious PDF documents, even when they have been extensively obfuscated.

Published In

EUROSEC '11: Proceedings of the Fourth European Workshop on System Security
April 2011
53 pages
ISBN:9781450306133
DOI:10.1145/1972551
Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article

Conference

EuroSys '11
Sponsor:
EuroSys '11: Sixth EuroSys Conference 2011
April 10, 2011
Salzburg, Austria

Acceptance Rates

Overall Acceptance Rate 47 of 113 submissions, 42%
