Detailed PDF Malware Threat Report from Symantec

Attackers commonly use malicious PDF files to deliver malware, exploiting both already-patched and zero-day vulnerabilities in Adobe Reader. Symantec's recent report, The Rise of PDF Malware, authored by Karthik Selvaraj and Nino Fred Gutierrez, explores these trends from a comprehensive, data-driven perspective. The report is filled with technical details and is a must-read for people combating malware threats.

The report describes attack trends across the three common methods for distributing PDF files:

  • Mass-mailed PDFs
  • PDFs hosted in malicious web pages
  • PDFs used in targeted attacks

Symantec discusses the inner workings of the exploits carried by malicious PDF documents. Such exploits have most often used JavaScript to spray the heap of Adobe Reader before triggering the vulnerability, so that a corrupted pointer lands in attacker-controlled memory regardless of the exact heap layout. However, there are other ways to get the attacker's shellcode into the targeted process's memory. In particular, some malicious PDFs used an embedded Flash object whose ActionScript sets the stage for the exploit.

The report also describes the techniques malicious PDFs use to evade detection and complicate analysis: obfuscating the JavaScript, splitting it across several PDF streams, applying various stream encoding filters, and encrypting the document.
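To make these two layers concrete, the heap-spray JavaScript described above and the stream filtering and script splitting used to hide it, here is an added example that is not code from Symantec's report, from the cheat sheet mentioned below, or from any analysis tool. It builds a small, inert sample PDF in memory (a constructed file with no working shellcode, not a real malware sample) and then parses it the way a triage script would: enumerate the stream objects, undo the /FlateDecode and /ASCIIHexDecode filter chain in the order the /Filter entry lists it, reassemble JavaScript that was split across objects, and flag the indicators. The object numbers, indicator names and regular expressions are this example's own assumptions.

```python
import binascii
import re
import zlib

# Constructed sample: an inert stand-in, not a real malware sample. The script
# is split across two stream objects and hidden behind /FlateDecode and
# /ASCIIHexDecode filters, mimicking the layering the report describes.
JS_PART1 = (b'var sc = unescape("%u9090%u9090%u9090%u9090%ucccc");'
            b'while (sc.length < 0x100000) sc += sc;')
JS_PART2 = (b'var spray = []; for (var i = 0; i < 200; i++) spray[i] = sc + sc;'
            b'var ann = app.doc.getAnnots();')

def _stream_obj(num, dictionary, data):
    # /Length is taken from the real data here; hostile files often lie about it.
    return (b"%d 0 obj\n<< %s /Length %d >>\nstream\n" % (num, dictionary, len(data))
            + data + b"\nendstream\nendobj\n")

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
    b"/OpenAction << /S /JavaScript /JS 4 0 R >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R "
    b"/AA << /O << /S /JavaScript /JS 5 0 R >> >> >>\nendobj\n"
    + _stream_obj(4, b"/Filter /FlateDecode", zlib.compress(JS_PART1))
    + _stream_obj(5, b"/Filter [/ASCIIHexDecode /FlateDecode]",
                  binascii.hexlify(zlib.compress(JS_PART2)) + b">")
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Indicator names and patterns are this example's own choices.
DOC_INDICATORS = {
    "javascript_action": rb"/S\s*/JavaScript\b",
    "automatic_trigger": rb"/(OpenAction|AA)\b",     # runs without a click
    "layered_filters": rb"/Filter\s*\[",             # a filter chain, not one filter
}
SCRIPT_INDICATORS = {
    "unicode_escaped_shellcode": rb"unescape\(\s*[\"']%u[0-9A-Fa-f]{4}",
    "nop_sled": rb"(%u9090){2,}",
    "heap_spray_growth_loop": rb"while\s*\([^)]*\.length\s*<",
    "spray_array_fill": rb"for\s*\([^)]*\)\s*\w+\[\w+\]\s*=",
    "cross_object_script_loading": rb"\b(getAnnots|getPageNthWord|getField)\s*\(",
    "runtime_decoding": rb"\b(eval|String\.fromCharCode|unescape)\s*\(",
}

def decode_stream(filters, raw):
    """Undo the filter chain in the order the /Filter entry lists it."""
    data = raw
    for f in filters:
        if f == b"FlateDecode":
            # decompressobj tolerates trailing junk after the zlib stream
            data = zlib.decompressobj().decompress(data)
        elif f == b"ASCIIHexDecode":
            digits = re.sub(rb"[^0-9A-Fa-f]", b"", data.split(b">", 1)[0])
            if len(digits) % 2:      # spec: a final odd digit is followed by 0
                digits += b"0"
            data = binascii.unhexlify(digits)
        else:
            raise ValueError("unsupported filter " + f.decode())
    return data

def iter_stream_objects(pdf):
    """Yield (object number, dictionary, raw stream body) for every stream.
    The body is cut at 'endstream' rather than trusting /Length."""
    for chunk in pdf.split(b"endobj"):
        head = re.search(rb"(\d+)\s+\d+\s+obj\b", chunk)
        body = re.search(rb"stream\r?\n(.*?)\r?\nendstream", chunk, re.S)
        if head and body:
            yield int(head.group(1)), chunk[head.end():body.start()], body.group(1)

def scan_pdf(pdf):
    """Decode every stream, reassemble split JavaScript, and report indicators."""
    report = {"streams": {}, "script_objects": [], "indicators": {}}
    script = b""
    for num, dictionary, raw in iter_stream_objects(pdf):
        filters = re.findall(rb"/(\w+Decode)\b", dictionary)
        try:
            data = decode_stream(filters, raw)
        except (zlib.error, binascii.Error, ValueError) as exc:
            report["streams"][num] = {"filters": filters, "error": str(exc)}
            continue
        report["streams"][num] = {"filters": filters, "decoded_bytes": len(data)}
        # Concatenate script fragments so indicators are judged on the whole.
        if re.search(rb"\b(var|function|unescape|eval)\b", data):
            report["script_objects"].append(num)
            script += data + b"\n"
    for name, pattern in DOC_INDICATORS.items():
        if re.search(pattern, pdf):
            report["indicators"][name] = "document"
    for name, pattern in SCRIPT_INDICATORS.items():
        if re.search(pattern, script):
            report["indicators"][name] = "script"
    report["script"] = script
    return report

if __name__ == "__main__":
    result = scan_pdf(SAMPLE_PDF)
    for num, info in sorted(result["streams"].items()):
        print("object %d: %s" % (num, info))
    print("script objects:", result["script_objects"])
    for name, where in result["indicators"].items():
        print("  [%s] %s" % (where, name))
```

Two design points matter in practice. The stream body is delimited by the endstream keyword instead of the /Length value, because a wrong /Length is a cheap way to hide data from a parser that trusts it, and the decoded fragments are concatenated before the script indicators run, so a payload that an author spread over several objects is judged as a whole. This scanner only handles two filters and plain, unencrypted objects; an encrypted or object-stream-packed document needs a full parser, which is exactly why the report lists those techniques as evasion.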

On a related note, if you want to learn how to analyze malicious PDFs, take a look at my Analyzing Malicious Documents Cheat Sheet. I get into this topic in the reverse-engineering malware course I teach at SANS.

Lenny Zeltser


About the Author

Lenny Zeltser is a seasoned business and tech leader with extensive cybersecurity experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. Beforehand, he was responsible for security product management at NCR Corp. Lenny also trains incident response and digital forensics professionals at SANS Institute. An engaging presenter, he speaks at industry events, writes articles and has co-authored books. Lenny has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
