Detailed PDF Malware Threat Report from Symantec

Malicious PDF files are commonly used by attackers to spread malicious software, often by exploiting vulnerabilities in Adobe Reader: both already-patched flaws on systems that lag behind on updates and zero-day flaws for which no patch yet exists. A recent report from Symantec, The Rise of PDF Malware, authored by Karthik Selvaraj and Nino Fred Gutierrez, explores these trends from a comprehensive, data-driven perspective. The report is filled with technical details and is a must-read for people combating malware threats.

The report describes attack trends across the three common methods for distributing PDF files:

  • Mass-mailed PDFs
  • PDFs hosted in malicious web pages
  • PDFs used in targeted attacks

Symantec discusses the inner workings of exploits carried by malicious PDF documents. Such exploits have most often used JavaScript to spray the heap of Adobe Reader with copies of the attacker's shellcode before triggering the vulnerability, so that the hijacked control flow lands on the payload without the attacker needing to know its exact address. There are other techniques for getting the shellcode into the targeted program's memory, however. In particular, some malicious PDFs used an embedded Flash object whose ActionScript sets the stage for the exploit.

The report also discusses common evasion methods that malicious PDFs use to complicate detection and analysis of such files. These include JavaScript obfuscation, splitting the JavaScript across several PDF streams, applying various stream encoding filters, and employing PDF encryption.
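The following Python script is an added example that is not part of the original post or of the Symantec report; it ties together the two points above (heap spraying from PDF JavaScript, and splitting that JavaScript across encoded streams to defeat per-stream signatures). It constructs a minimal PDF whose JavaScript is split across two FlateDecode-compressed streams chained with /Next, parses the objects without trusting the xref table, inflates the streams, and looks for heap-spray indicators both per stream and over the reassembled JavaScript. The sample PDF, its object layout, and the indicator patterns are all constructed for illustration; `shellcode` in the sample is only a placeholder variable name, not a payload.

```python
import re
import zlib

# Constructed sample JavaScript, split so that neither half alone contains
# a complete heap-spray pattern (NOP sled built here, array fill done later).
JS_PART_1 = b'var nops = unescape("%u9090%u9090"); while (nops.length < 0x40000) nops += nops;'
JS_PART_2 = b'var heap = new Array(); for (var i = 0; i < 300; i++) heap[i] = nops + shellcode;'


def _stream_obj(num, data):
    """Wrap data in a FlateDecode stream object (constructed, not from a real sample)."""
    body = zlib.compress(data)
    return (b'%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n' % (num, len(body))
            + body + b'\nendstream\nendobj\n')


def build_sample_pdf():
    """Assemble a minimal PDF with an /OpenAction that runs one JavaScript stream
    and chains to a second one via /Next. No xref table is emitted: Reader rebuilds
    it, and a scanner should not rely on it either."""
    objs = [
        b'1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n',
        b'2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n',
        b'3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n',
        b'4 0 obj\n<< /S /JavaScript /JS 5 0 R /Next 6 0 R >>\nendobj\n',
        _stream_obj(5, JS_PART_1),
        b'6 0 obj\n<< /S /JavaScript /JS 7 0 R >>\nendobj\n',
        _stream_obj(7, JS_PART_2),
    ]
    return b'%PDF-1.4\n' + b''.join(objs) + b'%%EOF\n'


# Matches "N 0 obj << dict >>" with an optional stream body. Dictionaries are
# assumed flat (no nested << >>), which is enough for this sample.
OBJ_RE = re.compile(rb'(\d+)\s+0\s+obj\s*(<<.*?>>)(?:\s*stream\r?\n(.*?)\r?\nendstream)?', re.S)
JS_REF_RE = re.compile(rb'/JS\s+(\d+)\s+0\s+R')
JS_INLINE_RE = re.compile(rb'/JS\s*\((.*?)(?<!\\)\)', re.S)


def parse_objects(pdf):
    """Map object number -> (dictionary bytes, decoded stream bytes or None).
    Walks the file linearly on purpose: malicious PDFs often ship a broken xref."""
    objects = {}
    for m in OBJ_RE.finditer(pdf):
        num, dct, raw = int(m.group(1)), m.group(2), m.group(3)
        data = None
        if raw is not None:
            data = raw
            if b'/FlateDecode' in dct:
                try:
                    data = zlib.decompress(raw)
                except zlib.error:
                    data = raw  # corrupt/truncated stream: keep raw bytes, still worth a look
        objects[num] = (dct, data)
    return objects


def collect_javascript(objects):
    """Return the JavaScript of every /S /JavaScript action in object order,
    resolving /JS indirect references to their (decoded) stream contents."""
    chunks = []
    for num in sorted(objects):
        dct, _ = objects[num]
        if not re.search(rb'/S\s*/JavaScript', dct):
            continue
        ref = JS_REF_RE.search(dct)
        if ref:
            target = objects.get(int(ref.group(1)))
            if target and target[1] is not None:
                chunks.append(target[1])
        else:
            inline = JS_INLINE_RE.search(dct)
            if inline:
                chunks.append(inline.group(1))
    return chunks


# Illustrative heap-spray indicators (constructed heuristics, not a vendor signature set).
INDICATORS = {
    "unescape_unicode": re.compile(rb'unescape\s*\(\s*["\']%u', re.I),
    "nop_sled":         re.compile(rb'%u9090|%u0c0c|%u0d0d|%u0a0a', re.I),
    "array_fill_loop":  re.compile(rb'for\s*\([^)]*\)\s*\w+\s*\[\s*\w+\s*\]\s*=', re.S),
    "block_doubling":   re.compile(rb'while\s*\(\s*\w+\.length\s*<'),
}


def scan(js):
    return {name: bool(rx.search(js)) for name, rx in INDICATORS.items()}


def heap_spray_verdict(hits):
    """Heuristic: a %u-escaped payload that is copied into many array slots."""
    return hits["unescape_unicode"] and hits["array_fill_loop"]


def triage(pdf):
    """Compare per-stream verdicts with a verdict over the reassembled JavaScript."""
    chunks = collect_javascript(parse_objects(pdf))
    per_stream = [heap_spray_verdict(scan(c)) for c in chunks]
    combined = heap_spray_verdict(scan(b'\n'.join(chunks)))
    return {"js_streams": len(chunks), "per_stream": per_stream, "combined": combined}


if __name__ == "__main__":
    print(triage(build_sample_pdf()))
```

Run stand-alone, the script reports two JavaScript streams, a negative heap-spray verdict for each stream on its own, and a positive verdict once the streams are concatenated, which is the practical reason a triage tool has to inflate every stream and reassemble the script before matching on it rather than matching compressed bytes or one stream at a time.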

On a related note, if you want to learn how to analyze malicious PDFs, take a look at my Analyzing Malicious Documents Cheat Sheet. I get into this topic in the reverse-engineering malware course I teach at SANS.

Lenny Zeltser


About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds innovative endpoint defense solutions as VP of Products at Minerva. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
