Abstract | ||
---|---|---|
Due to its high popularity and rich functionalities, the Portable Document Format (PDF) has become a major vector for malware propagation. To detect malicious PDF files, the first step is to extract and de-obfuscate JavaScript code from the document, for which an effective technique is yet to be created. However, existing static methods cannot de-obfuscate JavaScript code, existing dynamic methods bring high overhead, and existing hybrid methods introduce high false negatives. Therefore, in this paper, we present MPScan, a scanner that combines dynamic JavaScript de-obfuscation and static malware detection. By hooking Adobe Reader's native JavaScript engine, JavaScript source code and op-code can be extracted on the fly after the source code is parsed and then executed. We also perform a multilevel analysis on the resulting JavaScript strings and op-code to detect malware. Our evaluation shows that regardless of obfuscation techniques, MPScan can effectively de-obfuscate and detect 98% of malicious PDF samples. |
Year | DOI | Venue |
---|---|---|
2013 | 10.1109/HICSS.2013.166 | HICSS |
Keywords | Field | DocType |
java | Programming language,Computer science,Source code,Java annotation,Parsing,Obfuscation,Portable document format,Malware,Java,Hooking,Operating system | Conference |
Volume | Issue | ISSN |
null | null | 1060-3425 |
Citations | PageRank | References |
11 | 0.56 | 5 |
Authors | ||
5 |
Name | Order | Citations | PageRank |
---|---|---|---|
Xun Lu | 1 | 11 | 0.56 |
Jianwei Zhuge | 2 | 155 | 13.86 |
Ruoyu Wang | 3 | 282 | 16.23 |
Yinzhi Cao | 4 | 297 | 18.73 |
Yan Chen | 5 | 3842 | 220.64 |