Tuts 4 You

Portable Document Format Malware


Teddy Rogers

About This File

Approximately two years ago a vulnerability in Adobe Reader's JavaScript API was discovered, and malware authors continue to produce malicious PDF files that exploit this flaw. This vulnerability has been patched, though a number of other vulnerabilities have been found and used in active exploits before being patched themselves.

There are numerous reasons why malware authors might use vulnerabilities in Adobe Reader and Acrobat as an attack vector. First, the PDF format is widely used throughout the world for sharing documents, and Adobe Reader is the most popular PDF viewer; many OEMs ship PCs with the software preinstalled. Second, the PDF file format specification and the properties of the viewer allow malware authors a significant degree of freedom when designing and developing a threat. Third, the nature of the PDF format provides malware authors with some useful tricks that help to avoid detection by AV scanners, and the support for JavaScript further extends this capability. Obfuscation, encryption, and misdirection are techniques often employed in a similar manner to how they may be seen in HTML and other environments that support JavaScript.

This paper aims to detail the different paths malware authors have taken and point out how attack techniques via PDF have evolved. It is hoped that it will aid AV vendors and PC users alike in better understanding the problems posed by malicious PDFs, as well as the importance of staying up-to-date with patches.


What's New in Version 02/20/2020 01:43 PM

Released

No changelog available for this version.

