Deobfuscation and Detection of Malicious PDF Files with High Accuracy

Due to its high popularity and rich functionality, the Portable Document Format (PDF) has become a major vector for malware propagation. To detect malicious PDF files, the first step is to extract and de-obfuscate JavaScript codes from the document, for which an effective technique is yet to be created. However, existing static methods cannot de-obfuscate JavaScript codes, existing dynamic methods bring high overhead, and existing hybrid methods introduce high false negatives.

Therefore, in this paper, we present MPScan, a scanner that combines dynamic JavaScript de-obfuscation and static malware detection. By hooking the Adobe Readers native JavaScript engine, JavaScript source code and opcode can be extracted on the fly after the source code is parsed and then executed. We also perform a multilevel analysis on the resulting JavaScript strings and opcode to detect malware. Our evaluation shows that regardless of obfuscation techniques, MPScan can effectively de-obfuscate and detect 98% malicious PDF samples.