Today we're going to talk a little about the scoring of PDF malware with the PDFExaminer tool. We're currently rating PDFs as clean, suspicious or malware based on a simple scoring algorithm.
JS obfuscation functions (eval, charCodeAt, etc.): +1
Strings/variable names such as exploit, jit, shellcode, etc.: +1
Flash (define object, Flash block): +1
CVE Exploit detected: +10
Clean = 0
Suspicious = 1-9
Malware = 10 or more
Some CVE exploit signatures may fire more than once for a single file: our detection engine uses regex signatures, and one exploit may be covered by two or more varied signatures so that new variants of known exploits are caught more broadly.
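To make the scoring rules above and the multiple-signature caveat concrete, here is an added example implementing the same weights and thresholds over constructed sample documents; it is not PDFExaminer's own code, and its signature set (including the "util.vulnfn" placeholder and the CVE-PLACEHOLDER id) is invented for illustration.

```python
import re

# Weights and thresholds as the post describes them.
WEIGHTS = {"js_obfuscation": 1, "suspicious_names": 1, "flash": 1, "cve_exploit": 10}

# Constructed signature set (category, signature id, regex). The two cve_exploit
# entries are deliberately two regex variants for the SAME placeholder CVE, to show
# how one exploit can be counted twice; "util.vulnfn" is a made-up function name,
# not a real PDF JavaScript API.
SIGNATURES = [
    ("js_obfuscation", "eval", re.compile(r"\beval\s*\(")),
    ("js_obfuscation", "charCodeAt", re.compile(r"\.charCodeAt\s*\(")),
    ("suspicious_names", "keywords", re.compile(r"\b(exploit|jit|shellcode)\b", re.I)),
    ("flash", "flash-object", re.compile(r"/Subtype\s*/Flash\b", re.I)),
    ("cve_exploit", "CVE-PLACEHOLDER/variant-a",
     re.compile(r"util\.vulnfn\s*\(\s*['\"][^'\"]{64,}")),   # long-argument form
    ("cve_exploit", "CVE-PLACEHOLDER/variant-b",
     re.compile(r"\bvulnfn\s*\(")),                           # broader catch-all form
]

def score_pdf(data: str):
    """Return (score, hits): each signature counts once per file if it matches."""
    hits = [(cat, sid) for cat, sid, rx in SIGNATURES if rx.search(data)]
    return sum(WEIGHTS[cat] for cat, _ in hits), hits

def classify(score: int) -> str:
    """Clean = 0, suspicious = 1-9, malware = 10 or more."""
    if score == 0:
        return "clean"
    return "suspicious" if score < 10 else "malware"

def distinct_cves(hits) -> set:
    """Collapse signature variants to the CVE they detect (the part before '/')."""
    return {sid.split("/")[0] for cat, sid in hits if cat == "cve_exploit"}

# Constructed sample documents (decompressed JavaScript stream content).
CLEAN = "%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
OBFUSCATED = "%PDF-1.4\n/JS (var s = ''; eval(String.fromCharCode(s.charCodeAt(0))))"
EXPLOIT = ("%PDF-1.4\n/JS (var shellcode = 'AAAA'; "
           "util.vulnfn('" + "A" * 100 + "');)")

if __name__ == "__main__":
    for name, doc in [("clean", CLEAN), ("obfuscated", OBFUSCATED), ("exploit", EXPLOIT)]:
        score, hits = score_pdf(doc)
        print(f"{name}: score={score} verdict={classify(score)} "
              f"hits={[s for _, s in hits]} distinct_cves={sorted(distinct_cves(hits))}")
```

The EXPLOIT sample scores 21 rather than 11 because both variants of the placeholder CVE signature match the same call; distinct_cves() shows that only one exploit is actually present.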