Tuesday, May 17, 2011

PDF Malware scoring with PDFExaminer

Today we're going to talk a little about the scoring of PDF malware with the PDFExaminer tool. We're currently rating PDFs as clean, suspicious or malware based on a simple scoring algorithm.

Use of JavaScript, per object: +1
JS Obfuscation function - eval, charCodeAt, etc: +1
Strings/variables exploit, jit, shellcode etc: +1
Flash (define object, Flash block): +1
CVE Exploit detected: +10
JBig2Decode: +1

Clean = 0
Suspicious = 1-9
Malware = 10 or more

Some CVE exploit signatures may fire more than once on the same file: our detection engine uses regex signatures, and some exploits are covered by two or more varied signatures so that new variants of known exploits are detected more broadly.
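The scoring described above, as an added example that is not PDFExaminer's own code: the weights and the clean/suspicious/malware thresholds follow the post, while the regex patterns, the constructed sample PDF and the two placeholder CVE signatures are simplified assumptions (the real engine would decode streams before scanning, and its signatures are not reproduced here). It also shows the additive effect noted above: two overlapping signatures for one exploit each add +10.

```python
import re

# Weights from the post. JavaScript counts once per object; the other
# features are assumed to count once per document.
WEIGHTS = {"javascript": 1, "js_obfuscation": 1, "suspicious_strings": 1,
           "flash": 1, "cve_exploit": 10, "jbig2decode": 1}

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj\b(.*?)endobj", re.S)
JS_RE = re.compile(rb"/(?:JavaScript|JS)\b")
DOCUMENT_PATTERNS = {  # assumed, simplified stand-ins for the real signatures
    "js_obfuscation": re.compile(rb"\b(?:eval|charCodeAt|unescape|fromCharCode)\b"),
    "suspicious_strings": re.compile(rb"\b(?:exploit|jit|shellcode)\b", re.I),
    "flash": re.compile(rb"/Subtype\s*/Flash\b"),
    "jbig2decode": re.compile(rb"/JBIG2Decode\b"),
}

# Constructed placeholders: two signatures that both match the same sample,
# standing in for the varied regex signatures the post describes.
DEMO_CVE_SIGNATURES = [
    ("placeholder-sig-a", re.compile(rb"%u9090")),
    ("placeholder-sig-b", re.compile(rb"unescape\('%u")),
]

# Constructed sample: JavaScript in one object plus a JBIG2Decode stream.
SAMPLE = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /JavaScript /JS (var s = unescape('%u9090'); eval(s);) >> endobj\n"
          b"3 0 obj << /Filter /JBIG2Decode /Length 4 >> stream\n\x00\x00\x00\x00\nendstream endobj\n")

def score_pdf(data, cve_signatures):
    """Return (score, feature hit counts) for raw PDF bytes."""
    hits = {}
    js_objects = sum(1 for m in OBJ_RE.finditer(data) if JS_RE.search(m.group(1)))
    if js_objects:
        hits["javascript"] = js_objects          # +1 per object using JavaScript
    for name, pat in DOCUMENT_PATTERNS.items():
        if pat.search(data):
            hits[name] = 1
    cve_hits = [name for name, pat in cve_signatures if pat.search(data)]
    if cve_hits:
        hits["cve_exploit"] = len(cve_hits)      # +10 per matching signature
    return sum(WEIGHTS[k] * n for k, n in hits.items()), hits

def classify(score):
    if score == 0:
        return "clean"
    return "suspicious" if score <= 9 else "malware"

if __name__ == "__main__":
    for sigs in ([], DEMO_CVE_SIGNATURES):
        score, hits = score_pdf(SAMPLE, sigs)
        print(score, classify(score), hits)
```

Without the CVE signatures the sample scores 3 (suspicious); with both placeholder signatures matching it scores 23 (malware).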

