SAFE-PDF: Robust Detection of JavaScript PDF Malware Using Abstract Interpretation

The popularity of the PDF format and the rich JavaScript environment that PDF viewers offer make PDF documents an attractive attack vector for malware developers. PDF documents present a serious threat to the security of organizations because most users are unsuspecting of them and thus likely to open documents from untrusted sources. We propose to identify malicious PDFs by using conservative abstract interpretation to statically reason about the behavior of the embedded JavaScript code. Currently, state-of-the-art tools either: (1) statically identify PDF malware based on structural similarity to known malicious samples; or (2) dynamically execute the code to detect malicious behavior. These two approaches are subject to evasion attacks that mimic the structure of benign documents or do not exhibit their malicious behavior when being analyzed dynamically. In contrast, abstract interpretation is oblivious to both types of evasions. A comparison with two state-of-the-art PDF malware detection tools shows that our conservative abstract interpretation approach achieves similar accuracy, while being more resilient to evasion attacks.