
Combining Static And Dynamic Analysis Of The Malicious PDF Document

Posted on: 2013-07-01
Degree: Master
Type: Thesis
Country: China
Candidate: X F Wu
GTID: 2248330374982624
Subject: Information security

Abstract/Summary:
With the rapid development of the Internet and the spread of office automation, Portable Document Format (PDF), the successor to PostScript, has become the open standard for distributing electronic documents. PDF sidesteps the rendering and compatibility problems that arise when electronic files are shared, letting users view documents freely and exchange them easily online, so it has become the format of choice for document distribution. That convenience brings problems of its own, and a PDF carrying malicious code is probably the most harmful of them: such files cause irreparable damage to enterprises and users and pose a serious threat to Internet applications. Because PDF readers are so widely deployed and the format is so adaptable, PDF has become an effective carrier that accelerates the spread of malicious code. Given the damage this code does to computer systems, research on detecting and preventing malicious PDF files has become an important goal in computer security.

This thesis first introduces the physical and logical structure of the PDF file and then implements an automatic analysis system for that structure. The system views and extracts the binary content of a PDF quickly and accurately, in particular every kind of compressed stream object, providing data for further detection and analysis. Second, it analyses the principles behind different kinds of malicious PDF files, studies their propagation methods and models, and then surveys and summarises the attack methods and anti-detection (anti-virus evasion) techniques they use. On this basis it explores detection methods and their feasibility, builds a JavaScript decoding engine, and implements extraction and decoding of the JavaScript embedded in PDF files.
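The structure-level extraction described above (walking the object table, inflating compressed stream objects without trusting /Length, undoing hex-escaped names, and pulling out the JavaScript an action points to), as an added Python example; this is not the thesis's own system, and the sample PDF, its object numbers, the hex-escaped /J#61vaScript name and the deliberately wrong /Length are all constructed here to exercise the parser:

```python
import re
import zlib

# Constructed sample, not taken from any real malware: a minimal PDF whose
# JavaScript lives in a FlateDecode stream reached through the catalog's
# /OpenAction. The action's /S name is hex-escaped (/J#61vaScript) and the
# stream's /Length is wrong, two malformations evasive samples rely on.
SAMPLE_JS = b"app.alert('x'); var s = unescape('%u9090%u9090');"


def build_sample_pdf(js=SAMPLE_JS, wrong_length=True):
    comp = zlib.compress(js)
    length = 5 if wrong_length else len(comp)
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n",
        b"4 0 obj\n<< /S /J#61vaScript /JS 5 0 R >>\nendobj\n",
        b"5 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % length
        + comp + b"\nendstream\nendobj\n",
    ]
    return b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)
NAME_RE = re.compile(rb"/([^\s/<>\[\]()]+)")
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")
JS_LITERAL_RE = re.compile(rb"/JS\s*\((.*?)\)", re.S)  # naive: ignores \) escapes
# Dictionary names whose presence warrants a closer look.
SUSPICIOUS = {b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch",
              b"EmbeddedFile", b"RichMedia", b"URI"}


def normalize_name(raw):
    """Decode #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def inflate(data, chunk=64):
    """Inflate FlateDecode data in small chunks so that a truncated or
    corrupt stream still yields whatever decoded before the error."""
    d = zlib.decompressobj()
    out = bytearray()
    for i in range(0, len(data), chunk):
        try:
            out += d.decompress(data[i:i + chunk])
        except zlib.error:
            break
    try:
        out += d.flush()
    except zlib.error:
        pass
    return bytes(out)


def scan_pdf(pdf):
    """Walk every 'N G obj ... endobj' block and record its normalized names,
    its indirect references, any /JS literal and its decoded stream body.
    The body is delimited by the stream/endstream keywords, not by /Length,
    because malicious files routinely lie about /Length."""
    objects = {}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        dict_part = body.split(b"stream", 1)[0]
        names = {normalize_name(n) for n in NAME_RE.findall(dict_part)}
        data = b""
        sm = STREAM_RE.search(body)
        if sm:
            data = sm.group(1)
            if b"FlateDecode" in names:
                data = inflate(data)
        objects[num] = {
            "suspicious": sorted(n.decode() for n in names & SUSPICIOUS),
            "refs": [int(r) for r in REF_RE.findall(dict_part)],
            "js_literal": JS_LITERAL_RE.findall(dict_part),
            "data": data,
        }
    return objects


def extract_javascript(pdf):
    """Return decoded JavaScript bodies: /JS literals plus referenced streams."""
    objects = scan_pdf(pdf)
    scripts = []
    for obj in objects.values():
        if "JavaScript" not in obj["suspicious"]:
            continue
        scripts.extend(obj["js_literal"])
        for ref in obj["refs"]:
            target = objects.get(ref)
            if target and target["data"]:
                scripts.append(target["data"])
    return scripts


if __name__ == "__main__":
    pdf = build_sample_pdf()
    for num, obj in sorted(scan_pdf(pdf).items()):
        if obj["suspicious"]:
            print(num, obj["suspicious"])
    for js in extract_javascript(pdf):
        print(js.decode(errors="replace"))
```

Two details matter for real samples: stream boundaries are taken from the keywords rather than /Length, and names are compared only after #xx escapes are decoded, otherwise /J#61vaScript slips past a literal match. Object streams (/ObjStm), other filters (ASCIIHex, LZW, RunLength) and cross-reference streams are not handled here; a production parser has to recurse into them.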
Third, by combining static and dynamic analysis, the malicious code in a PDF can be analysed and its signatures extracted into a malicious-feature signature library. A new behaviour-feature signature library is then built on YARA, together with a method for adding signatures to the library quickly, which raises the recognition rate for malicious PDFs. In addition, a libemu-based shellcode simulation environment is constructed. The first step disassembles the shellcode extracted from the malicious PDF; the second analyses the disassembled x86 code and implements register simulation and the essential FPU simulation, while detecting the shellcode through GetPC heuristic detection, static analysis, dynamic analysis of the binary code, Win32 API hooking and similar means. In simulation mode the system decides automatically, from behavioural analysis, whether the PDF file is malicious. Finally, experiments on many malicious PDF files show that the analysis and detection system is clearly effective, especially at quickly detecting malicious PDFs whose JavaScript is compressed and obfuscated. The system also yields fast and accurate analysis data, which makes it a valuable tool for security officers who need to detect malicious PDF files.
Keywords/Search Tags: PDF documents, malicious code, static analysis, dynamic behavior analysis