| The Portable Document Format (PDF) is a widely used, cross-platform file format for document exchange. Several applications exist for parsing and rendering PDF documents, with Adobe's Acrobat Reader being the most widely used PDF reader. Starting in 2007, several vulnerabilities in Adobe Reader were discovered being exploited in the wild. PDF-based exploits continued to proliferate during 2008 and 2009, and, although recent security reports have noted a decline in the numbers of PDF-based malware in 2011, malicious PDFs are likely to continue to be a significant threat for the next few years, given the ubiquity of the PDF format and the existence of a large base of unpatched Adobe Reader installations.;In this work, we try to understand the role played by malicious PDFs in the malware and spam ecosystems. We collect data from the execution of a set of about 11,000 malicious PDFs obtained from various sources. We find a correlation between the age of a vulnerability and the number of PDFs exploiting that vulnerability. We also find differences in behavior depending on the distribution vector used. Looking at the final payload of the malicious PDFs, we find that some known pay-per-install services seem to use malicious PDFs as an infection vector. Finally, we see a considerable overlap in malware-hosting domains contacted by malicious PDFs and spam-advertised domains seen in emails collected by various spam feeds, pointing to the use of both vectors for malware distribution. |
