The Extendable Guideline for Analysing Malicious PDF Documents

Abstract: Today, the average computer user has undoubtedly encountered the PDF format while handling electronic documents. Due to its wide-spread popularity and feature richness, PDF documents are commonly utilized by attackers in order to infect systems with malware. This thesis will present The Extendable Guideline for Analysing Malicious PDF Documents. This work will establish the foundation of the guideline and populate it with a part of the analysis process. The guideline relies on earlier published material in the topic. It is a practical guideline that is followed by the use of a flowchart and can be utilized by an analyst in order to determine if a PDF document is malicious or not. It provides technical background information, suitable analysis techniques, and tools. The guideline structure was developed by using sequential thinking in combination with the divide and conquer paradigm. The thesis will also elucidate commonly applied techniques that are used by malicious PDF authors in order to infect systems, evade detection, and distribute their malicious documents. A commonly utilized function in PDF documents are the JavaScript feature. There are a wide range of other features that are targeted by malicious PDF authors, but they are more rarely encountered. PDF documents are often distributed by attackers by sending them as an attachment in an email, or storing the document on a web server.