PDF Scrutinizer: Detecting JavaScript-based attacks in PDF documents

For a long time PDF documents have arrived in the everyday life of the average computer user, corporate businesses and critical structures, as authorities and military. Due to its wide spread in general, and because out-of-date versions of PDF readers are quite common, using PDF documents has become a popular malware distribution strategy. In this context, malicious documents have useful features: they are trustworthy, attacks can be camouflaged by inconspicuous document content, but still, they can often download and install malware undetected by firewall and anti-virus software. In this paper we present PDF Scrutinizer, a malicious PDF detection and analysis tool. We use static, as well as, dynamic techniques to detect malicious behavior in an emulated environment. We evaluate the quality and the performance of the tool with PDF documents from the wild, and show that PDF Scrutinizer reliably detects current malicious documents, while keeping a low false-positive rate and reasonable runtime performance.