

Showing posts from May, 2011

PDF Malware scoring with PDFExaminer

Today we're going to talk a little about the scoring of PDF malware with the PDFExaminer tool. We're currently rating PDFs as clean, suspicious or malware based on a simple scoring algorithm.

Use of JavaScript, per object: +1
JS obfuscation function (eval, charCodeAt, etc.): +1
Suspicious strings/variable names (exploit, jit, shellcode, etc.): +1
Flash (define object, Flash block): +1
CVE Exploit detected: +10
JBig2Decode: +1

Clean = 0
Suspicious = 1-9
Malware = 10 or more

Some CVE exploit signatures may fire multiple times on one file: our detection engine uses regex signatures, and some exploits are covered by two or more varied signatures so that new variants of known exploits are detected more broadly. Each match adds its +10 to the score.
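To make the scoring concrete, here is an added example (written for this post, not PDFExaminer's own code) that applies the weights above to a few constructed, text-only PDF fragments. Per-object indicators are found with regexes, CVE signatures score +10 per matching signature variant, and the total is mapped to clean / suspicious / malware using the thresholds given above. The lists of obfuscation functions and Flash markers, the "CVE-XXXX-XXXX" entry and its two regex variants, and the `example.vulnCall` trigger string are all placeholders invented for the example, not signatures from the real engine.

```python
import re

# Constructed, text-only PDF fragments (not valid PDFs; stream lengths omitted) used as sample input.
HEADER = b"%PDF-1.4\n"
CATALOG = b"1 0 obj\n<< /Type /Catalog /Pages 5 0 R /OpenAction 2 0 R >>\nendobj\n"
PAGES = b"5 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
JS_ACTION = b"2 0 obj\n<< /Type /Action /S /JavaScript /JS 3 0 R >>\nendobj\n"
JS_CODE = (b"3 0 obj\n<< >>\nstream\n"
           b'var shellcode = unescape("AAAA"); eval(String.fromCharCode(65));\n'
           b"endstream\nendobj\n")
JBIG2_IMAGE = (b"4 0 obj\n<< /Type /XObject /Subtype /Image /Filter /JBIG2Decode >>\n"
               b"stream\nabcd\nendstream\nendobj\n")
# Hypothetical trigger for the placeholder CVE signature below; not a real API call.
TRIGGER = b'6 0 obj\n<< >>\nstream\nexample.vulnCall("AAAA");\nendstream\nendobj\n'

SAMPLE_CLEAN = HEADER + CATALOG + PAGES
SAMPLE_SUSPICIOUS = HEADER + CATALOG + JS_ACTION + JS_CODE + JBIG2_IMAGE + PAGES
SAMPLE_MALWARE = SAMPLE_SUSPICIOUS + TRIGGER

# One match per "N G obj ... endobj" block; scoring is per object as in the post.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)

# Per-object indicators with the weights from the post. The exact lists of
# obfuscation functions and Flash markers extend the post's "etc." and are assumptions.
INDICATORS = [
    ("javascript",  re.compile(rb"/JavaScript\b|/JS\b"), 1),
    ("obfuscation", re.compile(rb"\b(eval|charCodeAt|fromCharCode|unescape)\s*\("), 1),
    ("strings",     re.compile(rb"\b(exploit|jit|shellcode)\b", re.I), 1),
    ("flash",       re.compile(rb"/Flash\b|/RichMedia\b"), 1),
    ("jbig2decode", re.compile(rb"/JBIG2Decode\b", re.I), 1),
]

# CVE signatures score +10 each. As the post notes, one exploit may be covered by
# several regex variants, and every variant that matches counts. The CVE id and
# both patterns are placeholders for this example only.
CVE_SIGNATURES = {
    "CVE-XXXX-XXXX": [
        re.compile(rb"example\.vulnCall\s*\("),   # narrow variant: direct method call
        re.compile(rb"vulnCall\W"),               # broad variant: any spelling of the call
    ],
}

def rate(score):
    """Thresholds from the post: 0 clean, 1-9 suspicious, 10+ malware."""
    if score == 0:
        return "clean"
    if score < 10:
        return "suspicious"
    return "malware"

def score_pdf(data):
    """Return (score, rating, findings); each finding is (object number, indicator, weight)."""
    findings = []
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        for name, pattern, weight in INDICATORS:
            if pattern.search(body):          # at most one hit per indicator per object
                findings.append((num, name, weight))
        for cve, variants in CVE_SIGNATURES.items():
            for variant in variants:          # every matching variant scores
                if variant.search(body):
                    findings.append((num, cve, 10))
    score = sum(w for _, _, w in findings)
    return score, rate(score), findings

if __name__ == "__main__":
    for label, sample in [("clean", SAMPLE_CLEAN),
                          ("suspicious", SAMPLE_SUSPICIOUS),
                          ("malware", SAMPLE_MALWARE)]:
        score, rating, findings = score_pdf(sample)
        print(f"{label}: score={score} rating={rating}")
        for num, name, weight in findings:
            print(f"  object {num}: {name} +{weight}")
```

The suspicious sample scores 4 (JavaScript action, an obfuscation call and a suspicious variable name in the script object, and a JBIG2Decode filter), and adding the single trigger object pushes it to 24 because both signature variants fire, which is exactly the double-counting behaviour described above.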

PDFExaminer API

Our new API tool to submit PDFs from the command line and download reports is now available.

Feel free to recode in other languages. We'll post any user submissions here as well.

Upload a PDF and receive the report:
php mwtfile.php [filename] [email address for report]
mwtfile.php source.

Download a PDFExaminer report for a hash
php mwtreport.php [hash] [report xml, text, json, php, is_malware, rating, severity]
mwtreport.php source.

php mwtfile.php China\'s\ Charm\ diplomacy\ in\ BRICS\ Summit.pdf

php mwtreport.php ae39b747e4fe72dce6e5cdc6d0314c02 xml

XML Report:
<?xml version="1.0"?>
<pdf><filename>China's Charm diplomacy in BRICS Summit.pdf</filename>
<submitted>2011-04-21 14:46:36</submitted>

Server upgrade

We completed a server upgrade to a brand new server with double the resources; processing speed should be even better, and we are looking to release our PDFExaminer API tool very soon.

API Features for the Free online PDFExaminer
Submit a PDF for analysis via PHP or scripted web post
Extract reports in XML, Text, JSON, or PHP Serialize (Hash variable)

PDFExaminer: ObjStm handling

We've rolled out a number of new features today. One of the biggest is ObjStm handling: object streams are extracted and processed as separate objects, so indicators hidden inside them are counted like any other object. The malware severity rating now includes the count from embedded PDFs. Our parser has also been enhanced to better process extremely malformed PDFs.
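Why ObjStm handling matters for the scoring is easiest to see with a small added example (written for this post, not PDFExaminer's parser). It builds a constructed PDF whose top-level objects are harmless but whose FlateDecode'd /ObjStm packs a hidden /JavaScript action, then unpacks the object stream using its /N and /First entries and the offset table at the start of the decoded data, so the hidden objects can be scanned as separate objects. The object numbers, the harmless `app.alert` string and the helper names are constructed for the example.

```python
import re
import zlib

# One match per "N G obj ... endobj" block written directly in the file.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /JavaScript and /JS are dictionary names, so only the dictionary part of an object is checked.
JS_RE = re.compile(rb"/JavaScript\b|/JS\b")

def build_objstm(num, objs):
    """Pack (object number, body) pairs into one FlateDecode'd /ObjStm object.
    Constructed sample builder; the layout (offset table, /N, /First) follows the
    PDF object-stream format: N pairs of "objnum offset", then the bodies, with
    offsets relative to /First."""
    table, bodies, pos = [], [], 0
    for onum, body in objs:
        table.append(b"%d %d" % (onum, pos))
        bodies.append(body)
        pos += len(body) + 1                      # bodies are newline-separated
    header = b" ".join(table) + b"\n"
    payload = zlib.compress(header + b"\n".join(bodies))
    dictionary = (b"<< /Type /ObjStm /N %d /First %d /Filter /FlateDecode /Length %d >>"
                  % (len(objs), len(header), len(payload)))
    return b"%d 0 obj\n" % num + dictionary + b"\nstream\n" + payload + b"\nendstream\nendobj\n"

# Constructed hidden objects: a JavaScript action (harmless alert string) and a font.
HIDDEN_OBJECTS = [
    (10, b'<< /Type /Action /S /JavaScript /JS (app.alert\\("hello"\\)) >>'),
    (12, b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>"),
]

SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 5 0 R /OpenAction 10 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    + build_objstm(7, HIDDEN_OBJECTS)
)

def top_level_objects(pdf):
    """Map object number -> body for objects written directly in the file."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}

def expand_objstm(body):
    """Return {num: body} for the objects packed inside one /ObjStm body, or {} if it is not one."""
    dict_part, sep, rest = body.partition(b"stream")
    if not sep or b"/ObjStm" not in dict_part:
        return {}
    n = int(re.search(rb"/N\s+(\d+)", dict_part).group(1))
    first = int(re.search(rb"/First\s+(\d+)", dict_part).group(1))
    length = int(re.search(rb"/Length\s+(\d+)", dict_part).group(1))
    start = 2 if rest.startswith(b"\r\n") else 1  # skip the EOL after the stream keyword
    raw = rest[start:start + length]
    data = zlib.decompress(raw) if b"/FlateDecode" in dict_part else raw
    nums = [int(x) for x in data[:first].split()]
    pairs = list(zip(nums[0::2], nums[1::2]))[:n]
    out = {}
    for i, (onum, off) in enumerate(pairs):
        end = first + pairs[i + 1][1] if i + 1 < len(pairs) else len(data)
        out[onum] = data[first + off:end].strip()
    return out

def all_objects(pdf):
    """Top-level objects plus every object unpacked from object streams."""
    objs = top_level_objects(pdf)
    expanded = {}
    for body in objs.values():
        expanded.update(expand_objstm(body))
    return {**objs, **expanded}

def count_javascript(objs):
    """Number of objects whose dictionary carries /JavaScript or /JS."""
    return sum(1 for body in objs.values() if JS_RE.search(body.partition(b"stream")[0]))

if __name__ == "__main__":
    print("JavaScript objects, top level only:", count_javascript(top_level_objects(SAMPLE_PDF)))
    print("JavaScript objects, after ObjStm expansion:", count_javascript(all_objects(SAMPLE_PDF)))
```

Scanning only the top-level objects reports no JavaScript at all; after expanding the object stream the same file shows one JavaScript action, which is the difference the new ObjStm handling makes to the severity count.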

Coming soon, we'll be releasing an API to post PDFs for analysis and retrieve reporting in XML, PHP Serialize, JSON, or text.