Automatic signature generation for malicious PDF files

US 8,695,096 B1
Filed: 05/24/2011
Issued: 04/08/2014
Est. Priority Date: 05/24/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

parse a PDF file to extract script stream data embedded in the PDF file, wherein the PDF file is known to include malicious content; and

determine whether to generate a signature associated with the PDF file based at least in part on at least a portion of the extracted script stream data;

in the event that the signature associated with the PDF file is determined to be based at least in part on the at least portion of the extracted script stream data, automatically generate the signature associated with the PDF file based at least in part on the at least portion of the extracted script stream data, wherein the signature is configured to be matched against a potentially malicious PDF file; and

in the event that the signature associated with the PDF file is determined not to be based at least in part on the at least portion of the extracted script stream data, automatically generate the signature associated with the PDF file from an identified cross-reference table from a plurality of cross-reference tables within the PDF file, wherein the identified cross-reference table is identified from the plurality of cross-reference tables based at least in part on a position of the identified cross-reference table relative to respective positions associated with one or more cross-reference tables other than the identified cross-reference table from the plurality of cross-reference tables; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, automatic signature generation for malicious PDF files includes: parsing a PDF file to extract script stream data embedded in the PDF file; determining whether the extracted script stream data within the PDF file is malicious; and automatically generating a signature for the PDF file.

277 Citations

26 Claims

1. A system, comprising:
- a processor configured to;
  
  parse a PDF file to extract script stream data embedded in the PDF file, wherein the PDF file is known to include malicious content; and
  
  determine whether to generate a signature associated with the PDF file based at least in part on at least a portion of the extracted script stream data;
  
  in the event that the signature associated with the PDF file is determined to be based at least in part on the at least portion of the extracted script stream data, automatically generate the signature associated with the PDF file based at least in part on the at least portion of the extracted script stream data, wherein the signature is configured to be matched against a potentially malicious PDF file; and
  
  in the event that the signature associated with the PDF file is determined not to be based at least in part on the at least portion of the extracted script stream data, automatically generate the signature associated with the PDF file from an identified cross-reference table from a plurality of cross-reference tables within the PDF file, wherein the identified cross-reference table is identified from the plurality of cross-reference tables based at least in part on a position of the identified cross-reference table relative to respective positions associated with one or more cross-reference tables other than the identified cross-reference table from the plurality of cross-reference tables; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the processor is further configured to determine which objects, if any, within the PDF file includes JavaScript data.
  - 3. The system of claim 1, wherein the processor is further configured to traverse through one or more objects within the PDF file to find an object associated with JavaScript data.
  - 4. The system of claim 1, wherein determining whether to generate the signature associated with the PDF file based at least in part on the at least portion of the extracted script stream data includes:
    - determining one or more portions of the extracted script stream data that are potentially malicious;
      
      assigning one or more numeric values corresponding to the one or more portions of the extracted script stream data that are potentially malicious, wherein the one or more numeric values are determined based on heuristics;
      
      aggregating the one or more numeric values into an aggregate numeric value; and
      
      determining whether the aggregate numeric value exceeds a threshold numeric value;
      
      in the event that the aggregate numeric value exceeds the threshold numeric value, determining to generate the signature based at least in part on the at least portion of the extracted script stream data; and
      
      in the event that the aggregate numeric value is equal to or less than the threshold numeric value, determining not to generate the signature based at least in part on the at least portion of the extracted script stream data.
  - 5. The system of claim 4, wherein the one or more portions of the extracted script stream data that are potentially malicious include one or more of the following:
    - an iFrame that includes an associated Uniform Resource Locator (URL) associated with a blacklisted domain and an iFrame that includes an associated URL associated with a webpage configured to download an .exe file, a .dll file, and/or a .doc file.
  - 6. The system of claim 1, wherein the processor is further configured to de-obfuscate the PDF file.
  - 7. The system of claim 1, wherein the processor is configured to automatically generate the signature for the PDF file based at least in part on at least a subset of portion(s) of a script within the PDF file that was determined to be malicious.
  - 8. The system of claim 1, wherein the processor is configured to automatically generate the signature for the PDF file based at least in part on selecting a plurality of patterns exceeding a suspicious threshold to automatically generate the signature using the plurality of patterns.
  - 9. The system of claim 1, wherein the processor is configured to automatically generate the signature for the PDF file based at least in part on selecting a plurality of patterns exceeding a suspicious threshold to automatically generate the signature using the plurality of patterns, wherein each of the plurality of patterns is based on different threshold numeric values.

10. A method, comprising:
- parsing a PDF file to extract script stream data embedded in the PDF file, wherein the PDF file is known to include malicious content; and
  
  determining whether to generate a signature associated with the PDF file based at least in part on at least a portion of the extracted script stream data;
  
  in the event that the signature associated with the PDF file is determined to be based at least in part on the at least portion of the extracted script stream data, automatically generating the signature associated with the PDF file based at least in part on the at least portion of the extracted script stream data, wherein the signature is configured to be matched against a potentially malicious PDF; and
  
  in the event that the signature associated with the PDF file is determined not to be based at least in part on the at least portion of the extracted script stream data, automatically generating the signature associated with the PDF file from an identified cross-reference table from a plurality of cross-reference tables within the PDF file, wherein the identified cross-reference table is identified from the plurality of cross-reference tables based at least in part on a position of the identified cross-reference table relative to respective positions associated with one or more cross-reference tables other than the identified cross-reference table from the plurality of cross-reference tables.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein parsing the PDF file to extract script stream data includes determining which objects, if any, within the PDF file include JavaScript data.
  - 12. The method of claim 10, wherein parsing the PDF file to extract script stream data includes traversing through one or more objects within the PDF file to find an object associated with JavaScript data.
  - 13. The method of claim 10, wherein determining whether to generate the signature associated with the PDF file based at least in part on the at least portion of the extracted script stream data includes:
    - detecting one or more portions of the extracted script stream data that are potentially malicious;
      
      assigning one or more numeric values corresponding to the one or more portions of the extracted script stream data that are potentially malicious, wherein the one or more numeric values are determined based on heuristics;
      
      aggregating the one or more numeric values into an aggregate numeric value; and
      
      determining whether the aggregate numeric value exceeds a threshold numeric value;
      
      in the event that the aggregate numeric value exceeds the threshold numeric value, determining to generate the signature based at least in part on the at least portion of the extracted script stream data; and
      
      in the event that the aggregate numeric value is equal to or less than the threshold numeric value, determining not to generate the signature based at least in part on the at least portion of the extracted script stream data.
  - 14. The method of claim 13, wherein the one or more portions of the extracted script stream data that are potentially malicious include one or more of the following:
    - an iFrame that includes an associated Uniform Resource Locator (URL) associated with a blacklisted domain and an iFrame that includes an associated URL associated with a webpage configured to download an .exe file, a .dll file, and/or a .doc file.
  - 15. The method of claim 10, further comprising de-obfuscating the PDF file.
  - 16. The method of claim 10, wherein automatically generating the signature for the PDF file is based at least in part on at least a subset of portion(s) of a script within the PDF file.
  - 17. The method of claim 10, wherein automatically generating the signature for the PDF file includes selecting a plurality of patterns exceeding a suspicious threshold to automatically generate the signature using the plurality of patterns.
  - 18. The method of claim 10, wherein automatically generating the signature for the PDF file includes selecting a plurality of patterns exceeding a suspicious threshold to automatically generate the signature using the plurality of patterns, wherein each of the plurality of patterns is based on different threshold numeric values.

19. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- parsing a PDF file to extract script stream data embedded in the PDF file, wherein the PDF file is known to include malicious content; and
  
  determining whether to generate a signature associated with the PDF file based at least in part on at least a portion of the extracted script stream data;
  
  in the event that the signature associated with the PDF file is determined to be based at least in part on the at least portion of the extracted script stream data, automatically generating the signature associated with the PDF file based at least in part on the at least portion of the extracted script stream data, wherein the signature is configured to be matched against a potentially malicious PDF; and
  
  in the event that the signature associated with the PDF file is determined not to be based at least in part on the at least portion of the extracted script stream data, automatically generating the signature associated with the PDF file from an identified cross-reference table from a plurality of cross-reference tables within the PDF file, wherein the identified cross-reference table is identified from the plurality of cross-reference tables based at least in part on a position of the identified cross-reference table relative to respective positions associated with one or more cross-reference tables other than the identified cross-reference table from the plurality of cross-reference tables.

20. A system, comprising:
- a processor configured to;
  
  determine that a PDF file does not include script stream data, wherein the PDF file is known to include malicious content;
  
  determine an identified cross-reference table from a plurality of cross-reference tables within the PDF file, wherein the identified cross-reference table is identified from the plurality of cross-reference tables based at least in part on a position of the identified cross-reference table relative to respective positions associated with one or more cross-reference tables other than the identified cross-reference table from the plurality of cross-reference tables; and
  
  automatically generate a signature for the PDF file from the identified cross-reference table; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The system of claim 20, wherein the processor is further configured to de-obfuscate the PDF file.
  - 22. The system of claim 20, wherein the identified cross-reference table is associated with a most recent incremental save associated with the PDF file.
  - 23. The system of claim 20, wherein the processor is further configured to decrypt the identified cross-reference table.
  - 24. The system of claim 20, wherein the processor is further configured to determine a startxref object and two continuous reference objects associated with a predetermined offset range within the identified cross-reference table.
  - 25. The system of claim 20, wherein the processor is further configured to determine a startxref object and two continuous in use reference objects associated with a predetermined offset range within the identified cross-reference table.
  - 26. The system of claim 20, wherein the processor is further configured to determine a startxref object and two continuous reference objects associated with a predetermined offset range within the identified cross-reference table and to automatically generate the signature associated with the PDF file based at least in part on the startxref object and the two continuous reference objects associated with the predetermined offset range within the identified cross-reference table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Zhang, Liang
Primary Examiner(s)
Zecher, Cordelia
Assistant Examiner(s)
McCoy, Richard

Application Number

US13/115,036
Time in Patent Office

1,050 Days
Field of Search

726/22, 715/201, 715/209, 715/234, 707/708, 707/741, 707/748, 707/755, 707/771, 707/830, 707/953, 707/952, 717140-144
US Class Current

726/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 21/60   Protecting data

H04L 63/12   Applying verification of th...

H04L 63/123   received data contents, e.g...

Automatic signature generation for malicious PDF files

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

277 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic signature generation for malicious PDF files

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

277 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links