Systems and methods for analyzing malicious PDF network content
Abstract
Systems and methods for analyzing malicious PDF network content are provided herein. According to some embodiments, a PDF parser examines a body portion of a PDF document received over a network and intended for a digital device and determines if one or more suspicious characteristics indicative of malicious network content are included in the examined body portion of the PDF document. The examined body portion of the PDF document is lesser in size than an entirety of the body portion of the PDF document. When the portion of the body section of the PDF document is determined to include one or more suspicious characteristics indicative of malicious network content, the PDF document is provided to one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the portion of the body section of the PDF document. Such verification comprises execution of a PDF reader application by the one or more virtual machines to process the portion of the body section of the PDF document and monitor behavior of the PDF document so as to determine if the portion of the body section of the PDF document includes malicious network content.
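The two-stage flow the abstract describes (a parser that examines less than the whole document for suspicious characteristics, and a virtual machine that receives only the documents that stage flags) as an added stage-1 example in Python. This is not the patent's or any product's code: the indicator list, the byte-bounded examination window and the two sample PDFs are constructed assumptions for illustration, and hex-escaped names (a common way to hide `/JavaScript`) are normalised before matching.

```python
import re

# Suspicious characteristics used as the parser's heuristics. This list is an
# assumption for the example; the patent text does not enumerate the
# characteristics its parser looks for.
SUSPICIOUS_NAMES = {
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia",
}
# PDF name objects may encode characters as #xx hex escapes (/J#61vaScript),
# so every name is normalised before it is compared with the list.
_NAME_RE = re.compile(rb"/(?:[^\s/<>\[\]()%]+)")
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalise_name(raw: bytes) -> bytes:
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def examine_portion(pdf: bytes, max_bytes: int = 4096) -> dict:
    """Stage 1: scan only a bounded portion of the PDF for suspicious
    characteristics and decide whether to hand the document to the
    stage-2 virtual-machine verification."""
    if not pdf.startswith(b"%PDF-"):
        return {"pdf": False, "indicators": [], "forward_to_vm": False}
    body = pdf[:max_bytes]   # less than the entirety of the document
    found = []
    for m in _NAME_RE.finditer(body):
        name = normalise_name(m.group(0))
        if name in SUSPICIOUS_NAMES and name not in found:
            found.append(name)
    # Stage 2 (execution in a VM) is triggered only when the examined
    # portion looks suspicious; clean-looking documents skip the sandbox.
    return {"pdf": True, "indicators": found, "forward_to_vm": bool(found)}

# Constructed sample documents (not real-world files).
BENIGN = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
          b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n%%EOF\n")
SUSPECT = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
           b"3 0 obj << /S /J#61vaScript /JS (app.alert('hi')) >> endobj\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, examine_portion(doc))
```

The `max_bytes` limit also makes the stage-1 blind spot visible: an indicator placed beyond the examined portion is not flagged, so the window size is a detection-coverage setting as much as a performance one.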
Claims (32)

1. A system comprising:
a processor; and
a memory device coupled to the processor, the memory device comprises a portable document format (PDF) parser that, when executed by the processor, examines one or more portions of a PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document, wherein the one or more examined portions of the PDF document comprise less than an entirety of the PDF document, and
one or more virtual machines to receive the PDF document in response to the one or more examined portions of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content, the one or more virtual machines to process at least the one or more examined portions of the PDF document so as to determine whether the PDF document includes malicious network content.
Dependent claims: 2 to 16.

17. A non-transitory computer readable storage medium storing software that, upon execution by a processor, detects malware within a portable document format (PDF) document, the non-transitory computer readable storage medium comprising:
a portable document format (PDF) parser that, when executed by the processor, examines one or more portions of the PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document, wherein the one or more examined portions of the PDF document comprise less than an entirety of the PDF document, and
one or more virtual machines to receive the PDF document in response to the one or more examined portions of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content, the one or more virtual machines to process at least the one or more examined portions of the PDF document so as to determine whether the PDF document includes malicious network content.
Dependent claims: 18 to 32.
Specification