Systems and methods for analyzing malicious PDF network content

US 9,438,622 B1
Filed: 03/30/2015
Issued: 09/06/2016
Est. Priority Date: 11/03/2008
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a processor; and

a memory device coupled to the processor, the memory device comprises a portable document format (PDF) parser that, when executed by the processor, examines one or more portions of a PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document, wherein the one or more examined portions of the PDF document comprise less than an entirety of the PDF document, andone or more virtual machines to receive the PDF document in response to the one or more examined portions of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content, the one or more virtual machines to process at least the one or more examined portions of the PDF document so as to determine whether the PDF document includes malicious network content.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for analyzing malicious PDF network content are provided herein. According to some embodiments, a PDF parser examines a body portion of a PDF document received over a network and intended for a digital device and determines if one or more suspicious characteristics indicative of malicious network content are included in the examined body portion of the PDF document. The examined body portion of the PDF document is lesser in size than an entirety of the body portion of the PDF document. When the portion of the body section of the PDF document is determined to include one or more suspicious characteristics indicative of malicious network content, the PDF document is provided to one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the portion of the body section of the PDF document. Such verification comprises execution of a PDF reader application by the one or more virtual machines to process the portion of the body section of the PDF document and monitor behavior of the PDF document so as to determine if the portion of the body section of the PDF document includes malicious network content.

659 Citations

32 Claims

1. A system comprising:
- a processor; and
  
  a memory device coupled to the processor, the memory device comprises a portable document format (PDF) parser that, when executed by the processor, examines one or more portions of a PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document, wherein the one or more examined portions of the PDF document comprise less than an entirety of the PDF document, andone or more virtual machines to receive the PDF document in response to the one or more examined portions of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content, the one or more virtual machines to process at least the one or more examined portions of the PDF document so as to determine whether the PDF document includes malicious network content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1, wherein a determination by the PDF parser if the one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document, comprises:
    - determining a score associated with the one or more suspicious characteristics for the PDF document, the score indicative of a probability that the PDF document includes malicious network content; and
      
      identifying the PDF document as suspicious if the score satisfies a threshold value.
  - 3. The system of claim 1, wherein a body portion of the PDF document is examined and the entirety of the PDF document is not examined prior to providing the PDF document to the one or more virtual machines.
  - 4. The system of claim 3, wherein at least one of a header, a cross-reference table, or a trailer of the PDF document is not examined prior to providing the PDF document to the one or more virtual machines.
  - 5. The system of claim 1 wherein the PDF parser, when executed by the processor, examines the PDF document by at least applying heuristics to determine if at least one suspicious characteristic indicative of malicious network content is included in the PDF document.
  - 6. The system of claim 1, wherein the memory further comprises a module that, when executed by the processor, prevents the delivery of the PDF document verified to include malicious network content to a web browser application from which the delivery was requested.
  - 7. The system of claim 1, wherein an examination of the one or more portions of the PDF document by the PDF parser, when executed by the processor, further comprises:
    - examining at least one of a header section or a body section of the PDF document; and
      
      when the body section or the header section of the PDF document is determined to include one or more suspicious characteristics indicative of malicious network content, providing the PDF document to the one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the PDF document.
  - 8. The system of claim 1, wherein the one or more virtual machines includes two or more augmented finite state machines, the two or more augmented finite state machines each including a configuration that includes at least one set of operating system instructions, at least one set of web browser instructions, and at least one set of PDF reader instructions, the configuration of each of the two or more augmented finite state machines being different from one another.
  - 9. The system of claim 1, wherein the examining of the one or more portions of the PDF document by the PDF parser further comprises:
    - examining one or more of a header section, a body section, a trailer section, or a cross-reference table section of the PDF document; and
      
      providing the PDF document to the one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the PDF document when one or more of the body section, the header section, the trailer section or the cross-reference table section of the PDF document is determined to include one or more suspicious characteristics indicative of malicious network content.
  - 10. The system of claim 1 further comprising a data access component communicatively coupled to the processor, the data access component to intercept at least the PDF document before the PDF parser examines the one or more portions of the PDF document.
  - 11. The system of claim 10, wherein the one or more portions of the PDF document comprises a body section of the PDF document.
  - 12. The system of claim 1, wherein the one or more virtual machines are configured based on at least data associated with the PDF document in response to the one or more examined portions of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content.
  - 13. The system of claim 12, wherein the one or more virtual machines are configured based on one or more PDF specification version numbers of the PDF document.
  - 14. The system of claim 13, wherein a PDF specification version number of the one or more PDF specification version numbers is used to identify a PDF reader application version to be run in a virtual machine of the one or more virtual machines.
  - 15. The system of claim 1, wherein the one or more examined portions of the PDF document comprises a body section and a header section of the PDF document.
  - 16. The system of claim 1, wherein a header of the PDF document is examined and the entirety of the PDF document is not examined prior to providing the PDF document to the one or more virtual machines.

17. A non-transitory computer readable storage medium storing software that, upon execution by a processor, detects malware within a portable document format (PDF) document, the non-transitory computer readable storage medium comprising:
- a portable document format (PDF) parser that, when executed by the processor, examines one or more portions of the PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document, wherein the one or more examined portions of the PDF document comprise less than an entirety of the PDF document, andone or more virtual machines to receive the PDF document in response to the one or more examined portions of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content, the one or more virtual machines to process at least the one or more examined portions of the PDF document so as to determine whether the PDF document includes malicious network content.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. The non-transitory computer readable storage medium of claim 17, wherein a determination by the PDF parser if the one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document, comprises:
    - determining a score associated with the one or more suspicious characteristics for the PDF document, the score indicative of a probability that the PDF document includes malicious network content; and
      
      identifying the PDF document as suspicious if the score satisfies a threshold value.
  - 19. The non-transitory computer readable storage medium of claim 17, wherein the PDF parser examines a body portion of the PDF document and the entirety of the PDF document is not examined prior to providing the PDF document to the one or more virtual machines.
  - 20. The non-transitory computer readable storage medium of claim 19, wherein at least one of a header, a cross-reference table, or a trailer of the PDF document is not examined prior to providing the PDF document to the one or more virtual machines.
  - 21. The non-transitory computer readable storage medium of claim 17 wherein the PDF parser, when executed by the processor, examines the PDF document by at least applying heuristics to determine if at least one suspicious characteristic indicative of malicious network content is included in the PDF document.
  - 22. The non-transitory computer readable storage medium of claim 17, wherein the memory further comprises a module that, when executed by the processor, prevents the delivery of the PDF document verified to include malicious network content to a web browser application from which the delivery was requested.
  - 23. The non-transitory computer readable storage medium of claim 17, wherein an examination of the one or more portions of the PDF document by the PDF parser, when executed by the processor, further comprises:
    - examining at least one of a header section or a body section of the PDF document; and
      
      when the body section or the header section of the PDF document is determined to include one or more suspicious characteristics indicative of malicious network content, providing the PDF document to the one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the PDF document.
  - 24. The non-transitory computer readable storage medium of claim 17, wherein the one or more virtual machines includes two or more augmented finite state machines, the two or more augmented finite state machines each including a configuration that includes at least one set of operating system instructions, at least one set of web browser instructions, and at least one set of PDF reader instructions, the configuration of each of the two or more augmented finite state machines being different from one another.
  - 25. The non-transitory computer readable storage medium of claim 17, wherein the examining of the one or more portions of the PDF document by the PDF parser further comprises:
    - examining one or more of a header section, a body section, a trailer section, or a cross-reference table section of the PDF document; and
      
      providing the PDF document to the one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the PDF document when one or more of the body section, the header section, the trailer section or the cross-reference table section of the PDF document is determined to include one or more suspicious characteristics indicative of malicious network content.
  - 26. The non-transitory computer readable storage medium of claim 17 further comprising a data access component communicatively coupled to the processor, the data access component to intercept at least the PDF document before the PDF parser examines the one or more portions of the PDF document.
  - 27. The non-transitory computer readable storage medium of claim 26, wherein the one or more portions of the PDF document comprises a body section of the PDF document.
  - 28. The non-transitory computer readable storage medium of claim 17, wherein the one or more virtual machines are configured based on at least data associated with the PDF document in response to the one or more examined portions of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content.
  - 29. The non-transitory computer readable storage medium of claim 28, wherein the one or more virtual machines are configured based on one or more PDF specification version numbers of the PDF document.
  - 30. The non-transitory computer readable storage medium of claim 29, wherein a PDF specification version number of the one or more PDF specification version numbers is used to identify a specific PDF reader application version to be run in a virtual machine of the one or more virtual machines.
  - 31. The non-transitory computer readable storage medium of claim 17, wherein the one or more examined portions of the PDF document comprises a body section and a header section of the PDF document.
  - 32. The non-transitory computer readable storage medium of claim 17, wherein the PDF parser examines a header of the PDF document and the entirety of the PDF document is not examined prior to providing the PDF document to the one or more virtual machines.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Staniford, Stuart Gresley, Aziz, Ashar
Primary Examiner(s)
Lesniewski, Victor

Application Number

US14/673,292
Time in Patent Office

526 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

H04L 2463/144   Detection or countermeasure...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Systems and methods for analyzing malicious PDF network content

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

659 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for analyzing malicious PDF network content

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

659 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links