Systems and methods for analyzing PDF documents

US 9,954,890 B1
Filed: 09/02/2016
Issued: 04/24/2018
Est. Priority Date: 11/03/2008
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a hardware processor; and

a memory device coupled to the processor, the memory device comprisesa parser that, when executed by the hardware processor, examines one or more portions of a Portable Document Format (PDF) document to determine if one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document, wherein the one or more examined portions of the PDF document comprise less than an entirety of the PDF document, andone or more virtual machines to receive the PDF document in response to the one or more examined portions of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content, the one or more virtual machines to process at least the one or more examined portions of the PDF document so as to determine whether the PDF document includes malicious network content.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting malicious activity within a Portable Document Format (PDF) document. The system includes a parser and one or more virtual machines. The parser that, when executed by a hardware processor, examines one or more portions of the PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document. The examined portion(s) in total are less than an entirety of the PDF document. The virtual machine(s) are adapted to receive the PDF document in response to the one or more examined portions of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content. The virtual machine(s) to process at least the one or more examined portions of the PDF document so as to determine whether the PDF document includes malicious network content.

644 Citations

61 Claims

1. A system comprising:
- a hardware processor; and
  
  a memory device coupled to the processor, the memory device comprisesa parser that, when executed by the hardware processor, examines one or more portions of a Portable Document Format (PDF) document to determine if one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document, wherein the one or more examined portions of the PDF document comprise less than an entirety of the PDF document, andone or more virtual machines to receive the PDF document in response to the one or more examined portions of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content, the one or more virtual machines to process at least the one or more examined portions of the PDF document so as to determine whether the PDF document includes malicious network content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The system of claim 1, wherein the PDF document is received by the system over a communication network.
  - 3. The system of claim 2, wherein a body portion of the PDF document is examined and the entirety of the PDF document is not examined prior to providing the PDF document to the one or more virtual machines.
  - 4. The system of claim 3, wherein at least one of a header, a cross-reference table, or a trailer of the PDF document is not examined prior to providing the PDF document to the one or more virtual machines.
  - 5. The system of claim 2 being communicatively coupled to a digital data tap being a device connected to the communication network to intercept the PDF document being transmitted from a web server and to provide at least the PDF document to the system.
  - 6. The system of claim 5, wherein the digital data tap being configured to monitor network data over the communication network and provide the PDF document within the network data as the PDF document to the parser being executed by the hardware processor.
  - 7. The system of claim 1, wherein the parser examines the one or more portions of the PDF document by at least:
    - examining one or more of a header section, a body section, a trailer section, or a cross-reference table section of the PDF document; and
      
      providing the PDF document to the one or more virtual machines to verify the inclusion of malicious network content in the PDF document when one or more of the body section, the header section, the trailer section or the cross-reference table section of the PDF document is determined to include one or more suspicious characteristics indicative of malicious network content.
  - 8. The system of claim 7, wherein the cross-reference table allows a PDF reader application to parse pages of the PDF document without a need of parsing the PDF document in its entirety.
  - 9. The system of claim 7, wherein the cross-reference table of the PDF document includes offset information indicative of a portion of objects within content of the PDF document.
  - 10. The system of claim 9, wherein the body of the PDF document includes one or more objects included as part of the content of the PDF document.
  - 11. The system of claim 1, wherein the one or more virtual machines are configured based on one or more specification version numbers of the PDF document.
  - 12. The system of claim 11, wherein a specification version number of the one or more specification version numbers is used to identify a reader application version to be run in a virtual machine of the one or more virtual machines.
  - 13. The system of claim 1, wherein the one or more examined portions of the PDF document comprises a body section and a header section of the PDF document received over a communication network.
  - 14. The system of claim 1, wherein a determination by the parser if the one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document, comprises:
    - determining a score associated with the one or more suspicious characteristics for the PDF document, the score indicative of a probability that the PDF document includes malicious network content; and
      
      identifying the PDF document as suspicious if the score satisfies a threshold value.
  - 15. The system of claim 1, wherein the parser, when executed by the processor, examines the PDF document by at least applying heuristics to determine if at least one suspicious characteristic indicative of malicious network content is included in the PDF document.
  - 16. The system of claim 1, wherein the memory further comprises a module that, when executed by the processor, prevents the delivery of the PDF document verified to include malicious network content to a web browser application from which the delivery was requested.
  - 17. The system of claim 1, wherein the parser examines the one or more portions of the PDF document by at leastexamining a header section of the PDF document and the entirety of the PDF document is not examined prior to providing the PDF document to the one or more virtual machines;
    - andwhen the header section of the PDF document is determined to include one or more suspicious characteristics indicative of malicious network content, providing the PDF document to the one or more virtual machines to verify the inclusion of malicious network content in the PDF document.
  - 18. The system of claim 1, wherein the parser examines the one or more portions of the PDF document by at leastexamining a body section of the PDF document;
    - andwhen the body section of the PDF document is determined to include one or more suspicious characteristics indicative of malicious network content, providing the PDF document to the one or more virtual machines to verify the inclusion of malicious network content in the PDF document.
  - 19. The system of claim 1, wherein the one or more virtual machines are configured based on at least data associated with the PDF document in response to the one or more examined portions of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content.
  - 20. The system of claim 1, wherein the PDF document is included as part of an HTML document.
  - 21. The system of claim 1, wherein the parser, upon execution by the processor, examines the PDF document by decoding content within the PDF document prior to parsing content within the PDF document.
  - 22. The system of claim 1, wherein the parser is configured to determine the one or more suspicious characteristics including examining the one or more examined portions of the PDF document for a specific type or types of JavaScript code.
  - 23. The system of claim 1, wherein the one or more virtual machines process at least the one or more examined portions of the PDF document using both a PDF reader application and a web browser application.
  - 24. The system of claim 23, wherein the PDF reader application and the web browser application cooperate with each other via a plug-in.
  - 25. The system of claim 1, wherein a first virtual machine of the one or more virtual machines processes at least the one or more examined portions of the PDF document using a PDF reader application and at least a second application operating in cooperation with the PDF reader application.
  - 26. The system of claim 25, wherein the second application operates in cooperation with the PDF reader application via a plug-in.
  - 27. The system of claim 26, wherein the second application includes a web browser application.

28. A non-transitory computer readable storage medium storing software that, upon execution by a processor, detects malware within a Portable Document Format (PDF) document, the non-transitory computer readable storage medium comprising:
- a parser that, when executed by the processor, examines one or more portions of the PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document, wherein the one or more examined portions of the PDF document comprise less than an entirety of the PDF document, andone or more virtual machines to receive the PDF document in response to the one or more examined portions of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content, the one or more virtual machines to process at least the one or more examined portions of the PDF document so as to determine whether the PDF document includes malicious network content.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 29. The non-transitory computer readable storage medium of claim 28, wherein the parser determines if the one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document by at least:
    - determining a score associated with the one or more suspicious characteristics for the PDF document, the score indicative of a probability that the PDF document includes malicious network content; and
      
      identifying the PDF document as suspicious if the score satisfies a threshold value.
  - 30. The non-transitory computer readable storage medium of claim 28, wherein the PDF document is received by the system over a communication network.
  - 31. The non-transitory computer readable storage medium of claim 28, wherein at least one of a header, a cross-reference table, or a trailer of the PDF document is not examined prior to providing the PDF document to the one or more virtual machines.
  - 32. The non-transitory computer readable storage medium of claim 28, wherein an examination of the one or more portions of the PDF document by the parser, when executed by the processor, further comprises:
    - examining at least one of a header section or a body section of the PDF document; and
      
      when the body section or the header section of the PDF document is determined to include one or more suspicious characteristics indicative of malicious network content, providing the PDF document to the one or more virtual machines to verify the inclusion of malicious network content in the PDF document.
  - 33. The non-transitory computer readable storage medium of claim 28, wherein the parser examines a body portion of the PDF document and the entirety of the PDF document is not examined prior to providing the PDF document to the one or more virtual machines.
  - 34. The non-transitory computer readable storage medium of claim 28 wherein the parser, when executed by the processor, examines the PDF document by at least applying heuristics to determine if at least one suspicious characteristic indicative of malicious network content is included in the PDF document.
  - 35. The non-transitory computer readable storage medium of claim 28, wherein the medium further comprises a module that, when executed by the processor, prevents the delivery of the PDF document verified to include malicious network content to a web browser application from which the delivery was requested.
  - 36. The non-transitory computer readable storage medium of claim 28, wherein the one or more virtual machines are configured based on at least data associated with the PDF document in response to the one or more examined portions of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content.
  - 37. The non-transitory computer readable storage medium of claim 36, wherein the one or more virtual machines are configured based on one or more specification version numbers of the PDF document.
  - 38. The non-transitory computer readable storage medium of claim 37, wherein a specification version number of the one or more specification version numbers is used to identify a specific reader application version to be run in a virtual machine of the one or more virtual machines.
  - 39. The non-transitory computer readable storage medium of claim 28, wherein the one or more examined portions of the PDF document comprises a body section and a header section of the PDF document.
  - 40. The non-transitory computer readable storage medium of claim 28, wherein the parser examines a header of the PDF document and the entirety of the PDF document is not examined prior to providing the PDF document to the one or more virtual machines.
  - 41. The non-transitory computer readable storage medium of claim 28, wherein a first virtual machine of the one or more virtual machines processes at least the one or more examined portions of the PDF document using a PDF reader application and at least a second application operating in cooperation with the PDF reader application.
  - 42. The non-transitory computer readable storage medium of claim 41, wherein the second application operates in cooperation with the PDF reader application via a plug-in.
  - 43. The non-transitory computer readable storage medium of claim 42, wherein the second application includes a web browser application.
  - 44. The non-transitory computer readable storage medium of claim 28, wherein the PDF document is included as part of an HTML document.
  - 45. The non-transitory computer readable storage medium of claim 28, wherein the parser, upon execution by the processor, examines the PDF document by decoding content within the PDF document prior to parsing content within the PDF document.
  - 46. The non-transitory computer readable storage medium of claim 28, wherein the parser is configured to determine the one or more suspicious characteristics including examining the one or more examined portions of the PDF document for a specific type or types of JavaScript code.

47. A computerized method, comprising:
- examining, by a parser executed by a hardware processor, one or more portions of a Portable Document Format (PDF) document to determine if one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document, wherein the one or more examined portions of the PDF document comprise less than an entirety of the PDF document, andupon the one or more examined portions of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content, receiving the PDF document by one or more virtual machines to process at least the one or more examined portions of the PDF document so as to determine whether the PDF document includes malicious network content.
- View Dependent Claims (48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61)
- - 48. The method of claim 47, wherein the examining of the one or more portions of the PDF document comprises:
    - determining a score associated with the one or more suspicious characteristics for the PDF document, the score indicative of a probability that the PDF document includes malicious network content; and
      
      identifying the PDF document as suspicious if the score satisfies a threshold value.
  - 49. The method of claim 47, wherein prior to the examining of the one or more portions of the PDF document, the method further comprisesreceiving the PDF document over a communication network.
  - 50. The method of claim 47, wherein the examining of the one or more portions of the PDF document excludes from an examination of at least one of a header, a cross-reference table, or a trailer of the PDF document prior to providing the PDF document to the one or more virtual machines.
  - 51. The method of claim 47, the examining of the one or more portions of the PDF document comprises:
    - examining at least one of a header section or a body section of the PDF document; and
      
      when the body section or the header section of the PDF document is determined to include one or more suspicious characteristics indicative of malicious network content, providing the PDF document to the one or more virtual machines to verify the inclusion of malicious network content in the PDF document.
  - 52. The method of claim 47 wherein the examining of the one or more portions of the PDF document comprises examining the PDF document by at least applying heuristics to determine if at least one suspicious characteristic indicative of malicious network content is included in the PDF document.
  - 53. The method of claim 47 further comprising:
    - preventing the delivery of the PDF document verified to include malicious network content to a web browser application from which the delivery was requested.
  - 54. The method of claim 47, wherein the one or more virtual machines are configured based on at least data associated with the PDF document in response to the one or more examined portions of the PDF documents being determined to include the one or more suspicious characteristics.
  - 55. The method of claim 54, wherein the one or more virtual machines are configured based on one or more specification version numbers of the PDF document.
  - 56. The method of claim 55, wherein a specification version number of the one or more specification version numbers is used to identify a specific reader application version to be run in a virtual machine of the one or more virtual machines.
  - 57. The method of claim 47, wherein the one or more examined portions of the PDF document comprises a body section and a header section of the PDF document.
  - 58. The method of claim 47, wherein the examining of the one or more portions of the PDF document comprises examining a header of the PDF document and the entirety of the PDF document is not examined prior to the PDF document being received by the one or more virtual machines.
  - 59. The method of claim 47, wherein prior to examining the one or more portions of the PDF document, the method further comprising receiving the PDF document from a web server via a network.
  - 60. The method of claim 59, wherein prior to receiving of the PDF document, monitoring network data being transmitted over the network between the web server and a client device and intercepting the PDF document being sent to the client device from the web server.
  - 61. The method of claim 60, wherein the intercepting of the PDF document includes providing a copy of the PDF document as the PDF document to the parser.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
FireEye, Inc.
Original Assignee
FireEye, Inc.
Inventors
Staniford, Stuart Gresley, Aziz, Ashar
Primary Examiner(s)
Lesniewski, Victor

Application Number

US15/256,367
Time in Patent Office

599 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

H04L 2463/144   Detection or countermeasure...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Systems and methods for analyzing PDF documents

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

644 Citations

61 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for analyzing PDF documents

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

644 Citations

61 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links