Journal in Computer Virology

, Volume 8, Issue 4, pp 151–163 | Cite as

A practical approach on clustering malicious PDF documents

  • Cristina Vatamanu
  • Dragoş Gavriluţ
  • Răzvan Benchea
Original Paper


Starting with 2009, the number of advanced persistent threat attacks has increased. In all of the researched cases, this kind of attacks use a zero-day exploit usually found in a frequently used application. Most of the times, the user has to visit a malicious page or open an infected document sent via e-mail. Even though the attack vector can be found in many forms, this paper addresses the case in which the attack relies on PDF files to deliver the payload. We chose PDF format both because of the high number of attacks it was used in and the key advantages it offers to the attacker. From an attackers perspective, the advantage of this attack is clear in that the PDF-files can be opened by an application on the users computer or in a browser, as most of the browsers support plug-ins that can render PDF files. The use of JavaScript inside PDF files offers two further advantages. The first is that code can be executed on the victims computer while the attack avoids different protection methods. The second benefit is that the JavaScript code can be polymorphic in that two files with the same functionality may look very different. This paper unveils a clustering method based on tokenization of the JavaScript code inside PDF files resistant to most of the obfuscation techniques used in script-based malware pieces. Our clustering method is based on the fact that most of the infected PDF-files (over 93 %) are using JavaScript code. By tokenizing the JavaScript code, describing it in an abstract manner and eliminating different operators used in polymorphism, we are able to obtain classes of files, very similar syntax-wise that can be easily clustered using different methods. Given the fact that virus analysts would likely analyse classes of files rather than isolated files, their work will be significantly reduced. The method of abstraction can be taken one step further and used as a detection mechanism—a technique to evaluate prevalent data or to obtain a subset from a large set without losing data variability.


Virtual Machine Hash Table Manhattan Distance Token Class Obfuscation Technique 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Cova, M., Kruegel, C., Vigna, G.: Detection and Analysis of Drive-by Download Attacks and Malicious JavaScript Code. In Proceedings of International World Wide Web Conference (WWW) (2010)Google Scholar
  2. 2.
    Alexander Moshchuk, Tanya Bragin, Damien Deville, Steven D. Gribble, and Henry M. Levy: SpyProxy: Execution-based Detection of Malicious Web Content. In Proceedings of the USENIX Security Symposium (2007)Google Scholar
  3. 3.
    Canali, D., Cova, M., Vigna, G., Kruegel, C.: Prophiler: a Fast Filter for the Large-Scale Detection of Malicious Web Pages. 20th International World Wide Web Conference (2011)Google Scholar
  4. 4.
    Curtsinger, C., Livshits, B., Zorn, B., Seifert, C.: Zozzle: Low-overhead Mostly Static JavaScript Malware Detection. USENIX Security Symposium, August 2011Google Scholar
  5. 5.
    Karanth, S., Laxman, S., Naldurg, P., Venkatesan, R., Lambert, J., Shin, J.: Pattern Mining for Future Attacks (2010)Google Scholar
  6. 6.
    Mozgovoy, M., Fredriksson, K., White, D., Joy M., Sutinen, E.: Fast Plagiarism Detection System. 12th International Conference (SPIRE 2005)Google Scholar
  7. 7.
    Prechelt, L., Malpohl, G., Phlippsen, M.: JPlag: Finding plagiarisms among a set of programs. Technical report, Fakultat for Informatik, Universitat Karlsruhe (2000)Google Scholar
  8. 8.
    Feinstein, B., Peck, D.: Automated Collection, Detection and Analysis of Malicious JavaScript. In Proceedings of the Black Hat Security Conference (2007)Google Scholar
  9. 9.
    Selvaraj, K., Gutierrez, N.F.: The Rise Of PDF Malware. In Symantec Security Response, (2010) (
  10. 10.
    Manning C.D., Raghavan P., Schtze H.: Introduction To Information Retrieval, chapter 16 and 17. Cambridge University Press, Cambridge (2008)CrossRefGoogle Scholar
  11. 11.
    Crockford, D.:Ecma Reference,, July 2006. (
  12. 12.
    Rivest, R.: MIT Laboratory for Computer Science and RSA Data Security, Inc., April 1992. (
  13. 13.
    Eastlake, D.: Motorola P.Jones Cisco Systems, September 2001. (
  14. 14.
    Eastlake, D., Hansen, T.: Huawei, AT&T Labs, May 2011. (
  15. 15.
    Nikolas, A.: Fast and Compact Hash Tables for Integer Keys (2009) (
  16. 16.
    MITRE Corporation. Common Vulnerabilities and Exposures (CVE).
  17. 17.
    Stanley, K.L., Mishra, S.K.: De novo SVM classification of precursor microRNAs from genomic pseudo hairpins using global and intrinsic folding measures (2007)Google Scholar

Copyright information

© Springer-Verlag France 2012

Authors and Affiliations

  • Cristina Vatamanu
    • 1
    • 2
  • Dragoş Gavriluţ
    • 1
    • 3
  • Răzvan Benchea
    • 1
    • 3
  1. 1.BitDefender AntiMalware LaboratoryIaşiRomania
  2. 2.Gheorghe Asachi UniversityIaşiRomania
  3. 3.Alexandru Ioan Cuza UniversityIaşiRomania

Personalised recommendations