PDF Malicious Indicators Extraction Technique Based on Improved Symbolic Execution
| Published in: | Ji suan ji ke xue, Volume 51, Issue 7, pp. 389-396 |
|---|---|
| Main authors: | |
| Format: | Journal Article |
| Language: | Chinese |
| Published: | Chongqing: Guojia Kexue Jishu Bu, Editorial office of Computer Science, 01.07.2024 |
| ISSN: | 1002-137X |
| Summary: | The malicious PDF document is a common attack method used by APT organizations. Analyzing indicators extracted from embedded JavaScript code is an important means of determining the maliciousness of such documents. However, attackers can adopt heavy obfuscation, sandbox detection and other evasion methods to interfere with analysis. Therefore, this paper innovatively applies the symbolic execution method to PDF indicator extraction. We propose a PDF malicious indicator extraction technique based on improved symbolic execution and implement SYMBPDF, an indicator extraction system consisting of three modules: code parsing, symbolic execution and indicator extraction. In the code parsing module, we implement extraction and reorganization of inline JavaScript code. In the symbolic execution module, we design a code rewriting method that forces branch shifting, which improves the code coverage of symbolic execution. We also design a concurrency strategy and two constraint solving optimization methods to improve the efficiency |
| DOI: | 10.11896/jsjkx.230300117 |