PDF Malicious Indicators Extraction Technique Based on Improved Symbolic Execution


Full description

Bibliographic details
Published in: Ji suan ji ke xue Vol. 51; No. 7; pp. 389-396
Main authors: Song, Enzhou, Hu, Tao, Yi, Peng, Wang, Wenbo
Format: Journal Article
Language: Chinese
Published: Chongqing Guojia Kexue Jishu Bu 01.07.2024
Editorial office of Computer Science
Subjects:
ISSN: 1002-137X
Online access: Full text
Description
Summary: The malicious PDF document is a common attack method used by APT organizations. Analyzing extracted indicators of embedded JavaScript code is an important means to determine the maliciousness of the documents. However, attackers can adopt high obfuscation, sandbox detection and other escape methods to interfere with analysis. Therefore, this paper innovatively applies the symbolic execution method to PDF indicator extraction. We propose a PDF malicious indicator extraction technique based on improved symbolic execution and implement SYMBPDF, an indicator extraction system consisting of three modules: code parsing, symbolic execution and indicator extraction. In the code parsing module, we implement extraction and reorganization of inline JavaScript code. In the symbolic execution module, we design a code rewriting method to force branch shifting, which improves the code coverage of symbolic execution. We also design a concurrency strategy and two constraint solving optimization methods to improve the efficiency
Bibliography: ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
DOI: 10.11896/jsjkx.230300117