Digital Investigation of PDF Files: Unveiling Traces of Embedded Malware
Davide Maiorca, Battista Biggio

TL;DR
This paper reviews techniques for analyzing PDF files to detect embedded malware, discussing current attack methods, analysis tools, limitations, and future research directions in digital forensics.
Contribution
It provides a comprehensive overview of PDF malware analysis techniques, highlighting current tools, limitations, and proposing future research avenues.
Findings
PDF malware remains a significant cyber threat.
Current analysis tools support forensic investigations.
Limitations exist in detection capabilities.
Abstract
Over the last decade, malicious software (or malware, for short) has shown increasing sophistication and proliferation, fueled by a flourishing underground economy, in response to the increasing complexity of modern defense mechanisms. PDF documents are among the major vectors used to convey malware, thanks to the flexibility of their structure and the ability to embed different kinds of content, ranging from images to JavaScript code. Despite the numerous efforts made by the research and industrial communities, PDF malware is still one of the major threats in the cyber-security landscape. In this paper, we provide an overview of the current attack techniques used to convey PDF malware, and discuss state-of-the-art PDF malware analysis tools that provide valuable support to digital forensic investigations. We finally discuss limitations and open issues of the current defense…
