PDF Analysis Primer
The Sourcefire Vulnerability Research Team has released a beginners' guide to PDF analysis. Well worth the read, and very timely considering that, according to a report released by a security firm in February 2010, 80% of all exploits in 2009 originated with malicious PDFs.
For obvious reasons, the VRT has been spending a lot of time on the PDF format lately. While the attack researchers have been concentrating on fuzzing, reverse engineering and data flow analysis, the defense researchers have been automating the backend analysis of PDF submissions. As part of this effort, we’ve had to do a very deep dive on the PDF format. I thought it might be useful to share some of what we’re seeing come in our data feeds, and what you should look for when reviewing PDF files.