
Using NetWitness to detect malicious PDFs and overcoming obfuscation

Question asked by RSA Admin Employee on Aug 20, 2013
Latest reply on Aug 22, 2013 by SeffyGHops

Hi all,

I am putting together some procedures for detecting a malicious PDF using NetWitness.

So far I have gathered that it is fairly easy to search sessions for common indicators such as embedded JavaScript, Flash and actions such as OpenAction or /URI.

I am aware however that the PDF standard makes it very easy to obfuscate malicious content embedded in PDFs, particularly via the following methods:

  • String splitting across multiple lines using parentheses and backslashes
  • Switching characters for octal or hexadecimal representations
  • Whitespacing between hex characters

I am finding it difficult to work out a way (other than manual investigation) that NW can be used to automate the process of detecting malicious PDFs using drills and searches. I was just wondering if anyone had any experience using NetWitness to detect malicious PDFs, or any ideas on how to overcome common obfuscation attempts?

Thanks in advance!

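The three obfuscation tricks listed in the question all defeat a plain byte search for `/JavaScript`, `/OpenAction` or `/URI`, because the PDF syntax lets the same object be written as `/J#61va#53cript`, as a literal string continued across lines with a trailing backslash and octal escapes, or as a hex string with whitespace between the digits. The usual defensive answer is to normalize the PDF syntax first and only then run the indicator search. The script below is an added example written for this thread; it is not code from the original post and not a NetWitness feature or parser. The indicator list, the constructed sample PDF fragment, and the function names are this example's own assumptions, and the tokenizer is deliberately simplified: it does not handle nested parentheses inside literal strings, and it does not inflate `FlateDecode` streams, which a real pipeline would have to do before this step.

```python
import re

# Indicators the question mentions (JavaScript, Flash/RichMedia, OpenAction, /URI)
# plus a few related action keys. This list is an assumption of the example.
INDICATORS = (
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
    "/URI", "/RichMedia", "/EmbeddedFile",
)

# Single-pass tokenizer for the three object types that can hide a keyword:
#   literal strings  (...)   - backslash escapes, octal codes, backslash-EOL continuation
#   hex strings      <...>   - whitespace is allowed between digits
#   names            /...    - #xx hex escapes for any character
TOKEN = re.compile(
    r"(?P<lit>\((?:\\.|[^\\()])*\))"          # literal string (nested parens not handled)
    r"|<(?P<hex>(?:\s*[0-9A-Fa-f])+\s*)>"     # hex string; never matches the << of a dictionary
    r"|(?P<name>/[^\s()<>\[\]{}/%]*)",        # name object, may contain #xx escapes
    re.DOTALL,
)

ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f",
           "(": "(", ")": ")", "\\": "\\"}


def decode_name(name: str) -> str:
    """Resolve #xx escapes in a PDF name: /J#61va#53cript -> /JavaScript."""
    return re.sub(r"#([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), name)


def decode_hex(body: str) -> str:
    """Decode the digits of a hex string, ignoring whitespace between digits."""
    digits = re.sub(r"\s+", "", body)
    if len(digits) % 2:
        digits += "0"  # PDF rule: a missing final digit is treated as 0
    return bytes.fromhex(digits).decode("latin-1")


def decode_literal(body: str) -> str:
    """Decode the body of a literal string (without the outer parentheses)."""
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        i += 1
        if i >= len(body):
            break  # lone trailing backslash: ignore
        ch = body[i]
        if ch in "01234567":  # \ddd octal, one to three digits
            j = i
            while j < len(body) and j - i < 3 and body[j] in "01234567":
                j += 1
            out.append(chr(int(body[i:j], 8) & 0xFF))
            i = j
        elif ch == "\r":  # backslash-CR or backslash-CRLF: line continuation
            i += 1
            if i < len(body) and body[i] == "\n":
                i += 1
        elif ch == "\n":  # backslash-LF: line continuation, emits nothing
            i += 1
        else:
            out.append(ESCAPES.get(ch, ch))
            i += 1
    return "".join(out)


def _decode_token(m: "re.Match") -> str:
    if m.group("lit") is not None:
        return "(" + decode_literal(m.group("lit")[1:-1]) + ")"
    if m.group("hex") is not None:
        return "(" + decode_hex(m.group("hex")) + ")"
    return decode_name(m.group("name"))


def normalize(raw: bytes) -> str:
    """Rewrite strings and names into their canonical form in one pass."""
    return TOKEN.sub(_decode_token, raw.decode("latin-1"))


def find_indicators(raw: bytes, normalize_first: bool = True) -> dict:
    """Count whole-name occurrences of each indicator, raw or after normalization."""
    text = normalize(raw) if normalize_first else raw.decode("latin-1")
    found = {}
    for ind in INDICATORS:
        # Require a delimiter (or end of data) after the name so /JS does not match /JSx
        n = len(re.findall(re.escape(ind) + r"(?![^\s()<>\[\]{}/%])", text))
        if n:
            found[ind] = n
    return found


# Constructed sample fragment (not a real file) using all three obfuscation styles.
SAMPLE_PDF = b"\n".join([
    b"%PDF-1.4",
    b"1 0 obj << /Type /Catalog /Open#41ction 3 0 R >> endobj",      # #41 = 'A'
    b"3 0 obj << /S /J#61va#53cript /JS (app.al\\",                   # backslash-EOL split
    b"ert\\(\\110\\151\\)) >> endobj",                                 # \( \) and octal 'H','i'
    b"4 0 obj << /S /UR#49 /URI <68 74 74 70 3A 2F 2F> >> endobj",   # spaced hex string
])

if __name__ == "__main__":
    print(normalize(SAMPLE_PDF))
    print("raw scan:       ", find_indicators(SAMPLE_PDF, normalize_first=False))
    print("normalized scan:", find_indicators(SAMPLE_PDF))
```

Run on the constructed sample, the raw scan sees only the unobfuscated `/JS` and one `/URI`, while the scan over the normalized text also surfaces `/OpenAction`, `/JavaScript` and the second `/URI`. The same decoded text is what you would feed into the keyword drills and searches described in the question; matching on the raw session bytes alone will miss every variant the normalizer undoes here.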