CR LG · Jan 19

PDFInspect: A Unified Feature Extraction Framework for Malicious Document Detection

arXiv:2601.12866v1
Originality: Synthesis-oriented

AI Analysis

This addresses the need for robust feature extraction in cybersecurity to combat increasing malicious PDF threats, but it appears incremental as it combines existing techniques into a unified framework.

The paper tackles the problem of detecting malicious PDF files by developing a unified framework that integrates graph-based, structural, and metadata-driven analysis to generate a 170-dimensional feature representation, enabling effective detection and analysis for downstream tasks like malware classification.

The increasing prevalence of malicious Portable Document Format (PDF) files necessitates robust and comprehensive feature extraction techniques for effective detection and analysis. This work presents a unified framework that integrates graph-based, structural, and metadata-driven analysis to generate a rich feature representation for each PDF document. The system extracts text from PDF pages and constructs undirected graphs based on pairwise word relationships, enabling the computation of graph-theoretic features such as node count, edge density, and clustering coefficient. Simultaneously, the framework parses embedded metadata to quantify character distributions, entropy patterns, and inconsistencies across fields such as author, title, and producer. Temporal features are derived from creation and modification timestamps to capture behavioral signatures, while structural elements, including object streams, fonts, and embedded images, are quantified to reflect document complexity. Boolean flags for potentially malicious PDF constructs (e.g., JavaScript, launch actions) are also extracted. Together, these features form a high-dimensional vector representation (170 dimensions) that is well-suited for downstream tasks such as malware classification, anomaly detection, and forensic analysis. The proposed approach is scalable, extensible, and designed to support real-world PDF threat intelligence workflows.
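As an added illustration, not code from the paper, the Python below sketches three of the feature families the abstract lists (boolean flags and structural counts from PDF name tokens, metadata entropy and character statistics, and word-graph metrics) over a constructed PDF-like byte string. Page-text extraction is assumed to happen elsewhere and is stood in for by a constructed string; the name list, the metadata fields and the rule that links each word to the next two distinct words are assumptions, since the abstract does not specify them.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample: a PDF-like byte string invented for this example, not a real document.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n2 0 obj << /Title (Invoice)"
              b" /Author (A) /Producer (\x01\x02\x7f) >> endobj\n3 0 obj << /S /JavaScript /JS (placeholder) >>"
              b" endobj\n4 0 obj << /Type /ObjStm /N 2 >> endobj\n5 0 obj << /Type /Font /Subtype /Type1 >> endobj\n")
SAMPLE_TEXT = "open the attached invoice and open the link"  # stands in for text extracted from the pages
SUSPICIOUS = ("/JavaScript", "/JS", "/Launch", "/OpenAction", "/AA", "/EmbeddedFile")  # boolean flags
STRUCTURAL = ("/ObjStm", "/Font", "/Image", " obj")  # complexity counts

def count_name(data: bytes, name: str) -> int:
    # Count a PDF name token; the lookahead stops "/JS" from also matching longer names.
    return len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z])", data))

def token_features(data: bytes) -> dict:
    # Flags for constructs that can trigger code or external actions, plus structural counts.
    feats = {n: count_name(data, n) > 0 for n in SUSPICIOUS}
    feats.update({n.strip(): count_name(data, n) for n in STRUCTURAL})
    return feats

def shannon_entropy(s: bytes) -> float:
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def metadata_features(data: bytes) -> dict:
    # Presence, byte entropy and non-printable ratio of Info-dictionary string fields.
    feats = {}
    for field in ("Title", "Author", "Producer"):
        m = re.search(rb"/" + field.encode() + rb"\s*\(([^)]*)\)", data)
        val = m.group(1) if m else b""
        feats[field + "_present"] = m is not None
        feats[field + "_entropy"] = shannon_entropy(val)
        feats[field + "_nonprint"] = sum(b < 32 or b > 126 for b in val) / len(val) if val else 0.0
    return feats

def word_graph_features(text: str, span: int = 2) -> dict:
    # Undirected word graph: each word links to the next `span` distinct words (pairing rule assumed).
    words, adj = re.findall(r"[a-z]+", text.lower()), defaultdict(set)
    for i, w in enumerate(words):
        adj[w]  # touching the key makes isolated words nodes too
        for v in words[i + 1:i + 1 + span]:
            if v != w:
                adj[w].add(v); adj[v].add(w)
    n, e, cc = len(adj), sum(len(s) for s in adj.values()) // 2, 0.0  # cc: sum of per-node clustering
    for nb in adj.values():
        closed = sum(1 for a in nb for b in nb if a < b and b in adj.get(a, ()))  # linked neighbour pairs
        cc += 2 * closed / (len(nb) * (len(nb) - 1)) if len(nb) > 1 else 0.0
    return {"nodes": n, "edges": e, "density": 2 * e / (n * (n - 1)) if n > 1 else 0.0, "clustering": cc / n if n else 0.0}
```

Merging the three dicts gives one flat vector per document; a real pipeline would add the timestamp-derived features and run the same token scan over decompressed streams, since names hidden inside compressed objects are not visible to a raw byte scan.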
