Table of Contents
Fetching ...

PDFInspect: A Unified Feature Extraction Framework for Malicious Document Detection

Sharmila S P

TL;DR

PDFInspect addresses the need for robust malicious-PDF detection by unifying multiple analytical perspectives into a single feature-extraction pipeline. It combines text-to-graph representations, metadata/structural analysis, and character-entropy features to produce a 170-dimensional signature per document, suitable for classification, clustering, and anomaly detection. Empirical results on a large real-world corpus show that the proposed feature set outperforms baselines across diverse models, with the KAN network achieving the highest accuracy and AUC, demonstrating strong resilience to evasion techniques. The approach is scalable and modular, enabling deployment in threat-intelligence workflows and offering a foundation for integrating dynamic observations in future work.

Abstract

The increasing prevalence of malicious Portable Document Format (PDF) files necessitates robust and comprehensive feature extraction techniques for effective detection and analysis. This work presents a unified framework that integrates graph-based, structural, and metadata-driven analysis to generate a rich feature representation for each PDF document. The system extracts text from PDF pages and constructs undirected graphs based on pairwise word relationships, enabling the computation of graph-theoretic features such as node count, edge density, and clustering coefficient. Simultaneously, the framework parses embedded metadata to quantify character distributions, entropy patterns, and inconsistencies across fields such as author, title, and producer. Temporal features are derived from creation and modification timestamps to capture behavioral signatures, while structural elements including, object streams, fonts, and embedded images, are quantified to reflect document complexity. Boolean flags for potentially malicious PDF constructs (e.g., JavaScript, launch actions) are also extracted. Together, these features form a high-dimensional vector representation (170 dimensions) that is well-suited for downstream tasks such as malware classification, anomaly detection, and forensic analysis. The proposed approach is scalable, extensible, and designed to support real-world PDF threat intelligence workflows.6

PDFInspect: A Unified Feature Extraction Framework for Malicious Document Detection

TL;DR

PDFInspect addresses the need for robust malicious-PDF detection by unifying multiple analytical perspectives into a single feature-extraction pipeline. It combines text-to-graph representations, metadata/structural analysis, and character-entropy features to produce a 170-dimensional signature per document, suitable for classification, clustering, and anomaly detection. Empirical results on a large real-world corpus show that the proposed feature set outperforms baselines across diverse models, with the KAN network achieving the highest accuracy and AUC, demonstrating strong resilience to evasion techniques. The approach is scalable and modular, enabling deployment in threat-intelligence workflows and offering a foundation for integrating dynamic observations in future work.

Abstract

The increasing prevalence of malicious Portable Document Format (PDF) files necessitates robust and comprehensive feature extraction techniques for effective detection and analysis. This work presents a unified framework that integrates graph-based, structural, and metadata-driven analysis to generate a rich feature representation for each PDF document. The system extracts text from PDF pages and constructs undirected graphs based on pairwise word relationships, enabling the computation of graph-theoretic features such as node count, edge density, and clustering coefficient. Simultaneously, the framework parses embedded metadata to quantify character distributions, entropy patterns, and inconsistencies across fields such as author, title, and producer. Temporal features are derived from creation and modification timestamps to capture behavioral signatures, while structural elements including, object streams, fonts, and embedded images, are quantified to reflect document complexity. Boolean flags for potentially malicious PDF constructs (e.g., JavaScript, launch actions) are also extracted. Together, these features form a high-dimensional vector representation (170 dimensions) that is well-suited for downstream tasks such as malware classification, anomaly detection, and forensic analysis. The proposed approach is scalable, extensible, and designed to support real-world PDF threat intelligence workflows.6
Paper Structure (17 sections, 23 equations, 2 figures, 3 tables)