What is it?

PDF Malware Slayer (also known as Slayer) is a tool for the detection of malicious PDF files based on their structure.

Why has it been developed?

A PDF file can embed different types of content (e.g., images, Javascript code, Adobe Flash animations, even other PDF files...), which in the last years have been used to harm the security of  modern computer systems. Due to the variety of these contents, it is very difficult to create a detector that is able to spot every type of attack that is deployed. Even Antivirus have many problems at detecting them. This problem is overcome by the analysis of the structure of the PDF file (therefore, analyzing the "container" and not the content): research showed that there is an evident difference between the structure of malicious and benign PDF Files.


PRA Lab was the first to discover and study this aspect, that has been also extended by other authors in important security conferences.

How does it work?

Slayer implements a powerful algorithm that extracts information from the structure of the PDF files and with which it is possible to detect a huge variety of attacks (even recent and the ones not yet detected by Antivirus). This alghorithm adopts Machine Learning (a branch of artificial intelligence) techniques, with which it is possible to "teach" a system how to distinguish between two (or more) different objects. The system learns by "observing" examples, in a way that is similar to the humans' learning style.