I am putting together some procedures for detecting a malicious PDF using Netwitness.
I am aware however that the PDF standard makes it very easy to obfuscate malicious content embedded in PDFs, particularly via the following methods:
String splitting across multiple lines using parenthesis and backslashes
Switching characters for octal or hexadecimal representations
Whitespacing between hex characters
I am finding it difficult to work out a way (Other then manual investigation) that NW can be used to automate the process of detected malicious PDFs using drills and searches and I was just wondering if anyone had any experience using Netwitness to detect malicious PDFs or any ideas how to overcome common obfuscation attempts?