Using clone detection to find malware in Acrobat files
2013
One common vector of malware is JavaScript in Adobe Acrobat (PDF) files. In this paper, we investigate using near-miss clone detectors to find the malware. We start by collecting a set of PDF files containing JavaScript malware and a set with clean JavaScript from the VirusTotal repository. We use the NiCad clone detector to find the classes of clones in a small subset of the malicious PDF files. We evaluate how clone classes can be used to find similar malicious files in the rest of the malicious collection while avoiding files in the benign collection. Our results show that a small training set produced 87% detection of previously known malware with 1% false positives.