resources for analyzing malicious PDFs

If you want to get a toe into the world of analyzing malicious PDF files, check out this analysis walkthrough, including all the various tools and links therein, for a great start. The PDF format is well defined and not that large, and in most malicious samples the payload is embedded JavaScript, so really you just need to understand some JavaScript to figure out what is going on (not every malicious PDF relies on JavaScript; /Launch actions and exploits against the PDF parser itself exist too, but JavaScript is by far the common case). Clearly, a little bit of scripting knowledge (in the link above, Python) is useful for parsing the object structure, inflating compressed streams and deobfuscating what comes out. Grab some benign PDF files and analyze away. Add some JavaScript to them, and check those. Then grab some malicious PDF files, and see how they do what they do.

Now, if you *really* want to know what the resultant code does, you'll need a bit of assembly/shellcode knowledge, a debugger to watch the process, and probably access to vulnerability/exploit resources to recognize the common exploits and the vulns they lean on. More than likely, though, you just need to dig into a PDF far enough to pull out some good strings (decoded shellcode bytes, URLs, odd function names) to search for known malware.
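As an added example (not code from the walkthrough above or from any tool it links), here is a small Python triage script that covers the parsing and deobfuscation steps mentioned above and the string-harvesting step: it counts pdfid-style keywords while resolving #xx name escapes (so /J#53 is still counted as /JS), pulls JavaScript out of objects whether it is an inline literal string or an indirect reference to a FlateDecode stream, and turns the %uXXXX sequences handed to unescape() into raw bytes you can search on. The sample PDF it builds is constructed for this example and is not a real malicious file; it has no xref table, so a viewer may reject it, but the helpers do not need one.

```python
import re
import zlib

# /JS and /JavaScript carry script; /OpenAction and /AA run it without a click; /Launch starts
# an external program; /EmbeddedFile carries a dropped file.
SUSPICIOUS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")
_OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes in names, so an obfuscated /J#53 reads as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def keyword_counts(pdf: bytes) -> dict:
    """Count suspicious keys outside stream bodies (binary stream data would give false hits)."""
    text = normalize_names(_STREAM.sub(b"", pdf))
    return {k: len(re.findall(re.escape(k.encode()) + rb"(?![A-Za-z])", text)) for k in SUSPICIOUS}

def parse_objects(pdf: bytes) -> dict:
    """Map object number -> (normalized dictionary bytes, raw stream bytes or None)."""
    objs = {}
    for m in _OBJ.finditer(pdf):
        body = m.group(3)
        s = _STREAM.search(body)
        head = body[:s.start()] if s else body
        objs[int(m.group(1))] = (normalize_names(head), s.group(1) if s else None)
    return objs

def decode_stream(head: bytes, stream: bytes) -> bytes:
    """Inflate /FlateDecode streams (decompressobj tolerates truncated data); other filters come back raw."""
    return zlib.decompressobj().decompress(stream) if b"/FlateDecode" in head else stream

def read_literal_string(data: bytes, start: int) -> bytes:
    """Read the PDF literal string whose '(' is at data[start]: nested parentheses balance, escapes resolve."""
    depth, i, out = 1, start + 1, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            octal = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
            if octal:
                out.append(int(octal.group(0), 8) & 0xFF)
                i += 1 + len(octal.group(0))
            else:  # \( \) \\ and unknown escapes yield the character itself
                out += _ESC.get(data[i + 1:i + 2], data[i + 1:i + 2])
                i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            break
        out += c
        i += 1
    return bytes(out)

def extract_javascript(pdf: bytes) -> list:
    """Return [(object number, script)] for every /JS value, inline (literal) or a reference to a stream."""
    objs, found = parse_objects(pdf), []
    for num, (head, _) in objs.items():
        m = re.search(rb"/JS\s*", head)
        if not m:
            continue
        if head[m.end():m.end() + 1] == b"(":
            js = read_literal_string(head, m.end())
        else:
            ref = re.match(rb"(\d+)\s+\d+\s+R", head[m.end():])
            target = objs.get(int(ref.group(1))) if ref else None
            if not target or target[1] is None:
                continue
            js = decode_stream(*target)
        found.append((num, js.decode("latin-1")))
    return found

def decode_js_unescape(js: str) -> bytes:
    """Turn %uXXXX / %XX sequences handed to unescape() into raw bytes (%uXXXX is a little-endian UTF-16 unit)."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", js):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)

# Constructed sample, not a real malicious file: /OpenAction fires a JavaScript action whose /JS key
# is written as /J#53 and whose script sits in a FlateDecode stream. No xref table, so viewers may reject it.
SAMPLE_JS = b'var s = unescape("%u9090%u9090%u4141"); app.alert("constructed sample");'

def build_sample_pdf() -> bytes:
    js_stream = zlib.compress(SAMPLE_JS)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n",
        b"3 0 obj\n<< /S /JavaScript /J#53 4 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js_stream),
        js_stream, b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])
```

Run keyword_counts() first to decide whether a file deserves a closer look, then extract_javascript() and decode_js_unescape() on each script; the resulting byte string, plus any URLs or odd function names in the script, is what you go searching with. Streams using other standard filters (/ASCIIHexDecode, /ASCII85Decode, /LZWDecode) and objects packed inside object streams come back raw from decode_stream(), so those still need manual handling or a fuller tool.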

Follow the links on that blog, and the ones in its posts, to web your way through other people's analyses.