
Detection of Malicious Documents Utilizing XMP Identifiers

Detection of Malicious Documents Utilizing XMP Identifiers (PDF, 2.76MB)

Published: 27 Aug, 2020

Created by Josiah Smith

Modern digital documents are often composed of multiple other documents and images. Malware authors frequently produce malicious documents while reusing graphical assets or other components that can be uniquely identified with the Adobe Extensible Metadata Platform (XMP). XMP IDs define a standard for mapping asset relationships and can be used to track, pivot on, and cluster malicious campaigns, identify new TTPs, and possibly support attribution of adversaries.
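The clustering idea described above, as an added sketch that is not code from the white paper: it pulls XMP Media Management identifiers (`xmpMM:DocumentID`, `xmpMM:InstanceID`, `xmpMM:OriginalDocumentID` and the `stRef:` references, as named in the XMP specification) out of raw document bytes and groups samples that share any of them. The sample bytes, file names and ID values are constructed, and the scan assumes the XMP packet is stored uncompressed in the bytes it is given.

```python
import re
from collections import defaultdict

# XMP IDs are serialized either as an attribute (xmpMM:DocumentID="xmp.did:...")
# or as an element (<xmpMM:DocumentID>xmp.did:...</xmpMM:DocumentID>).
XMP_ID_RE = re.compile(
    rb'(?:xmpMM:|stRef:)'
    rb'(?:DocumentID|InstanceID|OriginalDocumentID|documentID|instanceID)'
    rb'\s*(?:=\s*["\']|>)\s*([A-Za-z0-9.:\-]{8,80})'
)

def extract_xmp_ids(data: bytes) -> set[str]:
    """Return every XMP identifier value in the bytes, case-normalized."""
    return {m.group(1).decode().lower() for m in XMP_ID_RE.finditer(data)}

def cluster_by_shared_ids(samples: dict[str, bytes]) -> list[set[str]]:
    """Group sample names that share at least one XMP ID (union-find)."""
    parent = {name: name for name in samples}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_seen: dict[str, str] = {}
    for name, data in samples.items():
        for value in extract_xmp_ids(data):
            if value in first_seen:
                parent[find(name)] = find(first_seen[value])
            else:
                first_seen[value] = name

    groups = defaultdict(set)
    for name in samples:
        groups[find(name)].add(name)
    # Singletons carry no pivot value; report only shared-asset clusters.
    return sorted((g for g in groups.values() if len(g) > 1), key=sorted)

# Constructed sample bytes (not real malware); IDs are made up.
SAMPLES = {
    "invoice_a.pdf": b'%PDF-1.7 <rdf:Description '
        b'xmpMM:DocumentID="xmp.did:0A1B2C3D4E5F60718293A4B5C6D7E8F9" '
        b'xmpMM:InstanceID="xmp.iid:1111AAAA2222BBBB3333CCCC4444DDDD"/>',
    "lure_b.doc": b'\xd0\xcf\x11\xe0 <xmpMM:DocumentID>'
        b'xmp.did:0a1b2c3d4e5f60718293a4b5c6d7e8f9</xmpMM:DocumentID>',
    "benign_c.pdf": b'%PDF-1.4 <xmpMM:DocumentID>'
        b'uuid:9f8e7d6c-5b4a-3928-1706-f5e4d3c2b1a0</xmpMM:DocumentID>',
}

if __name__ == "__main__":
    for cluster in cluster_by_shared_ids(SAMPLES):
        print(sorted(cluster))
```

For container formats that compress their parts, unpack the embedded images and streams first and pass each part's bytes under the parent sample's name.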