phoneyPDF is a tool to help analyze PDF files, and maybe a starting place to identify malicious PDF files from. It uses a javascript engine to execute javascript from PDF files, and exposes Adobe Reader-esque objects and a DOM so that if the javascript tries to interact with the DOM or certain Reader-only objects, they’ll be there, and execution can occur.
This tool was written by Trevor Tonn and Kiran Bandla over a few months at Verisign iDefense. With Verisign Inc permission, we are releasing this tool to the public to use and extend.