A New Framework for PDF Malware Detection Integrating Graph Neural Networks and Large Language Models

This article introduces an innovative open-source framework that integrates Graph Neural Network (GNN) and Large Language Model (LLM) technologies to achieve accurate classification and behavioral analysis of PDF malware families and subfamilies, providing a new technical path for cybersecurity defense. The framework combines structural feature extraction and semantic understanding through a two-stage architecture, and has capabilities such as fine-grained classification and behavioral analysis, which are of great application value in scenarios like enterprise SOC and threat intelligence research.

PDF has become a major carrier for malware propagation due to its cross-platform compatibility and rich functionality; attackers use features like JavaScript support and embedded objects to hide malicious code. Traditional signature-based detection struggles to handle variant families, and static/dynamic analysis faces challenges in accuracy and efficiency. In recent AI technology developments, GNN excels at processing structured data, while LLM performs well in code understanding and semantic analysis—integrating the two is expected to achieve deeper detection.

The framework adopts a two-stage architecture: In the first stage, GNN is used to extract PDF structural features—PDF is parsed into a graph structure (including elements like pages, stream objects, and their relationships), and graph convolutional networks aggregate node information to identify malicious structural patterns. In the second stage, LLM is used for behavioral semantic analysis: structural features extracted by GNN are converted into text input for pre-trained LLM to interpret the semantics of embedded code, identify malicious behavior patterns and intentions, and achieve cross-modal feature fusion.

The framework's technical innovations include: 1. A customized graph encoding scheme that considers PDF object reference relationships, type dependencies, and hierarchical structures, with a multi-relation graph convolution mechanism designed; 2. A deep feature fusion strategy that converts graph structure information into LLM-understandable text through prompt engineering to connect structural and semantic features; 3. Fine-grained classification capability that supports the classification of PDF malware families and subfamilies, aiding threat intelligence analysis and attack traceability.

The framework has strong behavioral analysis capabilities: It combines static analysis and dynamic sandbox execution to extract a complete behavior graph, uses GNN to model relationships between behavior entities (like file operations and network communications), and uses LLM to understand the attack intent behind behavior sequences (e.g., identifying the "download and execute" attack chain). It also supports generating human-readable behavior reports, lowering the analysis threshold and helping security practitioners respond to threats.

The framework has application value in multiple scenarios: In enterprise SOC, it serves as a detection engine to analyze PDF attachments in real time and block malicious documents; in threat intelligence research, it is used for automated analysis of large-scale samples to discover family variants; security vendors can customize and fine-tune models based on the framework, integrate them into existing products, or provide independent detection services.

The framework has limitations: LLM introduces high computational resource requirements, limiting deployment in resource-constrained environments; performance depends on the quality and coverage of training data, and there may be blind spots for rare/new attacks. Future directions: Optimize the architecture to reduce computational overhead and explore model compression; introduce active learning to adapt to new threats; expand support for more document formats; combine federated learning to achieve intelligence sharing under privacy protection.

The GNN-LLM-PDF-Malware framework is an active exploration of AI in the cybersecurity field, integrating GNN's structural analysis and LLM's semantic understanding capabilities to provide a new paradigm for PDF malware detection. Multimodal fusion methods will become an important feature of next-generation security defense systems, and in-depth understanding and practice of such frameworks will help improve the ability to detect and respond to complex threats.