In terms of dynamic analysis, the same steps that were taken for Microsoft Office exploits can be followed:
- Figure out the actual exploit payload.
- Identify the product version(s) vulnerable to it.
- Open the document using the candidate product and use monitoring tools to confirm that it triggers.
- Find a place in the code of the vulnerable product for triggering the exploit.
If the actual exploit body is written in some other language (such as JavaScript), it might be more convenient to debug parts of it separately while emulating the environment that's required for the exploit to work. This part will also be covered in a dedicated Chapter 9, Scripts and Macros: Reversing, Deobfuscation, and Debugging.