Litcius/Paper detail

Analysis and Correlation of Visual Evidence in Campaigns of Malicious Office Documents

Fran Casino, Nikolaos Totosis, Theodoros Apostolopoulos, Nikolaos Lykousas, Constantinos Patsakis

2022Digital Threats Research and Practice15 citationsDOIOpen Access PDF

Abstract

Many malware campaigns use Microsoft (MS) Office documents as droppers to download and execute their malicious payload. Such campaigns often use these documents because MS Office is installed on billions of devices and that these files allow the execution of arbitrary VBA code. Recent versions of MS Office prevent the automatic execution of VBA macros, so malware authors try to convince users into enabling the content via images that, e.g., forge system or technical errors. In this article, we propose a mechanism to extract and analyse the different components of the files, including these visual elements, and construct lightweight signatures based on them. These visual elements are used as input for a text extraction pipeline which, in combination with the signatures, is able to capture the intent of MS Office files and the campaign they belong to. We test and validate our approach using an extensive database of malware samples, obtaining an accuracy above 99% in the task of distinguishing between benign and malicious files. Furthermore, our signature-based scheme allowed us to identify correlations between different campaigns, illustrating that some campaigns are either using the same tools or collaborating between them.

Topics & Concepts

Computer scienceVisual Basic for ApplicationsMalwareTask (project management)Payload (computing)Microsoft OfficePipeline (software)Fingerprint (computing)Construct (python library)DatabaseComputer securityWorld Wide WebInformation retrievalOperating systemProgramming languageEngineeringSystems engineeringNetwork packetAdvanced Malware Detection TechniquesNetwork Security and Intrusion DetectionSpam and Phishing Detection