http://dx.doi.org/10.13089/JKIISC.2020.30.3.429

A Study of Office Open XML Document-Based Malicious Code Analysis and Detection Methods

Lee, Deokkyu (Institute of Cyber Security & Privacy (ICSP), Korea University)
Lee, Sangjin (Institute of Cyber Security & Privacy (ICSP), Korea University)
Abstract
The proportion of attacks delivered via office documents has increased in recent incidents. Although the security of office applications has been strengthened gradually, attacks through office documents remain effective because of the sophisticated use of social engineering and advanced attack techniques. In this paper, we propose a method for detecting malicious OOXML (Office Open XML) documents and a framework that implements the detection. To do this, malicious files used in attacks and benign files were collected from a malicious code repository and a search engine. By analyzing the malicious code types of the collected files, we identified six "suspicious object" elements that are meaningful in determining whether a document is malicious. In addition, we implemented an OOXML document-based malware detection framework based on the detection method, used it to classify the collected files, and found that 98.45% of the malicious file set was detected.
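The abstract describes scanning an OOXML package for "suspicious object" elements without listing the six the authors settled on. The following is an added example, not the paper's framework: it unzips a package and flags parts and XML content that match a small set of indicators chosen here as assumptions from the attack surfaces named in the reference list (VBA macros, ActiveX controls, OLE embeddings, DDE links). The sample packages are constructed in memory and are not real Office documents.

```python
import io
import re
import zipfile

# Indicator patterns: assumptions modelled on the attack surfaces the reference list
# names (VBA macros, ActiveX, OLE embeddings, DDE links), not the paper's own six elements.
PART_PATTERNS = {
    "vba_macro": re.compile(r"vbaProject\.bin$", re.I),
    "activex_control": re.compile(r"^(word|xl|ppt)/activeX/.+\.(xml|bin)$", re.I),
    "ole_embedding": re.compile(r"/embeddings/oleObject\d*\.bin$", re.I),
}
CONTENT_PATTERNS = {
    # Content-type override catches a macro part even if its file name was changed.
    "vba_macro": re.compile(rb"application/vnd\.ms-office\.vbaProject"),
    "dde_link": re.compile(rb"<ddeLink\b"),
}

def scan_ooxml(package: bytes) -> dict:
    """Return {indicator: sorted part names} for suspicious objects in one package."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            for label, pat in PART_PATTERNS.items():
                if pat.search(name):
                    hits.setdefault(label, set()).add(name)
            # Only XML and relationship parts are inspected textually; binary parts are judged by name.
            if name.lower().endswith((".xml", ".rels")):
                body = zf.read(name)
                for label, pat in CONTENT_PATTERNS.items():
                    if pat.search(body):
                        hits.setdefault(label, set()).add(name)
    return {k: sorted(v) for k, v in hits.items()}

def build_sample(macro=False, dde=False) -> bytes:
    """Constructed minimal package for demonstration; not a real Office document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if macro:
            ct += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # constructed stub, not a VBA project
        zf.writestr("[Content_Types].xml", ct + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if dde:
            zf.writestr("xl/externalLinks/externalLink1.xml",
                        '<externalLink><ddeLink ddeService="placeholder" ddeTopic="placeholder"/></externalLink>')
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_ooxml(build_sample(macro=True, dde=True)))
    print(scan_ooxml(build_sample()))
```

A real classifier would weight these indicators rather than treat any single hit as malicious, since macros and external links also occur in benign business documents.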
Keywords
OOXML; Microsoft Office; documents; malware