• Title/Summary/Keyword: MS office

Analysis and Detection of Malicious Data Hidden in Slack Space on OOXML-based Corrupted MS-Office Digital Files

  • Sangwon Na;Hyung-Woo Lee
    • International journal of advanced smart convergence / v.12 no.1 / pp.149-156 / 2023
  • OOXML-based MS-Office digital files are extensively utilized by businesses and organizations worldwide. However, OOXML-based MS-Office digital files are vulnerable to forgery and corruption attacks that include hidden suspicious information, which can lead to the activation of malware or shell code hidden in the file. Such malicious code can cause a computer system to malfunction or become infected with ransomware. To prevent such attacks, it is necessary to analyze and detect the corruption of OOXML-based MS-Office files. In this paper, we examine the weaknesses of the existing OOXML-based MS-Office file structure and analyze how concealment and forgery are performed on MS-Office digital files. As a result, we propose a system to detect hidden data effectively and proactively respond to ransomware attacks exploiting MS-Office security vulnerabilities. The proposed system is designed to provide reliable and efficient detection of hidden data in OOXML-based MS-Office files, which can help organizations protect against potential security threats.

Design and Implementation of a ML-based Detection System for Malicious Script Hidden Corrupted Digital Files (머신러닝 기반 손상된 디지털 파일 내부 은닉 악성 스크립트 판별 시스템 설계 및 구현)

  • Hyung-Woo Lee;Sangwon Na
    • Journal of Internet of Things and Convergence / v.9 no.6 / pp.1-9 / 2023
  • Malware files containing concealed malicious scripts have recently been identified within MS Office documents with increasing frequency. In response, this paper describes the design and implementation of a system that automatically detects malicious digital files using machine learning techniques. The system is capable of identifying malicious scripts within MS Office files that exploit the OLE VBA macro functionality, detecting malicious scripts embedded within the CDH/LFH/ECDR internal field values through OOXML structure analysis, and recognizing abnormal CDH/LFH information introduced within the OOXML structure that is not conventionally referenced. Furthermore, this paper presents a mechanism for utilizing the VirusTotal malicious script detection feature to autonomously determine instances of malicious tampering within MS Office files. This leads to the design and implementation of machine learning-based integrated software. Experimental results confirm the software's capacity to autonomously assess an MS Office file's integrity and provide enhanced detection performance for arbitrary MS Office files when employing the optimal machine learning model.

A Research of Anomaly Detection Method in MS Office Document (MS 오피스 문서 파일 내 비정상 요소 탐지 기법 연구)

  • Cho, Sung Hye;Lee, Sang Jin
    • KIPS Transactions on Computer and Communication Systems / v.6 no.2 / pp.87-94 / 2017
  • Microsoft Office is an office suite of applications developed by Microsoft. Recently, users with malicious intent have customized Office files as containers for malware, because MS Office is the most commonly used word processing program. To attack a target system, many malicious Office files use a variety of skills and techniques, such as the macro function, hiding shell code inside unused areas, etc. People usually use two techniques to detect these kinds of malware: signature-based detection and sandboxing. However, there are limits to what these can achieve because of the increasing complexity of malware. Therefore, this paper proposes methods to detect malicious MS Office files from a computer forensics perspective. For this purpose, we checked macros and potential problem areas through structural analysis of the MS Office file.

Information Hiding and Detection in MS Office 2007 file (Microsoft Office 2007 파일에의 정보 은닉 및 탐지 방법)

  • Park, Bo-Ra;Park, Jung-Heum;Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology / v.18 no.3 / pp.143-154 / 2008
  • Information hiding has recently become a very important technology. Having this technology can be a competitive advantage for secure communication. In this paper, it is shown that hiding data in an MS Office 2007 file is possible. Considering that the Microsoft (MS) Office 2007 file format is based on the Open XML format, the features of Open XML make it possible to hide data in an MS Office 2007 file. In the Open XML format, unknown XML files and their relationships can be defined by the user. These parts and relationships are used to hide data in an MS Office 2007 file. Considering that unknown parts and unknown relationships are not present in a normal MS Office 2007 file, the hidden data can be detected by checking for unknown parts and unknown relationships.

A Study on Edit Order of Text Cells on the MS Excel Files (MS 엑셀 파일의 텍스트 셀 입력 순서에 관한 연구)

  • Lee, Yoonmi;Chung, Hyunji;Lee, Sangjin
    • Journal of the Korea Institute of Information Security & Cryptology / v.24 no.2 / pp.319-325 / 2014
  • Since smartphones and tablet PCs have recently come into wide use, users can create and edit documents anywhere in real time. If the input and edit flows of documents can be traced, they can be used as evidence in a digital forensic investigation. The typical document application is MS (Microsoft) Office. The MS Office applications use two file formats: the Compound Document File Format, which was used from version 97 to 2003, and the OOXML (Office Open XML) File Format, which has been used from version 2007 to now. Studies on MS Office files so far have aimed at deciding whether a file has been tampered with, through detection of concealed items or analysis of document properties. This paper analyzes the input order of text cells in MS Excel files and shows how to determine which cell was edited last from a digital forensic perspective.

Improved Data Concealing and Detecting Methods for OOXML Document (OOXML 문서에 대한 향상된 데이터 은닉 및 탐지 방법)

  • Hong, Kiwon;Cho, Jaehyung;Kim, Soram;Kim, Jongsung
    • Journal of the Korea Institute of Information Security & Cryptology / v.27 no.3 / pp.489-499 / 2017
  • MS Office is an office software suite that is widely used around the world. The OOXML format has been applied to the document structure from MS Office 2007 to the newest version. In this regard, methods of data concealment, a representative anti-forensic act, have been researched and developed, so methods of detecting concealed data are very important to digital forensic investigation. In this paper, we present an improved data concealment method that bypasses the previous detection methods for OOXML-formatted MS Office documents. In addition, we show concealment of internal data such as sheets and slides for MS Office 2013 Excel and PowerPoint, and suggest an improved detection algorithm against this data concealment.

Determination of the PDE-5 Inhibitors and Their Analogues by GC-MS and TMS Derivatization

  • Pyo, Jae-Sung;Lee, Hee-Sang;Park, Yu-Jin;Jo, Ji-Yeong;Park, Yong-Hoon;Choe, Sang-Gil;Lee, Mi-Young;Lee, Jae-Sin
    • Mass Spectrometry Letters / v.3 no.1 / pp.15-17 / 2012
  • Eighteen PDE-5 inhibitors and their analogues were analyzed using GC-EI-MS. Fourteen of them could be identified by a simple GC-MS method without derivatization, but hydroxyhongdenafil, hydroxyvardenafil, xanthoanthrafil and mirodenafil could not be identified without derivatization because of their high polarity due to the presence of hydroxyl groups. N,O-bis(trimethylsilyl) trifluoroacetamide (BSTFA) and N-methyl-N-(tert-butyldimethylsilyl)trifluoroacetamide (MTBSTFA), widely used trimethylsilyl (TMS) derivatizing reagents, were used to improve the sensitivity of the hydroxylated analogues, and the analytes could be identified by GC-MS after derivatization.

Monitoring of Neonicotinoid Pesticide Residues in Paprika Using UPLC-MS/MS from Gyeongnam Region (UPLC-MS/MS를 이용한 경남지역 파프리카 중 neonicotinoid계 농약 잔류 모니터링)

  • Kim, Nam-Kuk;Lee, Seung-Hwa;Nam, Yu-Jeong;Moon, Kyung-Mi;Park, Min-Ho;Yun, Mun-Hee;Kim, Mi-Young;Jang, Hyun-Min;Shin, Bong-Shig
    • The Korean Journal of Pesticide Science / v.15 no.1 / pp.15-21 / 2011
  • Monitoring or follow-up surveying of pesticide residues in agricultural commodities is key to meeting international regulations and to enhancing the international competitiveness of Korean agricultural commodities. Six neonicotinoid insecticides, acetamiprid, clothianidin, dinotefuran, imidacloprid, thiacloprid, and thiamethoxam, were monitored in 95 paprika samples collected from the Gyeongnam area. The pesticide residues were extracted with EN 15662 buffer based on the QuEChERS method, cleaned up with a dispersive solid-phase extraction method to remove interfering pigments, and analyzed using UPLC-MS/MS. Neonicotinoid pesticides were detected in 90.5% of the paprika samples. Two or more pesticides were detected in 82.3% of samples. Although detection frequencies were high, all samples complied with the maximum residue limits (MRLs) set by both the Korea Food and Drug Administration (KFDA) and the Japanese Ministry of Health, Labour and Welfare.

Simultaneous determination of amphetamine derivatives and norketamine in hair by GC-MS/MS (GC-MS/MS를 이용한 모발 중 암페타민 유도체 및 노르케타민 동시분석)

  • Kim, Jin Young;Shin, Soon Ho;Ko, Beom Jun;Chung, Jae Cheol;Suh, Yong Jun;In, Moon Kyo
    • Analytical Science and Technology / v.22 no.3 / pp.210-218 / 2009
  • A gas chromatography-tandem mass spectrometry (GC-MS/MS) method was developed and validated for the simultaneous determination of amphetamine derivatives and norketamine in human hair. Preparation of hair involves external decontamination, mechanical pulverization, incubation and extraction prior to instrumental analysis. The samples were derivatized using heptafluorobutyric anhydride and analyzed by GC-MS/MS. The linear ranges were 0.05-20.0 ng/mg for the analytes except for 3,4-methylenedioxyamphetamine, with good coefficients of determination ($r^2$ >0.998). The intra-day and inter-day precisions were within 10.7% and 8.5%, respectively. The intra-day and inter-day accuracies were between -1.6 and 17.0% and between -2.6 and 10.5%, respectively. The limits of detection for each analyte were lower than 0.007 ng/mg, while recoveries were 75.9-100.9%. When the method was applied to hair samples obtained from suspected drug abusers, the concentrations in the hair samples were 0.97-19.30 ng/mg for methamphetamine and 0.14-2.56 ng/mg for amphetamine.

Rapid Determination of Caffeine in Forensic Aqueous Sample by Dilute and Shoot LC-MS/MS (시료 희석 직접 주입 LC-MS/MS를 이용한 법화학 수용액 시료 중 카페인 신속 분석)

  • Choi, Yun Jeong;Kim, Hee Seung;In, Moon Kyo;Kim, Jin Young
    • YAKHAK HOEJI / v.60 no.3 / pp.112-117 / 2016
  • A liquid chromatography-tandem mass spectrometry (LC-MS/MS) method was developed and validated for the determination of caffeine in forensic aqueous samples. The centrifuged sample ($100\,\mu l$) was diluted 50-fold with distilled water. The diluted sample ($400\,\mu l$) was then diluted further with $200\,\mu l$ of 0.1% formic acid solution and $400\,\mu l$ of acetonitrile containing 500 ng of caffeine-(3-methyl-$^{13}C_3$) prior to LC-MS/MS analysis. The mobile phase was composed of 0.1% formic acid in distilled water (A) and acetonitrile (B). Chromatographic separation was performed using a Zorbax SB-C18 ($100\,mm \times 2.1\,mm$ i.d., $3.5\,\mu m$) column, and caffeine was eluted within 1.1 min. Linear least-squares regression with a 1/x weighting factor was used to generate a calibration curve with a coefficient of determination of $r^2=0.9983$. The lower limit of quantification was $25\,ng/ml$ for the analyte. The process efficiency was 98.6~100.1%. Intra- and inter-day precisions were not more than 2.1% and 1.7%, respectively, while intra- and inter-day accuracies ranged from -6.8 to 4.5%. The suitability of the method was examined by analyzing unknown forensic aqueous samples.