Chen, X.; Wang, W.; Han, W. Malicious Office Macro Detection: Combined Features with Obfuscation and Suspicious Keywords. Appl. Sci.2023, 13, 12101.
Chen, X.; Wang, W.; Han, W. Malicious Office Macro Detection: Combined Features with Obfuscation and Suspicious Keywords. Appl. Sci. 2023, 13, 12101.
Chen, X.; Wang, W.; Han, W. Malicious Office Macro Detection: Combined Features with Obfuscation and Suspicious Keywords. Appl. Sci.2023, 13, 12101.
Chen, X.; Wang, W.; Han, W. Malicious Office Macro Detection: Combined Features with Obfuscation and Suspicious Keywords. Appl. Sci. 2023, 13, 12101.
Abstract
Microsoft has implemented several measures to defend against macro viruses, including the use of Anti-malware Scan Interface (AMSI) and automatic macro blocking. Nevertheless, evidence shows that threat actors have found ways to bypass these mechanisms. As a result, phishing emails continue to apply malicious macros as their essential attack vector. In this paper, we analyze 77 obfuscation features from the attacker’s point of view and extract 46 suspicious keywords in macro. We first combine the above two types of features to train machine learning models on a public dataset. Then, we carry out the same experiment on self-constructed dataset, a collection of newly discovered samples, to see if our proposed method could discover the unseen malicious macros. Experimental results demonstrate that, comparing with the existing researches, our proposed method has a higher detection rate and better consistency. Furthermore, ensemble multi-classifiers with distinct feature selection further improve the detection performance.
Computer Science and Mathematics, Security Systems
Copyright:
This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
