Preprint article (this version is not peer-reviewed)
Malicious Office Macros Detection: Combined Features with Obfuscation and Suspicious Keywords
Version 1: Received: 21 September 2023 / Approved: 21 September 2023 / Online: 22 September 2023 (09:12:01 CEST)
A peer-reviewed version of this preprint has been published: Chen, X.; Wang, W.; Han, W. Malicious Office Macro Detection: Combined Features with Obfuscation and Suspicious Keywords. Appl. Sci. 2023, 13, 12101.
Abstract
Microsoft has introduced several measures against macro malware, including the Antimalware Scan Interface (AMSI) and automatic macro blocking. Nevertheless, threat actors have found ways to bypass these mechanisms, and phishing emails continue to use malicious macros as a primary attack vector. In this paper, we analyze 77 obfuscation features from the attacker's point of view and extract 46 suspicious keywords from macro code. We first combine these two types of features to train machine learning models on a public dataset. We then repeat the experiment on a self-constructed dataset of newly discovered samples to test whether the proposed method can detect previously unseen malicious macros. Experimental results show that, compared with existing work, the proposed method achieves a higher detection rate and more consistent results. Furthermore, an ensemble of multiple classifiers, each trained on a distinct feature selection, further improves detection performance.
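As an added illustration (not the paper's code and not its feature set), the following Python sketch shows the shape of the approach the abstract describes: counting suspicious keywords and measuring obfuscation indicators in VBA source, then combining both families into a single feature vector. The keyword list, the regular expressions, the two sample macros and the hand-weighted score are all constructed for this example; they stand in for the paper's 46 keywords, 77 obfuscation features and trained classifiers.

```python
import math
import re
from collections import Counter

# Constructed sample macros (not from the paper's datasets). The first is an
# obfuscated launcher: the command is assembled from Chr() calls and split
# literals so that no single "powershell" or "WScript.Shell" token appears in
# the source; the base64-looking literal is a placeholder, not a real payload.
# The second is ordinary worksheet-formatting code.
MALICIOUS_VBA = r'''
Sub AutoOpen()
    Dim x As String
    x = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & "shell"
    Dim o As Object
    Set o = CreateObject("WScript." & "Shell")
    o.Run x & " -w hidden -enc " & StrReverse("=QWx0aGVsbG8"), 0
End Sub
'''

BENIGN_VBA = r'''
Sub FormatReport()
    Dim ws As Worksheet
    Set ws = ActiveSheet
    ws.Range("A1").Font.Bold = True
    ws.Columns("A:D").AutoFit
End Sub
'''

# Illustrative keyword list; an assumption standing in for the paper's 46.
SUSPICIOUS_KEYWORDS = [
    "AutoOpen", "Document_Open", "Workbook_Open", "AutoExec", "AutoClose",
    "Shell", "CreateObject", "WScript.Shell", "Run", "Exec", "Environ",
    "URLDownloadToFile", "XMLHTTP", "ADODB.Stream", "SaveToFile",
    "ShellExecute", "Declare", "powershell", "cmd", "Kill",
]

# Illustrative obfuscation indicators; an assumption standing in for the paper's 77.
OBFUSCATION_PATTERNS = {
    "chr_calls": r"\bChr[WB$]?\s*\(",          # Chr/ChrW/ChrB/Chr$ character building
    "string_concats": r"&(?!H[0-9A-Fa-f])",    # '&' operators, excluding &H hex literals
    "strreverse": r"\bStrReverse\b",
    "hex_literals": r"&H[0-9A-Fa-f]+",
    "replace_calls": r"\bReplace\s*\(",
    "exec_calls": r"\bExecute(?:Global)?\s*\(",
}


def shannon_entropy(s: str) -> float:
    """Bits per character; high values flag encoded or encrypted payload strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _count_keyword(kw: str, vba: str) -> int:
    # VBA is case-insensitive. The lookarounds stop "Shell" matching inside
    # "powershell"; note that a split literal such as "WScript." & "Shell"
    # evades the dotted keyword, and only the bare "Shell" is counted.
    pat = r"(?<![A-Za-z0-9_])" + re.escape(kw) + r"(?![A-Za-z0-9_])"
    return len(re.findall(pat, vba, re.IGNORECASE))


def extract_features(vba: str) -> dict:
    """Combined feature dictionary: kw_* keyword counts plus obf_* obfuscation stats."""
    feats = {}
    for kw in SUSPICIOUS_KEYWORDS:
        feats["kw_" + kw.lower()] = _count_keyword(kw, vba)
    for name, pat in OBFUSCATION_PATTERNS.items():
        feats["obf_" + name] = len(re.findall(pat, vba, re.IGNORECASE))
    literals = re.findall(r'"([^"\n]*)"', vba)
    feats["obf_num_literals"] = len(literals)
    feats["obf_max_literal_len"] = max((len(s) for s in literals), default=0)
    feats["obf_max_literal_entropy"] = round(
        max((shannon_entropy(s) for s in literals), default=0.0), 3)
    return feats


# Fixed column order so every sample maps to the same vector layout.
FEATURE_ORDER = list(extract_features("").keys())


def to_vector(feats: dict) -> list:
    """Numeric vector in FEATURE_ORDER, the shape a classifier would be trained on."""
    return [feats[k] for k in FEATURE_ORDER]


def suspicion_score(feats: dict) -> int:
    """Hand-weighted stand-in for a trained model: keyword hits plus obfuscation
    signals. In practice this is replaced by model.predict(to_vector(feats))."""
    kw_hits = sum(v for k, v in feats.items() if k.startswith("kw_"))
    obf = (feats["obf_chr_calls"] + feats["obf_strreverse"]
           + feats["obf_replace_calls"] + feats["obf_exec_calls"]
           + feats["obf_hex_literals"])
    obf += 1 if feats["obf_string_concats"] >= 5 else 0
    obf += 1 if feats["obf_max_literal_entropy"] >= 4.0 else 0
    return kw_hits + obf


if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_VBA), ("benign", BENIGN_VBA)):
        f = extract_features(src)
        print(label, suspicion_score(f), {k: v for k, v in f.items() if v})
```

Running the sketch on the constructed launcher shows why the two feature families are combined: the keyword search never sees "powershell" or "WScript.Shell" because both are assembled at run time, yet the five Chr() calls, the eight concatenations and the StrReverse call are exactly the obfuscation that hides them, so the sample still scores far above the benign formatting macro.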
Keywords
malicious document; VBA; macro; obfuscation; suspicious keywords; machine learning
Subject
Computer Science and Mathematics, Security Systems
Copyright: This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.