Development of an Automatic Document Malware Analysis System
Malware attacks that use document files like PDF and HWP have been rapidly increasing lately. Particularly, social engineering cases of infection by document based malware that has been transferred through Web/SNS posting or spam mail that pretends to represent political/cultural issues or a work colleague has greatly increased. The threat of document malware is expected to increase as most PC users routinely access document files and the rate of this type of malware being detected by commercial vaccine programs is not that high. Therefore, this paper proposes an automatic document malware analysis system that automatically performs the static/dynamic analysis of document files like PDF and HWP and provides the result. The static analysis of document based malware identifies the existence of the script and the shell code that is generating the malicious behavior and extracts it. It also detects obfuscated codes or the use of reportedly vulnerable functions. The dynamic analysis monitors the behavior of the kernel level and generates the log. The log is then compared with the malicious behavior rule to detect the suspicious malware. In the performance test that used the actual document malware sample, the system demonstrated an outstanding detection performance.
KeywordsDocument Malware Automatic analysis system
This research was supported by the KCC(Korea Communications Commission), Korea, under the R&D program supervised by the KCA(Korea Communications Agency)”(KCA-2012-(10912-06001)).
- 1.Park CS (2010) An email vaccine cloud system for detecting Malcode-Bearing documents. J KMS 13(5):754–762Google Scholar
- 2.Han KS, Shin YH, Im EG (2010) A study of spam spread malware analysis and countermeasure framework. J SE 7(4):363–383Google Scholar
- 3.BoanNews (2012) http://www.boannews.com/media/view.asp?idx=31322&kind=1, 2012
- 4.Ratantonio Y, Kruegel C, Vigna G, Shellzer (2011) a tool for the dynamic analysis of malicious shellcode. In: Proceedings of the international symposium on RAID, pp 61–80Google Scholar
- 5.Ulrich B, Imam H, Davide B, Engin K, Christopher K (2009) Insights into current malware behavior In: 2nd USENIX workshop on LEET, 2009Google Scholar
- 6.CWSandbox: Behavior-based Malware Analysis. http://mwanalysis.org/