Development of an Automatic Document Malware Analysis System

  • Hong-Koo Kang
  • Ji-Sang Kim
  • Byung-Ik Kim
  • Hyun-Cheol Jeong
Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 215)


Malware attacks that use document files like PDF and HWP have been rapidly increasing lately. Particularly, social engineering cases of infection by document based malware that has been transferred through Web/SNS posting or spam mail that pretends to represent political/cultural issues or a work colleague has greatly increased. The threat of document malware is expected to increase as most PC users routinely access document files and the rate of this type of malware being detected by commercial vaccine programs is not that high. Therefore, this paper proposes an automatic document malware analysis system that automatically performs the static/dynamic analysis of document files like PDF and HWP and provides the result. The static analysis of document based malware identifies the existence of the script and the shell code that is generating the malicious behavior and extracts it. It also detects obfuscated codes or the use of reportedly vulnerable functions. The dynamic analysis monitors the behavior of the kernel level and generates the log. The log is then compared with the malicious behavior rule to detect the suspicious malware. In the performance test that used the actual document malware sample, the system demonstrated an outstanding detection performance.


Document Malware Automatic analysis system 



This research was supported by the KCC(Korea Communications Commission), Korea, under the R&D program supervised by the KCA(Korea Communications Agency)”(KCA-2012-(10912-06001)).


  1. 1.
    Park CS (2010) An email vaccine cloud system for detecting Malcode-Bearing documents. J KMS 13(5):754–762Google Scholar
  2. 2.
    Han KS, Shin YH, Im EG (2010) A study of spam spread malware analysis and countermeasure framework. J SE 7(4):363–383Google Scholar
  3. 3.
  4. 4.
    Ratantonio Y, Kruegel C, Vigna G, Shellzer (2011) a tool for the dynamic analysis of malicious shellcode. In: Proceedings of the international symposium on RAID, pp 61–80Google Scholar
  5. 5.
    Ulrich B, Imam H, Davide B, Engin K, Christopher K (2009) Insights into current malware behavior In: 2nd USENIX workshop on LEET, 2009Google Scholar
  6. 6.
    CWSandbox: Behavior-based Malware Analysis.
  7. 7.
    Marco C, Christopher K, Giovanni V (2010) Detection and analysis of drive-by-download attacks and malicious JavaScript code. In: Proceedings of the WWW conference, 2010Google Scholar

Copyright information

© Springer Science+Business Media Dordrecht 2013

Authors and Affiliations

  • Hong-Koo Kang
    • 1
  • Ji-Sang Kim
    • 1
  • Byung-Ik Kim
    • 1
  • Hyun-Cheol Jeong
    • 1
  1. 1.Team of Security R&DKorea Internet and Security AgencySongpa-guSouth Korea

Personalised recommendations