Macros Finder: Do You Remember LOVELETTER?

  • Hiroya MiuraEmail author
  • Mamoru Mimura
  • Hidema Tanaka
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11125)


In recent years, the number of targeted email attacks which use Microsoft (MS) document files has been increasing. In particular, damage by malicious macros has spread in many organizations. Relevant work has proposed a method of malicious MS document files detection. To the best of our knowledge, however, no method of detecting malicious macros exists. Hence, we proposed a method which detects malicious macros themselves using machine learning. First, the proposed method creates corpuses from macros. Our method removes trivial words in the corpus. It becomes easy for the corpuses to classify malicious macros exactly. Second, Doc2Vec represents feature vectors from the corpuses. Malicious macros contain the context. Therefore, the feature vectors of Doc2Vec are classified with high accuracy. Machine learning models (Support Vector Machine, Random Forest and Multi Layer Perceptron) are trained, inputting the feature vectors and the labels. Finally, the trained models predict test feature vectors as malicious macros or benign macros. Evaluations show that the proposed method can obtain a high F-measure (0.93).


Macro Machine learning Natural language processing technique Bag-of-Words Doc2Vec 


  1. 1.
    Wolf in sheep’s clothing: a SophosLabs investigation into delivering malware via VBA.
  2. 2.
    Rieck, K., Trinius, P., Willems, C., Holz, T.: Automatic analysis of malware behavior using machine learning. J. Comput. Secur. 19(4), 639–668 (2011)CrossRefGoogle Scholar
  3. 3.
    Bayer, U., Moser, A., Kruegel, C., Kirda, E.: Dynamic analysis of malicious code. J. Comput. Virol. 2, 67–77 (2006). Scholar
  4. 4.
    Perdisci, R., Lanzi, A., Lee, W.: McBoost: boosting scalability in malware collection and analysis using statical classification of executables. In: Computer Security Applications Conference (2008).
  5. 5.
    Nissim, N., Cohen, A., Elovici, Y.: ALDOCX: detection of unknown malicious microsoft office documents using designated active learning methods based on new structural feature extraction methodology. IEEE Trans. Inf. Forensics Secur. 12(3), 631–646 (2017)CrossRefGoogle Scholar
  6. 6.
    Naser, A., Hadi, A.: Analyzing and detecting malicious content: DOCX files. Int. J. Comput. Sci. Inf. Secur. (IJCSIS) 14(8), 404–412 (2016)Google Scholar
  7. 7.
    Otsubo, Y., Mimura, M., Tanaka, H.: O-checker: detection of malicious documents through deviation from file format specification. In: Black Hat USA (2016)Google Scholar
  8. 8.
    Boldewin, F.: Analyzing MSOffice malware with OfficeMalScanner.
  9. 9.
  10. 10.
    Mimura, M., Otsubo, Y., Tanaka, H.: Evaluation of a brute forcing tool that extracts the RAT from a malicious document file. In: 2016 11th Asia Joint Conference on Information Security (Asia JCIS) (2016).
  11. 11.
    Corona, I., Maiorca, D., Giacinto, G.: Lux0R: detection of malicious PDF-embedded JavaScript code through discriminant analysis of API references (2014)Google Scholar
  12. 12.
    Liu, D., Wang, H., Stavrou, A.: Detecting malicious Javascript in PDF through document instrumentation. In: 2014 44th Annual IEEE/IFIP International Conference Dependable Systems and Networks (DSN), pp. 100–111, ISBN 978-1-4799-2233-8 (2014)Google Scholar
  13. 13.
  14. 14.
    python package index gensim 0.10.1.
  15. 15.
    python package index scikit learn 0.19.0.
  16. 16.

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.National Defense AcademyYokosukaJapan

Personalised recommendations