Macros Finder: Do You Remember LOVELETTER?

Miura, Hiroya; Mimura, Mamoru; Tanaka, Hidema

doi:10.1007/978-3-319-99807-7_1

Hiroya Miura¹⁵,
Mamoru Mimura¹⁵ &
Hidema Tanaka¹⁵

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11125))

Included in the following conference series:

International Conference on Information Security Practice and Experience

1270 Accesses
11 Citations

Abstract

In recent years, the number of targeted email attacks which use Microsoft (MS) document files has been increasing. In particular, damage by malicious macros has spread in many organizations. Relevant work has proposed a method of malicious MS document files detection. To the best of our knowledge, however, no method of detecting malicious macros exists. Hence, we proposed a method which detects malicious macros themselves using machine learning. First, the proposed method creates corpuses from macros. Our method removes trivial words in the corpus. It becomes easy for the corpuses to classify malicious macros exactly. Second, Doc2Vec represents feature vectors from the corpuses. Malicious macros contain the context. Therefore, the feature vectors of Doc2Vec are classified with high accuracy. Machine learning models (Support Vector Machine, Random Forest and Multi Layer Perceptron) are trained, inputting the feature vectors and the labels. Finally, the trained models predict test feature vectors as malicious macros or benign macros. Evaluations show that the proposed method can obtain a high F-measure (0.93).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

Wolf in sheep’s clothing: a SophosLabs investigation into delivering malware via VBA. https://nakedsecurity.sophos.com/2017/05/31/wolf-in-sheeps-clothing-a-sophoslabs-investigation-into-delivering-malware-via-vba/
Rieck, K., Trinius, P., Willems, C., Holz, T.: Automatic analysis of malware behavior using machine learning. J. Comput. Secur. 19(4), 639–668 (2011)
Article Google Scholar
Bayer, U., Moser, A., Kruegel, C., Kirda, E.: Dynamic analysis of malicious code. J. Comput. Virol. 2, 67–77 (2006). https://doi.org/10.1007/s11416-006-0012-2
Article Google Scholar
Perdisci, R., Lanzi, A., Lee, W.: McBoost: boosting scalability in malware collection and analysis using statical classification of executables. In: Computer Security Applications Conference (2008). https://doi.org/10.1109/ACSAC.2006.53
Nissim, N., Cohen, A., Elovici, Y.: ALDOCX: detection of unknown malicious microsoft office documents using designated active learning methods based on new structural feature extraction methodology. IEEE Trans. Inf. Forensics Secur. 12(3), 631–646 (2017)
Article Google Scholar
Naser, A., Hadi, A.: Analyzing and detecting malicious content: DOCX files. Int. J. Comput. Sci. Inf. Secur. (IJCSIS) 14(8), 404–412 (2016)
Google Scholar
Otsubo, Y., Mimura, M., Tanaka, H.: O-checker: detection of malicious documents through deviation from file format specification. In: Black Hat USA (2016)
Google Scholar
Boldewin, F.: Analyzing MSOffice malware with OfficeMalScanner. https://ja.scribd.com/document/21143233/Analyzing-MSOffice-Malware-With-OfficeMalScanner
OLE Background. https://msdn.microsoft.com/en-us/library/19z074ky.aspx
Mimura, M., Otsubo, Y., Tanaka, H.: Evaluation of a brute forcing tool that extracts the RAT from a malicious document file. In: 2016 11th Asia Joint Conference on Information Security (Asia JCIS) (2016). https://doi.org/10.1109/AsiaJCIS.2016.10
Corona, I., Maiorca, D., Giacinto, G.: Lux0R: detection of malicious PDF-embedded JavaScript code through discriminant analysis of API references (2014)
Google Scholar
Liu, D., Wang, H., Stavrou, A.: Detecting malicious Javascript in PDF through document instrumentation. In: 2014 44th Annual IEEE/IFIP International Conference Dependable Systems and Networks (DSN), pp. 100–111, ISBN 978-1-4799-2233-8 (2014)
Google Scholar
olevba. https://github.com/decalage2/oletools/wiki/olevba
python package index gensim 0.10.1. https://pypi.python.org/pypi/gensim/0.10.1
python package index scikit learn 0.19.0. https://pypi.python.org/pypi/scikit-learn/0.19.0
Virus Toral. https://www.virustotal.com/

Download references

Author information

Authors and Affiliations

National Defense Academy, Yokosuka, Japan
Hiroya Miura, Mamoru Mimura & Hidema Tanaka

Authors

Hiroya Miura
View author publications
You can also search for this author in PubMed Google Scholar
Mamoru Mimura
View author publications
You can also search for this author in PubMed Google Scholar
Hidema Tanaka
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Hiroya Miura .

Editor information

Editors and Affiliations

University of Aizu, Aizuwakamatsu, Japan
Chunhua Su
Meiji University, Tokyo, Japan
Hiroaki Kikuchi

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Miura, H., Mimura, M., Tanaka, H. (2018). Macros Finder: Do You Remember LOVELETTER?. In: Su, C., Kikuchi, H. (eds) Information Security Practice and Experience. ISPEC 2018. Lecture Notes in Computer Science(), vol 11125. Springer, Cham. https://doi.org/10.1007/978-3-319-99807-7_1

Download citation

DOI: https://doi.org/10.1007/978-3-319-99807-7_1
Published: 06 September 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-99806-0
Online ISBN: 978-3-319-99807-7
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics