Analysis and Correlation of Visual Evidence in Campaigns of Malicious Office Documents
Fran Casino, Nikolaos Totosis, Theodoros Apostolopoulos, Nikolaos Lykousas, and Constantinos Patsakis

TL;DR
This paper investigates how visual elements in malicious MS Office documents can be used to create lightweight signatures for malware detection and reveals campaign correlations indicating shared tools or collaboration.
Contribution
It introduces a novel approach leveraging visual evidence in Office documents to detect malware and uncovers campaign relationships through correlation analysis.
Findings
Effective malware signatures based on visual elements
Identification of campaign overlaps and tool sharing
Validation on extensive malware dataset
Abstract
Many malware campaigns use Microsoft (MS) Office documents as droppers to download and execute their malicious payload. Such campaigns favour these documents because MS Office is installed on billions of devices and these files allow the execution of arbitrary VBA code. Recent versions of MS Office prevent the automatic execution of VBA macros, so malware authors try to convince users to enable the content via images that, e.g., forge system or technical errors. In this work, we leverage these visual elements to construct lightweight malware signatures that can be applied with minimal effort. We test and validate our approach using an extensive database of malware samples and identify correlations between different campaigns which illustrate that some campaigns are either using the same tools or that there is some collaboration between them.
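To make the signature idea concrete, here is an added example (not code from the paper or its authors) of the detection pipeline the abstract sketches: pull the embedded lure images out of an Office Open XML package, derive a signature per image, match unknown documents against a per-campaign signature set, and report campaign pairs that share a lure. It assumes an exact SHA-256 of the image bytes as the signature (the paper's own feature extraction is not reproduced here) and uses constructed placeholder bytes in place of real PNGs.

```python
import hashlib
import io
import zipfile
from itertools import combinations
MEDIA_PREFIXES = ("word/media/", "xl/media/", "ppt/media/")  # OOXML image folders

def extract_media(doc_bytes):
    """Return {archive path: image bytes} for every image embedded in the package."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        return {n: zf.read(n) for n in zf.namelist()
                if n.startswith(MEDIA_PREFIXES) and not n.endswith("/")}

def image_signature(image_bytes):
    """Exact-content signature (assumption: stands in for the paper's own feature)."""
    return hashlib.sha256(image_bytes).hexdigest()

def build_signature_db(samples):
    """samples: {campaign: [doc_bytes, ...]} -> {signature: {campaigns seen with it}}"""
    db = {}
    for campaign, docs in samples.items():
        for doc in docs:
            for img in extract_media(doc).values():
                db.setdefault(image_signature(img), set()).add(campaign)
    return db

def match_document(doc_bytes, db):
    """Campaigns whose known lure images appear in this document."""
    hits = set()
    for img in extract_media(doc_bytes).values():
        hits |= db.get(image_signature(img), set())
    return hits

def correlate_campaigns(db):
    """Campaign pairs sharing at least one lure image (a hint of shared tooling)."""
    return {pair for camps in db.values() for pair in combinations(sorted(camps), 2)}

def make_docm(images):
    """Constructed stand-in for a .docm: a zip carrying only word/media/ entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for i, img in enumerate(images, 1):
            zf.writestr(f"word/media/image{i}.png", img)
    return buf.getvalue()
# Constructed sample lure images: placeholder bytes standing in for real PNGs.
LURE_A = b"PNG-lure: 'This document was created in an earlier version of Word'"
LURE_B = b"PNG-lure: 'Enable editing to view the protected content'"
SAMPLES = {"campaign-1": [make_docm([LURE_A])],
           "campaign-2": [make_docm([LURE_A, LURE_B])],
           "campaign-3": [make_docm([LURE_B])]}
SIG_DB = build_signature_db(SAMPLES)
```

With real samples, replace the placeholder bytes with the images read from the packages and consider a perceptual hash if the lures are re-encoded between campaigns.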
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications
