Oblivion: an open-source system for large-scale analysis of macro-based office malware

Sanna, Alessandro (first author); Maiorca, Davide (penultimate author); Giacinto, Giorgio (last author)
2024-01-01

Abstract

Macro-based Office files have been extensively used as infection vectors to embed malware. In particular, VBA macros can invoke kernel functions and system routines to execute or remotely drop malicious payloads, and they are typically heavily obfuscated to make static analysis unfeasible. Current state-of-the-art approaches focus on discriminating between malicious and benign Office files by performing static and dynamic analysis directly on obfuscated macros, concentrating on detection rather than reversing. Specifically, the proposed methods lack an in-depth analysis of the embedded macros, thus losing valuable information about the attack families, the embedded scripts, and the contacted external resources. In this paper, we propose Oblivion, an open-source framework for large-scale analysis of Office macros, to fill this gap. Oblivion instruments macros and executes them in a virtualized environment to de-obfuscate and reconstruct their behavior. Moreover, it can automatically and quickly interact with macros, extracting the embedded PowerShell and non-PowerShell attacks and reconstructing the whole macro behavior. This is the main scope of our analysis: we are more interested in retrieving specific behavioural patterns than in detecting maliciousness per se. We performed a large-scale analysis of more than 30,000 files that constitute a representative corpus of attacks. Results show that Oblivion could efficiently de-obfuscate malicious macros, revealing a large corpus of PowerShell and non-PowerShell attacks, with an analysis time of less than 1 min per sample on average. Moreover, we characterize such attacks by pointing out frequent attack patterns and the obfuscation strategies employed. We finally release the information obtained from our dataset together with our tool.
2024
2024
English
1
20
20
https://link.springer.com/article/10.1007/s11416-024-00531-3
Scientific committee
international
scientific
Macro; Malware; VBA; PowerShell; Word; Excel; Office
no
Sanna, Alessandro; Cara, Fabrizio; Maiorca, Davide; Giacinto, Giorgio
1.1 Journal article
info:eu-repo/semantics/article
1 Journal contribution::1.1 Journal article
262
4
none
Studying thE impact of anti-analysis Techniques in IoT security evAluations
SETA
NextGenerationEU
229240.00€

In searCh Of eVidence of stEalth cybeR Threats
COVERT
NextGenerationEU

flexible Sensors for secUre and truSTed crowdsensing environmentAl applicatioNs
SUSTAIN
NextGenerationEU