Abstract-We propose a method for the dynamic analysis of malicious documents that can exploit various types of vulnerability in applications. Static analysis of a document can be used to identify the type of vulnerability involved. However, it can be difficult to identify unknown vulnerabilities, and the application may not be available even if we could identify the vulnerability. In fact, the malicious code that is executed after the exploitation in many cases has no relationship with the type of vulnerability. In this paper, we propose a method that extracts and executes "shellcode" to analyze malicious documents without requiring identification of the vulnerability or the application. Our system extracts shellcode by executing byte sequences of the document file, in a priority order decided on the basis of entropy, and observing their features. Our system was used to analyze 88 malware samples and was able to extract shellcode from 74 samples. Of these, 51 extracted shellcodes behaved as malicious software according to dynamic analysis.

Index Terms-Malware, shellcode, entropy, dynamic analysis, vulnerability.

Manuscript received September 24, 2014; revised November 20, 2014. Kazuki Iwamoto is with Advanced Research Laboratory at SecureBrain Corporation, Kojimachi RK Building 4F 2-6-7 Kojimachi, Chiyoda-ku Tokyo, Japan (e-mail: kazuki_iwamoto@securebrain.co.jp). Katsumi Wasaki is with Interdisciplinary Graduate School of Science and Technology, Shinshu University, 4-17-1 Wakazato, Nagano-shi, Japan (e-mail: wasaki@cs.shinshu-u.ac.jp).

I. INTRODUCTION

At the start of a typical attack aimed at stealing information from a targeted organization, a piece of malware is supplied by targeted email [1]. An email is sent to a specific person, and often has an attached document file containing malicious code. The victim may then open the document file and execute the malicious code without knowing that it was created for attacking purposes. As a part of measures to deal with targeted attacks, we would like to analyze the behavior of malicious code via dynamic analysis.

It is often not possible to use dynamic analysis directly, because we cannot reproduce an appropriate vulnerable environment. The reason for this is that the vulnerability usually depends on the environment of the operating system (OS) or the application software. However, versatile malicious code (or "shellcode"), which often does not depend on a specific OS or application software, can be executed. Therefore, our system extracts shellcode from the document file to analyze the malicious document. It then outputs an executable file containing shellcode to enable dynamic analysis.

Before building our system, we conducted a preliminary survey of malware samples that we had already analyzed. In this preliminary survey, we determined parameter values for calculating the entropy, an algorithm for shellcode priority, and byte sequences to be excluded from the document file. Our system executes those byte sequences that are shellcode candidates and observes their behavior to ...
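The entropy-based prioritization described above can be illustrated with a small candidate-ranking step. The following is an added example, not code from the paper or its authors: it slides a window over a document's bytes, computes Shannon entropy per window, discards windows that look like padding or compressed/encrypted data, and orders the rest so that an executor would try the most code-like ranges first. The window size (1024), step (256), entropy band (1.0 to 7.5 bits per byte), target value (6.0) and the closest-to-target priority rule are assumptions made here for illustration; the paper's own parameters and priority algorithm came from its preliminary survey and are not on this page. The sample document is constructed inline and is not a real file.

```python
"""Rank byte ranges of a document as shellcode candidates by Shannon entropy.

Added example (not the paper's code). Window/step sizes, the entropy band,
the target value and the priority rule are illustrative assumptions, not the
parameters the paper derived from its preliminary survey.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(buf: bytes, window: int = 1024, step: int = 256):
    """Yield (offset, entropy) for each sliding window over buf."""
    last = max(0, len(buf) - window)
    for off in range(0, last + 1, step):
        yield off, shannon_entropy(buf[off:off + window])


def rank_candidates(buf: bytes, window: int = 1024, step: int = 256,
                    low: float = 1.0, high: float = 7.5, target: float = 6.0):
    """Return [(offset, entropy)] in the order the candidates should be tried.

    Assumed rule: drop windows below `low` (padding, mostly-constant data) and
    above `high` (compressed or encrypted streams); try the remaining windows
    closest to `target` first, `target` being an assumed typical bits-per-byte
    value for unencoded machine code. Ties are broken by lower offset.
    """
    kept = [(off, h) for off, h in window_entropies(buf, window, step)
            if low <= h <= high]
    kept.sort(key=lambda oh: (abs(oh[1] - target), oh[0]))
    return kept


def build_sample_document() -> bytes:
    """Constructed input (not a real document): zero padding, ASCII text, a
    region with 64 byte values used equally often standing in for machine
    code (exactly 6.0 bits/byte), and a region with all 256 byte values used
    equally often standing in for compressed data (exactly 8.0 bits/byte)."""
    zeros = b"\x00" * 1024
    text = (b"sample text region of the constructed document " * 32)[:1024]
    code_like = bytes((i * 37) % 64 + 0x20 for i in range(1024))
    packed_like = bytes(range(256)) * 4
    return zeros + text + zeros + code_like + zeros + packed_like + zeros


if __name__ == "__main__":
    doc = build_sample_document()
    for off, h in rank_candidates(doc)[:5]:
        print(f"offset 0x{off:05x} entropy {h:.2f} bits/byte")
```

In the constructed document the code-like region starts at offset 3072 and is the first candidate; the two windows that straddle it and the padding are next; the all-values-equal region is dropped entirely because its entropy exceeds the upper bound, as are the pure-zero windows. Windows that straddle the packed region and padding still pass the band, which is why a band filter alone is not enough and a priority order matters.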