<p>Advanced Persistent Threat campaigns have increasingly adopted semantic obfuscation techniques in malicious Office macros, rendering the code logic opaque to traditional scrutiny. Despite the decline in volumetric attacks following Microsoft’s default blocking policy, these sophisticated vectors can bypass traditional static syntactic pattern matching and evade dynamic analysis through environment awareness guardrails. To recover logic hidden by such obfuscation, this paper proposes a static analysis framework centered on semantic-aware code reconstruction. Unlike conventional methods, our approach reconstructs the underlying execution logic from obfuscated scripts to extract hidden Indicators of Compromise (IoCs). A notable feature of this framework is the Obfuscation Awareness and Splitting Approach. This algorithmic mechanism addresses the challenges of context window limitations and logical fragmentation by utilizing quantitative metrics to identify high-density obfuscation zones and optimally partition scripts, ensuring the preservation of semantic continuity during reconstruction. We then employ a generative semantic engine to process these partitions, feeding a hybrid feature extraction pipeline for multidimensional threat characterization. We systematically evaluate the framework on a contemporary dataset of obfuscated malicious macros. Experimental results demonstrate that our semantic reconstruction approach achieves an average precision of 74.57% in IoC extraction, outperforming conventional static analysis in our evaluation. When integrated with machine learning classifiers, the framework attains a maximum detection accuracy of 98.89%. The experimental results indicate the effectiveness and robustness of our semantic deobfuscation-based framework in real-world malware detection, offering enterprises a scalable solution for defensive deployment.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

MOD2SAD: enhancing malicious office document detection through semantic-aware deobfuscation

  • Tao Leng,
  • Tujin Liao,
  • Bin Yuan

摘要

Advanced Persistent Threat campaigns have increasingly adopted semantic obfuscation techniques in malicious Office macros, rendering the code logic opaque to traditional scrutiny. Despite the decline in volumetric attacks following Microsoft’s default blocking policy, these sophisticated vectors can bypass traditional static syntactic pattern matching and evade dynamic analysis through environment awareness guardrails. To recover logic hidden by such obfuscation, this paper proposes a static analysis framework centered on semantic-aware code reconstruction. Unlike conventional methods, our approach reconstructs the underlying execution logic from obfuscated scripts to extract hidden Indicators of Compromise (IoCs). A notable feature of this framework is the Obfuscation Awareness and Splitting Approach. This algorithmic mechanism addresses the challenges of context window limitations and logical fragmentation by utilizing quantitative metrics to identify high-density obfuscation zones and optimally partition scripts, ensuring the preservation of semantic continuity during reconstruction. We then employ a generative semantic engine to process these partitions, feeding a hybrid feature extraction pipeline for multidimensional threat characterization. We systematically evaluate the framework on a contemporary dataset of obfuscated malicious macros. Experimental results demonstrate that our semantic reconstruction approach achieves an average precision of 74.57% in IoC extraction, outperforming conventional static analysis in our evaluation. When integrated with machine learning classifiers, the framework attains a maximum detection accuracy of 98.89%. The experimental results indicate the effectiveness and robustness of our semantic deobfuscation-based framework in real-world malware detection, offering enterprises a scalable solution for defensive deployment.