{"title":"Analyze and detect malicious code for compound document binary storage format","authors":"Yubin Gao, De-yu Qi","doi":"10.1109/ICMLC.2011.6016767","DOIUrl":null,"url":null,"abstract":"Comparing traditional malicious attack, embedding malicious codes into documents is becoming a more efficient and hidden way. The attackers embed the malicious codes into a document based on the document storage format so that they activate secretively when the document is opened by third-party software. With a simple action of double click the document, it could bring a nightmare to the user. Through researching and analyzing the structure of compound file, we mainly focus on the Word documents, and try to find out a method to detect them. We have used the bloom filter as well as the entropy rate of Markov chain and reached a high accuracy. Detect embedded malicious codes by analyzing the embedded codes themselves, because they are machine instructions which must can execute by CPU. A basic assumption is that the machine instructions in the document are different from the normal text, pictures, tables, etc. The basic direction of detection is to find the different areas in the document. Thus, we use the entropy rate as a measure to quantify this distinction.","PeriodicalId":228516,"journal":{"name":"2011 International Conference on Machine Learning and Cybernetics","volume":"4 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-07-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 International Conference on Machine Learning and Cybernetics","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICMLC.2011.6016767","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 4
Abstract
Compared with traditional attacks, embedding malicious code into documents is becoming a more efficient and covert attack vector. The attacker embeds the code in a document according to the document's storage format, so that it is activated silently when the document is opened by third-party software; a simple double click on the document can be a nightmare for the user. By studying and analysing the structure of compound files, with Word documents as the main focus, we try to find a method for detecting such documents. We have used a Bloom filter together with the entropy rate of a Markov chain and reached high accuracy. Embedded malicious code is detected by analysing the embedded code itself, because it consists of machine instructions that must be executable by the CPU. The basic assumption is that machine instructions stored in a document differ from normal content such as text, pictures and tables, so the detection strategy is to find the regions of the document that differ from the rest. We therefore use the entropy rate as a measure to quantify this distinction.
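The abstract states the detection idea (machine code stored in a compound file has a different first-order Markov entropy rate from the surrounding text) but not the computation. The following block is an added example, written here and not taken from the paper, that implements that measurement: it gates on the compound-file (MS-CFB) signature, estimates the entropy rate of a first-order Markov chain over byte values in sliding windows, and flags windows whose rate exceeds a baseline calibrated on known-clean content. The sample document, the repeated English sentence used as "normal" content, the pseudo-random bytes used as a stand-in for machine code, the window size and the margin are all constructed assumptions of this example; the paper's Bloom-filter component is not reproduced here, and the example scans the raw byte stream rather than walking the CFB sector/FAT layout.

```python
"""Entropy-rate scan of a compound-file byte stream (added example, not the paper's code)."""
import math
import random
from collections import Counter, defaultdict

# OLE2 / Compound File Binary signature: the first 8 bytes of the file (MS-CFB).
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def is_compound_file(data: bytes) -> bool:
    """Cheap gate: only scan files that carry the CFB signature."""
    return data[:8] == CFB_MAGIC


def markov_entropy_rate(data: bytes) -> float:
    """First-order Markov entropy rate of a byte stream, in bits per byte.

    The stream is modelled as a Markov chain whose states are byte values:
        H = -sum_a p(a) * sum_b P(b|a) * log2 P(b|a)
    P(b|a) is the empirical successor distribution in this window, and p(a) is
    the predecessor frequency, used as a stand-in for the stationary
    distribution (an assumption of this example, not the paper's definition).
    Note: with 256 states the estimate is biased low for windows that are
    small relative to the alphabet, so baselines must be computed at the same
    window size as the scan.
    """
    if len(data) < 2:
        return 0.0
    successors = defaultdict(Counter)
    for a, b in zip(data, data[1:]):
        successors[a][b] += 1
    n_transitions = len(data) - 1
    h = 0.0
    for nexts in successors.values():
        total = sum(nexts.values())
        p_a = total / n_transitions
        for count in nexts.values():
            p_b_given_a = count / total
            h -= p_a * p_b_given_a * math.log2(p_b_given_a)
    return h


def scan_windows(data: bytes, baseline_rate: float, window: int = 2048,
                 step: int = 512, margin: float = 1.0):
    """Return (offset, rate) for every window whose entropy rate exceeds
    baseline_rate + margin. Window, step and margin are illustrative values."""
    flagged = []
    for offset in range(0, len(data) - window + 1, step):
        rate = markov_entropy_rate(data[offset:offset + window])
        if rate > baseline_rate + margin:
            flagged.append((offset, round(rate, 3)))
    return flagged


# --- Constructed sample input (not real data) ---------------------------------
SENTENCE = b"The quick brown fox jumps over the lazy dog. "
TEXT = (SENTENCE * (4096 // len(SENTENCE) + 1))[:4096]   # "normal" document content
_rng = random.Random(7)
CODE = bytes(_rng.getrandbits(8) for _ in range(2048))   # stand-in for embedded machine code
DOC = CFB_MAGIC + TEXT + CODE + TEXT                     # signature, text, code, text
CODE_START = len(CFB_MAGIC) + len(TEXT)
CODE_END = CODE_START + len(CODE)


def demo():
    """Calibrate on clean text at the scan window size, then scan the sample."""
    if not is_compound_file(DOC):
        return []
    baseline = markov_entropy_rate(TEXT[:2048])
    return scan_windows(DOC, baseline)


if __name__ == "__main__":
    print("baseline text rate :", round(markov_entropy_rate(TEXT[:2048]), 3))
    print("code-only rate     :", round(markov_entropy_rate(CODE), 3))
    for off, rate in demo():
        print(f"flagged window at offset {off}: {rate} bits/byte")
```

On this sample the repeated text scores roughly 1 bit per byte while the random-byte stand-in scores close to 3 bits per byte at a 2048-byte window, so the windows covering the embedded region are the ones flagged. Real English text and real x86 code both have higher first-order entropy than these constructed inputs, and the gap between them is narrower, which is why the threshold should be calibrated from genuine clean documents of the same type rather than taken from this example.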