Abstract: The massive use of Microsoft Office documents underscores the need for effective malicious document detection techniques. Most detection methods characterize document behavior using application programming interface (API) traces or other descriptive information, but ignore memory information because of the inherent difficulties of collecting it. Since many malicious behavior patterns are only manifested in memory, these detection methods are vulnerable to ubiquitous evasion attacks. One difficulty in extracting malicious behavior information from memory is that only high-coverage memory dump sequences are meaningful, but no established methods exist for obtaining them. Another difficulty is that no efficient method exists for representing the numerous long memory dump sequences associated with malicious document samples.
External IDs: dblp:conf/ifip11-9/WangL0CJMH23