• Nov 09, 2021 News!Vol.13, No. 4 has been published with online version.   [Click]
  • Aug 07, 2021 News!Vol.13, No. 3 has been published with online version.   [Click]
  • Dec 24, 2021 News!Vol. 13, no. 1 & no. 2 has been indexed by INSPEC!   [Click]
General Information
    • ISSN: 1793-8236 (Online)
    • Abbreviated Title Int. J. Eng. Technol.
    • Frequency:  Quarterly 
    • DOI: 10.7763/IJET
    • Executive Editor: Ms.Yoyo Y. Zhou
    • Abstracting/ Indexing: Chemical Abstracts Services (CAS) EBSCO, Google Scholar, Ulrich Periodicals Directory, Crossref, ProQuest, Index CopernicusINSPECCNKI.
    • E-mail: ijet@vip.163.com
Prof. T. Hikmet Karakoc
Anadolu University, Faculty of Aeronautics and Astronautics, Turkey

IJET 2016 Vol.8(2): 101-106 ISSN: 1793-8236
DOI: 10.7763/IJET.2016.V8.866

A Method for Shellcode Extractionfrom Malicious Document Files Using Entropy and Emulation

Kazuki Iwamoto and Katsumi Wasaki
Abstract—We propose a method for the dynamic analysis of malicious documents that can exploit various types of vulnerability in applications. Static analysis of a document can be used to identify the type of vulnerability involved. However, it can be difficult to identify unknown vulnerabilities, and the application may not be available even if we could identify the vulnerability. In fact, malicious code that is executed after the exploitation may not have a relationship with the type of vulnerability in many cases. In this paper, we propose a method that extracts and executes “shellcode” to analyze malicious documents without requiring identification of the vulnerability or the application. Our system extracts shellcode by executing byte sequences to observe the features of a document file in a priority order decided on the basis of entropy.Our system was used to analyze 88 malware samples and was able to extract shellcode from 74 samples. of these, 51 extracted shellcodes behaved as malicious software according to dynamic analysis.

Index Terms—Malware, shellcode, entropy, dynamic analysis, vulnerability.

Kazuki Iwamoto is with Advanced Research Laboratory at SecureBrain Corporation, Kojimachi RK Building 4F 2-6-7 Kojimachi, Chiyoda-ku Tokyo, Japan (e-mail: kazuki_iwamoto@securebrain.co.jp).
Katsumi Wasaki is with Interdisciplinary Graduate School of Science and Technology, Shinshu University, 4-17-1 Wakazato, Nagano-shi, Japan (e-mail: wasaki@cs.shinshu-u.ac.jp).


Cite: Kazuki Iwamoto and Katsumi Wasaki, "A Method for Shellcode Extractionfrom Malicious Document Files Using Entropy and Emulation," International Journal of Engineering and Technology vol. 8, no. 2, pp. 101-106, 2016.

Copyright © 2008-2022. International Journal of Engineering and Technology. All rights reserved. 
E-mail: ijet@vip.163.com