Abstract—We propose a method for the dynamic analysis of malicious documents that can exploit various types of vulnerability in applications. Static analysis of a document can be used to identify the type of vulnerability involved. However, it can be difficult to identify unknown vulnerabilities, and the application may not be available even if we could identify the vulnerability. In fact, malicious code that is executed after the exploitation may not have a relationship with the type of vulnerability in many cases. In this paper, we propose a method that extracts and executes “shellcode” to analyze malicious documents without requiring identification of the vulnerability or the application. Our system extracts shellcode by executing byte sequences to observe the features of a document file in a priority order decided on the basis of entropy.Our system was used to analyze 88 malware samples and was able to extract shellcode from 74 samples. of these, 51 extracted shellcodes behaved as malicious software according to dynamic analysis.
Index Terms—Malware, shellcode, entropy, dynamic analysis, vulnerability.
Kazuki Iwamoto is with Advanced Research Laboratory at SecureBrain Corporation, Kojimachi RK Building 4F 2-6-7 Kojimachi, Chiyoda-ku Tokyo, Japan (e-mail: kazuki_iwamoto@securebrain.co.jp).
Katsumi Wasaki is with Interdisciplinary Graduate School of Science and Technology, Shinshu University, 4-17-1 Wakazato, Nagano-shi, Japan (e-mail: wasaki@cs.shinshu-u.ac.jp).
[PDF]
Cite: Kazuki Iwamoto and Katsumi Wasaki, "A Method for Shellcode Extractionfrom Malicious Document Files Using Entropy and Emulation," International Journal of Engineering and Technology vol. 8, no. 2, pp. 101-106, 2016.
