Visible to the public SYMBEXCEL: Automated Analysis and Understanding of Malicious Excel 4.0 Macros

TitleSYMBEXCEL: Automated Analysis and Understanding of Malicious Excel 4.0 Macros
Publication TypeConference Paper
Year of Publication2022
AuthorsRuaro, Nicola, Pagani, Fabio, Ortolani, Stefano, Kruegel, Christopher, Vigna, Giovanni
Conference Name2022 IEEE Symposium on Security and Privacy (SP)
Date Publishedmay
KeywordsCollaboration, composability, Computer-Security, Ecosystems, Forensics, Malware, Malware-Analysis, Microsoft-Excel, obfuscation, policy governance, privacy, pubcrawl, Sandboxing, security, software reliability, static analysis, Symbolic-Execution
AbstractMalicious software (malware) poses a significant threat to the security of our networks and users. In the ever-evolving malware landscape, Excel 4.0 Office macros (XL4) have recently become an important attack vector. These macros are often hidden within apparently legitimate documents and under several layers of obfuscation. As such, they are difficult to analyze using static analysis techniques. Moreover, the analysis in a dynamic analysis environment (a sandbox) is challenging because the macros execute correctly only under specific environmental conditions that are not always easy to create. This paper presents SYMBEXCEL, a novel solution that leverages symbolic execution to deobfuscate and analyze Excel 4.0 macros automatically. Our approach proceeds in three stages: (1) The malicious document is parsed and loaded in memory; (2) Our symbolic execution engine executes the XL4 formulas; and (3) Our Engine concretizes any symbolic values encountered during the symbolic exploration, therefore evaluating the execution of each macro under a broad range of (meaningful) environment configurations. SYMBEXCEL significantly outperforms existing deobfuscation tools, allowing us to reliably extract Indicators of Compromise (IoCs) and other critical forensics information. Our experiments demonstrate the effectiveness of our approach, especially in deobfuscating novel malicious documents that make heavy use of environment variables and are often not identified by commercial anti-virus software.
NotesISSN: 2375-1207
Citation Keyruaro_symbexcel_2022