{
  "status":"ok",
  "message-type":"work",
  "message-version":"1.0.0",
  "message":{
    "indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T16:22:12Z","timestamp":1775838132147,"version":"3.50.1"},
    "reference-count":43,
    "publisher":"Springer Science and Business Media LLC",
    "issue":"4",
    "license":[
      {"start":{"date-parts":[[2024,7,2]],"date-time":"2024-07-02T00:00:00Z","timestamp":1719878400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},
      {"start":{"date-parts":[[2024,7,2]],"date-time":"2024-07-02T00:00:00Z","timestamp":1719878400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}
    ],
    "funder":[
      {"DOI":"10.13039\/501100000780","name":"European Union","doi-asserted-by":"crossref","award":["PE00000014"],"award-info":[{"award-number":["PE00000014"]}],"id":[{"id":"10.13039\/501100000780","id-type":"DOI","asserted-by":"crossref"}]}
    ],
    "content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},
    "short-container-title":["J Comput Virol Hack Tech"],
    "abstract":"<jats:title>Abstract<\/jats:title><jats:p>Macro-based Office files have been extensively used as infection vectors to embed malware. In particular, VBA macros allow leveraging kernel functions and system routines to execute or remotely drop malicious payloads, and they are typically heavily obfuscated to make static analysis unfeasible. Current state-of-the-art approaches focus on discriminating between malicious and benign Office files by performing static and dynamic analysis directly on obfuscated macros, focusing mainly on detection rather than reversing. Namely, the proposed methods lack an in-depth analysis of the embedded macros, thus losing valuable information about the attack families, the embedded scripts, and the contacted external resources. In this paper, we propose Oblivion, an open-source framework for large-scale analysis of Office macros, to fill in this gap. Oblivion performs instrumentation of macros and executes them in a virtualized environment to de-obfuscate and reconstruct their behavior. Moreover, it can automatically and quickly interact with macros by extracting the embedded PowerShell and non-PowerShell attacks and reconstructing the whole macro behavior. This is the main scope of our analysis: we are more interested in retrieving specific behavioural patterns than detecting maliciousness per se. We performed a large-scale analysis of more than 30,000 files that constitute a representative corpus of attacks. Results show that Oblivion could efficiently de-obfuscate malicious macros by revealing a large corpus of PowerShell and non-PowerShell attacks. We measured that this efficiency can be quantified in an analysis time of less than 1\u00a0min per sample, on average. Moreover, we characterize such attacks by pointing out frequent attack patterns and employed obfuscation strategies. We finally release the information obtained from our dataset with our tool.<\/jats:p>",
    "DOI":"10.1007\/s11416-024-00531-3",
    "type":"journal-article",
    "created":{"date-parts":[[2024,7,2]],"date-time":"2024-07-02T15:26:40Z","timestamp":1719934000000},
    "page":"783-802",
    "update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy",
    "source":"Crossref",
    "is-referenced-by-count":2,
    "title":["Oblivion: an open-source system for large-scale analysis of macro-based office malware"],
    "prefix":"10.1007",
    "volume":"20",
    "author":[
      {"ORCID":"https:\/\/orcid.org\/0000-0002-0610-7736","authenticated-orcid":false,"given":"Alessandro","family":"Sanna","sequence":"first","affiliation":[]},
      {"given":"Fabrizio","family":"Cara","sequence":"additional","affiliation":[]},
      {"ORCID":"https:\/\/orcid.org\/0000-0003-2640-4663","authenticated-orcid":false,"given":"Davide","family":"Maiorca","sequence":"additional","affiliation":[]},
      {"ORCID":"https:\/\/orcid.org\/0000-0002-5759-3017","authenticated-orcid":false,"given":"Giorgio","family":"Giacinto","sequence":"additional","affiliation":[]}
    ],
    "member":"297",
    "published-online":{"date-parts":[[2024,7,2]]},
    "reference":[
      {"key":"531_CR1","unstructured":"Symantec: Internet Security Threat Report 24 (2019). https:\/\/www.symantec.com\/content\/dam\/symantec\/docs\/reports\/istr-24-2019-en.pdf"},
      {"key":"531_CR2","doi-asserted-by":"crossref","unstructured":"Verizon: Data Breach Investigations Report (2020). https:\/\/enterprise.verizon.com\/resources\/reports\/dbir\/","DOI":"10.1016\/S1361-3723(20)30059-2"},
      {"key":"531_CR3","doi-asserted-by":"publisher","DOI":"10.1145\/3332184","author":"D Maiorca","year":"2019","unstructured":"Maiorca, D., Biggio, B., Giacinto, G.: Towards adversarial malware detection: lessons learned from pdf-based attacks. ACM Comput. Surv. (2019). https:\/\/doi.org\/10.1145\/3332184","journal-title":"ACM Comput. Surv."},
      {"key":"531_CR4","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.101901","author":"D Maiorca","year":"2020","unstructured":"Maiorca, D., Demontis, A., Biggio, B., Roli, F., Giacinto, G.: Adversarial detection of flash malware: limitations and open issues. Comput. Secur. (2020). https:\/\/doi.org\/10.1016\/j.cose.2020.101901","journal-title":"Comput. Secur."},
      {"key":"531_CR5","doi-asserted-by":"crossref","unstructured":"McAfee: McAfee Labs Threat Report (2019)","DOI":"10.1016\/S1361-3723(19)30004-1"},
      {"key":"531_CR6","unstructured":"Decalage: OleVBA (2016). https:\/\/github.com\/decalage2\/oletools\/wiki\/olevba"},
      {"key":"531_CR7","unstructured":"ESET: VBA Dynamic Hook (2016). https:\/\/github.com\/eset\/vba-dynamic-hook"},
      {"key":"531_CR8","doi-asserted-by":"publisher","first-page":"631","DOI":"10.1109\/TIFS.2016.2631905","volume":"1","author":"N Nissim","year":"2017","unstructured":"Nissim, N., Cohen, A., Elovici, Y.: ALDOCX: detection of unknown malicious microsoft office documents using designated active learning methods based on new structural feature extraction methodology. IEEE Trans. Inf. Forens. Secur. 1, 631\u2013646 (2017). https:\/\/doi.org\/10.1109\/TIFS.2016.2631905","journal-title":"IEEE Trans. Inf. Forens. Secur."},
      {"key":"531_CR9","doi-asserted-by":"publisher","unstructured":"Kim, S., Hong, S., Oh, J., Lee, H.: Obfuscated VBA Macro Detection Using Machine Learning, pp. 490\u2013501 (2018). https:\/\/doi.org\/10.1109\/DSN.2018.00057","DOI":"10.1109\/DSN.2018.00057"},
      {"key":"531_CR10","doi-asserted-by":"publisher","unstructured":"Lu, X., Wang, F., Shu, Z.: Malicious Word Document Detection Based on Multi-View Features Learning, pp. 1\u20136 (2019). https:\/\/doi.org\/10.1109\/ICCCN.2019.8846940","DOI":"10.1109\/ICCCN.2019.8846940"},
      {"key":"531_CR11","unstructured":"Stichting Cuckoo Foundation: Cuckoo Sandbox (2019). https:\/\/cuckoosandbox.org\/"},
      {"key":"531_CR12","unstructured":"Any.Run: Any Run Sandbox (2023). https:\/\/app.any.run\/"},
      {"key":"531_CR13","unstructured":"Hybrid Analysis: Hybrid Analysis Sandbox (2023). https:\/\/www.hybrid-analysis.com\/"},
      {"key":"531_CR14","unstructured":"Microsoft: Technical Docs (2020). https:\/\/docs.microsoft.com\/en-us\/"},
      {"key":"531_CR15","unstructured":"Microsoft: Compound File Binary File Format (2019). https:\/\/docs.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-cfb\/"},
      {"key":"531_CR16","unstructured":"Microsoft: Word (.doc) Binary File Format (2019). https:\/\/docs.microsoft.com\/en-us\/openspecs\/office_file_formats\/ms-doc"},
      {"key":"531_CR17","unstructured":"Microsoft: Excel (.xls) Binary File Format (2019). https:\/\/docs.microsoft.com\/en-us\/openspecs\/office_file_formats\/ms-xls\/"},
      {"key":"531_CR18","unstructured":"ECMA: Standard ECMA-375 Office Open XML File Formats (2016). http:\/\/www.ecma-international.org\/publications\/standards\/Ecma-376.htm"},
      {"key":"531_CR19","unstructured":"Microsoft: Visual Basic Concepts (2019). https:\/\/docs.microsoft.com\/en-us\/previous-versions\/visualstudio\/visual-basic-6\/"},
      {"key":"531_CR20","unstructured":"Champs, E.: Top 100 Useful Excel Macro VBA Codes Examples (2019). https:\/\/excelchamps.com\/blog\/useful-macro-codes-for-vba-newcomers\/"},
      {"key":"531_CR21","doi-asserted-by":"publisher","unstructured":"Schreck, T., Berger, S., G\u00f6bel, J.: Bissam: Automatic Vulnerability Identification of Office Documents, pp. 204\u2013213 (2013). https:\/\/doi.org\/10.1007\/978-3-642-37300-8_12","DOI":"10.1007\/978-3-642-37300-8_12"},
      {"key":"531_CR22","doi-asserted-by":"publisher","unstructured":"Smutz, C., Stavrou, A.: Preventing Exploits in Microsoft Office Documents Through Content Randomization, pp. 225\u2013246 (2015). https:\/\/doi.org\/10.1007\/978-3-319-26362-5_11","DOI":"10.1007\/978-3-319-26362-5_11"},
      {"key":"531_CR23","doi-asserted-by":"publisher","unstructured":"Ruaro, N., Pagani, F., Ortolani, S., Kruegel, C., Vigna, G.: SYMBEXCEL: Automated Analysis and Understanding of Malicious Excel 4.0 Macros, pp. 1066\u20131081 (2022). https:\/\/doi.org\/10.1109\/SP46214.2022.9833765","DOI":"10.1109\/SP46214.2022.9833765"},
      {"key":"531_CR24","doi-asserted-by":"publisher","unstructured":"Mimura, M., Ohminami, T.: Towards Efficient Detection of Malicious VBA Macros with lsi, pp. 168\u2013185 (2019). https:\/\/doi.org\/10.1007\/978-3-030-26834-3_10","DOI":"10.1007\/978-3-030-26834-3_10"},
      {"key":"531_CR25","doi-asserted-by":"publisher","DOI":"10.2197\/ipsjjip.28.493","author":"M Mimura","year":"2020","unstructured":"Mimura, M., Ohminami, T.: Using lsi to detect unknown malicious VBA macros. J. Inf. Process. (2020). https:\/\/doi.org\/10.2197\/ipsjjip.28.493","journal-title":"J. Inf. Process."},
      {"key":"531_CR26","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102582","author":"V Koutsokostas","year":"2022","unstructured":"Koutsokostas, V., Lykousas, N., Apostolopoulos, T., Orazi, G., Ghosal, A., Casino, F., Conti, M., Patsakis, C.: Invoice #31415 attached: automated analysis of malicious microsoft office documents. Comput. Secur. (2022). https:\/\/doi.org\/10.1016\/j.cose.2021.102582","journal-title":"Comput. Secur."},
      {"key":"531_CR27","doi-asserted-by":"publisher","DOI":"10.1145\/3564625.3567982","author":"J Yan","year":"2022","unstructured":"Yan, J., Wan, M., Jia, X., Ying, L., Su, P., Wang, Z.: Ditdetector: bimodal learning based on deceptive image and text for macro malware detection. ACM Int. Conf. Proc. Ser. (2022). https:\/\/doi.org\/10.1145\/3564625.3567982","journal-title":"ACM Int. Conf. Proc. Ser."},
      {"key":"531_CR28","unstructured":"Rousseau, A.: Hijacking. net to defend powershell. CoRR (2017). https:\/\/doi.org\/10.48550\/arXiv.1709.07508"},
      {"key":"531_CR29","unstructured":"Bohannon, D., Holmes, L.: Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science (2017). https:\/\/www.blackhat.com\/docs\/us-17\/thursday\/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Sciencewp.pdf"},
      {"key":"531_CR30","doi-asserted-by":"publisher","unstructured":"Hendler, D., Kels, S., Rubin, A.: Detecting Malicious Powershell Commands Using Deep Neural Networks, pp. 187\u2013197 (2018). https:\/\/doi.org\/10.1145\/3196494.3196511","DOI":"10.1145\/3196494.3196511"},
      {"key":"531_CR31","doi-asserted-by":"publisher","unstructured":"Gili\u00a0Rusak, U.-M.O. Abdullah\u00a0Al-Dujaili: Poster: Ast-based deep learning for detecting malicious powershell. CoRR (2018). https:\/\/doi.org\/10.1145\/3243734.3278496","DOI":"10.1145\/3243734.3278496"},
      {"key":"531_CR32","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2022.3232505","author":"M-H Tsai","year":"2023","unstructured":"Tsai, M.-H., Lin, C.-C., He, Z.-G., Yang, W.-C., Lei, C.-L.: Powerdp: de-obfuscating and profiling malicious powershell commands with multi-label classifiers. IEEE Access (2023). https:\/\/doi.org\/10.1109\/ACCESS.2022.3232505","journal-title":"IEEE Access"},
      {"key":"531_CR33","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102658","author":"A Alahmadi","year":"2022","unstructured":"Alahmadi, A., Alkhraan, N., BinSaeedan, W.: Mpsautodetect: a malicious powershell script detection model based on stacked denoising auto-encoder. Comput. Secur. (2022). https:\/\/doi.org\/10.1016\/j.cose.2022.102658","journal-title":"Comput. Secur."},
      {"key":"531_CR34","doi-asserted-by":"publisher","unstructured":"Ugarte, D., Maiorca, D., Cara, F., Giacinto, G.: Powerdrive: Accurate De-Obfuscation and Analysis of Powershell Malware, pp. 240\u2013259 (2019). https:\/\/doi.org\/10.1007\/978-3-030-22038-9_12","DOI":"10.1007\/978-3-030-22038-9_12"},
      {"key":"531_CR35","doi-asserted-by":"publisher","unstructured":"Li, Z., Chen, Q.A., Xiong, C., Chen, Y., Zhu, T., Yang, H.: Effective and Light-Weight Deobfuscation and Semantic-Aware Attack Detection for Powershell Scripts, pp. 1831\u20131847 (2019). https:\/\/doi.org\/10.1145\/3319535.3363187","DOI":"10.1145\/3319535.3363187"},
      {"key":"531_CR36","doi-asserted-by":"publisher","unstructured":"Usui, T., Otsuki, Y., Kawakoya, Y., Iwamura, M., Miyoshi, J., Matsuura, K.: My script engines know what you did in the dark: converting engines into script api tracers. ACSAC \u201919, pp. 466\u2013477. Association for Computing Machinery, New York, NY, USA (2019). https:\/\/doi.org\/10.1145\/3359789.3359849","DOI":"10.1145\/3359789.3359849"},
      {"key":"531_CR37","doi-asserted-by":"publisher","DOI":"10.1145\/3416126","author":"T Usui","year":"2021","unstructured":"Usui, T., Otsuki, Y., Ikuse, T., Kawakoya, Y., Iwamura, M., Miyoshi, J., Matsuura, K.: Automatic reverse engineering of script engine binaries for building script API tracers. Digit. Threat. (2021). https:\/\/doi.org\/10.1145\/3416126","journal-title":"Digit. Threat."},
      {"key":"531_CR38","unstructured":"Boldwin, F.: Office MalScanner (2019). www.reconstructer.org"},
      {"key":"531_CR39","unstructured":"Sandboxie Holdings: Sandboxie (2019). https:\/\/www.sandboxie.com\/"},
      {"key":"531_CR40","unstructured":"VirusTotal: VirusTotal Service (2023). https:\/\/www.virustotal.com"},
      {"key":"531_CR41","doi-asserted-by":"publisher","unstructured":"Sebasti\u00e1n, S., Caballero, J.: Avclass2: massive malware tag extraction from av labels. In: Proceedings of the 36th Annual Computer Security Applications Conference, pp. 42\u201353. Association for Computing Machinery, New York (2020). https:\/\/doi.org\/10.1145\/3427228.3427261","DOI":"10.1145\/3427228.3427261"},
      {"key":"531_CR42","unstructured":"Philippe Lagadec: Advanced VBA Macros Attack And Defence (2019). https:\/\/www.decalage.info\/files\/eu-19-Lagadec-Advanced-VBA-Macros-Attack-And-Defence.pdf"},
      {"key":"531_CR43","unstructured":"Poonamr Blog: How to Crack the VBA Password Manually? (2015). https:\/\/poonamrblog.wordpress.com\/2015\/11\/25\/how-to-crack-the-vba-password-manually\/"}
    ],
    "container-title":["Journal of Computer Virology and Hacking Techniques"],
    "original-title":[],
    "language":"en",
    "link":[
      {"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-024-00531-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},
      {"URL":"https:\/\/link.springer.com\/article\/10.1007\/s11416-024-00531-3\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},
      {"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-024-00531-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}
    ],
    "deposited":{"date-parts":[[2024,10,15]],"date-time":"2024-10-15T15:13:07Z","timestamp":1729005187000},
    "score":1,
    "resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s11416-024-00531-3"}},
    "subtitle":[],
    "short-title":[],
    "issued":{"date-parts":[[2024,7,2]]},
    "references-count":43,
    "journal-issue":{"issue":"4","published-online":{"date-parts":[[2024,11]]}},
    "alternative-id":["531"],
    "URL":"https:\/\/doi.org\/10.1007\/s11416-024-00531-3",
    "relation":{},
    "ISSN":["2263-8733"],
    "issn-type":[{"value":"2263-8733","type":"electronic"}],
    "subject":[],
    "published":{"date-parts":[[2024,7,2]]},
    "assertion":[
      {"value":"8 March 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},
      {"value":"7 June 2024","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},
      {"value":"2 July 2024","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}
    ]
  }
}