{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,28]],"date-time":"2025-09-28T20:34:55Z","timestamp":1759091695926,"version":"3.37.3"},"reference-count":77,"publisher":"IEEE","license":[{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,5]]},"DOI":"10.1109\/sp46214.2022.9833765","type":"proceedings-article","created":{"date-parts":[[2022,7,27]],"date-time":"2022-07-27T19:28:05Z","timestamp":1658950085000},"page":"1066-1081","source":"Crossref","is-referenced-by-count":16,"title":["SYMBEXCEL: Automated Analysis and Understanding of Malicious Excel 4.0 Macros"],"prefix":"10.1109","author":[{"given":"Nicola","family":"Ruaro","sequence":"first","affiliation":[{"name":"University of California,Santa Barbara"}]},{"given":"Fabio","family":"Pagani","sequence":"additional","affiliation":[{"name":"University of California,Santa Barbara"}]},{"given":"Stefano","family":"Ortolani","sequence":"additional","affiliation":[{"name":"VMware"}]},{"given":"Christopher","family":"Kruegel","sequence":"additional","affiliation":[{"name":"University of California,Santa Barbara"}]},{"given":"Giovanni","family":"Vigna","sequence":"additional","affiliation":[{"name":"University of California,Santa Barbara"}]}],"member":"263","reference":[{"year":"2021","key":"ref57","article-title":"Library of Congress (loc.gov). Microsoft office excel 97-2003 binary file format (.xls, biff8)"},{"article-title":"SQUIRREL-WAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike","year":"2021","author":"brumaghin","key":"ref13"},{"year":"2021","key":"ref56","article-title":"Library of Congress (loc.gov). Microsoft Office Excel 97-2003 Binary File Format (.xls, BIFF8)"},{"key":"ref12","first-page":"3","article-title":"Persistence in Linux-based IoT malware","author":"brierley","year":"2020","journal-title":"Nordic Conference on Secure IT Systems"},{"key":"ref59","article-title":"Malpedia: a collaborative effort to inventorize the malware landscape","author":"plohmann","year":"2017","journal-title":"Proceedings of the Botconf"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-68768-1_4"},{"article-title":"Excel 4.0 Macro Functions Reference","year":"2017","author":"treacy","key":"ref58"},{"article-title":"Bitscope: Automatically dissecting malicious binaries","year":"2007","author":"brumley","key":"ref14"},{"article-title":"XLMMacroDeobfuscator","year":"2020","author":"niakanlahiji","key":"ref53"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2007.17"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1145\/3471621.3471848"},{"key":"ref11","article-title":"A View on Current Malware Behaviors","author":"bayer","year":"2009","journal-title":"LEET"},{"year":"2021","author":"niakanlahiji","key":"ref54"},{"key":"ref10","article-title":"Efficient Extraction of Malware Signatures Through System Calls and Symbolic Execution: An Experience Report","author":"baranov","year":"2018","journal-title":"hal-01954483"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/2338965.2336768"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2018.2879302"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243771"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2020.04.031"},{"article-title":"Cybercrime To Cost The World $10.5 Trillion Annually By 2025","year":"2021","author":"morgan","key":"ref51"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-99807-7_1"},{"year":"2021","key":"ref46","article-title":"Microsoft. WS-AtomicTransaction Configuration Utility"},{"year":"2021","key":"ref45","article-title":"Microsoft. Excel (.xlsb) Binary File Format"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.2197\/ipsjjip.27.555"},{"year":"2021","key":"ref47","article-title":"Microsoft. XLM + AMSI: New runtime defense against Excel 4.0 macro malware"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24297"},{"article-title":"Identifying Excel 4.0 Macro strains using Anomaly Detection","year":"2021","author":"leibovich","key":"ref41"},{"year":"2021","key":"ref44","article-title":"Microsoft. Excel (.xls) Binary File Format"},{"year":"2021","key":"ref43","article-title":"Microsoft. Excel functions"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-26834-3_10"},{"article-title":"Excel Formula Parsing","year":"2021","author":"bachtal","key":"ref8"},{"key":"ref7","article-title":"Forecasting Malware Capabilities From Cyber Attack Memory Images","author":"alrawi","year":"2021","journal-title":"30th USENIX Security Symposium (USENIX Security 21)"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60080-2_12"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1109\/SCAM.2015.7335408"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24310"},{"year":"2022","key":"ref6","article-title":"AlienVault OTX. AlienVault OTX"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1002\/smr.1895"},{"key":"ref40","first-page":"255","article-title":"K-Tracer: A System for Extracting Kernel Malware Behavior","author":"lanzi","year":"2009","journal-title":"NDSS"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813642"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2018.00057"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813724"},{"key":"ref36","article-title":"Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes","author":"k\u00fcchler","year":"2021","journal-title":"Internet Society Symposium on Network and Distributed Systems Security NDSS-96"},{"article-title":"Emotet Is Not Dead (Yet)","year":"2022","author":"zhang","key":"ref75"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/ICCIT.2007.320"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1145\/1281192.1281308"},{"key":"ref30","first-page":"102","article-title":"A static, packer-agnostic filter to detect similar malware samples","author":"jacob","year":"2012","journal-title":"Detection of Intrusions and Malware and Vulnerability Assessment"},{"key":"ref77","article-title":"SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs in Linux kernel","author":"zou","year":"2022","journal-title":"31st USENIX Security Symposium (USENIX Security 22)"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/1655148.1655151"},{"article-title":"Emotet Is Not Dead (Yet), Part 2","year":"2022","author":"zhang","key":"ref76"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2011.41"},{"year":"2022","key":"ref2","article-title":"abuse.ch. URLhaus: Malware URL exchange"},{"year":"2022","key":"ref1","article-title":"abuse.ch. MalwareBazaar: Malware sample exchange"},{"year":"0","key":"ref39","article-title":"Philippe Lagadec. oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging"},{"year":"0","key":"ref38","article-title":"Philippe Lagadec. A VBA parser and emulation engine to analyze malicious macros"},{"key":"ref71","doi-asserted-by":"crossref","first-page":"47","DOI":"10.1109\/EuroSP.2019.00014","article-title":"Droidevolver: Self-evolving android malware detection system","author":"xu","year":"2019","journal-title":"2019 IEEE European Symposium on Security and Privacy (EuroS&P)"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2021.3063840"},{"article-title":"WIRTE&#x2019;s campaign in the Middle East &#x2019;living off the land&#x2019; since at least 2019","year":"2021","author":"yamout","key":"ref73"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813663"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-40667-1_10"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/1168917.1168862"},{"article-title":"Evolution of Excel 4.0 Macro Weaponization, Part 2","year":"2020","author":"singh","key":"ref67"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427256"},{"key":"ref26","first-page":"337","article-title":"Z3: An efficient SMT solver","author":"moura","year":"2008","journal-title":"International Conference on Tools and Algorithms for the Construction and Analysis of Systems"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_26"},{"key":"ref25","first-page":"463","article-title":"FIE on firmware: Finding vulnerabilities in embedded systems using symbolic execution","author":"davidson","year":"2013","journal-title":"22nd USENIX Security Symposium (USENIX Security'13) USENIX"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.101775"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2005.20"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427261"},{"article-title":"Excel 4.0 Macros - The Risk of Hidden Threats in Compound Files","year":"2020","author":"simmons","key":"ref66"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00054"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.17"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.12"},{"article-title":"Evolution of Excel 4.0 Macro Weaponization","year":"2020","author":"haughom","key":"ref28"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/CNS48642.2020.9162164"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134050"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24479"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-70542-0_6"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.5120\/6194-8715"}],"event":{"name":"2022 IEEE Symposium on Security and Privacy (SP)","start":{"date-parts":[[2022,5,22]]},"location":"San Francisco, CA, USA","end":{"date-parts":[[2022,5,26]]}},"container-title":["2022 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9833550\/9833558\/09833765.pdf?arnumber=9833765","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,8]],"date-time":"2023-11-08T23:09:05Z","timestamp":1699484945000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9833765\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5]]},"references-count":77,"URL":"https:\/\/doi.org\/10.1109\/sp46214.2022.9833765","relation":{},"subject":[],"published":{"date-parts":[[2022,5]]}}}