{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T05:05:46Z","timestamp":1750309546326,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":32,"publisher":"ACM","license":[{"start":{"date-parts":[[2025,4,22]],"date-time":"2025-04-22T00:00:00Z","timestamp":1745280000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/https:\/\/doi.org\/10.13039\/100000015","name":"U.S. Department of Energy","doi-asserted-by":"publisher","award":["DE-AC05-00OR22725"],"award-info":[{"award-number":["DE-AC05-00OR22725"]}],"id":[{"id":"10.13039\/https:\/\/doi.org\/10.13039\/100000015","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,4,28]]},"DOI":"10.1145\/3696410.3714814","type":"proceedings-article","created":{"date-parts":[[2025,4,22]],"date-time":"2025-04-22T22:52:18Z","timestamp":1745362338000},"page":"4810-4822","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["On the Abuse and Detection of Polyglot Files"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2869-8589","authenticated-orcid":false,"given":"Luke","family":"Koch","sequence":"first","affiliation":[{"name":"Oak Ridge National Laboratory, Oak Ridge, Tennessee, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6909-1022","authenticated-orcid":false,"given":"Sean","family":"Oesch","sequence":"additional","affiliation":[{"name":"Oak Ridge National Laboratory, Oak Ridge, Tennessee, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9011-7365","authenticated-orcid":false,"given":"Amir","family":"Sadovnik","sequence":"additional","affiliation":[{"name":"Oak Ridge National Laboratory, Oak Ridge, 
Tennessee, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3261-5152","authenticated-orcid":false,"given":"Brian","family":"Weber","sequence":"additional","affiliation":[{"name":"Oak Ridge National Laboratory, Oak Ridge, Tennessee, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4402-4234","authenticated-orcid":false,"given":"Amul","family":"Chaulagain","sequence":"additional","affiliation":[{"name":"Oak Ridge National Laboratory, Oak Ridge, Tennessee, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-3996-4848","authenticated-orcid":false,"given":"Matthew","family":"Dixson","sequence":"additional","affiliation":[{"name":"Oak Ridge National Laboratory, Oak Ridge, Tennessee, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5320-0581","authenticated-orcid":false,"given":"Jared","family":"Dixon","sequence":"additional","affiliation":[{"name":"University of Tennessee, Knoxville, Knoxville, Tennessee, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-6365-5120","authenticated-orcid":false,"given":"Mike","family":"Huettel","sequence":"additional","affiliation":[{"name":"Oak Ridge National Laboratory, Oak Ridge, Tennessee, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-5035-5047","authenticated-orcid":false,"given":"Cory","family":"Watson","sequence":"additional","affiliation":[{"name":"Oak Ridge National Laboratory, Oak Ridge, Tennessee, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5659-9361","authenticated-orcid":false,"given":"Jacob","family":"Hartman","sequence":"additional","affiliation":[{"name":"Assured Information Security, Rome, New York, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-0516-5153","authenticated-orcid":false,"given":"Richard","family":"Patulski","sequence":"additional","affiliation":[{"name":"Assured Information Security, Rome, New York, USA"}]}],"member":"320","published-online":{"date-parts":[[2025,4,22]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2018. Polydet. 
https:\/\/github.com\/Polydet\/polydet"},{"key":"e_1_3_2_1_2_1","volume-title":"International Journal of Proof-of- Concept or Get The Fuck Out (March","author":"Albertini Ange","year":"2015","unstructured":"Ange Albertini. 2015. Funky File Formats. International Journal of Proof-of- Concept or Get The Fuck Out (March 2015). https:\/\/github.com\/angea\/pocorgtfo\/blob\/master\/contents\/issue07.pdf#page=18"},{"key":"e_1_3_2_1_3_1","volume-title":"Ember: an open dataset for training static pe malware machine learning models. arXiv preprint arXiv:1804.04637","author":"Anderson Hyrum S","year":"2018","unstructured":"Hyrum S Anderson and Phil Roth. 2018. Ember: an open dataset for training static pe malware machine learning models. arXiv preprint arXiv:1804.04637 (2018)."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2013.2274728"},{"key":"e_1_3_2_1_5_1","volume-title":"Brian Jewell, Jeff A Nichols, Brian Weber, Justin M Beaver, Jared M Smith, et al.","author":"Bridges Robert A","year":"2020","unstructured":"Robert A Bridges, Sean Oesch, Miki E Verma, Michael D Iannacone, Kelly MT Huffer, Brian Jewell, Jeff A Nichols, Brian Weber, Justin M Beaver, Jared M Smith, et al. 2020. Beyond the Hype: A Real-World Evaluation of the Impact and Cost of Machine Learning-Based Malware Detection. arXiv preprint arXiv:2012.09214 (2020)."},{"key":"e_1_3_2_1_6_1","volume-title":"Dual-personality DICOM-TIFF for whole slide images: a migration technique for legacy software. Journal of pathology informatics 10","author":"Clunie David A","year":"2019","unstructured":"David A Clunie. 2019. Dual-personality DICOM-TIFF for whole slide images: a migration technique for legacy software. Journal of pathology informatics 10 (2019)."},{"key":"e_1_3_2_1_7_1","unstructured":"Ian Darwin et al. 2019. file. 
https:\/\/darwinsys.com\/file\/"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/3473039"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.2214\/AJR.19.21958"},{"key":"e_1_3_2_1_10_1","volume-title":"Accessed","author":"D\u00edaz Vicente","year":"2022","unstructured":"Vicente D\u00edaz. 2022. Monitoring malware abusing CVE-2020-1599. https:\/\/blog.virustotal.com\/2022\/01\/monitoring-malware-abusing-cve-2020--1599.html. Accessed: Apr. 25, 2023."},{"key":"e_1_3_2_1_11_1","unstructured":"Yanick Fratantonio Luca Invernizzi Marina Zhang Giancarlo Metitieri Thomas Kurt Francois Galilee Alexandre Petit-Bianco Loua Farah Ange Albertini and Elie Bursztein. [n. d.]. Magika content-type scanner. https:\/\/github.com\/google\/magika"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.crad.2005.07.003"},{"key":"e_1_3_2_1_13_1","unstructured":"Stan Hegt. 2020. Mark of the Web from a Red Team's Perspective. https:\/\/outflank.nl\/blog\/2020\/03\/30\/mark-of-the-web-from-a-red-teams-perspective\/"},{"key":"e_1_3_2_1_14_1","unstructured":"Kyaw Pyiyt Htet. 2017. Lazarus Group. https:\/\/attack.mitre.org\/groups\/G0032\/"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.15"},{"key":"e_1_3_2_1_16_1","unstructured":"Hossein Jazi. 2021. Lazarus APT conceals malicious code within BMP image to drop its RAT. https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2021\/04\/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat"},{"key":"e_1_3_2_1_17_1","volume-title":"Angelo Del Rosario, and Martin Co","author":"Kiat Ng Choon","year":"2021","unstructured":"Ng Choon Kiat, Angelo Del Rosario, and Martin Co. 2021. SEO Poisoning and the BatLoader APT Group. 
https:\/\/www.mandiant.com\/resources\/blog\/seopoisoning-batloader-atera"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"crossref","unstructured":"Bojan Kolosnjaji Ambra Demontis Battista Biggio Davide Maiorca Giorgio Giacinto Claudia Eckert and Fabio Roli. 2018. Adversarial Malware Binaries: Evading Deep Learning for Malware Detection in Executables. arXiv:1803.04173 [cs.CR]","DOI":"10.23919\/EUSIPCO.2018.8553214"},{"key":"e_1_3_2_1_19_1","unstructured":"Microsoft. 2018. ImageFile object. https:\/\/learn.microsoft.com\/en-us\/previous-versions\/windows\/desktop\/wiaaut\/-wiaaut-imagefile"},{"key":"e_1_3_2_1_20_1","unstructured":"Microsoft. 2018. ImageProcess object. https:\/\/learn.microsoft.com\/en-us\/previous-versions\/windows\/desktop\/wiaaut\/-wiaaut-imageprocess"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"crossref","unstructured":"Govind Mittal Pawel Korus and Nasir Memon. 2020. FiFTy: Large-scale File Fragment Type Identification using Neural Networks. arXiv:1908.06148 [cs.CR]","DOI":"10.1109\/TIFS.2020.3004266"},{"key":"e_1_3_2_1_22_1","unstructured":"Trail of Bits. 2022. PolyFile. https:\/\/github.com\/trailofbits\/polyfile"},{"key":"e_1_3_2_1_23_1","unstructured":"MO Ortiz. 2019. HIPAA-Protected Malware? Exploiting DICOM Flaw to Embed Malware in CT\/MRI Imagery. Cylera Labs (2019)."},{"key":"e_1_3_2_1_24_1","unstructured":"Seongsu Park. 2021. Andariel evolves to target South Korea with ransomware. https:\/\/securelist.com\/andariel-evolves-to-target-south-korea-with-ransomware\/102811\/"},{"key":"e_1_3_2_1_25_1","unstructured":"Marco Pontello. 2020. TrID File Identifier. https:\/\/mark0.net\/soft-trid-e.html"},{"key":"e_1_3_2_1_26_1","volume-title":"Hiding Malicious Content in PDF Documents. CoRR abs\/1201.0397","author":"Popescu Dan-Sabin","year":"2012","unstructured":"Dan-Sabin Popescu. 2012. Hiding Malicious Content in PDF Documents. CoRR abs\/1201.0397 (2012). 
arXiv:1201.0397 http:\/\/arxiv.org\/abs\/1201.0397"},{"key":"e_1_3_2_1_27_1","unstructured":"Dan-Sabin Popescu. 2012. Hiding Malicious Content in PDF Documents. arXiv:1201.0397 [cs.CR]"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1710.09435"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3411508.3421372"},{"key":"e_1_3_2_1_30_1","unstructured":"ReFirmLabs. 2021. Binwalk. https:\/\/github.com\/ReFirmLabs\/binwalk"},{"key":"e_1_3_2_1_31_1","unstructured":"Check Point Research Team. 2022. October's Most Wanted Malware: AgentTesla Knocks Formbook off Top Spot and New Text4Shell Vulnerability Disclosed. https:\/\/blog.checkpoint.com\/2022\/11\/08\/octobers-most-wanted-malwareagenttesla-knocks-formbook-off-top-spot-and-new-text4shell-vulnerabilitydisclosed\/"},{"key":"e_1_3_2_1_32_1","unstructured":"Checkpoint Research Team. 2022. Can You Trust a File's Digital Signature? New Zloader Campaign Exploits Microsoft's Signature Verification Putting Users at Risk. 
https:\/\/research.checkpoint.com\/2022\/can-you-trust-a-files-digitalsignature-new-zloader-campaign-exploits-microsofts-signature-verificationputting-users-at-risk\/"}],"event":{"name":"WWW '25: The ACM Web Conference 2025","sponsor":["SIGWEB ACM Special Interest Group on Hypertext, Hypermedia, and Web"],"location":"Sydney NSW Australia","acronym":"WWW '25"},"container-title":["Proceedings of the ACM on Web Conference 2025"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696410.3714814","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3696410.3714814","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:42Z","timestamp":1750295922000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696410.3714814"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4,22]]},"references-count":32,"alternative-id":["10.1145\/3696410.3714814","10.1145\/3696410"],"URL":"https:\/\/doi.org\/10.1145\/3696410.3714814","relation":{},"subject":[],"published":{"date-parts":[[2025,4,22]]},"assertion":[{"value":"2025-04-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}