Abstract

Defending against Advanced Persistent Threat (APT) attacks has been an important topic in recent years. Many organizations and enterprises, and even governments, have been victims of APT attacks. Because APT attacks have a specific objective and are skillfully crafted, motivated, organized and well funded, they deserve particular attention. Malicious documents are used in spear phishing during the initial infection phase of an APT attack, so detecting malicious documents is important for defending against an APT attack at an early stage. Open XML is a popular document format used in APT attacks. However, existing research on malicious document detection focuses mostly on PDF files or the traditional OLE Office document format, and no framework has been designed specifically for malicious Open XML document detection. This article proposes a framework for malicious Open XML document detection. The framework is designed around three fundamental principles: it is automatic, flexible and configurable. It can process Open XML document analysis jobs automatically and generate analysis reports with the relevant information highlighted. Its Scanner Module is flexible: it can be configured and easily extended by adding customized scanners. This configurability makes APT detection more customizable and better suited to the user's demands.
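To make the scanner-module idea concrete, the following Python sketch is an added illustration, not code from the paper or its framework. It treats an Open XML document as the ZIP container it is, runs every scanner registered in a small registry over the extracted parts, and renders a report ordered by severity. The three scanners (VBA project part, external relationship targets, embedded object parts), the registry API, the severity labels and the constructed sample .docx are all assumptions made for this example.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Parsed document: mapping of ZIP part name -> raw bytes of that part.
Parts = Dict[str, bytes]


@dataclass
class Finding:
    scanner: str
    severity: str   # "high", "medium" or "info" (labels chosen for this example)
    part: str
    detail: str


# Scanner registry (assumed design): name -> function(parts) -> list of findings.
SCANNERS: Dict[str, Callable[[Parts], List[Finding]]] = {}


def scanner(name: str):
    """Decorator that registers a scanner under a name; adding a scanner
    means writing one function and decorating it."""
    def register(func):
        SCANNERS[name] = func
        return func
    return register


def load_open_xml(data: bytes) -> Parts:
    """An Open XML document is a ZIP package; return every part's bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: zf.read(info.filename) for info in zf.infolist()}


@scanner("vba_macro")
def scan_vba(parts: Parts) -> List[Finding]:
    """Flag the VBA project part that macro-enabled documents carry."""
    return [Finding("vba_macro", "high", name, "VBA project part present")
            for name in parts if name.lower().endswith("vbaproject.bin")]


@scanner("external_relationship")
def scan_external_rels(parts: Parts) -> List[Finding]:
    """Flag relationships whose target lies outside the package
    (for example a remote attached template)."""
    rel_re = re.compile(r'<Relationship\b[^>]*TargetMode="External"[^>]*>', re.I)
    target_re = re.compile(r'Target="([^"]*)"')
    findings = []
    for name, data in parts.items():
        if not name.endswith(".rels"):
            continue
        for match in rel_re.finditer(data.decode("utf-8", errors="replace")):
            target = target_re.search(match.group(0))
            detail = "external target: " + (target.group(1) if target else "?")
            findings.append(Finding("external_relationship", "medium", name, detail))
    return findings


@scanner("embedded_object")
def scan_embeddings(parts: Parts) -> List[Finding]:
    """Flag embedded object parts stored under an embeddings/ folder."""
    return [Finding("embedded_object", "medium", name, "embedded object part")
            for name in parts if "/embeddings/" in name.lower()]


def analyze(data: bytes, enabled: Optional[Set[str]] = None) -> List[Finding]:
    """Run the enabled scanners (all of them when enabled is None)."""
    parts = load_open_xml(data)
    findings: List[Finding] = []
    for name, func in SCANNERS.items():
        if enabled is None or name in enabled:
            findings.extend(func(parts))
    return findings


def render_report(findings: List[Finding]) -> str:
    """Plain-text report; high-severity findings come first and are marked."""
    order = {"high": 0, "medium": 1, "info": 2}
    lines = []
    for f in sorted(findings, key=lambda f: order.get(f.severity, 9)):
        marker = "!!" if f.severity == "high" else "! " if f.severity == "medium" else "  "
        lines.append(f"{marker} [{f.severity.upper():6}] {f.scanner}: {f.part} - {f.detail}")
    return "\n".join(lines) if lines else "no findings"


def build_sample_docx() -> bytes:
    """Constructed minimal package for the example: not a real document,
    just the parts the scanners above look at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels",
                    '<Relationships><Relationship Id="rId1" '
                    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                    'Target="http://example.invalid/template.dotm" TargetMode="External"/></Relationships>')
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
        zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


if __name__ == "__main__":
    print(render_report(analyze(build_sample_docx())))
```

Passing a set of scanner names to `analyze` is the configurable part: a deployment that only cares about macros runs `analyze(data, enabled={"vba_macro"})`, and a new check is added by registering one more decorated function.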
