Author (Chinese): 沈祈恩
Author (English): Shen, Chi-En
Title (Chinese): 一個應用於防禦APT攻擊的惡意Open XML文件偵測框架
Title (English): A Flexible Framework for Malicious Open XML Document Detection against APT Attacks
Advisor (Chinese): 孫宏民
Committee members (Chinese): 洪國寶, 顏嵩銘
Degree: Master
Institution: 國立清華大學 (National Tsing Hua University)
Department: 資訊系統與應用研究所 (Institute of Information Systems and Applications)
Student ID: 101065511
Publication year (ROC calendar): 103
Graduation academic year: 102
Language: English, Chinese
Pages: 47
Keywords (Chinese): 進階持續性滲透攻擊 (advanced persistent threat), 惡意文件偵測 (malicious document detection)
Keywords (English): Open XML, Advanced Persistence Threat, APT, Malicious document
Abstract (Chinese, translated):

Advanced Persistence Threat (APT) attacks have become a hot topic in recent years, and defending against them is receiving growing attention. Many large enterprises and organizations have already fallen victim to APT attacks. Because an APT attack is targeted, uses specialized intrusion techniques, is driven by a specific motive, is organized, and is well funded, the threat it poses cannot be ignored.

In the initial infection phase of an APT attack, malicious documents are frequently delivered by spear phishing, so detecting malicious documents is especially important for the early stage of APT defense. In recent years the Open XML document format has emerged as a new carrier for malicious documents, yet most existing research on malicious document detection targets PDF files or the legacy OLE Office format; no detection framework has been designed specifically for malicious Open XML documents.

In this thesis we propose a detection framework for malicious Open XML documents. The framework is designed according to three principles: automation, flexibility and configurability. It analyzes Open XML documents automatically and produces a report that highlights the key findings for the user. The framework contains several Scanner Modules, each aimed at a different kind of embedded object; they are designed so that users or researchers can easily add scanning tools or custom scanning programs to a module and obtain automatic scanning that fits their needs. The configurable design also lets the framework be tailored with different scanning configurations for different scanning requirements. These properties make the framework useful not only for detection but also as an aid to researchers' analysis work.

Abstract (English):

The defense against Advanced Persistence Threat (APT) attacks has been a hot issue in recent years. Many organizations, enterprises and even governments have been victims of APT attacks. Since APT attacks have a specific objective and are skillfully crafted, motivated, organized and well funded, they should not be ignored. Malicious documents are commonly delivered by spear phishing in the initial infection phase of an APT attack, so the detection of malicious documents is important for early-stage defense against APT attacks. In recent years, Open XML has become a popular document format in APT attacks. However, related research on malicious document detection mostly focuses on PDF files or the traditional OLE Office document format; no framework designed specifically for malicious Open XML document detection exists.

In this thesis, we propose a malicious Open XML document detection framework. The framework is designed under three principles: Automatic, Flexible and Configurable. It analyzes Open XML documents automatically and generates analysis reports with the important findings highlighted. It is flexible because the "Scanner Module" can be configured and the framework is easy to extend by adding customized scanners. Being configurable makes the detection more customizable, so it can be adjusted to fit different scanning needs on demand. The framework can be used not only for detection work but also for research purposes.
Table of contents (page numbers in parentheses):

1 Introduction (1)
2 Background (3)
2.1 Advanced Persistence Threat (3)
2.1.1 APT Terminology (3)
2.1.2 APT characteristics (4)
2.1.3 APT Life Cycle (5)
2.1.4 Famous APT Attack Event (6)
2.2 Open XML Document (8)
2.2.1 Common Vulnerabilities and Exposures (9)
2.2.2 Open XML use in APT attack (9)
2.3 Analysis Tools (10)
3 Related work (11)
3.1 Dynamic Analysis and Static Analysis (11)
3.2 Customize Framework for Open XML (12)
4 Design Framework (13)
4.1 Design Principle (14)
4.2 Five Processing Stage (15)
4.2.1 Pre-Process (16)
4.2.2 Basic Process (16)
4.2.3 Advance Process (17)
4.2.4 Analysis (18)
4.2.5 Output (18)
4.3 Design Framework (18)
4.3.1 OpenXML Dissector (20)
4.3.2 Object Parser (20)
4.3.3 Object Extractor (21)
4.3.4 Configuration (21)
4.3.5 Operator (22)
4.3.6 Scanners (22)
4.3.7 IOM (23)
4.3.8 Report Generator (23)
5 Implementation (24)
5.1 Development environment (24)
5.2 Configuration (25)
5.3 Scanners (28)
5.3.1 Flash Scanner (29)
5.3.2 Mal-Structure Scanner (30)
5.3.3 Shellcode Scanner (30)
5.3.4 URL Scanner (30)
5.3.5 VBA Scanner (31)
5.4 IOM (31)
5.5 Report (32)
5.6 Summary (33)
6 Analysis (35)
6.1 Detection Rate (35)
6.1.1 Specify IOM Implication (36)
6.1.2 True Positive Rate (37)
6.1.3 False Positive Rate (39)
6.1.4 Compare with Antivirus (39)
6.2 Framework Analysis (41)
7 Conclusion (43)
7.1 Conclusion (43)
7.2 Future work (44)