UFADF: A Unified Feature Analysis and Detection Framework for Malicious Office Documents

  • Southwest University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Malicious Office documents have become a common medium in network attacks, as they support embedding multiple classes of attack techniques with strong concealment. Existing detection methods mainly focus on specific types of malicious attacks or document categories. A universal detection method for multi-version documents and multi-class malicious attacks is lacking. To address this issue, this paper proposes a Unified Feature Analyzing and Detecting Framework, UFADF, for multi-class malicious Office document detection. It is built on three ideas: a) analyzing 20,000 latest real-world Office document samples and extracting the key features of various malicious categories, for which five mainstream malicious feature extraction methods are designed with eight new features or embedding locations; b) calculating the information gain of all the extracted malicious key features, then choosing the 64 most prominent malicious features to construct the feature list with a newly proposed feature fusion algorithm; c) detecting the fused malicious features with an adaptive classifier, which classifies Office documents of various versions and formats into five malicious categories and benign documents. Experiments on 20,000 latest real-world Office document samples demonstrate that the proposed framework UFADF achieves high-precision unified feature detection, including detecting and accurately classifying 185 malicious samples that went undetected by antivirus software.

Original language: English
Title of host publication: Proceedings - 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom/BigDataSE/CSE/EUC/iSCI 2023
Editors: Jia Hu, Geyong Min, Guojun Wang
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 881-888
Number of pages: 8
ISBN (electronic): 9798350381993
DOI
Publication status: Published - 2023
Event: 22nd IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2023 - Exeter, United Kingdom
Duration: 1 Nov 2023 to 3 Nov 2023

Publication series

Name: Proceedings - 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom/BigDataSE/CSE/EUC/iSCI 2023

Conference

Conference: 22nd IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2023
Country/Territory: United Kingdom
City: Exeter
Period: 1/11/23 to 3/11/23
