Malware Detection via Static Document Analysis

Static document analysis is an essential component in advanced malware detection  

One of the crucial functions of malware detection is the ability to spot advanced malicious code that’s embedded within documents. Document files are key infection sources because:

  • They are extremely common
  • They are relatively simple to modify and use as a method of attack
  • They are easily brought into an organization through email attachments or employee devices

There are two different but complementary approaches to identifying documents that contain malware: static document analysis and dynamic document analysis. Both are necessary for effective detection of today’s sophisticated malware. In this blog we’ll focus on static document analysis.

Static document analysis takes place when a file is examined without actually executing it, whereas dynamic analysis looks at the actions of the document and can only occur when the file is executing.

One primary reason to perform static document analysis is that today’s sophisticated malware doesn’t always execute its malicious code, especially when it suspects that it is running in a malware detection system. Furthermore, some malware depends on specific browser plugins, uncommon operating system extensions, or particular installed programs to perform its nefarious deeds. If those plugins or extensions are not present, and often they aren’t in legacy sandbox environments, the malicious code will not execute and no bad behavior will be observed.

So to detect advanced malware it’s necessary to determine whether an object is capable of becoming malicious, even if the malicious behavior hasn’t manifested itself yet.

Static document analysis looks for abnormalities in the file itself, not in how it executes. It seeks to answer questions such as the following.

  • Are there structural anomalies such as embedded shellcode, abnormal macros, or other executable programs that would not normally be present in a document of this type?
  • Does the document have any missing or added segments?
  • Are there any embedded files?
  • Are there any encryption, fingerprinting, or other suspicious capabilities?
  • Is there anything about the document that just looks odd?
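As an added example (not code from the original post or from the Lastline product), the following Python script applies several of the questions above to a PDF without opening it in a viewer: it checks the file’s structure (header, trailer, balanced obj/endobj pairs, data appended after the last %%EOF), undoes PDF name hex escapes so that an obfuscated name such as /J#61vaScript is recognized as /JavaScript, flags capabilities a plain business document rarely needs (scripts, auto-execution, launch actions, embedded files, encryption), and looks for %u-encoded byte runs that typically carry shellcode in embedded JavaScript. The name list, the weights, and the two inline sample documents are constructed for illustration and are assumptions of this example, not a published detection rule set.

```python
import re
from typing import Dict, List, Tuple

# Assumed, illustrative weights: PDF constructs that ordinary business documents
# rarely need. Names are matched after #xx hex escapes have been decoded.
RISKY_NAMES: Dict[bytes, Tuple[str, int]] = {
    b"/JavaScript": ("script", 3),
    b"/JS": ("script", 3),
    b"/OpenAction": ("auto-exec", 2),
    b"/AA": ("auto-exec", 2),
    b"/Launch": ("launch", 4),
    b"/EmbeddedFile": ("embedded file", 2),
    b"/RichMedia": ("embedded media", 2),
    b"/Encrypt": ("encryption", 1),
}


def decode_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes so /J#61vaScript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> Dict[str, object]:
    """Static checks on raw PDF bytes; nothing is rendered or executed."""
    findings: List[str] = []
    score = 0

    # Structural checks: header, trailer, object balance, appended data.
    if not data.startswith(b"%PDF-"):
        findings.append("structure: missing %PDF header"); score += 2
    if b"startxref" not in data or b"%%EOF" not in data:
        findings.append("structure: missing startxref/%%EOF"); score += 2
    n_obj = len(re.findall(rb"\b\d+\s+\d+\s+obj\b", data))
    n_end = len(re.findall(rb"\bendobj\b", data))
    if n_obj != n_end:
        findings.append(f"structure: {n_obj} obj vs {n_end} endobj"); score += 2
    # Incremental updates legitimately produce several %%EOF markers, so only
    # non-whitespace bytes after the *last* one count as an added segment.
    tail = data.rsplit(b"%%EOF", 1)[-1] if b"%%EOF" in data else b""
    if tail.strip():
        findings.append(f"structure: {len(tail.strip())} bytes after last %%EOF"); score += 3

    # Obfuscation: hex-escaped characters inside a name (heuristic; some
    # legitimate producers escape spaces, which is why this is only a weight).
    if re.search(rb"/[A-Za-z0-9]*#[0-9A-Fa-f]{2}", data):
        findings.append("obfuscation: hex-escaped PDF name"); score += 3

    # Capability checks on the de-obfuscated bytes. The lookahead stops /JS
    # from matching inside longer names.
    decoded = decode_names(data)
    for name, (label, weight) in RISKY_NAMES.items():
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9_])", decoded):
            findings.append(f"{label}: {name.decode()}"); score += weight

    # Shellcode heuristic: three or more consecutive %uXXXX escapes.
    if re.search(rb"(%u[0-9A-Fa-f]{4}){3,}", decoded):
        findings.append("shellcode: %u-encoded byte run"); score += 4

    verdict = "clean" if score == 0 else "review" if score < 6 else "suspicious"
    return {"findings": findings, "score": score, "verdict": verdict}


# Constructed sample: a minimal, well-formed single-page PDF.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R /Size 4 >>
startxref
0
%%EOF
"""

# Constructed sample: auto-run action, hex-obfuscated /JavaScript name,
# %u-encoded payload, an embedded file, and data appended after %%EOF.
SUSPICIOUS_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (var s=unescape("%u9090%u9090%uC3C3");) >> endobj
5 0 obj << /Type /EmbeddedFile /Length 4 >> stream
MZ..
endstream endobj
trailer << /Root 1 0 R /Size 6 >>
startxref
0
%%EOF
payload appended after the end-of-file marker
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        result = scan_pdf(doc)
        print(label, result["verdict"], result["score"], result["findings"])
```

Because the script never loads a viewer or runs the embedded JavaScript, it scores both samples in well under a millisecond, which is the efficiency argument made below; the trade-off is that it only sees what is literally in the bytes, so content hidden inside compressed object streams would need to be inflated first before these checks apply.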

Static document analysis is also very efficient and fast. Since it’s not necessary to load and execute a document viewer and exercise different functions (which require more CPU cycles and time), the results can be returned significantly faster. This can be critical when trying to evaluate large numbers of files for potential malware.

Performing static document analysis is an important way to detect malicious code or infections that might otherwise be missed. It’s an essential component in an advanced malware detection system.

Brian Laing

For more than 20 years, Brian Laing has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive level roles. The author of “APT for Dummies,” he was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader. Brian previously founded Hive Media where he served as CEO. He co-founded RedSeal Systems, where he conceived the overall design and features of the product and was granted two patents related to network security. He was also founder and CEO of self-funded Blade Software, who released the industry’s first commercial IPS/FW testing tool.