Malware Detection via Static Document Analysis
Static document analysis is an essential component in advanced malware detection
One of the crucial functions of malware detection is the ability to spot advanced malicious code that’s embedded within documents. Document files are key infection sources because:
- They are extremely common
- They are relatively simple to modify and use as a method of attack
- They are easily brought into an organization through email attachments or employee devices
There are two different but essential approaches to identify documents that contain malware: static document analysis, and dynamic document analysis. Both are necessary for effective detection of today’s sophisticated malware. In this blog we’ll focus on static document analysis.
Static document analysis examines a file without executing or rendering it, whereas dynamic analysis opens the document in an instrumented environment and observes what it does; dynamic results only exist once the file has actually run.
One primary reason to perform static document analysis is that today’s sophisticated malware doesn’t always execute its malicious code, especially when it suspects that it is running in a malware detection system. Furthermore, some malware relies on specific browser plugins, or on uncommon operating system extensions or programs, to perform its nefarious deeds. If those plugins or extensions are not present, as is often the case in legacy sandbox environments, the malicious code will not execute and no bad behavior will be observed.
So to detect advanced malware it’s necessary to determine whether an object is capable of becoming malicious, even if the malicious behavior has not yet manifested itself.
Static document analysis looks for abnormalities in the file itself, not in how it executes. It seeks to answer questions such as the following.
- Are there structural anomalies such as embedded shellcode, abnormal macros, or other executable programs that would not normally be present in a document of this type?
- Does the document have any missing or added segments?
- Are there any embedded files?
- Are there any encryption, fingerprinting, or other suspicious capabilities?
- Is there anything about the document that just looks odd?
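As an added illustration (not part of the original post, and not the Lastline product’s code), here is a small static scanner in Python that asks the questions above of an Office file without ever opening it in a viewer. It recognizes the container from its magic bytes (OOXML is a ZIP package; legacy binary Office files and password-encrypted OOXML are both OLE compound files), then looks for a VBA project, auto-execute macro triggers, shell and object-creation calls, embedded objects (a PE header in particular), relationships that point outside the package, an EncryptionInfo stream, and NOP sleds that hint at shellcode. The sample documents are constructed inline and are not real malware; the file names, the URL template.example, and the keyword watch-lists are assumptions made for this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Container signatures. OOXML (docx/xlsx/pptx) is a ZIP package; legacy binary
# Office files and password-encrypted OOXML are both OLE Compound File Binary (CFB).
ZIP_MAGIC = b"PK\x03\x04"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types that have no business pointing outside the package
# (remote template, remote OLE object). Assumed watch-list for this example.
RISKY_EXTERNAL_RELS = {"attachedTemplate", "oleObject"}
VBA_TRIGGERS = re.compile(rb"AutoOpen|Document_Open|Auto_Open|Workbook_Open", re.I)
VBA_DANGEROUS = re.compile(rb"\bShell\b|CreateObject|WScript|powershell|URLDownloadToFile", re.I)
NOP_SLED = re.compile(rb"\x90{32,}")  # run of x86 NOPs, the classic shellcode pad


def _rels_findings(name, blob):
    """Flag relationships whose target lives outside the package."""
    try:
        root = ET.fromstring(blob)
    except ET.ParseError:
        return [f"{name}: malformed relationship XML"]
    out = []
    for rel in root.iter(REL_NS + "Relationship"):
        rtype = rel.get("Type", "").rsplit("/", 1)[-1]
        if rel.get("TargetMode") == "External" and rtype in RISKY_EXTERNAL_RELS:
            out.append(f"{name}: external {rtype} -> {rel.get('Target')}")
    return out


def analyze_ooxml(data):
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        ct = z.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
        if not ct:
            findings.append("missing [Content_Types].xml: malformed package")
        if MACRO_CONTENT_TYPE in ct or any(n.endswith("vbaProject.bin") for n in names):
            findings.append("VBA macro project present")
        for n in names:
            blob = z.read(n)
            if n.endswith("vbaProject.bin"):
                # Real VBA source is MS-OVBA compressed inside this stream; a production
                # scanner decompresses it first. The constructed sample is plain text.
                if VBA_TRIGGERS.search(blob):
                    findings.append(f"{n}: auto-execute macro trigger")
                if VBA_DANGEROUS.search(blob):
                    findings.append(f"{n}: macro uses shell/object-creation API")
            elif "/embeddings/" in n:
                kind = "PE executable" if blob[:2] == b"MZ" else "object"
                findings.append(f"{n}: embedded {kind}")
            elif n.endswith(".rels"):
                findings.extend(_rels_findings(n, blob))
            if NOP_SLED.search(blob):
                findings.append(f"{n}: NOP sled, possible shellcode")
    return findings


def analyze_cfb(data):
    # Legacy format: stream names sit in the CFB directory as UTF-16LE, so a raw
    # byte search finds them without a full structured-storage parser.
    findings = ["OLE compound file: legacy binary format or encrypted OOXML"]
    if "EncryptionInfo".encode("utf-16-le") in data:
        findings.append("EncryptionInfo stream: encrypted package, payload hidden from scanners")
    if "_VBA_PROJECT".encode("utf-16-le") in data:
        findings.append("VBA macro storage present")
    if NOP_SLED.search(data):
        findings.append("NOP sled, possible shellcode")
    return findings


def analyze(data):
    """Dispatch on magic bytes; an empty list means no structural anomaly found."""
    if data.startswith(ZIP_MAGIC):
        return analyze_ooxml(data)
    if data.startswith(CFB_MAGIC):
        return analyze_cfb(data)
    return ["not an Office container: unexpected magic bytes"]


# --- constructed samples (not real malware; names and URL are made up) -------
def build_docx(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, blob in parts.items():
            z.writestr(name, blob)
    return buf.getvalue()

CT_CLEAN = (b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
            b'package/2006/content-types"><Default Extension="xml" ContentType="application/xml"/></Types>')
CLEAN_DOCX = build_docx({"[Content_Types].xml": CT_CLEAN, "word/document.xml": b"<w:document/>"})
EVIL_DOCX = build_docx({
    "[Content_Types].xml": CT_CLEAN.replace(b"</Types>", b'<Override PartName="/word/vbaProject.bin" '
                                            b'ContentType="application/vnd.ms-office.vbaProject"/></Types>'),
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b'Attribute VB_Name = "ThisDocument"\nSub AutoOpen()\n  Shell "cmd.exe"\nEnd Sub\n',
    "word/embeddings/oleObject1.bin": b"MZ\x90\x00" + b"\x00" * 60,
    "word/_rels/settings.xml.rels": (
        b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        b'relationships/attachedTemplate" Target="http://template.example/t.dotm" TargetMode="External"/>'
        b'</Relationships>'),
})
ENCRYPTED_DOC = CFB_MAGIC + b"\x00" * 504 + "EncryptionInfo".encode("utf-16-le") + b"\x00" * 64

if __name__ == "__main__":
    for label, blob in [("clean.docx", CLEAN_DOCX), ("invoice.docm", EVIL_DOCX), ("legacy.doc", ENCRYPTED_DOC)]:
        print(label, "->", analyze(blob) or ["no structural anomalies"])
```

Run as a script it prints an empty finding list for the clean file, five findings for the macro-carrying file, and the encryption finding for the OLE sample, all without loading a document viewer. Two caveats for anyone turning this into a real scanner: the VBA source inside vbaProject.bin is MS-OVBA compressed, so module streams must be decompressed before keyword matching (oletools’ olevba does this), and anything that unpacks ZIP parts needs per-part and total size caps, because a crafted package can decompress to many gigabytes.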
Static document analysis is also very efficient and fast. Since it’s not necessary to load and execute a document viewer and exercise different functions (which require more CPU cycles and time), the results can be returned significantly faster. This can be critical when trying to evaluate large numbers of files for potential malware.
Performing static document analysis is an important way to detect malicious code or infections that might otherwise be missed. It’s an essential component in an advanced malware detection system.
Click here to learn more about the Lastline solution and why its static document analysis is superior to other solutions.
Latest posts by Brian Laing (see all)