Botconf 2018

Malicious office documents have become a favorite malware delivery tool for malware authors. We have observed an increase in use of malicious documents over past 4 years. 30% of the malware blocked by Zscaler Cloud Sandbox since 2017 are malicious office documents. Malicious office documents are used for the delivery of crimeware payloads and are also often involved in Advanced Persistent Threats (APT) attacks. Over the time, these malicious office documents have used various obfuscation, encryption and evasion techniques to prevent detection. In this paper, we will provide a detailed analysis of different obfuscation, encryption, exploits and evasion techniques used in these malicious documents. We have analyzed over one thousand malicious documents from fifty different campaigns for this study. This research paper also lists the different malware samples delivered by these malicious documents and the use of powershell as well as other scripting languages.