{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,14]],"date-time":"2026-01-14T18:49:03Z","timestamp":1768416543316,"version":"3.49.0"},"reference-count":32,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2023,6,30]],"date-time":"2023-06-30T00:00:00Z","timestamp":1688083200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"European Commission under the Horizon 2020 Programme","award":["830929, 832735"],"award-info":[{"award-number":["830929, 832735"]}]},{"name":"Beatriu de Pin\u00f3s programme of the Government of Catalonia","award":["2020 BP 00035"],"award-info":[{"award-number":["2020 BP 00035"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2023,6,30]]},"abstract":"<jats:p>Many malware campaigns use Microsoft (MS) Office documents as droppers to download and execute their malicious payload. Such campaigns often use these documents because MS Office is installed on billions of devices and because these files allow the execution of arbitrary VBA code. Recent versions of MS Office prevent the automatic execution of VBA macros, so malware authors try to convince users to enable the content via images that, e.g., forge system or technical errors.<\/jats:p>\n          <jats:p>In this article, we propose a mechanism to extract and analyse the different components of the files, including these visual elements, and construct lightweight signatures based on them. These visual elements are used as input for a text extraction pipeline which, in combination with the signatures, is able to capture the intent of MS Office files and the campaign they belong to. 
We test and validate our approach using an extensive database of malware samples, obtaining an accuracy above 99% in the task of distinguishing between benign and malicious files. Furthermore, our signature-based scheme allowed us to identify correlations between different campaigns, illustrating that some campaigns are either using the same tools or collaborating with one another.<\/jats:p>","DOI":"10.1145\/3513025","type":"journal-article","created":{"date-parts":[[2022,3,25]],"date-time":"2022-03-25T12:55:20Z","timestamp":1648212920000},"page":"1-19","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":11,"title":["Analysis and Correlation of Visual Evidence in Campaigns of Malicious Office Documents"],"prefix":"10.1145","volume":"4","author":[{"given":"Fran","family":"Casino","sequence":"first","affiliation":[{"name":"Department of Computer Engineering and Mathematics, Universitat Rovira i Virgili and Information Management Systems Institute of Athena Research Center"}]},{"given":"Nikolaos","family":"Totosis","sequence":"additional","affiliation":[{"name":"Hatching"}]},{"given":"Theodoros","family":"Apostolopoulos","sequence":"additional","affiliation":[{"name":"Department of Informatics, University Piraeus"}]},{"given":"Nikolaos","family":"Lykousas","sequence":"additional","affiliation":[{"name":"Department of Informatics, University Piraeus"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4460-9331","authenticated-orcid":false,"given":"Constantinos","family":"Patsakis","sequence":"additional","affiliation":[{"name":"Department of Informatics, University Piraeus and Information Management Systems Institute of Athena Research Center"}]}],"member":"320","published-online":{"date-parts":[[2023,8,10]]},"reference":[{"issue":"526","key":"e_1_3_3_2_2","first-page":"1","article-title":"Spam and criminal activity","author":"Alazab Mamoun","year":"2016","unstructured":"Mamoun Alazab and Roderic Broadhurst. 2016. 
Spam and criminal activity. Trends and Issues in Crime and Criminal Justice526 (2016), 1\u201320.","journal-title":"Trends and Issues in Crime and Criminal Justice"},{"key":"e_1_3_3_3_2","doi-asserted-by":"publisher","DOI":"10.1109\/BigData.2017.8258483"},{"key":"e_1_3_3_4_2","unstructured":"David Bianco. 2013. The Pyramid of Pain. Retrieved from https:\/\/detect-respond.blogspot.com\/2013\/03\/the-pyramid-of-pain.html."},{"key":"e_1_3_3_5_2","unstructured":"Fran Casino Tom Dasaklis Georgios Spathoulas Marios Anagnostopoulos Amrita Ghosal Istvan Borocz Agusti Solanas Mauro Conti and Constantinos Patsakis. 2021. A cross-domain qualitative meta-analysis of digital forensics: Research trends challenges and emerging topics. arXiv:2108.04634. Retrieved from https:\/\/arxiv.org\/abs\/2108.04634."},{"key":"e_1_3_3_6_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2021.103135"},{"key":"e_1_3_3_7_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.comcom.2021.08.023"},{"key":"e_1_3_3_8_2","doi-asserted-by":"publisher","DOI":"10.5281\/zenodo.5718684"},{"key":"e_1_3_3_9_2","unstructured":"Check Point Research. 2020. Gozi: The Malware with a Thousand Faces. Retrieved from https:\/\/research.checkpoint.com\/2020\/gozi-the-malware-with-a-thousand-faces\/."},{"key":"e_1_3_3_10_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2016.07.010"},{"key":"e_1_3_3_11_2","unstructured":"Cybereason. 2019. A One-two Punch of Emotet TrickBot & Ryuk Stealing & Ransoming Data. Retrieved from https:\/\/www.cybereason.com\/blog\/one-two-punch-emotet-trickbot-and-ryuk-steal-then-ransom-data."},{"key":"e_1_3_3_12_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.image.2019.115713"},{"key":"e_1_3_3_13_2","unstructured":"Ecma International. 2006. Office Open XML File Formats. Retrieved from https:\/\/www.ecma-international.org\/publications\/standards\/Ecma-376.htm."},{"key":"e_1_3_3_14_2","unstructured":"World Economic Forum. 2020. Wild Wide Web Consequences of Digital Fragmentation. 
Retrieved from https:\/\/reports.weforum.org\/global-risks-report-2020\/wild-wide-web\/."},{"key":"e_1_3_3_15_2","unstructured":"Carrie Roberts Harold Ogden Kirk Sayre. 2018. VBA stomping: Advanced malicious document techniques. Retrieved from https:\/\/github.com\/clr2of8\/Presentations\/blob\/master\/DerbyCon2018-VBAstomp-Final-WalmartRedact.pdf."},{"key":"e_1_3_3_16_2","unstructured":"Alex Ilgayev. 2020. An Old Bot\u2019s Nasty New Tricks: Exploring Qbot\u2019s Latest Attack Methods. Retrieved from https:\/\/research.checkpoint.com\/2020\/exploring-qbots-latest-attack-methods\/."},{"key":"e_1_3_3_17_2","unstructured":"Intel 471. 2020. Understanding the relationship between Emotet Ryuk and TrickBot. Retrieved from https:\/\/public.intel471.com\/blog\/understanding-the-relationship-between-emotet-ryuk-and-trickbot."},{"key":"e_1_3_3_18_2","unstructured":"International Organization for Standardization. 2016. Information technology \u2013 Document description and processing languages \u2013 Office Open XML File Formats \u2013 Part 1: Fundamentals and Markup Language Reference. Retrieved from https:\/\/www.iso.org\/standard\/71691.html."},{"key":"e_1_3_3_19_2","unstructured":"Internet Crime Complaint Center (IC3). 2019. 2019 INTERNET CRIME REPORT. Retrieved from https:\/\/pdf.ic3.gov\/2019_IC3Report.pdf."},{"key":"e_1_3_3_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2018.00057"},{"key":"e_1_3_3_21_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-36938-5_46"},{"key":"e_1_3_3_22_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2020.102600"},{"key":"e_1_3_3_23_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-26834-3_10"},{"key":"e_1_3_3_24_2","doi-asserted-by":"publisher","DOI":"10.5555\/3488877.3488889"},{"key":"e_1_3_3_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2016.2631905"},{"key":"e_1_3_3_26_2","unstructured":"Constantinos Patsakis and Anargyros Chrysanthou. 2020. Analysing the fall 2020 emotet campaign. 
arXiv:2011.06479. Retrieved from https:\/\/arxiv.org\/abs\/2011.06479."},{"key":"e_1_3_3_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/THS.2018.8574202"},{"key":"e_1_3_3_28_2","doi-asserted-by":"publisher","DOI":"10.1080\/19393555.2020.1723747"},{"key":"e_1_3_3_29_2","doi-asserted-by":"crossref","unstructured":"Douglas S. Thomas. 2020. Cybercrime Losses: An Examination of US Manufacturing and the Total Economy.","DOI":"10.6028\/NIST.AMS.100-32"},{"key":"e_1_3_3_30_2","unstructured":"Khoi-Nguyen Tran Mamoun Alazab Roderic Broadhurst et\u00a0al. 2014. Towards a feature rich model for predicting spam emails containing malicious attachments and urls."},{"key":"e_1_3_3_31_2","unstructured":"Trend Micro Research. 2018. Retrieved from https:\/\/www.trendmicro.com\/en_us\/research\/18\/l\/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader.html."},{"key":"e_1_3_3_32_2","first-page":"157","volume-title":"Proceedings of the International Conference on Security for Information Technology and Communications","author":"Yamin Muhammd Mudassar","year":"2018","unstructured":"Muhammd Mudassar Yamin and Basel Katt. 2018. Detecting malicious windows commands using natural language processing techniques. In Proceedings of the International Conference on Security for Information Technology and Communications. Springer, 157\u2013169."},{"key":"e_1_3_3_33_2","unstructured":"Jason Zhang. 2020. VelvetSweatshop: Default Passwords Can Still Make a Difference. 
Retrieved from https:\/\/blogs.vmware.com\/networkvirtualization\/2020\/11\/velvetsweatshop-when-default-passwords-can-still-make-a-difference.html\/."}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3513025","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3513025","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T19:31:20Z","timestamp":1750188680000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3513025"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,6,30]]},"references-count":32,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2023,6,30]]}},"alternative-id":["10.1145\/3513025"],"URL":"https:\/\/doi.org\/10.1145\/3513025","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"value":"2692-1626","type":"print"},{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,6,30]]},"assertion":[{"value":"2021-04-30","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-01-20","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-08-10","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}
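The component-extraction and signature step that the abstract describes, as an added example that is not taken from the paper or its authors' tooling. It is stdlib Python only: it opens an OOXML container (.docx/.docm), records the media parts and the VBA project if present, folds the media hashes into an order-independent signature so that documents reusing the same lure image correlate, pulls the visible text out of word/document.xml, and scores that text (plus whatever an OCR stage returns for the images) against a list of "enable content" lure phrases. Everything specific is an assumption: the lure-phrase list, the verdict thresholds, the sample documents and the placeholder "images" are all constructed here, and `fake_ocr` is a stand-in for the OCR engine the paper's pipeline would run over the extracted images. Legacy OLE2 containers (.doc/.xls) are rejected rather than guessed at.

```python
import hashlib
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MAX_PART = 32 * 1024 * 1024  # do not inflate oversized parts (decompression-bomb guard)

# Assumption: illustrative lure phrases, not the paper's own list.
LURE_PATTERNS = [
    r"enable\s+(content|editing|macros)",
    r"document\s+(was\s+)?created\s+in\s+(an?\s+)?(earlier|previous|older)\s+version",
    r"protected\s+view",
]

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="png" ContentType="image/png"/>'
    '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    '<Override PartName="/word/document.xml" '
    'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>'
)

# Constructed "images": a real PNG header followed by placeholder bytes.
LURE_PNG = PNG_MAGIC + b"constructed lure image shared across two samples"
LOGO_PNG = PNG_MAGIC + b"constructed harmless company logo"


def build_docx(text, image_bytes, vba=None):
    """Constructed sample: a minimal OOXML zip with one paragraph, one media part
    and an optional vbaProject.bin. Not a document from the paper's dataset."""
    doc = (f'<w:document xmlns:w="{W_NS[1:-1]}"><w:body><w:p><w:r>'
           f'<w:t>{text}</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", doc)
        z.writestr("word/media/image1.png", image_bytes)
        if vba is not None:
            z.writestr("word/vbaProject.bin", vba)
    return buf.getvalue()


def extract_components(data):
    """Walk the OOXML container and collect what lure triage needs: media parts
    (bytes + sha256), the VBA project hash if present, and the visible text."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML zip; legacy OLE2 .doc/.xls needs a different parser")
    parts = {"media": [], "vba": None, "text": ""}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.file_size > MAX_PART:
                continue
            name = info.filename
            if name.endswith("vbaProject.bin"):
                parts["vba"] = hashlib.sha256(z.read(name)).hexdigest()
            elif "/media/" in name:
                blob = z.read(name)
                parts["media"].append({"name": name, "bytes": blob,
                                       "is_png": blob.startswith(PNG_MAGIC),
                                       "sha256": hashlib.sha256(blob).hexdigest()})
            elif name.endswith("document.xml"):
                root = ET.fromstring(z.read(name))
                parts["text"] = " ".join(t.text or "" for t in root.iter(W_NS + "t"))
    return parts


def image_signature(parts):
    """Order-independent fingerprint of the media set: documents that reuse the
    same lure image share it even when their text and macro payloads differ."""
    joined = "|".join(sorted(m["sha256"] for m in parts["media"]))
    return hashlib.sha256(joined.encode()).hexdigest()[:16]


def find_lures(text):
    lowered = text.lower()
    return [p for p in LURE_PATTERNS if re.search(p, lowered)]


def fake_ocr(image_bytes):
    """Constructed stand-in for the OCR stage (a real pipeline runs an OCR engine
    over each extracted image); returns canned text for the constructed lure image."""
    if image_bytes == LURE_PNG:
        return ("This document was created in an earlier version of Microsoft Office. "
                "Enable editing and Enable content to view it.")
    return ""


def triage(data, ocr_fn=None):
    """Combine the parts into a verdict. Thresholds are illustrative: macro plus
    lure text is the pattern the abstract describes; either alone needs review."""
    parts = extract_components(data)
    texts = [parts["text"]] + ([ocr_fn(m["bytes"]) for m in parts["media"]] if ocr_fn else [])
    lures = find_lures(" ".join(texts))
    has_vba = parts["vba"] is not None
    verdict = "suspicious" if (has_vba and lures) else ("review" if (has_vba or lures) else "benign")
    return {"has_vba": has_vba, "lures": lures, "image_sig": image_signature(parts), "verdict": verdict}


def demo():
    d1 = build_docx("Please enable content to view this file.", LURE_PNG, vba=b"constructed vba A")
    d2 = build_docx("Invoice 2021-0042", LURE_PNG, vba=b"constructed vba B")
    d3 = build_docx("Quarterly report", LOGO_PNG)
    return {"d1": triage(d1), "d2_no_ocr": triage(d2),
            "d2_ocr": triage(d2, ocr_fn=fake_ocr), "d3": triage(d3)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run stand-alone, `demo()` shows the point the abstract makes: the second sample carries no lure text in its XML, so without the OCR stage it only rates "review" on the strength of its macro, while with OCR its image text triggers the lure patterns; and because it reuses the first sample's image, the two share an `image_sig` even though their VBA projects hash differently, which is the kind of cross-sample correlation the signature scheme is meant to surface.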