Detection of malicious VBA macros using machine learning methods

Since their appearance in 1994 in the Concept virus, VBA macros remain a preferred choice for malware authors. There are two main attack techniques when it comes to document-based malware: exploits and VBA macros, with the latter applied in the vast majority of threats. Although Microsoft have added multiple security features in an attempt to protect users against malicious macros, such protections are often easily circumvented by simple social engineering techniques. Anti-virus companies can no longer rely on static signatures due to the rate at which new macro malware is distributed, and thus are tasked with employing a more proactive approach to threat detection. This paper details the literature on machine learning methods for the detection of VBA macro malware. Further, a machine learning system for the detection of VBA macro malware is proposed and evaluated. A Random Forest classifier achieves a true positive detection rate of 98.9875% with a false positive detection rate of 1.07% over a set of 611 mixed (benign and malicious) malware samples

Detection of malicious VBA macros using machine learning methods

Since their appearance in 1994 in the Concept virus, VBA macros remain a preferred choice for malware authors. There are two main attack techniques when it comes to document-based malware: exploits and VBA macros, with the latter applied in the vast majority of threats. Although Microsoft have added multiple security features in an attempt to protect users against malicious macros, such protections are often easily circumvented by simple social engineering techniques. Anti-virus companies can no longer rely on static signatures due to the rate at which new macro malware is distributed, and thus are tasked with employing a more proactive approach to threat detection. This paper details the literature on machine learning methods for the detection of VBA macro malware. Further, a machine learning system for the detection of VBA macro malware is proposed and evaluated. A Random Forest classifier achieves a true positive detection rate of 98.9875% with a false positive detection rate of 1.07% over a set of 611 mixed (benign and malicious) malware samples