Windows malware detectors based on machine learning are vulnerable to
adversarial examples, even if the attacker is only given black-box query access
to the model. The main drawback of these attacks is that: (i) they are
query-inefficient, as they rely on iteratively applying random transformations
to the input malware; and (ii) they may also require executing the adversarial
malware in a sandbox at each iteration of the optimization process, to ensure
that its intrusive functionality is preserved. In this paper, we overcome these
issues by presenting a novel family of black-box attacks that are both
query-efficient and functionality-preserving, as they rely on the injection of
benign content - which will never be executed - either at the end of the
malicious file, or within some newly-created sections. Our attacks are
formalized as a constrained minimization problem which also enables optimizing
the trade-off between the probability of evading detection and the size of the
injected payload. We empirically investigate this trade-off on two popular
static Windows malware detectors, and show that our black-box attacks can
bypass them with only few queries and small payloads, even when they only
return the predicted labels. We also evaluate whether our attacks transfer to
other commercial antivirus solutions, and surprisingly find that they can
evade, on average, more than 12 commercial antivirus engines. We conclude by
discussing the limitations of our approach, and its possible future extensions
to target malware classifiers based on dynamic analysis