Automatic Hooking for Forensic Analysis of Document-based Code Injection Attacks Techniques and Empirical Analyses

Document-based code injection attacks, where-in malicious code (coined shellcode) is embedded in a document, have quickly replaced network-service based exploits as the preferred method of attack. In this paper, we present a new technique to aid in forensic and diagnostic analysis of malicious documents detected using dynamic code analysis techniques — namely, automated API call hooking and simulation. Our approach provides an API call trace of a shellcode in a few milliseconds. We also present the results of a large empirical analysis of malicious PDFs collected in the wild over the last few years. To our surprise, we found that 90% of shellcode embedded in documents make no use of machine-code level polymorphism, in stark contrast to prior shellcode studies based on samples collected from network-service level attacks. We also observed a heavy-tailed distribution of API call sequences used by contemporary shellcode.