The patent badge is an abbreviated version of the USPTO patent document. The patent badge covers the following: Patent number, Date patent was issued, Date patent was filed, Title of the patent, Applicant, Inventor, Assignee, Attorney firm, Primary examiner, Assistant examiner, CPCs, and Abstract. The patent badge does contain a link to the full patent document (in Adobe Acrobat format, aka pdf).

Date of Patent: Jan. 11, 2022

Filed: Feb. 24, 2021

Applicant: Netskope, Inc., Santa Clara, CA (US)

Inventors: Ghanashyam Satpathy, Bangalore, IN; Benjamin Chang, Fremont, CA (US)

Assignee: Netskope, Inc., Santa Clara, CA (US)

Attorneys:
Primary Examiner:
Int. Cl.
CPC ...
H04N 7/16 (2011.01); G06F 7/04 (2006.01); G06F 21/56 (2013.01); G06N 5/00 (2006.01); G06N 20/00 (2019.01); G06F 21/53 (2013.01);
U.S. Cl.
CPC ...
G06F 21/56 (2013.01); G06F 21/53 (2013.01); G06N 5/003 (2013.01); G06N 20/00 (2019.01);
Abstract

The technology disclosed relates to cybersecurity attacks and cloud-based security. The technology disclosed is a method and apparatus for detecting documents with embedded threats in the form of malicious macros and malicious OLE objects. The technology disclosed detects obfuscated malicious code using a trained machine learning model to predict documents having malicious code without a known signature. The technology disclosed can thus predict which documents include signatureless malicious code. Feature engineering is used to define a set of features for detecting malicious macros and malicious OLE objects, based on features selected from a list of known characteristics and attributes possessed by files that have historically indicated malicious content. The selected features are used to train a supervised machine learning model. In another aspect, an office classifier receives incoming documents over a network, parses those documents, and applies the machine learning algorithm to classify the documents as to threat level, as safe, suspicious, or malicious. Safe documents are allowed into the network. Suspicious documents are subjected to additional processing, including quarantining or sandboxing methods. Malicious documents are rejected from the network. In a further aspect, the disclosed technology combines machine learning with other network security methods, to further increase the capability of a network security system to detect malicious macros and malicious OLE files.
