Many malware campaigns use Microsoft (MS) Office documents as droppers to download and execute their malicious payload. Such campaigns often use these documents because MS Office is installed in billions of devices and that these files allow the execution of arbitrary VBA code. Recent versions of MS Office prevent the automatic execution of VBA macros, so malware authors try to convince users into enabling the content via images that, e.g. forge system or technical errors. In this work, we leverage these visual elements to construct lightweight malware signatures that can be applied with minimal effort. We test and validate our approach using an extensive database of malware samples and identify correlations between different campaigns that illustrate that some campaigns are either using the same tools or that there is some collaboration between them.

翻译：许多恶意软件运动使用微软(MS)办公室文件下载和执行其恶意有效载荷,这种运动经常使用这些文件,因为MS办公室安装了数十亿个装置,而这些档案允许任意执行VBA代码。最近版本的MS Office防止自动执行VBA宏,因此恶意软件作者试图说服用户通过图像(例如伪造系统或技术错误)来帮助内容。在这项工作中,我们利用这些视觉元素来构建轻量的恶意软件签名,这些签名可以尽量应用。我们使用一个庞大的恶意软件样本数据库来测试和验证我们的方法,并查明不同运动之间的相互关系,表明有些运动使用的是相同的工具,或者它们之间有一些协作。