Fast fingerprinting of OLE2 files: heuristics for detection of exploited OLE2 files based on specification non-conformance

Stephen Edwards, Sophos
Paul Baccas, Sophos


The main class of malicious OLE2 files currently seen by SophosLabs exploits vulnerabilities in Microsoft Office applications. These are used to install malware - most often rootkits, backdoors, or downloaders. Ten years ago, SophosLabs would have been inundated with self-replicating threats or macro-based trojans. As the attack vector has changed, detection techniques have adapted with it - knowledge of the OLE2 specification is a powerful tool in the fight.

OLE2 documents are complex, so the cost of parsing them in order to detect an exploit directly can be prohibitive for a security scanner. However, Microsoft Office file formats typically have early records with a significant number of rigidly defined fields. This paper will investigate whether non-adherence to the specification within these fields can be used as a low-cost heuristic to improve detection of this class of malware. Additionally, by scanning a diverse set of clean and exploited files, the paper will set out which violations are pertinent to exploit detection.
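As an added illustration of the kind of low-cost check the abstract describes (example code written for this page, not code from the paper or from SophosLabs' scanner), the following Python reads only the fixed fields of the 512-byte OLE2 header and reports every deviation from the values the MS-CFB specification mandates. Which of these deviations actually correlate with exploited files is the paper's question, not something this example claims to answer; the sample header it checks is constructed in `make_header`.

```python
import struct

# Header field values fixed by the OLE2 / Compound File Binary spec (MS-CFB).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF

def ole2_header_violations(data: bytes) -> list:
    """Spec violations in the rigid fields of the 512-byte OLE2 header; nothing
    past the header is parsed, so the check costs almost nothing per file."""
    if len(data) < 512:
        return ["length: header shorter than 512 bytes"]
    issues = []
    if data[0:8] != OLE2_MAGIC:
        issues.append("signature: not D0CF11E0A1B11AE1")
    if data[8:24] != bytes(16):
        issues.append("clsid: must be all zero")
    minor, major, order, sec_shift, mini_shift = struct.unpack_from("<5H", data, 24)
    if minor != 0x003E:
        issues.append("minor_version: expected 0x003E, got 0x%04X" % minor)
    if major not in (3, 4):
        issues.append("major_version: expected 3 or 4, got %d" % major)
    elif sec_shift != (9 if major == 3 else 12):  # 512-byte or 4096-byte sectors
        issues.append("sector_shift: %d is invalid for major version %d" % (sec_shift, major))
    if order != 0xFFFE:
        issues.append("byte_order: expected 0xFFFE, got 0x%04X" % order)
    if mini_shift != 6:
        issues.append("mini_sector_shift: expected 6, got %d" % mini_shift)
    if data[34:40] != bytes(6):
        issues.append("reserved: must be zero")
    n_dir_sectors, _, _, _, mini_cutoff = struct.unpack_from("<5I", data, 40)
    if major == 3 and n_dir_sectors != 0:
        issues.append("dir_sector_count: must be 0 in a version 3 file")
    if mini_cutoff != 0x1000:
        issues.append("mini_stream_cutoff: expected 0x1000, got 0x%X" % mini_cutoff)
    return issues

def make_header(**overrides) -> bytes:
    """Constructed sample input: a minimal conformant version 3 header. Keyword
    overrides mutate single fields to simulate a non-conformant file."""
    f = dict(minor=0x3E, major=3, order=0xFFFE, sec_shift=9, mini_shift=6, n_dir=0,
             n_fat=1, first_dir=1, txn=0, cutoff=0x1000, first_minifat=ENDOFCHAIN,
             n_minifat=0, first_difat=ENDOFCHAIN, n_difat=0)
    f.update(overrides)
    hdr = OLE2_MAGIC + bytes(16)  # signature, zero CLSID
    hdr += struct.pack("<5H", f["minor"], f["major"], f["order"], f["sec_shift"], f["mini_shift"])
    hdr += bytes(6)  # reserved
    hdr += struct.pack("<9I", f["n_dir"], f["n_fat"], f["first_dir"], f["txn"], f["cutoff"],
                       f["first_minifat"], f["n_minifat"], f["first_difat"], f["n_difat"])
    hdr += struct.pack("<I", 0) + struct.pack("<I", FREESECT) * 108  # DIFAT: FAT at sector 0
    return hdr
```

Running `ole2_header_violations(make_header(sec_shift=12, cutoff=0))` returns two findings (an invalid sector shift for a version 3 file and a wrong mini-stream cutoff), while the unmodified header returns an empty list.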
