Email is now a ubiquitous form of communication. It is also used to transmit files between persons and organizations by including those files as attachments. Unfortunately, email attachments may carry payloads from attackers intending to compromise computer security.
As one example, document files may include macros that host shellcode, which is a payload used in the exploitation of a software vulnerability. Attackers may encrypt the shellcode to evade detection based on static scanning. When executed, the macro may automatically decrypt the shellcode and trigger a memory error to gain control over a document application (e.g., a word processing or spreadsheet application). To bypass address space layout randomization defenses, the attackers may use a heap spraying technique that fills large parts of memory with NOP ("No Operation") instructions and shellcode. After extracting the shellcode into memory, the macro may also trigger a bug that corrupts a code pointer value. If the corrupted pointer refers to the region of memory holding the shellcode, the attack may succeed.
Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for protecting document files from macro threats.
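As an added illustration (not part of the disclosure or its claimed systems), the following Python heuristic scans VBA-style macro text for the three traits described in the background above: a long high-entropy string literal (an encrypted payload), a loop that decodes it back into bytes, and a very large loop that appends one filler byte (a NOP sled for heap spraying). The macro samples, thresholds and indicator names are constructed for this example.

```python
import math
import re

# Constructed, non-functional VBA-style macro text (not from the disclosure)
# exhibiting the three traits the text describes: a long high-entropy literal,
# a loop that decodes it, and a loop that grows a buffer from a filler byte.
SUSPICIOUS_MACRO = '''
Sub AutoOpen()
    enc = "9f3a7c1e5b2d8a4f6e0c3b7d9a1f5e2c4b8d6a0f3e7c1b5d9a2f4e6c8b0d3a7f1e5c9b2d4a6f8e0c"
    For i = 1 To Len(enc) Step 2
        out = out & Chr(Val("&H" & Mid(enc, i, 2)) Xor 77)
    Next i
    For j = 1 To 200000
        sled = sled & Chr(&H90)
    Next j
End Sub
'''

# Constructed benign macro used as a control.
BENIGN_MACRO = '''
Sub AutoOpen()
    MsgBox "Quarterly report loaded"
End Sub
'''

STRING_LITERAL = re.compile(r'"([^"\n]{32,})"')          # literals of 32+ chars
FOR_BLOCK = re.compile(r'\bFor\b(.*?)\bNext\b', re.I | re.S)  # For ... Next bodies
LOOP_BOUND = re.compile(r'=\s*\d+\s+To\s+(\d+)', re.I)   # numeric upper bound

def shannon_entropy(s: str) -> float:
    """Bits per character of s; about 4.0 for uniform hex text."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_like_spray(body: str, min_iterations: int) -> bool:
    """A huge fixed-count loop that appends Chr(...) to a string: sled building."""
    m = LOOP_BOUND.search(body)
    return bool(m) and int(m.group(1)) >= min_iterations and "&" in body and "Chr(" in body

def assess_macro(macro: str, entropy_threshold: float = 3.5,
                 spray_iterations: int = 10_000) -> dict:
    """Map each indicator to whether it fires, plus a simple count as the score."""
    literals = STRING_LITERAL.findall(macro)
    loops = FOR_BLOCK.findall(macro)
    indicators = {
        "encrypted_payload": any(shannon_entropy(s) >= entropy_threshold for s in literals),
        "decode_loop": any("Chr(" in b and ("Xor" in b or 'Val("&H' in b) for b in loops),
        "spray_loop": any(looks_like_spray(b, spray_iterations) for b in loops),
    }
    indicators["score"] = sum(1 for v in indicators.values() if v is True)
    return indicators
```

The entropy gate alone is weak (English text scores near 3.8 bits per character), so the length floor and the loop indicators carry most of the signal; tune the thresholds against a corpus of known-good macros before relying on them.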