O-Checker - Detection of Malicious Documents Through Deviation From File Format Specifications

Explore a 19-minute Black Hat conference talk that delves into the detection of malicious documents through deviations from file format specifications. Learn about the O-Checker tool, which examines various document formats used in targeted email attacks in Japan from 2009 to 2012. Discover how the tool focuses on anomalous structures within Rich Text Format, Compound File Binary, and Portable Document Format files to identify hidden executable files. Gain insights into eight classified anomalous structures and understand how O-Checker achieved a 96.1% detection rate for malicious files used in targeted email attacks in 2013 and 2014. Examine the effectiveness of this approach, which capitalizes on the stability of document file formats compared to document processors, potentially offering a long-term solution for malware detection.