PSDEM: A Feasible De-Obfuscation Method for Malicious PowerShell Detection

PowerShell is so extremely powerful that we have seen that attackers are increasingly using PowerShell in their attack methods lately. In most cases, PowerShell malware arrives via spam email, using a combination of Microsoft Word documents to infect victims with its deadly payload. Nowadays, the de-obfuscation and analysis of PowerShell are still based on the manual analysis. However, as the number of malicious samples and obfuscation methods growing quickly, it is so slow that can't satisfy the demand. In this paper, we propose a deobfuscation method of PowerShell called PSDEM which has two layers de-obfuscation to get original PowerShell scripts. One is extracting PowerShell scripts from much obfuscated document code. The other is de-obfuscating scripts including encoding, strings manipulation and code logic obfuscation. Meanwhile, we design an automatic de-obfuscation and analysis tool for malicious PowerShell scripts in Word documents based on PSDEM. We test the performance of the tool from the accuracy of de-obfuscation and the efficiency of time, and evaluation results show that it has a satisfactory performance. PSDEM improves the efficiency and accuracy rate for analyzing malicious PowerShell Scripts in Word documents, as well as provides a path in which further analysis for security experts to get more information about attacks.