Efficient Detection and Recovery of Malicious PowerShell Scripts Embedded into Digital Images

<table class="table-group" id="tab4"><tr><td><table class="table"><tr><td class="thead-hr" colspan="3"><hr/></td></tr><tr class="thead"><td class="align_left">Obfuscation method</td><td class="align_center">Multiplication factor <svg height="15.9799pt" id="M69" style="vertical-align:-3.4294pt" version="1.1" viewbox="-0.0498162 -12.5505 20.7215 15.9799" width="20.7215pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M300 -147C201 -63 143 98 143 270S200 602 300 686L282 710C136 610 70 450 70 271V270C70 89 136 -72 282 -170L300 -147Z"></path></g><rect height="0.65243" width="11.5921" x="4.498" y="-11.8482"></rect><g transform="matrix(.013,0,0,-0.013,4.498,0)"><path d="M619 670C619 686 593 712 555 712S459 686 410 634S335 504 320 430H250L219 400L222 388H312L258 73C223 -133 201 -166 187 -180C175 -191 158 -199 140 -199C123 -199 88 -188 74 -172C68 -166 63 -164 54 -171C38 -185 23 -201 23 -215C23 -236 60 -261 93 -261C122 -261 161 -247 207 -200C268 -138 300 -71 337 94C365 220 376 277 394 387L501 399L521 430H401C432 623 464 665 501 665C524 665 544 651 567 627C577 617 583 618 592 625C601 631 619 651 619 670Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,11.219,3.132)"><path d="M452 282C452 397 389 451 302 451C268 451 227 441 188 422C95 377 24 281 24 154C24 65 70 -12 173 -12C240 -12 297 16 342 52C418 113 452 201 452 282ZM359 282C359 163 308 66 247 39C237 35 225 32 212 32C151 32 114 79 114 157C114 301 180 380 223 398C240 405 250 408 265 408C315 408 359 369 359 282Z"></path></g><g transform="matrix(.013,0,0,-0.013,16.09,0)"><path d="M275 270C275 450 212 609 64 710L45 686C145 604 203 442 203 270S147 -63 45 -147L64 -170C213 -68 275 89 275 270Z"></path></g></svg></td><td class="align_center">Corr. predicted</td></tr><tr><td class="thead-hr" colspan="3"><hr/></td></tr><tr><td class="align_left">No obfuscation</td><td class="align_center">1</td><td class="align_center">2,116/2,355 (89.85%)</td></tr><tr><td class="align_left">ASCII encoding</td><td class="align_center">4.19445</td><td class="align_center">2,040/2,355 (85.14%)</td></tr><tr><td class="align_left">Token-based</td><td class="align_center">2.02852</td><td class="align_center">1,999/2,355 (84.88%)</td></tr><tr><td class="align_left">String-based</td><td class="align_center">1.79499</td><td class="align_center">1,939/2,355 (82.34%)</td></tr><tr><td class="align_left">AbstractSyntaxTree</td><td class="align_center">1.09672</td><td class="align_center">2,005/2,355 (85.14%)</td></tr><tr><td class="align_left"><b>Overall</b></td><td class="align_center">—</td><td class="align_center"><b>85.77%</b></td></tr><tr class="table-tr"><td colspan="3"><hr class="tbody-hr"/></td></tr></table></td></tr></table>

<div>Inferred script functionality by size.</div>

Security and Communication Networks

tab4

Table 4

Table 4: Efficient Detection and Recovery of Malicious PowerShell Scripts Embedded into Digital Images 