{"id":"https://openalex.org/W4410852602","doi":"https://doi.org/10.1109/jiot.2025.3574724","title":"XLM4Detector: Multistage Deobfuscation and Semantic-Driven Excel 4.0 Macro Malware Detection","display_name":"XLM4Detector: Multistage Deobfuscation and Semantic-Driven Excel 4.0 Macro Malware Detection","publication_year":2025,"publication_date":"2025-05-29","ids":{"openalex":"https://openalex.org/W4410852602","doi":"https://doi.org/10.1109/jiot.2025.3574724"},"language":"en","primary_location":{"id":"doi:10.1109/jiot.2025.3574724","is_oa":false,"landing_page_url":"https://doi.org/10.1109/jiot.2025.3574724","pdf_url":null,"source":{"id":"https://openalex.org/S2480266640","display_name":"IEEE Internet of Things Journal","issn_l":"2327-4662","issn":["2327-4662","2372-2541"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Internet of Things Journal","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5110378069","display_name":"Xiuzhang Yang","orcid":null},"institutions":[{"id":"https://openalex.org/I178232147","display_name":"Guizhou University","ror":"https://ror.org/02wmsc916","country_code":"CN","type":"education","lineage":["https://openalex.org/I178232147"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Xiuzhang Yang","raw_affiliation_strings":["State Key Laboratory of Public Big Data and Guizhou Big Data Academy, Guizhou University, Guiyang, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"State Key Laboratory of Public Big Data and Guizhou Big Data Academy, Guizhou University, Guiyang, China","institution_ids":["https://openalex.org/I178232147"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100722817","display_name":"Yuling Chen","orcid":"https://orcid.org/0000-0002-8674-8356"},"institutions":[{"id":"https://openalex.org/I178232147","display_name":"Guizhou University","ror":"https://ror.org/02wmsc916","country_code":"CN","type":"education","lineage":["https://openalex.org/I178232147"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yuling Chen","raw_affiliation_strings":["State Key Laboratory of Public Big Data and Guizhou Big Data Academy, Guizhou University, Guiyang, China"],"raw_orcid":"https://orcid.org/0000-0002-8674-8356","affiliations":[{"raw_affiliation_string":"State Key Laboratory of Public Big Data and Guizhou Big Data Academy, Guizhou University, Guiyang, China","institution_ids":["https://openalex.org/I178232147"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Chaofan Chen","orcid":"https://orcid.org/0009-0006-6966-9863"},"institutions":[{"id":"https://openalex.org/I178232147","display_name":"Guizhou University","ror":"https://ror.org/02wmsc916","country_code":"CN","type":"education","lineage":["https://openalex.org/I178232147"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Chaofan Chen","raw_affiliation_strings":["State Key Laboratory of Public Big Data and Guizhou Big Data Academy, Guizhou University, Guiyang, China"],"raw_orcid":"https://orcid.org/0009-0006-6966-9863","affiliations":[{"raw_affiliation_string":"State Key Laboratory of Public Big Data and Guizhou Big Data Academy, Guizhou University, Guiyang, China","institution_ids":["https://openalex.org/I178232147"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Di Yao","orcid":"https://orcid.org/0009-0009-8226-2330"},"institutions":[{"id":"https://openalex.org/I178232147","display_name":"Guizhou University","ror":"https://ror.org/02wmsc916","country_code":"CN","type":"education","lineage":["https://openalex.org/I178232147"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Di Yao","raw_affiliation_strings":["State Key Laboratory of Public Big Data and Guizhou Big Data Academy, Guizhou University, Guiyang, China"],"raw_orcid":"https://orcid.org/0009-0009-8226-2330","affiliations":[{"raw_affiliation_string":"State Key Laboratory of Public Big Data and Guizhou Big Data Academy, Guizhou University, Guiyang, China","institution_ids":["https://openalex.org/I178232147"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100783272","display_name":"Chenguang Li","orcid":"https://orcid.org/0000-0002-2783-2259"},"institutions":[{"id":"https://openalex.org/I37461747","display_name":"Wuhan University","ror":"https://ror.org/033vjfk17","country_code":"CN","type":"education","lineage":["https://openalex.org/I37461747"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Chenguang Li","raw_affiliation_strings":["School of Cyber Science and Engineering, Wuhan University, Wuhan, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"School of Cyber Science and Engineering, Wuhan University, Wuhan, China","institution_ids":["https://openalex.org/I37461747"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5026036837","display_name":"Yilin Zhou","orcid":"https://orcid.org/0009-0005-2952-5198"},"institutions":[{"id":"https://openalex.org/I37461747","display_name":"Wuhan University","ror":"https://ror.org/033vjfk17","country_code":"CN","type":"education","lineage":["https://openalex.org/I37461747"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yilin Zhou","raw_affiliation_strings":["School of Cyber Science and Engineering, Wuhan University, Wuhan, China"],"raw_orcid":"https://orcid.org/0009-0005-2952-5198","affiliations":[{"raw_affiliation_string":"School of Cyber Science and Engineering, Wuhan University, Wuhan, China","institution_ids":["https://openalex.org/I37461747"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Chenyang Wang","orcid":"https://orcid.org/0000-0002-9006-6868"},"institutions":[{"id":"https://openalex.org/I37461747","display_name":"Wuhan University","ror":"https://ror.org/033vjfk17","country_code":"CN","type":"education","lineage":["https://openalex.org/I37461747"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Chenyang Wang","raw_affiliation_strings":["School of Cyber Science and Engineering, Wuhan University, Wuhan, China"],"raw_orcid":"https://orcid.org/0000-0002-9006-6868","affiliations":[{"raw_affiliation_string":"School of Cyber Science and Engineering, Wuhan University, Wuhan, China","institution_ids":["https://openalex.org/I37461747"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5063054609","display_name":"Zhi Ouyang","orcid":"https://orcid.org/0000-0003-0461-8177"},"institutions":[{"id":"https://openalex.org/I178232147","display_name":"Guizhou University","ror":"https://ror.org/02wmsc916","country_code":"CN","type":"education","lineage":["https://openalex.org/I178232147"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zhi Ouyang","raw_affiliation_strings":["State Key Laboratory of Public Big Data and Guizhou Big Data Academy, Guizhou University, Guiyang, China"],"raw_orcid":"https://orcid.org/0000-0003-0461-8177","affiliations":[{"raw_affiliation_string":"State Key Laboratory of Public Big Data and Guizhou Big Data Academy, Guizhou University, Guiyang, China","institution_ids":["https://openalex.org/I178232147"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5076621366","display_name":"Guojun Peng","orcid":"https://orcid.org/0000-0001-5731-8958"},"institutions":[{"id":"https://openalex.org/I37461747","display_name":"Wuhan University","ror":"https://ror.org/033vjfk17","country_code":"CN","type":"education","lineage":["https://openalex.org/I37461747"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Guojun Peng","raw_affiliation_strings":["School of Cyber Science and Engineering, Wuhan University, Wuhan, China"],"raw_orcid":"https://orcid.org/0000-0001-5731-8958","affiliations":[{"raw_affiliation_string":"School of Cyber Science and Engineering, Wuhan University, Wuhan, China","institution_ids":["https://openalex.org/I37461747"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":9,"corresponding_author_ids":["https://openalex.org/A5110378069"],"corresponding_institution_ids":["https://openalex.org/I178232147"],"apc_list":null,"apc_paid":null,"fwci":1.2753,"has_fulltext":false,"cited_by_count":1,"citation_normalized_percentile":{"value":0.7868223,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":91,"max":95},"biblio":{"volume":"12","issue":"16","first_page":"33271","last_page":"33292"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9970999956130981,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.986299991607666,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8534854650497437},{"id":"https://openalex.org/keywords/macro","display_name":"Macro","score":0.7170045375823975},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.6988256573677063},{"id":"https://openalex.org/keywords/stage","display_name":"Stage (stratigraphy)","score":0.44822248816490173},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.32537734508514404},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.31583672761917114},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.3008549213409424}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8534854650497437},{"id":"https://openalex.org/C166955791","wikidata":"https://www.wikidata.org/wiki/Q629579","display_name":"Macro","level":2,"score":0.7170045375823975},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.6988256573677063},{"id":"https://openalex.org/C146357865","wikidata":"https://www.wikidata.org/wiki/Q1123245","display_name":"Stage (stratigraphy)","level":2,"score":0.44822248816490173},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.32537734508514404},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.31583672761917114},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.3008549213409424},{"id":"https://openalex.org/C151730666","wikidata":"https://www.wikidata.org/wiki/Q7205","display_name":"Paleontology","level":1,"score":0.0},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/jiot.2025.3574724","is_oa":false,"landing_page_url":"https://doi.org/10.1109/jiot.2025.3574724","pdf_url":null,"source":{"id":"https://openalex.org/S2480266640","display_name":"IEEE Internet of Things Journal","issn_l":"2327-4662","issn":["2327-4662","2372-2541"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Internet of Things Journal","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G1452176057","display_name":null,"funder_award_id":"62172308, 61972297, U24A20241, 62202118, 62062019","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G2784752186","display_name":null,"funder_award_id":"[2024]014","funder_id":"https://openalex.org/F4320329858","funder_display_name":"Major Scientific and Technological Special Project of Guizhou Province"},{"id":"https://openalex.org/G2901559538","display_name":null,"funder_award_id":"62172308","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G4840164131","display_name":null,"funder_award_id":"72261004","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G6526812876","display_name":null,"funder_award_id":"62202118","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320329858","display_name":"Major Scientific and Technological Special Project of Guizhou Province","ror":null}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":38,"referenced_works":["https://openalex.org/W2052176706","https://openalex.org/W2294586387","https://openalex.org/W2557716486","https://openalex.org/W2783139674","https://openalex.org/W2783707758","https://openalex.org/W2884157903","https://openalex.org/W2891782005","https://openalex.org/W2908514512","https://openalex.org/W2965263711","https://openalex.org/W2972512996","https://openalex.org/W3009252109","https://openalex.org/W3015700267","https://openalex.org/W3070794221","https://openalex.org/W3084472304","https://openalex.org/W3114105288","https://openalex.org/W3128866156","https://openalex.org/W3206877124","https://openalex.org/W4211235181","https://openalex.org/W4226163627","https://openalex.org/W4288057801","https://openalex.org/W4311165726","https://openalex.org/W4312816971","https://openalex.org/W4323338381","https://openalex.org/W4381890377","https://openalex.org/W4385802528","https://openalex.org/W4386041582","https://openalex.org/W4386951843","https://openalex.org/W4387453400","https://openalex.org/W4387587680","https://openalex.org/W4388464937","https://openalex.org/W4388562958","https://openalex.org/W4389352559","https://openalex.org/W4392095728","https://openalex.org/W4398151606","https://openalex.org/W4400490091","https://openalex.org/W4402158659","https://openalex.org/W4405182026","https://openalex.org/W6713671097"],"related_works":["https://openalex.org/W2030816003","https://openalex.org/W2097492617","https://openalex.org/W2753240997","https://openalex.org/W1764168690","https://openalex.org/W2537959205","https://openalex.org/W2740895074","https://openalex.org/W2772446090","https://openalex.org/W4284893819","https://openalex.org/W4239992647","https://openalex.org/W2150013480"],"abstract_inverted_index":{"Excel":[0,102],"4.0":[1,103],"Macro":[2,104],"leverages":[3],"XLM":[4,52,60,137,197,212,218],"code":[5,138,214],"to":[6,66,80,89,127,190],"directly":[7],"invoke":[8],"system":[9],"APIs":[10],"and":[11,26,43,63,70,92,112,123,136,160,174,201,215,221,231,246],"automate":[12],"complex":[13],"tasks,":[14],"making":[15],"it":[16],"a":[17,75,100,129,176],"widely":[18],"used":[19],"tool":[20],"in":[21,29,85,227],"phishing":[22],"attacks,":[23,87],"APT":[24,247],"campaigns,":[25],"IoT":[27,240],"intrusions":[28],"recent":[30],"years.":[31],"By":[32],"constructing":[33],"various":[34],"obfuscated":[35,211],"macro":[36],"malware,":[37],"attackers":[38],"can":[39],"easily":[40],"evade":[41],"firewalls":[42],"detection":[44,77,106,200,228],"systems,":[45],"thereby":[46],"achieving":[47],"persistent":[48],"attacks.":[49],"However,":[50],"existing":[51],"malware":[53,61,105,198,219],"defense":[54],"mechanisms":[55],"lack":[56],"in-depth":[57],"analysis":[58],"of":[59],"families":[62,220],"behaviors,":[64],"failing":[65],"integrate":[67],"multi-dimensional":[68],"features":[69,150],"semantic":[71,114,161,178,193],"relationships":[72],"effectively.":[73],"As":[74],"result,":[76],"systems":[78],"struggle":[79],"accurately":[81,216],"identify":[82],"malicious":[83,243],"operations":[84],"real-world":[86],"leading":[88],"low":[90],"robustness":[91],"accuracy.":[93],"To":[94],"this":[95],"end,":[96],"we":[97,141,165,185],"propose":[98],"XLM4Detector,":[99],"novel":[101],"framework":[107,234],"based":[108],"on":[109],"multi-stage":[110,130],"deobfuscation":[111,131,135],"multi-view":[113,177],"fusion.":[115],"First,":[116],"XLM4Detector":[117,208],"integrates":[118],"AST":[119],"analysis,":[120],"simulated":[121],"execution,":[122],"regular":[124],"expression":[125],"matching":[126],"construct":[128],"algorithm,":[132],"enabling":[133,196],"precise":[134],"extraction.":[139],"Second,":[140],"introduce":[142],"four":[143,167],"feature":[144,182],"extraction":[145],"methods":[146,226],"that":[147,207],"capture":[148,191],"fine-grained":[149],"at":[151],"the":[152],"word":[153],"(string),":[154],"token":[155],"(function),":[156],"abstract":[157],"syntax":[158],"tree,":[159],"relationship":[162],"levels.":[163],"Then,":[164],"design":[166],"embedding":[168],"representations":[169],"(XlmWord2Vec,":[170],"XlmToken2Vec,":[171],"XlmAst2Vec,":[172],"XlmRela2Vec)":[173],"employ":[175],"fusion":[179],"algorithm":[180],"for":[181,239],"alignment.":[183],"Finally,":[184],"develop":[186],"an":[187],"MHSACNN-BiGRU":[188],"model":[189],"hierarchical":[192],"relationships,":[194],"effectively":[195,209],"behavior":[199],"family":[202],"classification.":[203],"Experimental":[204],"results":[205],"demonstrate":[206],"reconstructs":[210],"source":[213],"detects":[217],"behaviors.":[222],"It":[223],"outperforms":[224],"state-of-the-art":[225],"accuracy,":[229],"robustness,":[230],"generalization.":[232],"Our":[233],"provides":[235],"critical":[236],"technical":[237],"support":[238],"security":[241],"defense,":[242],"document":[244],"detection,":[245],"tracking.":[248]},"counts_by_year":[{"year":2025,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}