This paper investigates a novel tactic in phishing operations in which threat actors intentionally corrupt document and archive files, such as DOCX, DOCM, PDF, and ZIP, to evade antivirus (AV) and email filtering systems. Although malformed, these files are recoverable by the native applications that open them, such as Microsoft Word, Adobe Reader, and WinRAR, so the malicious payload can still execute after delivery. Building on prior findings by Any.Run (Any.Run, 2024), this study expands the corruption methodology to multiple structural modifications and evaluates their impact on AV detection via VirusTotal and on behavior in the Any.Run sandbox. A custom corruption suite and a companion detection tool were developed to automate both the corruption of samples and the detection of corrupted files, and to analyze results across formats.
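The following is an added example, not code from the paper or its corruption suite, illustrating the core idea of the abstract on the ZIP format: a structurally broken archive that a strict parser rejects while its members remain recoverable by walking the local file headers, which is what recovery-oriented tools do. The two corruptions shown (truncating the End of Central Directory record and zeroing the central directory signature) are assumptions chosen for illustration; the abstract does not state which modifications the paper used. The archive contents and filenames are constructed sample input.

```python
"""Added example (not from the paper): structurally corrupt a ZIP so a strict
parser rejects it, recover its members anyway, and flag such archives.

Assumption: the corruptions below (EOCD truncation, central-directory
signature zeroing) are illustrative; the paper's exact modifications are
not given in the abstract.
"""
import io
import struct
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"
CENTRAL_DIR_HEADER = b"PK\x01\x02"
EOCD = b"PK\x05\x06"


def build_zip(members: dict[str, bytes]) -> bytes:
    """Create a well-formed ZIP archive in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def corrupt_eocd(data: bytes) -> bytes:
    """Drop the End of Central Directory record. Parsers that locate members
    via the central directory (zipfile, many scanners) fail outright."""
    idx = data.rfind(EOCD)
    if idx == -1:
        raise ValueError("no EOCD record found")
    return data[:idx]


def corrupt_central_dir(data: bytes) -> bytes:
    """Zero the signature of the first central directory entry, leaving the
    EOCD and every local file header intact."""
    idx = data.rfind(EOCD)
    if idx == -1 or idx + 22 > len(data):
        raise ValueError("no EOCD record found")
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    cd_offset = struct.unpack_from("<I", data, idx + 16)[0]
    if data[cd_offset:cd_offset + 4] != CENTRAL_DIR_HEADER:
        raise ValueError("central directory not at the offset EOCD declares")
    return data[:cd_offset] + b"\x00\x00\x00\x00" + data[cd_offset + 4:]


def strict_parse_ok(data: bytes) -> bool:
    """Would a strict, central-directory-driven parser accept this archive?"""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except (zipfile.BadZipFile, EOFError, struct.error, ValueError, OSError):
        return False


def recover_local_entries(data: bytes) -> list[str]:
    """Walk local file headers sequentially, ignoring the central directory.
    This is how recovery-capable tools still reach the members, and it is
    also the basis for detecting a 'malformed but recoverable' archive."""
    names = []
    pos = 0
    while True:
        pos = data.find(LOCAL_FILE_HEADER, pos)
        if pos == -1 or pos + 30 > len(data):
            break
        # Local header: sig(4) ver(2) flags(2) method(2) time(2) date(2)
        #               crc(4) csize(4) usize(4) name_len(2) extra_len(2)
        fields = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        csize, name_len, extra_len = fields[6], fields[8], fields[9]
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        names.append(name)
        # Skip over name, extra field and compressed payload to the next header.
        pos = pos + 30 + name_len + extra_len + csize
    return names


def is_suspicious_zip(data: bytes) -> bool:
    """Detection heuristic: carries recoverable members but fails strict parsing.
    A clean archive fails one test; a deliberately corrupted one passes both."""
    return bool(recover_local_entries(data)) and not strict_parse_ok(data)


if __name__ == "__main__":
    sample = build_zip({"invoice.docm": b"constructed placeholder body",
                        "readme.txt": b"constructed placeholder text"})
    for label, blob in (("clean", sample),
                        ("eocd-truncated", corrupt_eocd(sample)),
                        ("cd-signature-zeroed", corrupt_central_dir(sample))):
        print(label, "strict_ok=", strict_parse_ok(blob),
              "members=", recover_local_entries(blob),
              "suspicious=", is_suspicious_zip(blob))
```

The heuristic deliberately keys on the gap between the two parsing strategies: a scanner that only trusts the central directory sees no members in the truncated file, while the user's archiver finds them by scanning local headers. Filters should therefore treat "looks like a ZIP but fails strict parsing" as a signal to inspect rather than as a reason to pass the file through.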