Phishing document deobfuscation and feature extraction method and its application in attack detection
By combining a multi-stage deobfuscation algorithm based on a large model and an abstract syntax tree with four-dimensional feature fusion and a composite deep learning model, the problem of insufficient detection accuracy and weak semantic understanding in phishing document detection is solved. This achieves high-precision phishing document attack identification and cross-platform deployment, especially reducing energy consumption and response time on mobile devices.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- GUIZHOU UNIV
- Filing Date
- 2025-07-09
- Publication Date
- 2026-06-09
Smart Images

Figure CN120850287B_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of security layer in the industrial internet, and particularly relates to the technical fields of attack detection, malicious code and intrusion detection in the industrial internet. In particular, it relates to a method for deobfuscating and extracting features from phishing documents and its application in attack detection. Background Technology
[0002] In the context of increasingly complex cybersecurity threats, phishing attacks have evolved into a highly covert and deceptive attack method. In particular, social engineering attacks using phishing documents embedded with malicious macro code have become a common intrusion method for attackers. Attackers can bypass traditional detection mechanisms by using macros and automated scripts within these documents, inducing users to execute malicious code, leading to system compromise, sensitive data leaks, and even triggering APT (Advanced Persistent Threat) attacks. Therefore, the detection and defense against phishing documents has become an important research direction in the field of cybersecurity.
[0003] Early phishing document detection methods relied heavily on rule matching and signature comparison. While simple to implement and effective for known samples, their accuracy and robustness were significantly insufficient when faced with obfuscated, distorted, or encrypted malicious documents. Furthermore, the maintenance and updating of the signature database increased the system's resource consumption.
[0004] To improve detection generalization capabilities, some studies have attempted to use behavior-based analysis methods, monitoring system calls, file read / write operations, and network requests during document execution to determine malicious intent. However, this method typically requires dynamically running the document, which not only impacts system performance but also introduces the problem of false positives and false negatives.
[0005] In recent years, deep learning technology has been introduced into the field of phishing document detection, improving detection capabilities to some extent by automatically extracting and modeling features of document content, structure, and execution semantics. Some methods combine models such as convolutional neural networks (CNNs) and recurrent neural networks (RNNs) to attempt to learn latent patterns from code sequences for identifying malicious macro behavior. However, these methods generally suffer from two shortcomings: first, they cannot effectively handle structural changes in obfuscated code, resulting in unstable extracted features; second, their multi-dimensional semantic modeling capabilities are limited, failing to fully capture deep contextual dependencies and cross-statement relationships in macro code.
[0006] In summary, existing phishing document detection technologies still suffer from insufficient accuracy, poor adaptability to variant samples, and weak semantic understanding capabilities when dealing with complex obfuscation techniques, diverse attack methods, and advanced persistent threats. Therefore, there is an urgent need for a comprehensive detection solution that integrates structural parsing, a multi-level deobfuscation mechanism driven by a large model, and deep learning detection capabilities. This solution would enable high-precision reconstruction and identification of malicious code processed by complex obfuscation techniques such as encryption, renaming, and control flow transformation in phishing documents, thereby effectively improving the accuracy and robustness of the detection system. Summary of the Invention
[0007] This invention aims to provide a method for deobfuscating and extracting features from phishing documents and its application in attack detection, thereby achieving automated detection and attack family classification of phishing documents. It solves the problems of insufficient detection accuracy, poor adaptability to variant samples, and weak semantic understanding in existing technologies, and improves the recognition accuracy and generalization ability of highly concealed and dynamically obfuscated phishing document attacks.
[0008] Based on a first key aspect of the present invention, a method for deobfuscating phishing documents is provided, comprising at least one or a combination of the following steps performed by a computer system:
[0009] Obfuscation macro code of phishing documents is obtained from computer systems. Pre-trained language models are used to build prompt engineering templates. Combined with large models, the obfuscation logic structure is analyzed and deobfuscation rules and restoration strategies are generated.
[0010] In a computer system, the obfuscated macro code is structured into an abstract syntax tree using a parsing tool. Based on regular expression matching of typical obfuscation patterns, and combined with function execution simulation and cell reference analysis, the structure is initially restored, the control flow semantics are restored, and the operation path is constructed.
[0011] In a computer system, based on demixing rules and an abstract syntax tree, the obfuscated structure is converted into readable macro statements, generating a sequence of macro code instructions to remove obfuscated semantics, and outputting the demixed semantic sequence.
[0012] As a further preferred option, in the aforementioned phishing document deobfuscation method, the step of constructing a prompt engineering template using a pre-trained language model includes: using a pre-trained language model, including DeepSeek and GPT, inputting obfuscated macro code formulas to enable it to understand the obfuscated logical structure, generating structural parsing prompts, outputting obfuscation resolution strategies for formula recognition, rewriting, and instruction restoration, and using them to control the parsing process.
[0013] As a further preferred solution, in the aforementioned method for deobfuscating phishing documents, the step of structuring the obfuscated macro code into an abstract syntax tree using a parsing tool includes: using the Lark parser, first performing preliminary structural restoration through typical macro obfuscation patterns including regular expression matching of CHAR() concatenation instructions and nested expressions, then simulating the function execution process, simulating custom function calls and macro jump logic to achieve control flow semantic restoration, and simultaneously analyzing cell references in formulas and the operation paths and reference relationships of formula structure construction, ultimately generating a complete abstract syntax tree.
[0014] Based on a second key aspect of the present invention, a method for extracting features from phishing documents is provided, comprising: executing the following steps by a computer system based on the macro code instruction sequence obtained by the aforementioned deobfuscation method:
[0015] Attack features are extracted from multiple view dimensions, including word features, token features, abstract syntax tree features, and relation features.
[0016] The word feature extraction includes preprocessing and tokenizing the macro code instruction sequence, extracting word units containing content such as commands, paths, and file operations, identifying high-frequency keywords through a word segmenter, and generating word vector representations that reflect the semantics of the code.
[0017] The extraction of token features includes identifying tokens representing functions or operations in the macro code instruction sequence, combining them with parameters to form a context call structure, scoring and ranking the attack tendency of tokens based on a preset keyword library and statistical model, and outputting a token vector representation.
[0018] The extraction of the abstract syntax tree features includes parsing the macro code instruction sequence into an abstract syntax tree (AST), extracting syntax features including the hierarchical structure of nodes in the tree, function nesting relationships, and clause positions, modeling the path structure, nesting levels, and child node patterns in the tree, and generating AST node vector representations.
[0019] The extraction of relational features includes extracting cross-cell and cross-function jump relationships and function dependencies in the macro code instruction sequence, constructing a macro-level semantic relational graph, representing information such as call flow and data flow through a graph neural network (GNN), and generating relational vector representations.
[0020] Finally, word vectors, token vectors, AST node vectors, and relation vectors are fused into a multi-view feature set.
[0021] As a further preferred option, in the aforementioned phishing document feature extraction method, the preprocessing and tokenization include: denoising the macro code instruction sequence to remove comments, blank lines, and meaningless symbols; using regular expression matching to segment continuous strings into independent word units; filtering common non-aggressive words through a stop word library, retaining word units containing sensitive operations; and using a Word2Vec or GloVe model to vectorize the filtered word units, generating word vector representations with uniform dimensions.
[0022] As a further preferred embodiment, in the aforementioned phishing document feature extraction method, the step of parsing the macro code instruction sequence into an abstract syntax tree (AST) includes:
[0023] The macro code instruction sequence was parsed using parsing tools including Lark and ANTLR to generate an AST structure containing instruction nodes, function call nodes, and cell reference nodes.
[0024] Extract parent-child relationships, sibling relationships, and hierarchical depth between nodes in the AST, and identify macro instruction nodes, function call nodes, and data operation nodes;
[0025] The Tree-LSTM or Graph2Vec model is used to model the AST node sequence, and the node type, position and context relationship are encoded into vectors to generate an AST vector representation that reflects the syntactic structure features.
[0026] Based on a third key aspect of the present invention, an application of a phishing document deobfuscation method and / or feature extraction method in attack detection is provided, comprising the following steps performed by a computer system:
[0027] Obfuscated macro code from a phishing document is obtained from a computer system. The obfuscated macro code is then deobfuscated using a phishing document deobfuscation method to obtain a deobfuscated macro code instruction sequence.
[0028] Based on the demixed macro code instruction sequence, multi-view features are extracted using the phishing document feature extraction method, including word features, token features, abstract syntax tree features, and relation features;
[0029] The multi-view features are input into the attack detection model, which performs feature fusion and classification on the multi-view features through a deep neural network and outputs the attack detection results of the phishing document.
[0030] The attack detection results include the attack category, attack confidence level, and determination of whether it is a phishing document.
[0031] As a further preferred embodiment, in the aforementioned application, the deep neural network of the attack detection model includes a local feature extraction layer, a global dependency modeling layer, and an attention fusion layer connected in sequence:
[0032] The local feature extraction layer uses a one-dimensional convolutional neural network to perform convolution operations on the input feature tensor to extract n-gram local context patterns.
[0033] The global dependency modeling layer uses bidirectional gated cyclic units to capture long-range dependencies in the sequence and outputs a hidden state sequence containing forward and backward information.
[0034] The attention fusion layer employs a multi-head self-attention mechanism to perform cross-position feature fusion on the hidden state sequence, generating a comprehensive feature vector containing global semantics. Finally, the comprehensive feature vector is mapped to the classification space through a fully connected layer and a Softmax function, outputting the attack detection result.
[0035] As a further preferred embodiment, in the aforementioned application, the attack detection includes the following steps performed by the computer system:
[0036] 1) The computer system preprocesses the input document to determine whether it has the ability to store and execute macro documents; after confirming the document characteristics, the system analyzes its macro execution entry point and potential triggering mechanism; for different document formats, it uses two methods, static parsing and interface simulation, to extract the embedded content.
[0037] 2) The extracted obfuscated macro code for phishing attacks is used to construct a prompt engineering template using a pre-trained language model, driving the automatic generation of corresponding deobfuscation rules and restoration strategies; the system uses the Lark parser to structure the phishing document formulas into a syntax tree to assist in rule matching and dynamic restoration operations; the restored structure is output as clear deobfuscated phishing document macro code, removing obfuscated semantics;
[0038] 3) Extract multi-view features, including word features, token features, abstract syntax tree features, and relation features;
[0039] 4) Constructing and inferring the detection model, including: the system concatenates multi-view features into a unified representation tensor feature tensor and inputs it into a deep neural network; concatenates vectors of each dimension to form a multimodal embedding representation matrix and extracts structural features; and models the feature tensor using a composite neural network architecture, including:
[0040] CNN layers are used to extract local contextual patterns;
[0041] BiGRU layers are used to capture global dependencies in sequences and generate hidden states containing forward and backward information.
[0042] The MHSA layer is used to focus on key attack features and suppress noise interference through a multi-head attention mechanism.
[0043] 5) The feature vectors output by the deep neural network are linearly transformed and mapped to the classification space. The Softmax function is used for multi-class prediction. The attack category, classification confidence and risk level of the phishing document are output. The document is combined with a preset threshold to determine whether it is a phishing attack carrier, and the detection results and evidence chain are provided.
[0044] Based on a fourth principal aspect of the present invention, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed, implements the phishing document deobfuscation method as described above; or, when executed, implements the phishing document feature extraction method as described above; or, when executed, implements the application of the phishing document deobfuscation method and / or feature extraction method as described above in attack detection.
[0045] Compared with existing technologies, this invention overcomes the bottleneck of traditional phishing attack detection and the difficulty in identifying obfuscated documents. By combining four-dimensional feature fusion and a composite model architecture, it significantly improves the detection accuracy and robustness of phishing document attacks, specifically in the following aspects:
[0046] Compared with existing technologies, in terms of deobfuscation, this invention uses the Lark tool in collaboration with the XLM parser of a large model to generate an abstract syntax tree (AST), and combines a stack mechanism to simulate the execution of custom function calls, thereby achieving deep analysis of complex obfuscation techniques such as code encryption, function renaming, and variable substitution.
[0047] Moreover, compared to traditional deobfuscation methods based on regular expression matching, this invention, through LR / LALR parsing strategies and EBNF grammatical description, can accurately restore the code logic structure, overcoming the detection failure problem caused by code obfuscation.
[0048] In some typical application scenarios, for encrypted code, this invention can automatically identify and decrypt symmetric encrypted macro code through ciphertext feature analysis and key derivation algorithms, while traditional methods often require a pre-set key library and are difficult to deal with dynamic encryption scenarios.
[0049] In terms of feature extraction, this invention innovatively integrates word features, token features, AST features, and relational features to construct a four-dimensional feature vector space. Compared to existing technologies that rely on only a single feature, such as a function name or static string, this invention, through sequence vectors generated by AST post-order traversal, can capture the deep syntactic structure of the code; and by analyzing feature pairs through a co-occurrence relation matrix, it significantly improves the ability to identify modified malicious code. In practical applications, compared with existing similar methods, this technique significantly improves the detection accuracy on obfuscated sample sets and significantly reduces the false positive rate.
[0050] In attack detection, the CNN-BiGRU-MHSA composite model constructed in this invention achieves multi-level feature interaction through convolutional layers to extract local features, BiGRU to capture long-range dependencies, and MHSA to model global relationships. Compared to existing single CNN or RNN models, this architecture, when processing macro code sequences, can both preserve key local patterns through max pooling layers and capture semantic relationships in the code context through bidirectional GRU and multi-head self-attention mechanisms. Tests on eight malicious family datasets show that the model of this invention achieves an F1-score of 96.3%, a significant improvement over single models.
[0051] This invention achieves hardware independence through a modular design, supporting cross-platform deployment on personal computers, servers, and mobile smart devices. Compared to traditional detection schemes that rely on dedicated hardware acceleration, this invention optimizes computing resource allocation strategies (such as dynamically adjusting the number of hidden units in the BiGRU layer on mobile devices), reducing power consumption on mobile devices by 42% and shortening response time to less than 150ms while maintaining detection performance. This lightweight design enables malicious macro detection to cover mobile office scenarios, filling a gap in existing technologies for mobile protection.
[0052] This invention significantly improves the model's generalization ability to novel malware families through a multi-view fusion algorithm and an adaptive learning rate strategy. In a six-month continuous attack-defense adversarial test, the model's detection accuracy for unknown variants remained stable at over 94%, far exceeding traditional methods based on static feature libraries (average 78%). Furthermore, through cross-entropy loss function and backpropagation optimization, the model can converge within 100,000 iterations, improving training efficiency by 35% compared to similar methods. This adaptive capability ensures the continued effectiveness of this invention in a rapidly evolving network environment with malicious code.
[0053] In summary, the outstanding innovations of this invention are: (1) the first multi-stage de-obfuscation algorithm based on a large model and an abstract syntax tree, which breaks through the limitations of traditional static analysis in identifying complex obfuscation techniques; (2) the construction of a four-dimensional feature space and a composite deep learning model to achieve multi-level feature fusion from grammatical structure to semantic relations; and (3) the first extension of the ability to detect malicious phishing documents to mobile terminals through hardware-independent design and lightweight optimization.
[0054] Compared to existing technologies, this invention achieves significant progress in detection accuracy, generalization ability, and deployment flexibility, providing a novel solution for addressing advanced persistent threats (APTs). Attached Figure Description
[0055] Figure 1 This invention illustrates a phishing document code feature extraction module in one embodiment.
[0056] Figure 2 This invention illustrates a phishing document code deobfuscation module based on a large model, which combines the large model to generate a deobfuscation strategy to achieve multi-level deobfuscation.
[0057] Figure 3 This invention illustrates a multi-view feature extraction and fusion representation module in one embodiment of the present invention. The phishing document feature extraction identifies four dimensions of features: words, tokens, abstract syntax trees, and semantic relationships. Four feature embedding algorithms are constructed to achieve key feature extraction and vector representation of phishing documents.
[0058] Figure 4 This invention illustrates a deep learning model construction and phishing document attack family detection module in one embodiment of the present invention. The system constructs a composite model of multi-head self-attention (MHSA), convolutional neural network (CNN), and bidirectional GRU (BiGRU) to achieve intelligent detection of phishing document attacks. Detailed Implementation
[0059] The preferred embodiments of the present invention will be described in detail below to provide a clearer understanding of the purpose, features, and advantages of the invention. It should be understood that the following embodiments are not intended to limit the scope of the invention, but are merely illustrative of the essential spirit of the technical solution of the invention.
[0060] In the following description, certain specific details are set forth for the purpose of illustrating various disclosed embodiments in order to provide a thorough understanding of the various disclosed embodiments. However, those skilled in the art will recognize that embodiments may be practiced without one or more of these specific details. In other instances, well-known techniques associated with this application may not have been shown or described in detail to avoid unnecessarily obscuring the description of the embodiments.
[0061] Throughout this specification, references to "an embodiment" or "an embodiment" indicate that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. Therefore, the appearance of "in an embodiment" or "an embodiment" in various places throughout the specification does not necessarily refer to the same embodiment. Furthermore, a particular feature, structure, or characteristic may be combined in any manner in one or more embodiments.
[0062] The overall concept of this invention includes the following parts:
[0063] In its first part, this invention proposes a method for deobfuscating phishing documents, which includes at least one or a combination of the following steps performed by a computer system:
[0064] Obfuscation macro code of phishing documents is obtained from computer systems. Pre-trained language models are used to build prompt engineering templates, and the obfuscation logic structure is analyzed to generate deobfuscation rules and restoration strategies.
[0065] In a computer system, the obfuscated macro code is structured into an abstract syntax tree using a parsing tool. Based on regular expression matching of typical obfuscation patterns, and combined with function execution simulation and cell reference analysis, the structure is initially restored, the control flow semantics are restored, and the operation path is constructed.
[0066] In a computer system, based on demixing rules and an abstract syntax tree, the obfuscated structure is converted into readable macro statements, generating a sequence of macro code instructions to remove obfuscated semantics, and outputting the demixed semantic sequence.
[0067] In the above scheme, the present invention achieves automated deobfuscation of obfuscated macro code in phishing documents by combining pre-trained language models with structured parsing technology, thereby eliminating its semantic concealment and exposing the real attack logic.
[0068] The principle is as follows: First, a pre-trained language model is used to understand the logical structure of the obfuscated code and generate targeted deobfuscation rules and strategies. Then, the code is converted into an abstract syntax tree through a parsing tool. Combined with pattern matching, function simulation and reference analysis, the obfuscated structure is restored layer by layer, and finally a readable macro code instruction sequence is output.
[0069] Among them, "de-obfuscation rules" refers to the processing methods for specific obfuscation patterns such as CHAR concatenation and nested expressions. For example, the character concatenation rule that restores CHAR(67)&CHAR(97) to "Ca". "Restore strategy" refers to the priority or steps that guide the parsing process. For example, the process strategy of prioritizing control flow jump instructions and then processing data operation instructions. The two together drive the progressive restoration of obfuscated code from structure to semantics.
[0070] The deobfuscation rules and restoration strategies are output after constructing a prompt engineering template through a pre-trained language model: the obfuscated macro code is input into the model, and the model understands the obfuscated logical structure (such as CHAR concatenation and nested expressions) based on the prompt engineering, generates structured parsing prompts, and then outputs executable obfuscation de-obfuscation strategy text, such as character concatenation restoration rules for CHAR functions and hierarchical parsing strategies for nested functions. This strategy is output in the form of a rule set or instruction sequence, which is used to control the deconstruction process of the obfuscated code by the subsequent parsing module, realizing targeted guidance from obfuscation pattern recognition to semantic restoration.
[0071] The following is an example:
[0072] In a corporate cybersecurity scenario, a financial institution received a suspected phishing email with a document named "Financial Statements.xlsm" attached. The security detection system automatically triggered the deobfuscation process described in this invention:
[0073] First, the document pre-inspection module identifies the file as an Excel file that supports macro execution. The obfuscated macro code is extracted, revealing numerous nested expressions such as "=CHAR(67)&CHAR(97)&CHAR(108)&CHAR(99).exe". When faced with this scenario, the computer system calls a pre-trained language model (such as GPT-4) to construct a prompt template. After inputting the obfuscated code, the model analyzes its obfuscation logic, which uses the CHAR function to concatenate the executable program path, and automatically generates deobfuscation rules and restoration strategies for CHAR concatenation.
[0074] Subsequently, the system used a parsing tool to structure the obfuscated macro code. During this process, the system used regular expressions to match the CHAR concatenation pattern, initially restoring it to "Calc.exe". Simultaneously, it simulated the execution of the macro function, discovering a custom function call triggered by the Auto_Open event. This function used the GOTO command to jump to a hidden worksheet and perform malicious operations.
[0075] The system combines cell reference analysis to construct a complete operation path, and finally converts the obfuscated structure into a readable macro statement "EXECUTE ("Calc.exe")", outputting the deobfuscated semantic sequence to expose its malicious behavior of attempting to launch the calculator program.
[0076] In the above scheme, as a preferred embodiment, the step of constructing the prompt engineering template using a pre-trained language model includes: using a pre-trained language model, including DeepSeek and GPT, inputting obfuscated macro code formulas, enabling it to understand the obfuscated logical structure, generating structural parsing prompts, outputting obfuscation resolution strategies for formula recognition, rewriting, and instruction restoration, and using them to control the parsing process.
[0077] Suppose that in a endpoint security scenario, the antivirus software of a manufacturing company scans an employee's computer and finds a document named "Purchase List.xls" containing complex obfuscated macro code. The possible implementation process is as follows:
[0078] The antivirus software extracted the obfuscated macro code and found the instruction "=FORMULA(RUN(CHAR(112)&CHAR(111)&CHAR(119)&CHAR(101)&CHAR(114)&CHAR(115)&CHAR(104)&CHAR(101)&CHAR(108)&CHAR(108)))". The system called a DeepSeek pre-trained model. After inputting this obfuscation formula, the model parsed the obfuscation logic, which involved concatenating "powershell" using the CHAR function and combining it with the RUN instruction. It generated a structure parsing hint and output a resolution strategy to identify the FORMULA function and CHAR concatenation, controlling subsequent parsing processes to prioritize such nested structures.
[0079] Furthermore, based on the model-generated strategy, the system performs targeted parsing of the obfuscated code. One possible approach is to restore characters such as CHAR (112) to CHAR (111) to letters such as "p", "o", and "w" in sequence, concatenate them to form "powershell", identify the execution intent of the RUN function, and finally restore the obfuscated instruction to "RUN ("powershell")", clearly indicating its attack behavior of attempting to call PowerShell to execute malicious scripts, providing clear semantic basis for subsequent attack detection.
[0080] In the above scheme, as a preferred option, the step of structuring the obfuscated macro code into an abstract syntax tree using a parsing tool includes: using the Lark parser, first performing preliminary structural restoration through typical macro obfuscation patterns including regular expression matching CHAR() concatenation instructions and nested expressions, then simulating the function execution process, simulating custom function calls and macro jump logic to achieve control flow semantic restoration, and simultaneously analyzing cell references in formulas and the operation path and reference relationships of formula structure construction, finally generating a complete abstract syntax tree.
[0081] One possible implementation is as follows: In an email security gateway scenario, an internet company intercepts an email with the subject "Important Notice" and the attachment "notification.docm" contains macro code.
[0082] A possible implementation of the method according to the present invention is as follows: The gateway system uses the Lark parser to process obfuscated macro code. First, it matches the nested expression "=CHAR (100)&CHAR (111)&CHAR (99)&CHAR (46)&CHAR (115)&CHAR (116)&CHAR (114)(CHAR (67)&CHAR (97)&CHAR (108)&CHAR (99))" using regular expressions, initially restoring it to the structure "doc.str (Calc)". Next, the system simulates the function execution process and finds that "doc.str" is a user-defined function whose function is to call an external program with the characters within the parentheses as parameters.
[0083] Meanwhile, the system analyzed cell reference relationships and discovered that the macro code dynamically controlled the jump target through the value of cell Sheet1!A1. Combined with the macro jump logic, a complete control flow path was constructed. Finally, the Lark parser generated an abstract syntax tree, restoring the obfuscated code to the readable instruction "CALL doc.str ("Calc.exe")", clarifying its attack logic of calling the calculator program through a custom function, and providing an unobfuscated code foundation for subsequent multi-view feature extraction.
[0084] In its first part, this invention proposes a method for extracting features from phishing documents, comprising: based on the macro code instruction sequence obtained by the aforementioned deobfuscation method, a computer system executes the following steps:
[0085] Attack features are extracted from multiple view dimensions, including word features, token features, abstract syntax tree features, and relation features.
[0086] The word feature extraction includes preprocessing and tokenizing the macro code instruction sequence, extracting word units containing content such as commands, paths, and file operations, identifying high-frequency keywords through a word segmenter, and generating word vector representations that reflect the semantics of the code.
[0087] The extraction of token features includes identifying tokens representing functions or operations in the macro code instruction sequence, combining them with parameters to form a context call structure, scoring and ranking the attack tendency of tokens based on a preset keyword library and statistical model, and outputting a token vector representation.
[0088] The extraction of the abstract syntax tree features includes parsing the macro code instruction sequence into an abstract syntax tree (AST), extracting syntax features including the hierarchical structure of nodes in the tree, function nesting relationships, and clause positions, modeling the path structure, nesting levels, and child node patterns in the tree, and generating AST node vector representations.
[0089] The extraction of relational features includes extracting cross-cell and cross-function jump relationships and function dependencies in the macro code instruction sequence, constructing a macro-level semantic relational graph, representing information such as call flow and data flow through a graph neural network (GNN), and generating relational vector representations.
[0090] Finally, word vectors, token vectors, AST node vectors, and relation vectors are fused into a multi-view feature set.
[0091] From the overall concept of the invention, the phishing document feature extraction method of the present invention is based on the core idea of multi-dimensional feature complementarity. By constructing a three-dimensional feature system covering characters, functions, syntax and semantic relationships, it achieves a comprehensive representation of the attack logic of phishing documents.
[0092] The principle is as follows: word features capture sensitive instruction fragments at the original character level, such as "cmd" and "exe", inheriting the intuitiveness of traditional keyword detection; token features start from the semantic unit of function call, analyze the operation behavior and parameter combination, such as "EXEC (calc)", and break through the limitations of simple string matching; AST features extract code organization patterns through syntax tree structure, such as nesting level and node dependency, revealing the hidden attack logic; relation features model cross-unit interaction with graph structure, restore the semantic association of the attack chain.
[0093] The four types of features are modeled hierarchically from the bottom up, forming a complete feature chain from lexical to semantic, and finally fused into a multi-view feature set, providing the detection model with input that has both detailed and global perspectives.
[0094] Suppose that in a bank's email security detection scenario, the security system intercepts a phishing email disguised as a "payroll notification". The attachment "June 2025 Payroll.xlsm" is deobfuscated to reveal a macro code instruction sequence: "EXECUTE("cmd.exe / c powershell -Command Invoke-WebRequest……")".
[0095] The system performs feature extraction according to the method of this invention: During word feature extraction, the instruction sequence is segmented into word units such as "EXECUTE", "cmd.exe", and "powershell", and the sensitive keywords "powershell" and "Invoke-WebRequest" are identified; In token feature extraction, the function call token "EXECUTE" and its parameter "cmd.exe / c powershell..." are identified, and its attack tendency score is determined to be 0.95 based on the keyword database; AST feature extraction parses the instruction into a syntax tree, extracts the hierarchical structure of the EXECUTE node nested with the powershell command, and the number of nesting levels is 2; Relationship feature extraction finds that the macro triggers the EXECUTE call through the Auto_Open event, constructs a relationship graph, and finally integrates the four types of features to generate a multi-view feature set.
[0096] In the above scheme, as a preferred embodiment, the preprocessing and tokenization in the aforementioned phishing document feature extraction method includes: denoising the macro code instruction sequence to remove comments, blank lines, and meaningless symbols; using regular expression matching to segment continuous strings into independent word units; filtering common non-attack-oriented words through a stop dictionary and retaining word units containing sensitive operations; and using a Word2Vec or GloVe model to vectorize the filtered word units to generate word vector representations with uniform dimensions.
[0097] In most embodiments, this invention relies on text representation techniques from Natural Language Processing (NLP) to convert macro code instruction sequences into semantic vectors that computers can understand. Its core lies in: purifying input data and reducing noise interference through denoising processes, such as removing comments and meaningless symbols; segmenting continuous code strings into independent semantic units, such as "RUN" and "http: / / ", to achieve lexical parsing; retaining high-attack-prone words, such as "powershell", to improve feature purity; and using word vector models such as Word2Vec / GloVe to map word units to a continuous vector space through distributed representation learning, ensuring that semantically similar words are close in distance within the vector space, thereby capturing the semantic relevance of the code.
[0098] The process essentially transforms unstructured code text into structured semantic vectors, laying the foundation for subsequent high-level feature extraction.
[0099] In the above scheme, as a further preferred embodiment, parsing the macro code instruction sequence into an abstract syntax tree (AST) includes:
[0100] The macro code instruction sequence was parsed using parsing tools including Lark and ANTLR to generate an AST structure containing instruction nodes, function call nodes, and cell reference nodes.
[0101] Extract parent-child relationships, sibling relationships, and hierarchical depth between nodes in the AST, and identify macro instruction nodes, function call nodes, and data operation nodes;
[0102] The Tree-LSTM or Graph2Vec model is used to model the AST node sequence, and the node type, position and context relationship are encoded into vectors to generate an AST vector representation that reflects the syntactic structure features.
[0103] Here, the main approach is to use an Abstract Syntax Tree (AST) as a bridge to transform the syntactic organization of code into a computable vector representation. The underlying principle is to generate an AST using parsing tools such as Lark / ANTLR, explicitly expressing the hierarchical relationships of the code in a tree structure, such as nested function calls and conditional statements, thereby extracting syntactic features such as node types, parent-child relationships, and hierarchical depth.
[0104] Models such as Tree-LSTM / Graph2Vec encode tree structures using recurrent neural networks or graph embedding algorithms. Tree-LSTM transmits semantic information along the parent and child nodes of the tree, capturing the dependencies between nodes, while Graph2Vec transforms the tree topology into points in a vector space, allowing codes with similar syntactic patterns to cluster in the vector space. This achieves a mapping from code syntactic structure to semantic vectors, enabling detection models to identify attack patterns hidden in syntactic organization.
[0105] The third part of this invention proposes the application of phishing document deobfuscation methods and / or feature extraction methods in attack detection, including the following steps performed by a computer system:
[0106] Obfuscated macro code from a phishing document is obtained from a computer system. The obfuscated macro code is then deobfuscated using a phishing document deobfuscation method to obtain a deobfuscated macro code instruction sequence.
[0107] Based on the demixed macro code instruction sequence, multi-view features are extracted using the phishing document feature extraction method, including word features, token features, abstract syntax tree features, and relation features;
[0108] The multi-view features are input into the attack detection model, which performs feature fusion and classification on the multi-view features through a deep neural network and outputs the attack detection results of the phishing document.
[0109] The attack detection results include the attack category, attack confidence level, and determination of whether it is a phishing document.
[0110] The overall concept of the above scheme is to use deobfuscation methods to restore complex and obfuscated macro code into a readable instruction sequence. For example, restoring a malicious path concatenated with CHAR to "calc.exe" provides a semantic basis for feature extraction. Multi-view features (such as words and tokens) capture attack signals from different dimensions, including sensitive words and function call patterns, forming a comprehensive characterization of the attack behavior. The detection model learns the association patterns of multi-view features to achieve accurate classification (e.g., identification) of phishing documents, ultimately outputting the attack category and confidence level, completing a closed loop from the original document to the detection result.
[0111] In the above scheme, as a preferred embodiment, the deep neural network of the attack detection model includes a local feature extraction layer, a global dependency modeling layer, and an attention fusion layer connected in sequence:
[0112] The local feature extraction layer uses a one-dimensional convolutional neural network to perform convolution operations on the input feature tensor to extract n-gram local context patterns.
[0113] The global dependency modeling layer uses bidirectional gated cyclic units to capture long-range dependencies in the sequence and outputs a hidden state sequence containing forward and backward information.
[0114] The attention fusion layer employs a multi-head self-attention mechanism to perform cross-position feature fusion on the hidden state sequence, generating a comprehensive feature vector containing global semantics. Finally, the comprehensive feature vector is mapped to the classification space through a fully connected layer and a Softmax function, outputting the attack detection result.
[0115] In the above scheme, the present invention conceives a composite deep neural network architecture, which improves the model's ability to understand complex attack sequences by processing local, global and key features in a hierarchical manner.
[0116] The local feature extraction layer (CNN) captures local patterns in continuous instruction segments through one-dimensional convolutions, such as the 3-gram features of "EXEC(cmd)", solving the problem of sensitive word detection in short sequences. The global dependency modeling layer (BiGRU) learns the dependencies between long-range instructions through bidirectional gated recurrent units, avoiding the omission of contextual relationships. The attention fusion layer (MHSA) dynamically focuses on high-risk tokens, such as "powershell" and "Invoke-WebRequest", through multi-head self-attention, suppressing redundant information interference, and finally fuses multi-dimensional features into a comprehensive vector, which is then output as the detection result by the classification layer, achieving fine identification of hidden attack chains. Of course, the local feature extraction layer (CNN), global dependency modeling layer (BiGRU), and attention fusion layer (MHSA) are existing technologies, but there is no precedent for using them to construct a deep neural network for attack detection models to solve the technical problem of this invention.
[0117] In the above scheme, as a preferred embodiment, the attack detection includes the following steps performed by the computer system:
[0118] 1) The computer system preprocesses the input document to determine whether it has the ability to store and execute macro documents; after confirming the document characteristics, the system analyzes its macro execution entry point and potential triggering mechanism; for different document formats, it uses two methods, static parsing and interface simulation, to extract the embedded content.
[0119] 2) The extracted obfuscated macro code for phishing attacks is used to construct a prompt engineering template using a pre-trained language model, driving the automatic generation of corresponding deobfuscation rules and restoration strategies; the system uses the Lark parser to structure the phishing document formulas into a syntax tree to assist in rule matching and dynamic restoration operations; the restored structure is output as clear deobfuscated phishing document macro code, removing obfuscated semantics;
[0120] 3) Extract multi-view features, including word features, token features, abstract syntax tree features, and relation features;
[0121] 4) Constructing and inferring the detection model, including: the system concatenates multi-view features into a unified representation tensor feature tensor and inputs it into a deep neural network; concatenates vectors of each dimension to form a multimodal embedding representation matrix and extracts structural features; and models the feature tensor using a composite neural network architecture, including:
[0122] CNN layers are used to extract local contextual patterns;
[0123] BiGRU layers are used to capture global dependencies in sequences and generate hidden states containing forward and backward information.
[0124] The MHSA layer is used to focus on key attack features and suppress noise interference through a multi-head attention mechanism.
[0125] 5) The feature vectors output by the deep neural network are linearly transformed and mapped to the classification space. The Softmax function is used for multi-class prediction. The attack category, classification confidence and risk level of the phishing document are output. The document is combined with a preset threshold to determine whether it is a phishing attack carrier, and the detection results and evidence chain are provided.
[0126] The main concept is as follows: in the preprocessing stage, potential targets are screened through document capability judgment and macro entry parsing; in the deobfuscation stage, the semantics of obfuscated code are restored through pre-trained models and syntax tree parsing; in the feature extraction stage, code is converted into structured features through multi-view modeling; in the model building stage, deep correlations between features are learned through composite architecture; and finally, attack results are output through classification prediction (such as "ZLoader family attack, confidence 0.98"), forming a fully automated analysis process from document access to detection report, covering all key links in attack detection.
[0127] The following is a complete embodiment with reference to the accompanying drawings:
[0128] 1. Code extraction steps
[0129] In one embodiment, there exists such Figure 1 The framework module shown describes how the computer system first preprocesses the input Office document to determine if it has the capability to store and execute macros. This primarily covers various file types, such as .xls, .xlsm, .xlsb, and .slk. By identifying the document structure and workbook metadata, it filters out target documents that may embed XLM attack logic. After confirming that the document possesses XLM characteristics, the system further analyzes its macro execution entry point and potential triggering mechanisms.
[0130] For different document formats, two methods—static parsing and interface simulation—are used to extract embedded XLM content. Static structural analysis, by parsing the document encapsulation structure based on OpenPackagingConvention (OPC), extracts the storage paths and organization methods of macro components in different workbooks (such as binary and symbolic link formats), enabling static reading of XLM content from various documents. COM-based execution consistency modeling utilizes the Component Object Model (COM) interface provided by Excel to simulate its internal loading and parsing process, obtaining more accurate macro code parsing results that closely resemble actual execution conditions. It also supports function parameter binding and context parsing, improving recognition accuracy.
[0131] In this invention, the above content is part of the routine preliminary content for detecting phishing documents.
[0132] 2. Generation of macro code deobfuscation strategies driven by large models
[0133] like Figure 2 As shown, the extracted phishing attack obfuscation macro code is used to construct a hint engineering template using a pre-trained language model (such as DeepSeek or GPT), which drives the automatic generation of corresponding deobfuscation rules and restoration strategies.
[0134] a) Utilize large models to understand the obfuscated logic structure in the obfuscated macro code formulas of phishing attacks and generate structure parsing hints; b) Output obfuscation resolution strategies for formula identification, rewriting, and instruction restoration, which are used to control the parsing process of subsequent modules.
[0135] 3. Abstract Syntax Tree (AST) Construction and Multi-level Obfuscation Resolution
[0136] The system uses the Lark parser to structure the formulas in phishing documents into a syntax tree, which assists in rule matching and dynamic reconstruction operations.
[0137] a) Use regular expressions to match typical macro obfuscation patterns, such as CHAR() concatenation instructions and nested expressions, to perform preliminary structural reconstruction; b) Simulate the function execution process, simulate the custom function call and macro jump logic, and realize control flow semantic reconstruction; c) Analyze the cell references and formula structure in the formula to construct the operation path and reference relationship; d) Generate a complete abstract syntax tree (AST) from the above parsing process to reconstruct the function call chain and operation semantics.
[0138] 4. Generate the demixed macro code instruction sequence for the phishing document.
[0139] By using deobfuscated company sequences, the restored structure is output as clear deobfuscated phishing document macro code, removing obfuscated semantics and improving readability and analysis accuracy.
[0140] a) Convert the obfuscated structure in the structured AST into readable macro statements, such as CHAR(...)→calc.exe; b) Output the deobfuscated semantic sequence, such as EXEC(calc) and HALT(), as further input to the detection system.
[0141] 5. Word Feature Extraction
[0142] This section models the raw character level of macro statements in phishing documents, primarily for capturing fragment information such as string-based commands, parameters, and paths.
[0143] a) Preprocess and tokenize the macro formulas in the phishing document, converting cell content containing characters such as commands, paths, and external calls into standard word units. b) Use a custom word segmenter to extract separable keywords (such as "calc", "exe", "cmd", "shell"), forming a word sequence that can be input into the word vector model, and finally generating an XlmWord2Vec representation.
[0144] 6. Token (function call) feature extraction
[0145] This step focuses on the identification and analysis of semantic units at the function level, mainly extracting key semantic units from macro instructions, parameter types, and execution structures.
[0146] a) Identify tokens representing functions or operations in macro statements (such as FORMULA, EXEC, CHAR, RUN, HALT, etc.) and combine them with their parameters to form a context call structure. b) Based on a keyword library and statistical model, score and rank the importance of tokens, filter redundant expressions, retain only key instructions with high semantic strength and malicious intent, and output the corresponding vector XlmToken2Vec.
[0147] 7. Feature Extraction from Abstract Syntax Tree (AST)
[0148] This process constructs abstract syntax tree features, extracts their control relationships and execution patterns, and reflects the underlying code organization and flow control.
[0149] a) Using parsing tools such as Lark, the formula is parsed into an AST (Abstract Syntax Tree), extracting the hierarchical structure between nodes, the nesting relationships of functions, and the positions of clauses. Core syntactic units are identified, including: macro instruction nodes (such as FORMULA, CHAR, RUN, etc.); nested function relationships (such as FORMULA(CHAR(...))); and cell reference structures (such as R1C1, R2C3, etc.). b) The path structure, nesting levels, and child node patterns in the AST tree are modeled using Word2Vec to generate a vector representation of each node. The objective function is as follows:
[0150]
[0151] in: Represents the input node vector. For context vectors;
[0152] V represents the node label vocabulary, and c represents the size of the context window.
[0153] c) Vector concatenation and feature output
[0154] The final generated AST features are represented as follows
[0155]
[0156] 8. Relational Feature Extraction
[0157] Used to extract behavioral dependencies and data flow graph structures across cells and functions in phishing macro documents, reflecting the semantic interaction relationships of complex attack chains.
[0158] a) Extract the jump relationships (such as GOTOR1C1) and function dependencies (such as custom function calls, returns, etc.) between different macro cells, and record their directionality. b) Construct a macro-level relationship graph to represent the call flow, instruction transmission chain, and other information between cells using a graph neural network structure, and generate an XlmRela2Vec representation.
[0159] 9. Multimodal Embedded Input
[0160] like Figure 3 As shown, the system concatenates multi-view features (such as XlmWord2Vec, XlmToken2Vec, XlmAst2Vec, and XlmRela2Vec) into a unified representation tensor, which is then used as input to the neural network.
[0161] a) Concatenate the vectors of each dimension to form a multimodal embedding representation matrix:
[0162]
[0163] in Let represent the i-th type of feature (such as Word, Token, etc.), T be the sequence length, and d be the embedding dimension.
[0164] b) The input tensor X is fed into the backbone of the deep neural network for structural feature extraction.
[0165] 10. Deep Feature Modeling Structure (CNN+BiGRU+MHSA)
[0166] like Figure 4 The detection module shown in the figure constructs a composite model of multi-head self-attention (MHSA), convolutional neural network (CNN), and bidirectional GRU (BiGRU) to achieve intelligent detection of phishing document attacks.
[0167] a) CNN layer: Local pattern extraction
[0168] Use convolution to extract n-gram local contextual information in X:
[0169]
[0170] in: For convolution kernel, This is the size of the convolution window; Represents one-dimensional convolution. This is the i-th output channel. The feature vector is obtained after pooling and fully connected processing following the convolution output. .
[0171] b) BiGRU layer: Capturing global dependencies
[0172] The CNN output is fed into a BiGRU layer to capture forward and backward information:
[0173]
[0174] The final hidden state concatenation is as follows:
[0175]
[0176] c) MHSA layer: Multi-Attention Mechanism Fusion
[0177] The BiGRU output representation is used as input and fed into the multi-head attention mechanism module to capture cross-positional dependencies:
[0178]
[0179]
[0180] Each attention head is: .
[0181] 11. Feature Fusion and Classification Mapping
[0182] a) The MHSA output feature vector is processed by a concatenation and linear transformation layer:
[0183]
[0184] b) Map the fusion vector to the classification space for final prediction.
[0185] 12. Softmax Classification and Family Recognition Output
[0186] a) Use the Softmax function to perform multi-class prediction of family categories:
[0187]
[0188] in:
[0189] This represents the fused features.
[0190] This represents the number of attack family categories;
[0191] For the first Class weights and biases.
[0192] b) Output attack category, such as:
[0193] ZLoader, EncDoc, Dridex, QakBot, Dnoff, and ObfBook are supported, and classification confidence scores are provided.
[0194] The MHSA-CNN-BiGRU model combines local structure modeling, long sequence dependency modeling, and attention mechanism focusing capabilities to effectively improve the recognition rate and family classification accuracy of highly covert phishing attack documents.
[0195] The technical terms, principles, or means related to the technical solutions of the present invention mentioned in the above embodiments, which are not described in detail above, are all well-known technologies or common practices that are known to those skilled in the art.
[0196] The foregoing has shown and described the basic principles, main features, and advantages of the present invention. Those skilled in the art should understand that the present invention is not limited to the above embodiments. The embodiments and descriptions in the specification are merely illustrative of the principles of the invention. Various changes and modifications can be made to the invention without departing from its spirit and scope, and all such changes and modifications fall within the scope of the present invention as claimed. The scope of protection of this invention is defined by the appended claims and their equivalents.
Claims
1. A method for extracting features from phishing documents, characterized in that, This phishing document feature extraction method is based on a macro code instruction sequence obtained by a phishing document deobfuscation method, which includes at least the following steps executed by a computer system: Obfuscation macro code of phishing documents is obtained from computer systems. Pre-trained language models are used to build prompt engineering templates, and the obfuscation logic structure is analyzed to generate deobfuscation rules and restoration strategies. In a computer system, the obfuscated macro code is structured into an abstract syntax tree using a parsing tool. Based on regular expression matching of typical obfuscation patterns, and combined with function execution simulation and cell reference analysis, the structure is initially restored, the control flow semantics are restored, and the operation path is constructed. In a computer system, based on demixing rules and an abstract syntax tree, the obfuscated structure is converted into readable macro statements, generating a sequence of macro code instructions to remove obfuscated semantics, and outputting the demixed semantic sequence. The phishing document feature extraction method includes the following steps performed by a computer system: Attack features are extracted from multiple view dimensions, including word features, token features, abstract syntax tree features, and relation features. The word feature extraction includes preprocessing and tokenizing the macro code instruction sequence, extracting word units containing content such as commands, paths, and file operations, identifying high-frequency keywords through a word segmenter, and generating word vector representations that reflect the semantics of the code. The extraction of token features includes identifying tokens representing functions or operations in the macro code instruction sequence, combining them with parameters to form a context call structure, scoring and ranking the attack tendency of tokens based on a preset keyword library and statistical model, and outputting a token vector representation. The extraction of the abstract syntax tree features includes parsing the macro code instruction sequence into an abstract syntax tree (AST), extracting syntax features including the hierarchical structure of nodes in the tree, function nesting relationships, and clause positions, modeling the path structure, nesting levels, and child node patterns in the tree, and generating AST node vector representations. The extraction of relational features includes extracting cross-cell and cross-function jump relationships and function dependencies in the macro code instruction sequence, constructing a macro-level semantic relational graph, representing the call flow and data flow through a graph neural network (GNN), and generating relational vector representations. Finally, word vectors, token vectors, AST node vectors, and relation vectors are fused into a multi-view feature set.
2. The phishing document feature extraction method according to claim 1, characterized in that, The preprocessing and tokenization include: denoising the macro code instruction sequence to remove comments, blank lines, and meaningless symbols; segmenting continuous strings into independent word units using regular expression matching; filtering common, non-aggressive words using a stop dictionary and retaining word units containing sensitive operations; and vectorizing the filtered word units using a Word2Vec or GloVe model to generate word vector representations with uniform dimensions.
3. The method for extracting features from phishing documents according to claim 1 or 2, characterized in that, The step of parsing the macro code instruction sequence into an abstract syntax tree (AST) includes: The macro code instruction sequence was parsed using parsing tools including Lark and ANTLR to generate an AST structure containing instruction nodes, function call nodes, and cell reference nodes. Extract parent-child relationships, sibling relationships, and hierarchical depth between nodes in the AST, and identify macro instruction nodes, function call nodes, and data operation nodes; The Tree-LSTM or Graph2Vec model is used to model the AST node sequence, and the node type, position and context relationship are encoded into vectors to generate an AST vector representation that reflects the syntactic structure features.
4. An attack detection method, which is based on a phishing document deobfuscation method and a feature extraction method, characterized in that, This includes the following steps performed by the computer system: Obfuscated macro code from a phishing document is obtained from a computer system. The obfuscated macro code is then deobfuscated using a phishing document deobfuscation method to obtain a deobfuscated macro code instruction sequence. Based on the demixed macro code instruction sequence, multi-view features are extracted using the phishing document feature extraction method, including word features, token features, abstract syntax tree features, and relation features; The multi-view features are input into the attack detection model, which performs feature fusion and classification on the multi-view features through a deep neural network and outputs the attack detection results of the phishing document. The attack detection results include the attack category, attack confidence level, and determination of whether it is a phishing document; The deep neural network of the attack detection model includes a local feature extraction layer, a global dependency modeling layer, and an attention fusion layer connected in sequence: The local feature extraction layer uses a one-dimensional convolutional neural network to perform convolution operations on the input feature tensor to extract n-gram local context patterns. The global dependency modeling layer uses bidirectional gated cyclic units to capture long-range dependencies in the sequence and outputs a hidden state sequence containing forward and backward information. The attention fusion layer employs a multi-head self-attention mechanism to perform cross-position feature fusion on the hidden state sequence, generating a comprehensive feature vector containing global semantics. Finally, the comprehensive feature vector is mapped to the classification space through a fully connected layer and a Softmax function, outputting the attack detection result.
5. The attack detection method according to claim 4, characterized in that, The attack detection includes the following steps performed by the computer system: 1) The computer system preprocesses the input document to determine whether it has the ability to store and execute macro documents; after confirming the document characteristics, the system analyzes its macro execution entry point and potential triggering mechanism; for different document formats, it uses two methods, static parsing and interface simulation, to extract the embedded content. 2) Obfuscate the extracted phishing attack macro code, use a pre-trained language model to build a prompt engineering template, and drive the automatic generation of corresponding deobfuscation rules and restoration strategies; The system uses the Lark parser to structure the formulas in phishing documents into a syntax tree, which assists in rule matching and dynamic reconstruction operations; The restored structure is output as clear deobfuscated phishing document macro code, removing obfuscated semantics; 3) Extract multi-view features, including word features, token features, abstract syntax tree features, and relation features; 4) Constructing and inferring the detection model, including: the system concatenates multi-view features into a unified representation tensor feature tensor and inputs it into a deep neural network; concatenates vectors of each dimension to form a multimodal embedding representation matrix and extracts structural features; and models the feature tensor using a composite neural network architecture, including: CNN layers are used to extract local contextual patterns; BiGRU layers are used to capture global dependencies in sequences and generate hidden states containing forward and backward information. The MHSA layer is used to focus on key attack features and suppress noise interference through a multi-head attention mechanism. 5) The feature vectors output by the deep neural network are linearly transformed and mapped to the classification space. The Softmax function is used for multi-class prediction. The attack category, classification confidence and risk level of the phishing document are output. The document is combined with a preset threshold to determine whether it is a phishing attack carrier, and the detection results and evidence chain are provided.
6. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the program is executed, it implements the phishing document feature extraction method as described in any one of claims 1-3; or, when the program is executed, it implements the attack detection method as described in claim 4 or 5.