Commit 1586b7e92ed1b3dde56911fed719e29267f249b0
1 parent
518dae05
olevba: added several suspicious keywords
Showing
1 changed file
with
7 additions
and
3 deletions
oletools/olevba.py
| ... | ... | @@ -100,6 +100,7 @@ https://github.com/unixfreak0037/officeparser |
| 100 | 100 | # specified codepage and unicode stream names |
| 101 | 101 | # 2015-01-11 v0.15 PL: - added new triage mode, options -t and -d |
| 102 | 102 | # 2015-01-16 v0.16 PL: - fix for issue #3 (exception when module name="text") |
| 103 | +# - added several suspicious keywords | |
| 103 | 104 | |
| 104 | 105 | __version__ = '0.16' |
| 105 | 106 | |
| ... | ... | @@ -199,11 +200,14 @@ SUSPICIOUS_KEYWORDS = { |
| 199 | 200 | #FileCopy: http://msdn.microsoft.com/en-us/library/office/gg264390%28v=office.15%29.aspx |
| 200 | 201 | #CopyFile: http://msdn.microsoft.com/en-us/library/office/gg264089%28v=office.15%29.aspx |
| 201 | 202 | 'May create a text file': |
| 202 | - ('CreateTextFile',), | |
| 203 | + ('CreateTextFile','ADODB.Stream', 'WriteText', 'SaveToFile'), | |
| 203 | 204 | #CreateTextFile: http://msdn.microsoft.com/en-us/library/office/gg264617%28v=office.15%29.aspx |
| 205 | + #ADODB.Stream sample: http://pastebin.com/Z4TMyuq6 | |
| 204 | 206 | 'May run an executable file or a system command': |
| 205 | - ('Shell', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus', 'vbMinimizedNoFocus'), | |
| 207 | + ('Shell', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus', | |
| 208 | + 'vbMinimizedNoFocus', 'WScript.Shell', 'Run'), | |
| 206 | 209 | #Shell: http://msdn.microsoft.com/en-us/library/office/gg278437%28v=office.15%29.aspx |
| 210 | + #WScript.Shell+Run sample: http://pastebin.com/Z4TMyuq6 | |
| 207 | 211 | 'May hide the application': |
| 208 | 212 | ('Application.Visible', 'ShowWindow', 'SW_HIDE'), |
| 209 | 213 | 'May create a directory': |
| ... | ... | @@ -232,7 +236,7 @@ SUSPICIOUS_KEYWORDS = { |
| 232 | 236 | ('CallByName',), |
| 233 | 237 | #CallByName: http://msdn.microsoft.com/en-us/library/office/gg278760%28v=office.15%29.aspx |
| 234 | 238 | 'May attempt to obfuscate specific strings': |
| 235 | - ('Chr', 'ChrB', 'ChrW'), | |
| 239 | + ('Chr', 'ChrB', 'ChrW', 'StrReverse'), | |
| 236 | 240 | #Chr: http://msdn.microsoft.com/en-us/library/office/gg264465%28v=office.15%29.aspx |
| 237 | 241 | } |
| 238 | 242 | ... | ... |
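Review bot: The bare token `'Run'` added on new line 208 is a very common identifier and is likely to fire on benign macros (for example `Application.Run` or a variable named Run), so it deserves a comment explaining why it is listed on its own next to `'WScript.Shell'` rather than as a combined pattern; and if the keyword matcher wraps terms in a word-boundary regex (not visible in this hunk), the dot in `'ADODB.Stream'` on new line 203 must be escaped, which is worth confirming. The two `# ... sample: http://pastebin.com/Z4TMyuq6` comments on new lines 205 and 210 depend on a paste that can disappear; describe the pattern inline instead, e.g. `# ADODB.Stream + WriteText/SaveToFile: writes a file to disk; WScript.Shell + Run then executes it`. Since `SaveToFile` also persists binary streams, the category label `'May create a text file'` now understates what the new keywords flag, and a comment noting this would help anyone reading the triage output. The SUSPICIOUS_KEYWORDS dict opens before the first hunk and closes at the `}` shown in the third.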