Commit 1586b7e92ed1b3dde56911fed719e29267f249b0
1 parent
518dae05
olevba: added several suspicious keywords
Showing
1 changed file
with
7 additions
and
3 deletions
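--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -100,6 +100,7 @@ https://github.com/unixfreak0037/officeparser
 # specified codepage and unicode stream names
 # 2015-01-11 v0.15 PL: - added new triage mode, options -t and -d
 # 2015-01-16 v0.16 PL: - fix for issue #3 (exception when module name="text")
+# - added several suspicious keywords
 
 __version__ = '0.16'
 
@@ -199,11 +200,14 @@ SUSPICIOUS_KEYWORDS = {
 #FileCopy: http://msdn.microsoft.com/en-us/library/office/gg264390%28v=office.15%29.aspx
 #CopyFile: http://msdn.microsoft.com/en-us/library/office/gg264089%28v=office.15%29.aspx
 'May create a text file':
-('CreateTextFile',),
+('CreateTextFile','ADODB.Stream', 'WriteText', 'SaveToFile'),
 #CreateTextFile: http://msdn.microsoft.com/en-us/library/office/gg264617%28v=office.15%29.aspx
+#ADODB.Stream sample: http://pastebin.com/Z4TMyuq6
 'May run an executable file or a system command':
-('Shell', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus', 'vbMinimizedNoFocus'),
+('Shell', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus',
+'vbMinimizedNoFocus', 'WScript.Shell', 'Run'),
 #Shell: http://msdn.microsoft.com/en-us/library/office/gg278437%28v=office.15%29.aspx
+#WScript.Shell+Run sample: http://pastebin.com/Z4TMyuq6
 'May hide the application':
 ('Application.Visible', 'ShowWindow', 'SW_HIDE'),
 'May create a directory':
@@ -232,7 +236,7 @@ SUSPICIOUS_KEYWORDS = {
 ('CallByName',),
 #CallByName: http://msdn.microsoft.com/en-us/library/office/gg278760%28v=office.15%29.aspx
 'May attempt to obfuscate specific strings':
-('Chr', 'ChrB', 'ChrW'),
+('Chr', 'ChrB', 'ChrW', 'StrReverse'),
 #Chr: http://msdn.microsoft.com/en-us/library/office/gg264465%28v=office.15%29.aspx
 }
 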
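Review bot: The new `'Run'` entry in the 'May run an executable file or a system command' tuple is a bare three-letter token, and the code that matches SUSPICIOUS_KEYWORDS against VBA source lives outside this hunk, so if that matching is a plain substring test it will fire on benign identifiers such as `Runtime` or `Trunc` and raise the false-positive rate of the triage output. Either document the trade-off next to the entry, e.g. `#Run: short generic token, only meaningful when matching is word-bounded (see detect_suspicious)`, or keep it as a more specific form such as `'.Run'` if the matcher supports it. The same caution applies, to a lesser degree, to `'WriteText'` and `'SaveToFile'` in the 'May create a text file' tuple, where `ADODB.Stream` can presumably also write non-text data, so the category description may be narrower than what the keywords now detect. The pastebin sample links added as comments are volatile references; a one-line description of what the sample demonstrates would age better than the URL alone.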