From 46b4b11da0e663152e7cc944bd6bfba3d1be5bf2 Mon Sep 17 00:00:00 2001
From: Philippe Lagadec
Date: Fri, 29 May 2015 22:36:35 +0200
Subject: [PATCH] olevba: added suspicious keywords - fixed issue #13
---
 oletools/olevba.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/oletools/olevba.py b/oletools/olevba.py
index ab80a95..89a3f53 100755
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -137,7 +137,7 @@ https://github.com/unixfreak0037/officeparser
 # - improved detection of MSO files, avoiding incorrect
 # parsing errors (issue #7)
 # 2015-05-29 v0.30 PL: - added suspicious keywords suggested by @ozhermit,
-# Davy Douhine (issue #9)
+# Davy Douhine (issue #9), issue #13
 
 __version__ = '0.30'
 
@@ -311,7 +311,8 @@ SUSPICIOUS_KEYWORDS = {
 'May download files from the Internet':
 #TODO: regex to find urlmon+URLDownloadToFileA on same line
 ('URLDownloadToFileA', 'Msxml2.XMLHTTP', 'Microsoft.XMLHTTP',
- 'User-Agent', # sample from @ozhermit: http://pastebin.com/MPc3iV6z
+ 'MSXML2.ServerXMLHTTP', # suggested in issue #13
+ 'User-Agent', # sample from @ozhermit: http://pastebin.com/MPc3iV6z
 ),
 'May download files from the Internet using PowerShell':
 #sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/
-- 
libgit2 0.21.4
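Review bot: The new keyword `'MSXML2.ServerXMLHTTP'` is written in a different case from the neighbouring `'Msxml2.XMLHTTP'` in the same tuple of the second hunk, and ProgID strings passed to CreateObject in VBA are case-insensitive, so a macro spelling it `msxml2.serverxmlhttp` is equally valid. Whether that matters depends on how SUSPICIOUS_KEYWORDS is scanned, which lies outside this hunk; if the lookup is a plain case-sensitive substring match, variants in other casings will be missed, and it would be worth confirming that the scanner lowercases or uses a case-insensitive search before relying on this entry. At minimum the new line deserves a comment recording that intent, e.g. `'MSXML2.ServerXMLHTTP', # suggested in issue #13; ProgID is case-insensitive in VBA, relies on case-insensitive scan`. The SUSPICIOUS_KEYWORDS dict itself starts and ends outside the hunk; the first hunk is a changelog comment and needs no review.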