Commit 46b4b11da0e663152e7cc944bd6bfba3d1be5bf2
1 parent
cf11d960
olevba: added suspicious keywords - fixed issue #13
Showing
1 changed file
with
3 additions
and
2 deletions
oletools/olevba.py
| @@ -137,7 +137,7 @@ https://github.com/unixfreak0037/officeparser | @@ -137,7 +137,7 @@ https://github.com/unixfreak0037/officeparser | ||
| 137 | # - improved detection of MSO files, avoiding incorrect | 137 | # - improved detection of MSO files, avoiding incorrect |
| 138 | # parsing errors (issue #7) | 138 | # parsing errors (issue #7) |
| 139 | # 2015-05-29 v0.30 PL: - added suspicious keywords suggested by @ozhermit, | 139 | # 2015-05-29 v0.30 PL: - added suspicious keywords suggested by @ozhermit, |
| 140 | -# Davy Douhine (issue #9) | 140 | +# Davy Douhine (issue #9), issue #13 |
| 141 | 141 | ||
| 142 | __version__ = '0.30' | 142 | __version__ = '0.30' |
| 143 | 143 | ||
| @@ -311,7 +311,8 @@ SUSPICIOUS_KEYWORDS = { | @@ -311,7 +311,8 @@ SUSPICIOUS_KEYWORDS = { | ||
| 311 | 'May download files from the Internet': | 311 | 'May download files from the Internet': |
| 312 | #TODO: regex to find urlmon+URLDownloadToFileA on same line | 312 | #TODO: regex to find urlmon+URLDownloadToFileA on same line |
| 313 | ('URLDownloadToFileA', 'Msxml2.XMLHTTP', 'Microsoft.XMLHTTP', | 313 | ('URLDownloadToFileA', 'Msxml2.XMLHTTP', 'Microsoft.XMLHTTP', |
| 314 | - 'User-Agent', # sample from @ozhermit: http://pastebin.com/MPc3iV6z | 314 | + 'MSXML2.ServerXMLHTTP', # suggested in issue #13 |
| 315 | + 'User-Agent', # sample from @ozhermit: http://pastebin.com/MPc3iV6z | ||
| 315 | ), | 316 | ), |
| 316 | 'May download files from the Internet using PowerShell': | 317 | 'May download files from the Internet using PowerShell': |
| 317 | #sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/ | 318 | #sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/ |