Commit 4c98aa7a771f03d008a0b114f48f72b782660ed2
1 parent
6b3088fe
olevba: improved the detection of IOCs obfuscated with hex strings and StrReverse
Showing
1 changed file
with
15 additions
and
7 deletions
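--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -106,8 +106,10 @@ https://github.com/unixfreak0037/officeparser
 # - added scan_vba to run all detection algorithms
 # - decoded hex strings are now also scanned + reversed
 # 2015-01-23 v0.18 PL: - fixed issue #3, case-insensitive search in code_modules
+# 2015-01-24 v0.19 PL: - improved the detection of IOCs obfuscated with hex
+# strings and StrReverse
 
-__version__ = '0.18'
+__version__ = '0.19'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -903,13 +905,19 @@ def scan_vba(vba_code):
     """
     # First, detect and extract hex-encoded strings:
     hex_strings = detect_hex_strings(vba_code)
+    # detect if the code contains StrReverse:
+    if 'strreverse' in vba_code.lower(): strreverse = True
+    else: strreverse = False
     # Then append the decoded strings to the VBA code, to detect obfuscated IOCs and keywords:
     for encoded, decoded in hex_strings:
         vba_code += '\n'+decoded
-        #TODO: also add reverse strings (before and after decoding), for StrReverse obfuscation
-        #TODO: only do it if StrReverse found in code?
-        vba_code += '\n'+decoded[::-1]
-        vba_code += '\n'+binascii.unhexlify(encoded[::-1])
+        # if the code contains "StrReverse", also append the hex strings in reverse order:
+        if strreverse:
+            # StrReverse after hex decoding:
+            vba_code += '\n'+decoded[::-1]
+            # StrReverse before hex decoding:
+            vba_code += '\n'+binascii.unhexlify(encoded[::-1])
+            #example: https://malwr.com/analysis/NmFlMGI4YTY1YzYyNDkwNTg1ZTBiZmY5OGI3YjlhYzU/
     autoexec_keywords = detect_autoexec(vba_code)
     suspicious_keywords = detect_suspicious(vba_code)
     # If hex-encoded strings were discovered, add an item to suspicious keywords:
@@ -924,8 +932,8 @@ def scan_vba(vba_code):
     for pattern_type, value in patterns:
         results.append(('IOC', value, pattern_type))
     # Only if option --hex:
-    for encoded, decoded in hex_strings:
-        results.append(('Hex String', repr(decoded), encoded))
+    # for encoded, decoded in hex_strings:
+    #     results.append(('Hex String', repr(decoded), encoded))
     return results
 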
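Review bot: The `strreverse` gate added at new lines 909-910 is a plain substring test on the raw source, so a macro that builds the function name dynamically (`"Str" & "Reverse"`, a `Chr()`-assembled name passed to `CallByName`, or a hex-encoded name fed to the same decoder) no longer gets its hex strings scanned in reversed form, whereas the replaced code reversed unconditionally; this is a coverage regression that an attacker targeting this exact heuristic can trigger cheaply. Given the reversed copies cost only a few extra string appends, consider keeping the reverse scan unconditional and using the flag only to label results, or at minimum document the trade-off on the gate: `# heuristic: a split or dynamically built 'StrReverse' name will not match; reversed variants are then not scanned`. The `binascii.unhexlify(encoded[::-1])` call presumably relies on `detect_hex_strings` returning only even-length hex text; if that helper can ever yield an odd-length match, the reversed decode raises and aborts the whole scan instead of degrading, which is worth a guard or a confirming comment. scan_vba begins before this hunk and continues past it.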