Commit 4c98aa7a771f03d008a0b114f48f72b782660ed2
1 parent
6b3088fe
olevba: improved the detection of IOCs obfuscated with hex strings and StrReverse
Showing
1 changed file
with
15 additions
and
7 deletions
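--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -106,8 +106,10 @@ https://github.com/unixfreak0037/officeparser
 # - added scan_vba to run all detection algorithms
 # - decoded hex strings are now also scanned + reversed
 # 2015-01-23 v0.18 PL: - fixed issue #3, case-insensitive search in code_modules
+# 2015-01-24 v0.19 PL: - improved the detection of IOCs obfuscated with hex
+# strings and StrReverse
 
-__version__ = '0.18'
+__version__ = '0.19'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -903,13 +905,19 @@ def scan_vba(vba_code):
     """
     # First, detect and extract hex-encoded strings:
     hex_strings = detect_hex_strings(vba_code)
+    # detect if the code contains StrReverse:
+    if 'strreverse' in vba_code.lower(): strreverse = True
+    else: strreverse = False
     # Then append the decoded strings to the VBA code, to detect obfuscated IOCs and keywords:
     for encoded, decoded in hex_strings:
         vba_code += '\n'+decoded
-        #TODO: also add reverse strings (before and after decoding), for StrReverse obfuscation
-        #TODO: only do it if StrReverse found in code?
-        vba_code += '\n'+decoded[::-1]
-        vba_code += '\n'+binascii.unhexlify(encoded[::-1])
+        # if the code contains "StrReverse", also append the hex strings in reverse order:
+        if strreverse:
+            # StrReverse after hex decoding:
+            vba_code += '\n'+decoded[::-1]
+            # StrReverse before hex decoding:
+            vba_code += '\n'+binascii.unhexlify(encoded[::-1])
+            #example: https://malwr.com/analysis/NmFlMGI4YTY1YzYyNDkwNTg1ZTBiZmY5OGI3YjlhYzU/
     autoexec_keywords = detect_autoexec(vba_code)
     suspicious_keywords = detect_suspicious(vba_code)
     # If hex-encoded strings were discovered, add an item to suspicious keywords:
@@ -924,8 +932,8 @@ def scan_vba(vba_code):
     for pattern_type, value in patterns:
         results.append(('IOC', value, pattern_type))
     # Only if option --hex:
-    for encoded, decoded in hex_strings:
-        results.append(('Hex String', repr(decoded), encoded))
+    # for encoded, decoded in hex_strings:
+    #     results.append(('Hex String', repr(decoded), encoded))
     return results
 
 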
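Review bot: The StrReverse flag in the scan_vba hunk is spelled as a two-branch one-line if/else; the same value reads more directly as `strreverse = 'strreverse' in vba_code.lower()`, which also drops the `if ...: x = True` form. The `#example: https://malwr.com/...` comment sits under `if strreverse:` inside the loop body but documents the whole reversed-hex case, so it belongs above that `if`, and scan_vba's docstring (its closing `"""` is the first line of the hunk) should state that reversed variants of the hex strings are appended to the scanned code only when the literal "StrReverse" occurs in it, so a reversal done without that name is not covered. In the third hunk the block under `# Only if option --hex:` is left as commented-out code rather than gated on an option; either wire it to the option or remove the two lines. scan_vba's body starts and continues outside the hunks.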