Commit 539454c92f279027caa5058a41d8e57f599bd464
1 parent
552254f1
olevba: added SUSPICIOUS_KEYWORDS_NOREGEX, backspace characters are reported as …
…suspicious (issue #358)
Showing
1 changed file
with
8 additions
and
0 deletions
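--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -700,6 +700,10 @@ SUSPICIOUS_KEYWORDS = {
 'DisableUnsafeLocationsInPV', 'blockcontentexecutionfrominternet'),
 'May attempt to modify the VBA code (self-modification)':
 ('VBProject', 'VBComponents', 'CodeModule', 'AddFromString'),
+}
+
+# Suspicious Keywords to be searched for directly as strings, without regex
+SUSPICIOUS_KEYWORDS_NOREGEX = {
 'May use special characters such as backspace to obfuscate code when printed on the console':
 ('\b',),
 }
@@ -1891,6 +1895,10 @@ def detect_suspicious(vba_code, obfuscation=None):
 #if keyword.lower() in vba_code:
 found_keyword = match.group()
 results.append((found_keyword, description + obf_text))
+for description, keywords in SUSPICIOUS_KEYWORDS_NOREGEX.items():
+for keyword in keywords:
+if keyword.lower() in vba_code:
+results.append((keyword, description + obf_text))
 return results
 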
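Review bot: The membership test on the added line `if keyword.lower() in vba_code:` lowercases only the keyword, so any future entry of SUSPICIOUS_KEYWORDS_NOREGEX that contains letters would be matched case-sensitively against the original source text, while the regex branch just above it appears to match case-insensitively (its pattern flags are compiled outside the hunk, so this is inferred). For the single current entry `'\b'` the call is a no-op, which is why the asymmetry is not visible yet. Either drop `.lower()` or compare against a lowercased copy built once before the loop, e.g. `vba_code_lower = vba_code.lower()` followed by `if keyword.lower() in vba_code_lower:`, so both tables report with the same case semantics. Also worth noting in a short comment that this branch reports once per keyword, whereas the regex branch reports every occurrence. obf_text and the start of detect_suspicious are outside the hunk.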