From 539454c92f279027caa5058a41d8e57f599bd464 Mon Sep 17 00:00:00 2001
From: decalage2
Date: Tue, 9 Oct 2018 21:23:53 +0200
Subject: [PATCH] olevba: added SUSPICIOUS_KEYWORDS_NOREGEX, backspace characters are reported as suspicious (issue #358)

---
 oletools/olevba.py | 8 ++++++++
 1 file changed, 8 insertions(+), 0 deletions(-)

diff --git a/oletools/olevba.py b/oletools/olevba.py
index a5b7be8..d47891d 100644
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -700,6 +700,10 @@ SUSPICIOUS_KEYWORDS = {
 'DisableUnsafeLocationsInPV', 'blockcontentexecutionfrominternet'),
 'May attempt to modify the VBA code (self-modification)': ('VBProject', 'VBComponents', 'CodeModule', 'AddFromString'),
+}
+
+# Suspicious Keywords to be searched for directly as strings, without regex
+SUSPICIOUS_KEYWORDS_NOREGEX = {
 'May use special characters such as backspace to obfuscate code when printed on the console': ('\b',),
 }
@@ -1891,6 +1895,10 @@ def detect_suspicious(vba_code, obfuscation=None):
 #if keyword.lower() in vba_code:
 found_keyword = match.group()
 results.append((found_keyword, description + obf_text))
+for description, keywords in SUSPICIOUS_KEYWORDS_NOREGEX.items():
+for keyword in keywords:
+if keyword.lower() in vba_code:
+results.append((keyword, description + obf_text))
 return results
-- 
libgit2 0.21.4
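Review bot: The new comment above `SUSPICIOUS_KEYWORDS_NOREGEX` says these keywords bypass the regex path but not why, and `'\b'` is exactly the kind of entry a later maintainer would move back into `SUSPICIOUS_KEYWORDS` for tidiness; state the reason so the split survives. Suggested comment: `# Keywords here are matched with plain substring search, not re.search: '\b' in a regex is a word-boundary anchor, not the backspace character, so it cannot live in SUSPICIOUS_KEYWORDS (issue #358).` It is also worth saying in that comment that entries are plain Python string literals, so `'\b'` here is the control character U+0008, not a two-character escape. The closing `}` of `SUSPICIOUS_KEYWORDS` that this hunk inserts leaves the original entry list split across the two dicts, so the hunk's context lines are the tail of a dict whose head is outside the hunk.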
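Review bot: The raw control character is stored as the reported keyword in `results.append((keyword, description + obf_text))`, so whatever prints the results table will emit a literal backspace and the terminal will process it — reproducing the very console-rewriting trick this check exists to expose — and any non-console consumer gets an unprintable value; report a printable form instead, e.g. `results.append((repr(keyword), description + obf_text))` or a fixed label such as `'backspace (\\x08)'`. The `keyword.lower()` is a no-op for `'\b'`, but if this dict ever gains alphabetic keywords the match is only case-insensitive when `vba_code` has already been lowercased, which the hunk does not show (the commented-out `#if keyword.lower() in vba_code:` above suggests the regex path was introduced partly for that), so either compare against `vba_code.lower()` or add a comment stating the invariant. Backspace is presumably not the only way to rewrite printed output — a bare carriage return or an ESC-introduced escape sequence would hide text the same way on most terminals — so extending the tuple is a reasonable follow-up once the reported value is made printable. The enclosing `detect_suspicious` starts before this hunk, and `obf_text` is defined there.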