Commit 539454c92f279027caa5058a41d8e57f599bd464

Authored by decalage2
1 parent 552254f1

olevba: added SUSPICIOUS_KEYWORDS_NOREGEX, backspace characters are reported as suspicious (issue #358)
Showing 1 changed file with 8 additions and 0 deletions
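--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -700,6 +700,10 @@ SUSPICIOUS_KEYWORDS = {
 'DisableUnsafeLocationsInPV', 'blockcontentexecutionfrominternet'),
 'May attempt to modify the VBA code (self-modification)':
 ('VBProject', 'VBComponents', 'CodeModule', 'AddFromString'),
+}
+
+# Suspicious Keywords to be searched for directly as strings, without regex
+SUSPICIOUS_KEYWORDS_NOREGEX = {
 'May use special characters such as backspace to obfuscate code when printed on the console':
 ('\b',),
 }
@@ -1891,6 +1895,10 @@ def detect_suspicious(vba_code, obfuscation=None):
 #if keyword.lower() in vba_code:
 found_keyword = match.group()
 results.append((found_keyword, description + obf_text))
+for description, keywords in SUSPICIOUS_KEYWORDS_NOREGEX.items():
+for keyword in keywords:
+if keyword.lower() in vba_code:
+results.append((keyword, description + obf_text))
 return results
 
 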
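Review bot: The value appended to results at new line 1901 is the raw keyword, so for the '\b' entry the finding itself carries a backspace character and, unless the report layer already escapes control characters, printing it triggers the very console garbling the description warns about; escaping it at the point of reporting, `results.append((repr(keyword), description + obf_text))`, keeps the finding legible. Separately, the test on line 1900 lowercases the keyword but not vba_code, so any future entry in SUSPICIOUS_KEYWORDS_NOREGEX containing uppercase letters would silently never match unless vba_code is lowercased earlier in the function, which is outside the hunk; either `if keyword.lower() in vba_code.lower():` or a comment stating that vba_code is expected to be lowercase would make the invariant explicit. The body of detect_suspicious begins before this hunk.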