From 5641d8d07d18957eac35bfd65c87c572b490890e Mon Sep 17 00:00:00 2001
From: Siddharth Dushantha
Date: Tue, 6 May 2025 11:00:00 +0200
Subject: [PATCH] Replace char 27 (ESC) with \e
---
 oletools/olevba.py | 5 +++++
 1 file changed, 5 insertions(+), 0 deletions(-)
diff --git a/oletools/olevba.py b/oletools/olevba.py
index ca157b2..300c2fb 100644
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -4112,6 +4112,11 @@ class VBA_Parser_CLI(VBA_Parser):
 for kw_type, keyword, description in results:
 color_type = COLOR_TYPE.get(kw_type, None)
 if color_type:
+
+ # Prevent malicious actors from performing anti-analysis by replacing
+ # character 27 (ESC) with \e.
+ # See more: https://www.youtube.com/watch?v=3T2Al3jdY38
+ vba_code = vba_code.replace("\x1b", "\\e")
 vba_code = vba_code.replace(keyword, '{auto%s}%s{/%s}' % (color_type, keyword, color_type))
 return vba_code
--
libgit2 0.21.4
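Review bot: The ESC replacement is placed inside `if color_type:` within the `for kw_type, keyword, description in results:` loop, so it only runs when analysis yields at least one keyword with a mapped colour. Code that produces no such result is returned with its escape bytes intact, and when there are results the same replace is repeated once per keyword. Moving `vba_code = vba_code.replace("\x1b", "\\e")` to just before the `for` line makes the neutralisation unconditional and run once. Only 0x1b is handled here; other control characters that alter terminal display (carriage return, backspace, the 8-bit CSI 0x9b) are not, and whether other output paths print macro source without going through this function is not visible from this hunk. The enclosing function begins outside the hunk.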