Commit 6569631d775f368adf3cd06f5d00fd445582abf4
1 parent
e6d5614b
olevba: remove duplicate IOCs from results
Showing
1 changed file
with
15 additions
and
4 deletions
oletools/olevba.py
| ... | ... | @@ -148,12 +148,12 @@ https://github.com/unixfreak0037/officeparser |
| 148 | 148 | # 2015-09-06 PL: - improved VBA_Parser, refactored the main functions |
| 149 | 149 | # 2015-09-13 PL: - moved main functions to a class VBA_Parser_CLI |
| 150 | 150 | # - fixed issue when analysis was done twice |
| 151 | +# 2015-09-15 PL: - remove duplicate IOCs from results | |
| 151 | 152 | |
| 152 | 153 | __version__ = '0.33' |
| 153 | 154 | |
| 154 | 155 | #------------------------------------------------------------------------------ |
| 155 | 156 | # TODO: |
| 156 | -# + dedup deobfuscation results | |
| 157 | 157 | # + option --fast to disable VBA expressions parsing |
| 158 | 158 | # + do not use logging, but a provided logger (null logger by default) |
| 159 | 159 | # + setup logging (common with other oletools) |
| ... | ... | @@ -1561,12 +1561,23 @@ class VBA_Scanner(object): |
| 1561 | 1561 | if self.vba_strings: |
| 1562 | 1562 | self.suspicious_keywords.append(('VBA obfuscated Strings', |
| 1563 | 1563 | 'VBA string expressions were detected, may be used to obfuscate strings (option --decode to see all)')) |
| 1564 | + # use a set to avoid duplicate keywords | |
| 1565 | + keyword_set = set() | |
| 1564 | 1566 | for keyword, description in self.autoexec_keywords: |
| 1565 | - results.append(('AutoExec', keyword, description)) | |
| 1567 | + if keyword not in keyword_set: | |
| 1568 | + results.append(('AutoExec', keyword, description)) | |
| 1569 | + keyword_set.add(keyword) | |
| 1570 | + keyword_set = set() | |
| 1566 | 1571 | for keyword, description in self.suspicious_keywords: |
| 1567 | - results.append(('Suspicious', keyword, description)) | |
| 1572 | + if keyword not in keyword_set: | |
| 1573 | + results.append(('Suspicious', keyword, description)) | |
| 1574 | + keyword_set.add(keyword) | |
| 1575 | + keyword_set = set() | |
| 1568 | 1576 | for pattern_type, value in self.iocs: |
| 1569 | - results.append(('IOC', value, pattern_type)) | |
| 1577 | + if value not in keyword_set: | |
| 1578 | + results.append(('IOC', value, pattern_type)) | |
| 1579 | + keyword_set.add(value) | |
| 1580 | + | |
| 1570 | 1581 | # include decoded strings only if they are printable or if --decode option: |
| 1571 | 1582 | for encoded, decoded in self.hex_strings: |
| 1572 | 1583 | if include_decoded_strings or is_printable(decoded): | ... | ... |