Commit 6569631d775f368adf3cd06f5d00fd445582abf4
1 parent
e6d5614b
olevba: remove duplicate IOCs from results
Showing
1 changed file
with
15 additions
and
4 deletions
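--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -148,12 +148,12 @@ https://github.com/unixfreak0037/officeparser
 # 2015-09-06 PL: - improved VBA_Parser, refactored the main functions
 # 2015-09-13 PL: - moved main functions to a class VBA_Parser_CLI
 #                - fixed issue when analysis was done twice
+# 2015-09-15 PL: - remove duplicate IOCs from results
 
 __version__ = '0.33'
 
 #------------------------------------------------------------------------------
 # TODO:
-# + dedup deobfuscation results
 # + option --fast to disable VBA expressions parsing
 # + do not use logging, but a provided logger (null logger by default)
 # + setup logging (common with other oletools)
@@ -1561,12 +1561,23 @@ class VBA_Scanner(object):
         if self.vba_strings:
             self.suspicious_keywords.append(('VBA obfuscated Strings',
                 'VBA string expressions were detected, may be used to obfuscate strings (option --decode to see all)'))
+        # use a set to avoid duplicate keywords
+        keyword_set = set()
         for keyword, description in self.autoexec_keywords:
-            results.append(('AutoExec', keyword, description))
+            if keyword not in keyword_set:
+                results.append(('AutoExec', keyword, description))
+                keyword_set.add(keyword)
+        keyword_set = set()
         for keyword, description in self.suspicious_keywords:
-            results.append(('Suspicious', keyword, description))
+            if keyword not in keyword_set:
+                results.append(('Suspicious', keyword, description))
+                keyword_set.add(keyword)
+        keyword_set = set()
         for pattern_type, value in self.iocs:
-            results.append(('IOC', value, pattern_type))
+            if value not in keyword_set:
+                results.append(('IOC', value, pattern_type))
+                keyword_set.add(value)
+
         # include decoded strings only if they are printable or if --decode option:
         for encoded, decoded in self.hex_strings:
             if include_decoded_strings or is_printable(decoded):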
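Review bot: Deduplicating on `keyword` alone in the three new `if keyword not in keyword_set:` / `if value not in keyword_set:` guards silently drops the `description` (or `pattern_type`) of any later entry that shares its key with an earlier one, so if the same keyword can be reported under two different descriptions — which this hunk does not show either way — the analyst only ever sees the first description. Keying the set on the full `(keyword, description)` / `(value, pattern_type)` pair still removes the exact duplicates the commit targets while keeping genuinely distinct findings, and the same key could also be used to fold the three `keyword_set = set()` resets into a single `seen` set. Note also that the new `# use a set to avoid duplicate keywords` comment only describes the first loop; a one-line comment stating that duplicates are dropped by first occurrence, preserving order, would document the contract callers of `results` now get. The enclosing method of `VBA_Scanner` starts and ends outside this hunk.
```python
        # drop exact duplicates by first occurrence (order preserved); key on the
        # full pair so a keyword reported under two descriptions is not collapsed
        seen = set()
        for keyword, description in self.autoexec_keywords:
            if (keyword, description) not in seen:
                results.append(('AutoExec', keyword, description))
                seen.add((keyword, description))
        # … unchanged: same guard for self.suspicious_keywords keyed on
        #    (keyword, description) and for self.iocs keyed on (value, pattern_type) …
```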