diff --git a/README.md b/README.md index fc3a977..3f5ba95 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,11 @@ Note: python-oletools is not related to OLETools published by BeCubed Software. News ---- -- **2015-05-29 v0.11**: Improved parsing of MHTML and ActiveMime/MSO files in +- **2015-06-19 v0.12**: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now deobfuscate VBA +expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, \&, using a VBA parser built with +[pyparsing](http://pyparsing.wikispaces.com). New options to display only the analysis results or only the macros source code. +The analysis is now done on all the VBA modules at once. +- 2015-05-29 v0.11: Improved parsing of MHTML and ActiveMime/MSO files in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), added several suspicious keywords to VBA scanner (thanks to @ozhermit and Davy Douhine for the suggestions) - 2015-05-06 v0.10: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word MHTML files diff --git a/oletools/README.html b/oletools/README.html index 2e98a3e..78fcf2e 100644 --- a/oletools/README.html +++ b/oletools/README.html @@ -4,7 +4,8 @@
Note: python-oletools is not related to OLETools published by BeCubed Software.
python-oletools v0.11 documentation
+python-oletools v0.12 documentation
===================================
This is the home page of the documentation for python-oletools. The latest version can be found
online, otherwise a copy is provided in the doc subfolder of the package.
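Review bot: the v0.12 News entry is the only place the new pyparsing dependency appears, and everything else in this diff is documentation plus a TODO line; make sure setup.py / requirements and the installation section list pyparsing, otherwise olevba stops working on a fresh install unless the import is guarded. Two wording points in the same entry: "the macros source code" should read "the macro source code", and the pyparsing link points at a wikispaces page, so consider linking the PyPI project instead so the reference outlives the wiki.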
diff --git a/oletools/doc/Home.md b/oletools/doc/Home.md index 8b6f9de..06b0019 100644 --- a/oletools/doc/Home.md +++ b/oletools/doc/Home.md @@ -1,4 +1,4 @@ -python-oletools v0.11 documentation +python-oletools v0.12 documentation =================================== This is the home page of the documentation for python-oletools. The latest version can be found diff --git a/oletools/doc/olevba.html b/oletools/doc/olevba.html index 82b4da9..a7f7767 100644 --- a/oletools/doc/olevba.html +++ b/oletools/doc/olevba.html @@ -6,7 +6,7 @@VBA keywords** used by malware, anti-sandboxing and anti-virtualization techniques,
and potential IOCs (IP addresses, URLs, executable filenames, etc).
It also detects and decodes several common **obfuscation methods including Hex encoding,
-StrReverse, Base64, Dridex**, and extracts IOCs from decoded strings.
+StrReverse, Base64, Dridex, VBA expressions**, and extracts IOCs from decoded strings.
It can be used either as a command-line tool, or as a python module from your own applications.
It is part of the python-oletools package.
olevba is based on source code from officeparser
@@ -29,6 +29,10 @@Detect suspicious VBA keywords often used by malware
Detect anti-sandboxing and anti-virtualization techniques
Detect and decodes strings obfuscated with Hex/Base64/StrReverse/Dridex
Deobfuscates VBA expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &, using a VBA parser built with
Extract IOCs/patterns of interest such as IP addresses, URLs, e-mail addresses and executable file names
Scan multiple files and sample collections (wildcards, recursive)
Triage mode for a summary view of multiple files
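Review bot: the new bullet in this hunk ends at "using a VBA parser built with" with nothing after it, whereas the Markdown source below carries the pyparsing link; either the HTML was regenerated from an older olevba.md or the link text was dropped, so rebuild the HTML from the final Markdown before merging. While there, both copies mix the imperative "Detect ... / Extract ... / Scan ..." with "Deobfuscates" (and the pre-existing "Detect and decodes"); use "Deobfuscate" and "Detect and decode" so the list reads consistently.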
olevba checks the file type: If it is an OLE file (i.e MS Office 97-2003), it is parsed right away.
If it is a zip file (i.e. MS Office 2007+), olevba looks for all OLE files stored in it (e.g. vbaProject.bin), and opens them.
If it is a zip file (i.e. MS Office 2007+), XML or MHTML, olevba looks for all OLE files stored in it (e.g. vbaProject.bin, editdata.mso), and opens them.
olevba identifies all the VBA projects stored in the OLE structure.
Each VBA project is parsed to find the corresponding OLE streams containing macro code.
In each of these OLE streams, the VBA macro source code is extracted and decompressed (RLE compression).
olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex).
olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex, VBA expressions).
olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros
and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc).
@@ -76,14 +80,20 @@ Options: (default:*) - -t triage mode, display results as a summary table + -t, --triage triage mode, display results as a summary table (default for multiple files) - -d detailed mode, display full results (default for + -d, --detailed detailed mode, display full results (default for single file) + -a, --analysis display only analysis results, not the macro source + + code + + -c, --code display only VBA source code, do not analyze it + -i INPUT, --input=INPUT input file containing VBA source code to be analyzed @@ -92,7 +102,13 @@ Options: --decode display all the obfuscated strings with their decoded - content (Hex, Base64, StrReverse, Dridex). + content (Hex, Base64, StrReverse, Dridex, VBA). + + --attr display the attribute lines at the beginning of VBA + + source code + + --each analyze each VBA module separatelyScan a single file:
olevba.py file.doc
@@ -249,6 +265,7 @@ ANALYSIS:
H: hex-encoded strings (potential obfuscation)
B: Base64-encoded strings (potential obfuscation)
D: Dridex-encoded strings (potential obfuscation)
V: VBA string expressions (potential obfuscation)
Here is an example:
c:\>olevba.py \MalwareZoo\VBA\samples\*
diff --git a/oletools/doc/olevba.md b/oletools/doc/olevba.md
index 105eab2..043f4de 100644
--- a/oletools/doc/olevba.md
+++ b/oletools/doc/olevba.md
@@ -7,7 +7,7 @@ and detect security-related patterns such as **auto-executable macros**, **suspi
VBA keywords** used by malware, anti-sandboxing and anti-virtualization techniques,
and potential **IOCs** (IP addresses, URLs, executable filenames, etc).
It also detects and decodes several common **obfuscation methods including Hex encoding,
-StrReverse, Base64, Dridex**, and extracts IOCs from decoded strings.
+StrReverse, Base64, Dridex, VBA expressions**, and extracts IOCs from decoded strings.
It can be used either as a command-line tool, or as a python module from your own applications.
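Review bot: "VBA expressions" sits oddly at the end of "Hex encoding, StrReverse, Base64, Dridex", which are string encodings that get decoded; what the new feature handles is strings assembled at runtime from Chr/Asc/Val/StrReverse/Environ calls and concatenation. Suggest "and strings built from VBA expressions (Chr, Asc, &, ...)" so the reader understands this is an expression evaluator rather than one more decoder, and mirror the wording in olevba.html.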
@@ -34,6 +34,8 @@ by John William Davison, with significant modifications.
- Detect suspicious VBA keywords often used by malware
- Detect anti-sandboxing and anti-virtualization techniques
- Detect and decodes strings obfuscated with Hex/Base64/StrReverse/Dridex
+- Deobfuscates VBA expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, \&, using a VBA parser built with
+[pyparsing](http://pyparsing.wikispaces.com)
- Extract IOCs/patterns of interest such as IP addresses, URLs, e-mail addresses and executable file names
- Scan multiple files and sample collections (wildcards, recursive)
- Triage mode for a summary view of multiple files
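Review bot: the new bullet lists Environ among the functions the parser evaluates, but Environ("TEMP") and friends have no static value and must not be resolved against the analyst's own environment, since that would put the analysis host's paths and user name into the reported "deobfuscated" strings and make results differ from machine to machine. Document here, or in the --decode description, how Environ is represented in the output (for instance left symbolic as Environ("TEMP") with only the concatenation around it evaluated).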
@@ -51,11 +53,11 @@ and how they are stored in MS Office documents.
## How it works
1. olevba checks the file type: If it is an OLE file (i.e MS Office 97-2003), it is parsed right away.
-1. If it is a zip file (i.e. MS Office 2007+), olevba looks for all OLE files stored in it (e.g. vbaProject.bin), and opens them.
+1. If it is a zip file (i.e. MS Office 2007+), XML or MHTML, olevba looks for all OLE files stored in it (e.g. vbaProject.bin, editdata.mso), and opens them.
1. olevba identifies all the VBA projects stored in the OLE structure.
1. Each VBA project is parsed to find the corresponding OLE streams containing macro code.
1. In each of these OLE streams, the VBA macro source code is extracted and decompressed (RLE compression).
-1. olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex).
+1. olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex, VBA expressions).
1. olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros
and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc).
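Review bot: step 2 now says XML and MHTML files "store OLE files" such as editdata.mso, but editdata.mso is an ActiveMime container (as the v0.11 News entry itself calls it) that wraps the OLE file holding the VBA project, and in XML and MHTML it is additionally base64-encoded; as written the step skips the decode-then-unwrap that has to happen before step 3 can see an OLE structure. Suggest splitting it: "If it is XML or MHTML, olevba extracts the base64 editdata.mso part, unwraps the ActiveMime container and opens the OLE file inside." The same wording is duplicated in the HTML copy.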
@@ -75,15 +77,21 @@ and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames,
if the file is a zip archive, file(s) to be opened
within the zip. Wildcards * and ? are supported.
(default:*)
- -t triage mode, display results as a summary table
+ -t, --triage triage mode, display results as a summary table
(default for multiple files)
- -d detailed mode, display full results (default for
+ -d, --detailed detailed mode, display full results (default for
single file)
+ -a, --analysis display only analysis results, not the macro source
+ code
+ -c, --code display only VBA source code, do not analyze it
-i INPUT, --input=INPUT
input file containing VBA source code to be analyzed
(no parsing)
--decode display all the obfuscated strings with their decoded
- content (Hex, Base64, StrReverse, Dridex).
+ content (Hex, Base64, StrReverse, Dridex, VBA).
+ --attr display the attribute lines at the beginning of VBA
+ source code
+ --each analyze each VBA module separately
### Examples
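Review bot: -a/--analysis and -c/--code are opposite filters, and the help text does not say what happens when both are passed (error, or last one wins); state that they are mutually exclusive, or have the option parser reject the combination. The --each description should also say it restores the previous per-module behaviour, since the News entry makes whole-project analysis the new default and a reader of the help text alone cannot tell which mode is default. Lastly, --decode's "(Hex, Base64, StrReverse, Dridex, VBA)" should say "VBA expressions" like the rest of the document.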
@@ -211,6 +219,7 @@ The following flags show the results of the analysis:
- **H**: hex-encoded strings (potential obfuscation)
- **B**: Base64-encoded strings (potential obfuscation)
- **D**: Dridex-encoded strings (potential obfuscation)
+- **V**: VBA string expressions (potential obfuscation)
Here is an example:
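Review bot: the legend gains a V flag, but the example that follows "Here is an example:" is untouched in this diff; if the triage table now has a V column, regenerate the sample output so the legend and the example agree, and do the same in the olevba.html copy where the same unchanged example follows the new line.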
diff --git a/oletools/olevba.py b/oletools/olevba.py
index dc883b7..fb1dd29 100755
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -145,6 +145,7 @@ __version__ = '0.31'
#------------------------------------------------------------------------------
# TODO:
+# + option --fast to disable VBA expressions parsing
# + do not use logging, but a provided logger (null logger by default)
# + setup logging (common with other oletools)
# + add xor bruteforcing like bbharvest
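Review bot: a --fast opt-out is the right instinct, but the default path still runs a pyparsing grammar over attacker-controlled macro text; macros with very long concatenation chains or deeply nested Chr(...) calls can make parsing slow or hit Python's recursion limit, which is an anti-analysis trick in its own right. Alongside the flag, consider capping expression length and nesting depth and catching parser exceptions per module so one pathological module does not abort the whole scan; and if pyparsing is meant to be optional when --fast is used, guard the import accordingly.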