Commit 75e413f5505c40ad253c717a2848477f6f28e53a
1 parent
91642895
olevba: added suspicious keywords for sandboxing and virtualisation detection
Showing
1 changed file
with
44 additions
and
1 deletions
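--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -125,8 +125,10 @@ https://github.com/unixfreak0037/officeparser
 # - improved Base64 detection and decoding
 # - fixed triage mode not to scan attrib lines
 # 2015-03-04 v0.25 PL: - added support for Word 2003 XML
+# 2015-03-22 v0.26 PL: - added suspicious keywords for sandboxing and
+# virtualisation detection
 
-__version__ = '0.25'
+__version__ = '0.26'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -261,6 +263,9 @@ SUSPICIOUS_KEYWORDS = {
 'vbMinimizedNoFocus', 'WScript.Shell', 'Run'),
 #Shell: http://msdn.microsoft.com/en-us/library/office/gg278437%28v=office.15%29.aspx
 #WScript.Shell+Run sample: http://pastebin.com/Z4TMyuq6
+'May run PowerShell commands':
+#sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/
+('PowerShell', ),
 'May hide the application':
 ('Application.Visible', 'ShowWindow', 'SW_HIDE'),
 'May create a directory':
@@ -282,6 +287,9 @@ SUSPICIOUS_KEYWORDS = {
 'May download files from the Internet':
 #TODO: regex to find urlmon+URLDownloadToFileA on same line
 ('URLDownloadToFileA', 'Msxml2.XMLHTTP', 'Microsoft.XMLHTTP'),
+'May download files from the Internet using PowerShell':
+#sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/
+('New-Object System.Net.WebClient', 'DownloadFile'),
 'May control another application by simulating user keystrokes':
 ('SendKeys', 'AppActivate'),
 #SendKeys: http://msdn.microsoft.com/en-us/library/office/gg278655%28v=office.15%29.aspx
@@ -292,6 +300,41 @@ SUSPICIOUS_KEYWORDS = {
 #TODO: regex to find several Chr*, not just one
 ('Chr', 'ChrB', 'ChrW', 'StrReverse', 'Xor'),
 #Chr: http://msdn.microsoft.com/en-us/library/office/gg264465%28v=office.15%29.aspx
+'May read or write registry keys':
+#sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/
+('RegOpenKeyExA', 'RegOpenKeyEx', 'RegCloseKey'),
+'May read registry keys':
+#sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/
+('RegQueryValueExA', 'RegQueryValueEx',
+'RegRead', #with Wscript.Shell
+),
+'May detect virtualisation':
+#sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/
+(r'SYSTEM\ControlSet001\Services\Disk\Enum', 'VIRTUAL', 'VMWARE', 'VBOX'),
+'May detect Anubis Sandbox':
+#sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/
+#NOTES: this sample also checks App.EXEName but that seems to be a bug, it works in VB6 but not in VBA
+#ref: http://www.syssec-project.eu/m/page-media/3/disarm-raid11.pdf
+('GetVolumeInformationA', 'GetVolumeInformation', #with kernel32.dll
+'1824245000', r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId',
+'76487-337-8429955-22614', 'andy', 'sample', r'C:\exec\exec.exe', 'popupkiller'
+),
+'May detect Sandboxie':
+#sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/
+#ref: http://www.cplusplus.com/forum/windows/96874/
+('SbieDll.dll', 'SandboxieControlWndClass'),
+'May detect Sunbelt Sandbox':
+#ref: http://www.cplusplus.com/forum/windows/96874/
+(r'C:\file.exe',),
+'May detect Norman Sandbox':
+#ref: http://www.cplusplus.com/forum/windows/96874/
+('currentuser',),
+'May detect CW Sandbox':
+#ref: http://www.cplusplus.com/forum/windows/96874/
+('Schmidti',),
+'May detect WinJail Sandbox':
+#ref: http://www.cplusplus.com/forum/windows/96874/
+('Afx:400000:0',),
 }
 
 # Regular Expression for a URL: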
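Review bot: Several of the new indicator tokens in the last hunk — `'andy'`, `'sample'`, `'currentuser'`, `'VIRTUAL'` and `'DownloadFile'` — are short generic substrings that ordinary macro identifiers, variable names and comments also contain, so these entries will produce false positives in triage that the commit does not address. If the table is consumed by the same case-insensitive substring search the existing entries rely on (the matcher is outside this hunk, so this is inferred), `'currentuser'` also fires on any `CurrentUser`-style identifier and `'sample'` on the word in a comment, whereas the distinctive Anubis artefacts (`'76487-337-8429955-22614'`, `r'C:\exec\exec.exe'`, `'popupkiller'`) carry the real signal. Under that same assumption `'RegOpenKeyEx'`, `'RegQueryValueEx'` and `'GetVolumeInformation'` are redundant next to their `A`-suffixed forms, since each is a substring of the other. At minimum, a comment such as `#NOTE: 'andy', 'sample', 'currentuser' are weak indicators that also match benign code; expect false positives` above the affected tuples would tell analysts how much weight to give a hit. SUSPICIOUS_KEYWORDS begins before the first of these hunks and its closing brace is the last context line.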