Commit 84077c743b7f58506de4b326f6da91d2456b7818

Authored by Philippe Lagadec
1 parent 08c23bde

olevba: updated suspicious keywords

Showing 1 changed file with 11 additions and 3 deletions
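--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -167,6 +167,7 @@ https://github.com/unixfreak0037/officeparser
 # 2016-03-04 v0.45 CH: - added JSON output (by Christian Herdtweck)
 # 2016-03-16 CH: - added option --no-deobfuscate (temporary)
 # 2016-04-19 v0.46 PL: - new option --deobf instead of --no-deobfuscate
+# - updated suspicious keywords
 
 __version__ = '0.46'
 
@@ -378,8 +379,13 @@ SUSPICIOUS_KEYWORDS = {
 'May run PowerShell commands':
 #sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/
 #also: https://bitbucket.org/decalage/oletools/issues/14/olevba-library-update-ioc
-#TODO: add support for keywords starting with a non-alpha character, such as "-noexit"
-('PowerShell', 'noexit', 'ExecutionPolicy', 'noprofile'),
+# ref: https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
+# TODO: add support for keywords starting with a non-alpha character, such as "-noexit"
+# TODO: '-command', '-EncodedCommand', '-scriptblock'
+('PowerShell', 'noexit', 'ExecutionPolicy', 'noprofile', 'command', 'EncodedCommand',
+'invoke-command', 'scriptblock', 'Invoke-Expression', 'AuthorizationManager'),
+'May run an executable file or a system command using PowerShell':
+('Start-Process',),
 'May hide the application':
 ('Application.Visible', 'ShowWindow', 'SW_HIDE'),
 'May create a directory':
@@ -391,6 +397,8 @@ SUSPICIOUS_KEYWORDS = {
 ('Application.AltStartupPath',),
 'May create an OLE object':
 ('CreateObject',),
+'May create an OLE object using PowerShell':
+('New-Object',),
 'May run an application (if combined with CreateObject)':
 ('Shell.Application',),
 'May enumerate application windows (if combined with Shell.Application object)':
@@ -409,7 +417,7 @@ SUSPICIOUS_KEYWORDS = {
 ),
 'May download files from the Internet using PowerShell':
 #sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/
-('New-Object System.Net.WebClient', 'DownloadFile'),
+('Net.WebClient', 'DownloadFile', 'DownloadString'),
 'May control another application by simulating user keystrokes':
 ('SendKeys', 'AppActivate'),
 #SendKeys: http://msdn.microsoft.com/en-us/library/office/gg278655%28v=office.15%29.aspx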
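Review bot: The new label `'May create an OLE object using PowerShell'` attached to `New-Object` in the third hunk is misleading: `New-Object` instantiates arbitrary .NET types (the `Net.WebClient` entry in the last hunk is one), and only `New-Object -ComObject ...` creates an OLE/COM object, so the entry should read `'May create a .NET or COM object using PowerShell': ('New-Object',),`. Separately, the bare keyword `'command'` added to the PowerShell tuple will presumably fire on any macro that uses `command` as an identifier or inside a string, inflating false positives on benign documents; whether the matcher is word-bounded and case-insensitive is not visible here, so either mark it low-confidence in the comment or hold it back until the `-command` TODO in the same hunk is implemented. Analysts should also note that the abbreviated switches attackers actually use (`-enc`, `-nop`, `-w hidden`) still go undetected, because, as the TODO states, keywords cannot start on a non-alpha character. The `SUSPICIOUS_KEYWORDS` dict begins before the first hunk and continues past the last.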