Commit 8af891f6dd6df35f829a6e202c17de4499c0b7f4
Committed by
GitHub
GitHub
1 parent
82c4f579
Update olevba.py
even after adding the raw string, _r'HKCU\Environment'_ and _r'HKEY_CURRENT_USER\Environment'_ do not match correctly. I temporarily removed them.
Showing
1 changed file
with
1 additions
and
2 deletions
oletools/olevba.py
| @@ -662,8 +662,7 @@ SUSPICIOUS_KEYWORDS = { | @@ -662,8 +662,7 @@ SUSPICIOUS_KEYWORDS = { | ||
| 662 | #TODO: use regex to support variable whitespaces | 662 | #TODO: use regex to support variable whitespaces |
| 663 | #http://www.certego.net/en/news/advanced-vba-macros/ | 663 | #http://www.certego.net/en/news/advanced-vba-macros/ |
| 664 | 'May read system environment variables': | 664 | 'May read system environment variables': |
| 665 | - ('Environ','Win32_Environment','Environment','ExpandEnvironmentStrings','HKCU\Environment', | ||
| 666 | - 'HKEY_CURRENT_USER\Environment'), | 665 | + ('Environ','Win32_Environment','Environment','ExpandEnvironmentStrings'), |
| 667 | 'May open a file': | 666 | 'May open a file': |
| 668 | ('Open',), | 667 | ('Open',), |
| 669 | 'May write to a file (if combined with Open)': | 668 | 'May write to a file (if combined with Open)': |