Commit 8e04c154ec6208092b18565282e5fc4875d338f7
1 parent
2939f491
olevba: added several suspicious keywords, improved display
Showing
1 changed file
with
41 additions
and
14 deletions
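--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -94,8 +94,9 @@ https://github.com/unixfreak0037/officeparser
 # 2015-01-03 v0.12 PL: - fixed detect_patterns to detect all patterns
 # - process_file: improved display, shows container file
 # - improved list of executable file extensions
+# 2015-01-04 v0.13 PL: - added several suspicious keywords, improved display
 
-__version__ = '0.12'
+__version__ = '0.13'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -151,37 +152,48 @@ FORM_EXTENSION = "frm"
 # Keywords to detect auto-executable macros
 AUTOEXEC_KEYWORDS = {
 # MS Word:
-'Macro triggered when the Word document is opened':
+'Runs when the Word document is opened':
 ('AutoExec', 'AutoOpen', 'Document_Open', 'DocumentOpen'),
-'Macro triggered when the Word document is closed':
+'Runs when the Word document is closed':
 ('AutoExit', 'AutoClose', 'Document_Close', 'DocumentBeforeClose'),
-'Macro triggered when the Word document is modified':
+'Runs when the Word document is modified':
 ('DocumentChange',),
-'Macro triggered when a new Word document is created':
+'Runs when a new Word document is created':
 ('AutoNew', 'Document_New', 'NewDocument'),
 
 # MS Excel:
-'Macro triggered when the Excel Workbook is opened':
+'Runs when the Excel Workbook is opened':
 ('Auto_Open', 'Workbook_Open'),
-'Macro triggered when the Excel Workbook is closed':
+'Runs when the Excel Workbook is closed':
 ('Auto_Close', 'Workbook_Close'),
 
 #TODO: full list in MS specs??
 }
 
 # Suspicious Keywords that may be used by malware
+# See VBA language reference: http://msdn.microsoft.com/en-us/library/office/jj692818%28v=office.15%29.aspx
 SUSPICIOUS_KEYWORDS = {
 #TODO: use regex to support variable whitespaces
 'May read system environment variables':
-('environ',),
+('Environ',),
 'May open a file':
-('open',),
+('Open',),
 'May write to a file (if combined with Open)':
-('write', 'put', 'output', 'print #'),
+#TODO: regex to find Open+Write on same line
+('Write', 'Put', 'Output', 'Print #'),
 'May read or write a binary file (if combined with Open)':
-('binary',),
+#TODO: regex to find Open+Binary on same line
+('Binary',),
+'May copy a file':
+('FileCopy', 'CopyFile'),
+#FileCopy: http://msdn.microsoft.com/en-us/library/office/gg264390%28v=office.15%29.aspx
+#CopyFile: http://msdn.microsoft.com/en-us/library/office/gg264089%28v=office.15%29.aspx
+'May create a text file':
+('CreateTextFile'),
+#CreateTextFile: http://msdn.microsoft.com/en-us/library/office/gg264617%28v=office.15%29.aspx
 'May run an executable file or a system command':
-('shell', 'vbnormalfocus'),
+('Shell', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus', 'vbMinimizedNoFocus'),
+#Shell: http://msdn.microsoft.com/en-us/library/office/gg278437%28v=office.15%29.aspx
 'May hide the application':
 ('Application.Visible', 'ShowWindow', 'SW_HIDE'),
 'May create a directory':
@@ -196,7 +208,22 @@ SUSPICIOUS_KEYWORDS = {
 'May run an application (if combined with CreateObject)':
 ('Shell.Application',),
 'May enumerate application windows (if combined with Shell.Application object)':
-('.Windows', 'FindWindow'),
+('Windows', 'FindWindow'),
+'May run code from a DLL':
+#TODO: regex to find declare+lib on same line
+('Lib',),
+'May download files from the Internet':
+#TODO: regex to find urlmon+URLDownloadToFileA on same line
+('URLDownloadToFileA',),
+'May control another application by simulating user keystrokes':
+('SendKeys', 'AppActivate'),
+#SendKeys: http://msdn.microsoft.com/en-us/library/office/gg278655%28v=office.15%29.aspx
+'May attempt to obfuscate malicious function calls':
+('CallByName'),
+#CallByName: http://msdn.microsoft.com/en-us/library/office/gg278760%28v=office.15%29.aspx
+'May attempt to obfuscate specific strings':
+('Chr', 'ChrB', 'ChrW'),
+#Chr: http://msdn.microsoft.com/en-us/library/office/gg264465%28v=office.15%29.aspx
 }
 
 # Patterns to be extracted (IP addresses, URLs, etc)
@@ -1072,7 +1099,7 @@ def process_file (container, filename, data):
 t.align = 'l'
 t.max_width['Type'] = 10
 t.max_width['Keyword'] = 20
-t.max_width['Description'] = 40
+t.max_width['Description'] = 39
 for keyword, description in autoexec_keywords:
 t.add_row(('AutoExec', keyword, description))
 for keyword, description in suspicious_keywords: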
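Review bot: Two of the new SUSPICIOUS_KEYWORDS values are not tuples: `('CreateTextFile')` (new line 192) and `('CallByName')` (new line 222) are parenthesised strings, because the trailing comma that every other single-entry value carries (`('Environ',)`, `('Lib',)`) is missing. If the scanning code iterates each value as a sequence of keywords — that loop is outside these hunks, so this is inferred from the other entries — these two will be iterated character by character, so any macro containing the letter `e` or `a` is reported as "May create a text file" / "May attempt to obfuscate malicious function calls", while the real keywords are never matched as a whole. The fix is the trailing comma: `('CreateTextFile',)` and `('CallByName',)`. Separately, several of the newly cased keywords (`Open`, `Lib`, `Windows`, `Chr`) are short substrings of ordinary VBA identifiers, so the existing "#TODO: use regex" note is worth extending to word-boundary matching before these entries are trusted in triage; and `URLDownloadToFileA` alone will miss a `Declare` aliasing the `URLDownloadToFileW` export, which is worth listing alongside it.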