Commit 8e04c154ec6208092b18565282e5fc4875d338f7
1 parent
2939f491
olevba: added several suspicious keywords, improved display
Showing
1 changed file
with
41 additions
and
14 deletions
oletools/olevba.py
| @@ -94,8 +94,9 @@ https://github.com/unixfreak0037/officeparser | @@ -94,8 +94,9 @@ https://github.com/unixfreak0037/officeparser | ||
| 94 | # 2015-01-03 v0.12 PL: - fixed detect_patterns to detect all patterns | 94 | # 2015-01-03 v0.12 PL: - fixed detect_patterns to detect all patterns |
| 95 | # - process_file: improved display, shows container file | 95 | # - process_file: improved display, shows container file |
| 96 | # - improved list of executable file extensions | 96 | # - improved list of executable file extensions |
| 97 | +# 2015-01-04 v0.13 PL: - added several suspicious keywords, improved display | ||
| 97 | 98 | ||
| 98 | -__version__ = '0.12' | 99 | +__version__ = '0.13' |
| 99 | 100 | ||
| 100 | #------------------------------------------------------------------------------ | 101 | #------------------------------------------------------------------------------ |
| 101 | # TODO: | 102 | # TODO: |
| @@ -151,37 +152,48 @@ FORM_EXTENSION = "frm" | @@ -151,37 +152,48 @@ FORM_EXTENSION = "frm" | ||
| 151 | # Keywords to detect auto-executable macros | 152 | # Keywords to detect auto-executable macros |
| 152 | AUTOEXEC_KEYWORDS = { | 153 | AUTOEXEC_KEYWORDS = { |
| 153 | # MS Word: | 154 | # MS Word: |
| 154 | - 'Macro triggered when the Word document is opened': | 155 | + 'Runs when the Word document is opened': |
| 155 | ('AutoExec', 'AutoOpen', 'Document_Open', 'DocumentOpen'), | 156 | ('AutoExec', 'AutoOpen', 'Document_Open', 'DocumentOpen'), |
| 156 | - 'Macro triggered when the Word document is closed': | 157 | + 'Runs when the Word document is closed': |
| 157 | ('AutoExit', 'AutoClose', 'Document_Close', 'DocumentBeforeClose'), | 158 | ('AutoExit', 'AutoClose', 'Document_Close', 'DocumentBeforeClose'), |
| 158 | - 'Macro triggered when the Word document is modified': | 159 | + 'Runs when the Word document is modified': |
| 159 | ('DocumentChange',), | 160 | ('DocumentChange',), |
| 160 | - 'Macro triggered when a new Word document is created': | 161 | + 'Runs when a new Word document is created': |
| 161 | ('AutoNew', 'Document_New', 'NewDocument'), | 162 | ('AutoNew', 'Document_New', 'NewDocument'), |
| 162 | 163 | ||
| 163 | # MS Excel: | 164 | # MS Excel: |
| 164 | - 'Macro triggered when the Excel Workbook is opened': | 165 | + 'Runs when the Excel Workbook is opened': |
| 165 | ('Auto_Open', 'Workbook_Open'), | 166 | ('Auto_Open', 'Workbook_Open'), |
| 166 | - 'Macro triggered when the Excel Workbook is closed': | 167 | + 'Runs when the Excel Workbook is closed': |
| 167 | ('Auto_Close', 'Workbook_Close'), | 168 | ('Auto_Close', 'Workbook_Close'), |
| 168 | 169 | ||
| 169 | #TODO: full list in MS specs?? | 170 | #TODO: full list in MS specs?? |
| 170 | } | 171 | } |
| 171 | 172 | ||
| 172 | # Suspicious Keywords that may be used by malware | 173 | # Suspicious Keywords that may be used by malware |
| 174 | +# See VBA language reference: http://msdn.microsoft.com/en-us/library/office/jj692818%28v=office.15%29.aspx | ||
| 173 | SUSPICIOUS_KEYWORDS = { | 175 | SUSPICIOUS_KEYWORDS = { |
| 174 | #TODO: use regex to support variable whitespaces | 176 | #TODO: use regex to support variable whitespaces |
| 175 | 'May read system environment variables': | 177 | 'May read system environment variables': |
| 176 | - ('environ',), | 178 | + ('Environ',), |
| 177 | 'May open a file': | 179 | 'May open a file': |
| 178 | - ('open',), | 180 | + ('Open',), |
| 179 | 'May write to a file (if combined with Open)': | 181 | 'May write to a file (if combined with Open)': |
| 180 | - ('write', 'put', 'output', 'print #'), | 182 | + #TODO: regex to find Open+Write on same line |
| 183 | + ('Write', 'Put', 'Output', 'Print #'), | ||
| 181 | 'May read or write a binary file (if combined with Open)': | 184 | 'May read or write a binary file (if combined with Open)': |
| 182 | - ('binary',), | 185 | + #TODO: regex to find Open+Binary on same line |
| 186 | + ('Binary',), | ||
| 187 | + 'May copy a file': | ||
| 188 | + ('FileCopy', 'CopyFile'), | ||
| 189 | + #FileCopy: http://msdn.microsoft.com/en-us/library/office/gg264390%28v=office.15%29.aspx | ||
| 190 | + #CopyFile: http://msdn.microsoft.com/en-us/library/office/gg264089%28v=office.15%29.aspx | ||
| 191 | + 'May create a text file': | ||
| 192 | + ('CreateTextFile'), | ||
| 193 | + #CreateTextFile: http://msdn.microsoft.com/en-us/library/office/gg264617%28v=office.15%29.aspx | ||
| 183 | 'May run an executable file or a system command': | 194 | 'May run an executable file or a system command': |
| 184 | - ('shell', 'vbnormalfocus'), | 195 | + ('Shell', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus', 'vbMinimizedNoFocus'), |
| 196 | + #Shell: http://msdn.microsoft.com/en-us/library/office/gg278437%28v=office.15%29.aspx | ||
| 185 | 'May hide the application': | 197 | 'May hide the application': |
| 186 | ('Application.Visible', 'ShowWindow', 'SW_HIDE'), | 198 | ('Application.Visible', 'ShowWindow', 'SW_HIDE'), |
| 187 | 'May create a directory': | 199 | 'May create a directory': |
| @@ -196,7 +208,22 @@ SUSPICIOUS_KEYWORDS = { | @@ -196,7 +208,22 @@ SUSPICIOUS_KEYWORDS = { | ||
| 196 | 'May run an application (if combined with CreateObject)': | 208 | 'May run an application (if combined with CreateObject)': |
| 197 | ('Shell.Application',), | 209 | ('Shell.Application',), |
| 198 | 'May enumerate application windows (if combined with Shell.Application object)': | 210 | 'May enumerate application windows (if combined with Shell.Application object)': |
| 199 | - ('.Windows', 'FindWindow'), | 211 | + ('Windows', 'FindWindow'), |
| 212 | + 'May run code from a DLL': | ||
| 213 | + #TODO: regex to find declare+lib on same line | ||
| 214 | + ('Lib',), | ||
| 215 | + 'May download files from the Internet': | ||
| 216 | + #TODO: regex to find urlmon+URLDownloadToFileA on same line | ||
| 217 | + ('URLDownloadToFileA',), | ||
| 218 | + 'May control another application by simulating user keystrokes': | ||
| 219 | + ('SendKeys', 'AppActivate'), | ||
| 220 | + #SendKeys: http://msdn.microsoft.com/en-us/library/office/gg278655%28v=office.15%29.aspx | ||
| 221 | + 'May attempt to obfuscate malicious function calls': | ||
| 222 | + ('CallByName'), | ||
| 223 | + #CallByName: http://msdn.microsoft.com/en-us/library/office/gg278760%28v=office.15%29.aspx | ||
| 224 | + 'May attempt to obfuscate specific strings': | ||
| 225 | + ('Chr', 'ChrB', 'ChrW'), | ||
| 226 | + #Chr: http://msdn.microsoft.com/en-us/library/office/gg264465%28v=office.15%29.aspx | ||
| 200 | } | 227 | } |
| 201 | 228 | ||
| 202 | # Patterns to be extracted (IP addresses, URLs, etc) | 229 | # Patterns to be extracted (IP addresses, URLs, etc) |
| @@ -1072,7 +1099,7 @@ def process_file (container, filename, data): | @@ -1072,7 +1099,7 @@ def process_file (container, filename, data): | ||
| 1072 | t.align = 'l' | 1099 | t.align = 'l' |
| 1073 | t.max_width['Type'] = 10 | 1100 | t.max_width['Type'] = 10 |
| 1074 | t.max_width['Keyword'] = 20 | 1101 | t.max_width['Keyword'] = 20 |
| 1075 | - t.max_width['Description'] = 40 | 1102 | + t.max_width['Description'] = 39 |
| 1076 | for keyword, description in autoexec_keywords: | 1103 | for keyword, description in autoexec_keywords: |
| 1077 | t.add_row(('AutoExec', keyword, description)) | 1104 | t.add_row(('AutoExec', keyword, description)) |
| 1078 | for keyword, description in suspicious_keywords: | 1105 | for keyword, description in suspicious_keywords: |