From 8f37786d9504aff1c12b30434c8c3b63d5c968bd Mon Sep 17 00:00:00 2001
From: Philippe Lagadec
Date: Sat, 7 Feb 2015 14:45:10 +0100
Subject: [PATCH] olevba: added several suspicious keywords

---
 oletools/olevba.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/oletools/olevba.py b/oletools/olevba.py
index e4c8067..0f2f24d 100644
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -119,6 +119,7 @@ https://github.com/unixfreak0037/officeparser
 # - exception handling in detect_base64_strings
 # 2015-02-07 v0.24 PL: - renamed option --hex to --decode, fixed display
 # - display exceptions with stack trace
+# - added several suspicious keywords
 __version__ = '0.24'
@@ -217,12 +218,14 @@ SUSPICIOUS_KEYWORDS = {
 ('FileCopy', 'CopyFile'),
 #FileCopy: http://msdn.microsoft.com/en-us/library/office/gg264390%28v=office.15%29.aspx
 #CopyFile: http://msdn.microsoft.com/en-us/library/office/gg264089%28v=office.15%29.aspx
+ 'May delete a file':
+ ('Kill',),
 'May create a text file':
 ('CreateTextFile','ADODB.Stream', 'WriteText', 'SaveToFile'),
 #CreateTextFile: http://msdn.microsoft.com/en-us/library/office/gg264617%28v=office.15%29.aspx
 #ADODB.Stream sample: http://pastebin.com/Z4TMyuq6
 'May run an executable file or a system command':
- ('Shell', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus',
+ ('Shell', 'vbNormal', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus',
 'vbMinimizedNoFocus', 'WScript.Shell', 'Run'),
 #Shell: http://msdn.microsoft.com/en-us/library/office/gg278437%28v=office.15%29.aspx
 #WScript.Shell+Run sample: http://pastebin.com/Z4TMyuq6
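Review bot: `'vbNormal'`, added to the 'May run an executable file or a system command' tuple, is not one of the Shell window-style constants (the Shell reference already linked under that tuple lists vbHide, vbNormalFocus, vbMinimizedFocus, vbMaximizedFocus, vbNormalNoFocus and vbMinimizedNoFocus); in VBA it is the FileAttribute constant used with Dir/GetAttr/SetAttr, so benign file-listing code will be reported under an execution-related heading — please confirm against that reference. If keyword matching is substring-based (the matching code is outside this hunk), `'vbNormal'` also subsumes the existing `'vbNormalFocus'` and `'vbNormalNoFocus'` entries, so every hit on them would be reported twice. The same caveat applies to the new `'Kill'` entry: a short token like this matches identifiers such as `KillTimer` unless matching is word-bounded, so a one-line note on the entry would help triage, e.g. `#Kill: deletes a file - short token, weak indicator unless matched as a whole word`.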
@@ -254,7 +257,8 @@ SUSPICIOUS_KEYWORDS = {
 ('CallByName',),
 #CallByName: http://msdn.microsoft.com/en-us/library/office/gg278760%28v=office.15%29.aspx
 'May attempt to obfuscate specific strings':
- ('Chr', 'ChrB', 'ChrW', 'StrReverse'),
+ #TODO: regex to find several Chr*, not just one
+ ('Chr', 'ChrB', 'ChrW', 'StrReverse', 'Xor'),
 #Chr: http://msdn.microsoft.com/en-us/library/office/gg264465%28v=office.15%29.aspx
 }
--
libgit2 0.21.4
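Review bot: The new `#TODO: regex to find several Chr*, not just one` comment sits between the dict key `'May attempt to obfuscate specific strings':` and its value tuple, which is legal Python but reads as if the tuple itself were commented out; move it above the key, or below the tuple next to the existing `#Chr:` reference comment. Separately, `'Xor'` is a built-in VBA operator that shows up in plenty of benign arithmetic and flag-handling code, so under this category it is a much noisier indicator than the Chr*/StrReverse entries, and if matching is substring-based (the matching code is outside this hunk) it will also fire on any identifier containing `xor`. A short note on the entry would help analysts weigh the hit, e.g. `#Xor: VBA operator, common in string-decoding loops but also in ordinary code - weak indicator on its own`.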