Commit 8f37786d9504aff1c12b30434c8c3b63d5c968bd
1 parent
f854f4df
olevba: added several suspicious keywords
Showing
1 changed file
with
6 additions
and
2 deletions
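--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -119,6 +119,7 @@ https://github.com/unixfreak0037/officeparser
 # - exception handling in detect_base64_strings
 # 2015-02-07 v0.24 PL: - renamed option --hex to --decode, fixed display
 # - display exceptions with stack trace
+# - added several suspicious keywords
 
 __version__ = '0.24'
 
@@ -217,12 +218,14 @@ SUSPICIOUS_KEYWORDS = {
 ('FileCopy', 'CopyFile'),
 #FileCopy: http://msdn.microsoft.com/en-us/library/office/gg264390%28v=office.15%29.aspx
 #CopyFile: http://msdn.microsoft.com/en-us/library/office/gg264089%28v=office.15%29.aspx
+'May delete a file':
+('Kill',),
 'May create a text file':
 ('CreateTextFile','ADODB.Stream', 'WriteText', 'SaveToFile'),
 #CreateTextFile: http://msdn.microsoft.com/en-us/library/office/gg264617%28v=office.15%29.aspx
 #ADODB.Stream sample: http://pastebin.com/Z4TMyuq6
 'May run an executable file or a system command':
-('Shell', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus',
+('Shell', 'vbNormal', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus',
 'vbMinimizedNoFocus', 'WScript.Shell', 'Run'),
 #Shell: http://msdn.microsoft.com/en-us/library/office/gg278437%28v=office.15%29.aspx
 #WScript.Shell+Run sample: http://pastebin.com/Z4TMyuq6
@@ -254,7 +257,8 @@ SUSPICIOUS_KEYWORDS = {
 ('CallByName',),
 #CallByName: http://msdn.microsoft.com/en-us/library/office/gg278760%28v=office.15%29.aspx
 'May attempt to obfuscate specific strings':
-('Chr', 'ChrB', 'ChrW', 'StrReverse'),
+#TODO: regex to find several Chr*, not just one
+('Chr', 'ChrB', 'ChrW', 'StrReverse', 'Xor'),
 #Chr: http://msdn.microsoft.com/en-us/library/office/gg264465%28v=office.15%29.aspx
 }
 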
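Review bot: The new `'vbNormal'` entry in the Shell tuple (second hunk) is a prefix of `'vbNormalFocus'` and `'vbNormalNoFocus'` already in that tuple, and `'Xor'` in the third hunk is a plain VBA operator that benign macros use for bit flags and checksums, so whether these produce duplicate or spurious findings depends on how the keyword matching routine compares keywords (substring versus word-boundary), which lives outside these hunks and should be checked before relying on them. The new entries also lack the per-keyword reference comment every neighbouring keyword carries; I would add `#Kill: <MSDN link placeholder>` after the `('Kill',)` line and `#Xor: also common in legitimate macros (bit flags, checksums) - low-confidence indicator` after the new Chr tuple, so report readers know how much weight to give the hit. The `#TODO` comment is placed between the dict key and its value tuple, which is legal but unusual; the other keyword notes sit after the tuple, and moving it there keeps the dict readable.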