Peter M. Groen / oletools

Commit 8f37786d9504aff1c12b30434c8c3b63d5c968bd

Authored by Philippe Lagadec
1 parent f854f4df

olevba: added several suspicious keywords

Inline Side-by-side
Showing 1 changed file with 6 additions and 2 deletions
oletools/olevba.py
  View file @8f37786
@@ -119,6 +119,7 @@ https://github.com/unixfreak0037/officeparser @@ -119,6 +119,7 @@ https://github.com/unixfreak0037/officeparser
119 # - exception handling in detect_base64_strings 119 # - exception handling in detect_base64_strings
120 # 2015-02-07 v0.24 PL: - renamed option --hex to --decode, fixed display 120 # 2015-02-07 v0.24 PL: - renamed option --hex to --decode, fixed display
121 # - display exceptions with stack trace 121 # - display exceptions with stack trace
  122 +# - added several suspicious keywords
122 123
123 __version__ = '0.24' 124 __version__ = '0.24'
124 125
@@ -217,12 +218,14 @@ SUSPICIOUS_KEYWORDS = { @@ -217,12 +218,14 @@ SUSPICIOUS_KEYWORDS = {
217 ('FileCopy', 'CopyFile'), 218 ('FileCopy', 'CopyFile'),
218 #FileCopy: http://msdn.microsoft.com/en-us/library/office/gg264390%28v=office.15%29.aspx 219 #FileCopy: http://msdn.microsoft.com/en-us/library/office/gg264390%28v=office.15%29.aspx
219 #CopyFile: http://msdn.microsoft.com/en-us/library/office/gg264089%28v=office.15%29.aspx 220 #CopyFile: http://msdn.microsoft.com/en-us/library/office/gg264089%28v=office.15%29.aspx
  221 + 'May delete a file':
  222 + ('Kill',),
220 'May create a text file': 223 'May create a text file':
221 ('CreateTextFile','ADODB.Stream', 'WriteText', 'SaveToFile'), 224 ('CreateTextFile','ADODB.Stream', 'WriteText', 'SaveToFile'),
222 #CreateTextFile: http://msdn.microsoft.com/en-us/library/office/gg264617%28v=office.15%29.aspx 225 #CreateTextFile: http://msdn.microsoft.com/en-us/library/office/gg264617%28v=office.15%29.aspx
223 #ADODB.Stream sample: http://pastebin.com/Z4TMyuq6 226 #ADODB.Stream sample: http://pastebin.com/Z4TMyuq6
224 'May run an executable file or a system command': 227 'May run an executable file or a system command':
225 - ('Shell', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus', 228 + ('Shell', 'vbNormal', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus',
226 'vbMinimizedNoFocus', 'WScript.Shell', 'Run'), 229 'vbMinimizedNoFocus', 'WScript.Shell', 'Run'),
227 #Shell: http://msdn.microsoft.com/en-us/library/office/gg278437%28v=office.15%29.aspx 230 #Shell: http://msdn.microsoft.com/en-us/library/office/gg278437%28v=office.15%29.aspx
228 #WScript.Shell+Run sample: http://pastebin.com/Z4TMyuq6 231 #WScript.Shell+Run sample: http://pastebin.com/Z4TMyuq6
@@ -254,7 +257,8 @@ SUSPICIOUS_KEYWORDS = { @@ -254,7 +257,8 @@ SUSPICIOUS_KEYWORDS = {
254 ('CallByName',), 257 ('CallByName',),
255 #CallByName: http://msdn.microsoft.com/en-us/library/office/gg278760%28v=office.15%29.aspx 258 #CallByName: http://msdn.microsoft.com/en-us/library/office/gg278760%28v=office.15%29.aspx
256 'May attempt to obfuscate specific strings': 259 'May attempt to obfuscate specific strings':
257 - ('Chr', 'ChrB', 'ChrW', 'StrReverse'), 260 + #TODO: regex to find several Chr*, not just one
  261 + ('Chr', 'ChrB', 'ChrW', 'StrReverse', 'Xor'),
258 #Chr: http://msdn.microsoft.com/en-us/library/office/gg264465%28v=office.15%29.aspx 262 #Chr: http://msdn.microsoft.com/en-us/library/office/gg264465%28v=office.15%29.aspx
259 } 263 }
260 264