From 9f16427f03c30dc61b503b3591ea46aa7ff3ba51 Mon Sep 17 00:00:00 2001
From: Philippe Lagadec
Date: Fri, 29 May 2015 22:27:59 +0200
Subject: [PATCH] olevba: added suspicious keyword suggested by @ozhermit

---
 oletools/olevba.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/oletools/olevba.py b/oletools/olevba.py
index d263a4c..950241d 100755
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -136,8 +136,9 @@ https://github.com/unixfreak0037/officeparser
 # various data offsets (issue #12)
 # - improved detection of MSO files, avoiding incorrect
 # parsing errors (issue #7)
+# 2015-05-29 v0.30 PL: - added suspicious keywords suggested by @ozhermit
 
-__version__ = '0.29'
+__version__ = '0.30'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -305,7 +306,9 @@ SUSPICIOUS_KEYWORDS = {
 ('Lib',),
 'May download files from the Internet':
 #TODO: regex to find urlmon+URLDownloadToFileA on same line
-('URLDownloadToFileA', 'Msxml2.XMLHTTP', 'Microsoft.XMLHTTP'),
+('URLDownloadToFileA', 'Msxml2.XMLHTTP', 'Microsoft.XMLHTTP',
+'User-Agent', # sample from @ozhermit: http://pastebin.com/MPc3iV6z
+),
 'May download files from the Internet using PowerShell':
 #sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/
 ('New-Object System.Net.WebClient', 'DownloadFile'),
-- 
libgit2 0.21.4
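Review bot: The new `'User-Agent'` entry in the second hunk is a much weaker indicator than its siblings, because setting that header shows up in any VBA HTTP client code (POST/upload, REST calls, proxy checks), not only in code that downloads files, yet it is reported under the same "May download files from the Internet" label as URLDownloadToFileA. Analysts reading the olevba summary will now get that verdict for macros that never fetch anything, so the entry should at least carry a caveat and ideally its own category, e.g. `'May perform HTTP requests (sets a User-Agent header)': ('User-Agent',),` with the comment `# weak indicator: any HTTP request may set this, not only downloads`. The pastebin URL cited as the sample is also not a durable reference; recording a hash or a short description of the sample next to it would keep the rationale reproducible. How the keywords are matched (substring, case sensitivity) is defined outside this hunk, so the false-positive surface may be wider still if matching is case-insensitive — worth confirming. The `SUSPICIOUS_KEYWORDS` dict starts before and continues past this hunk.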