Commit 9f16427f03c30dc61b503b3591ea46aa7ff3ba51

Authored by Philippe Lagadec
1 parent 75259a45

olevba: added suspicious keyword suggested by @ozhermit

Showing 1 changed file with 5 additions and 2 deletions
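--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -136,8 +136,9 @@ https://github.com/unixfreak0037/officeparser
 # various data offsets (issue #12)
 # - improved detection of MSO files, avoiding incorrect
 # parsing errors (issue #7)
+# 2015-05-29 v0.30 PL: - added suspicious keywords suggested by @ozhermit
 
-__version__ = '0.29'
+__version__ = '0.30'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -305,7 +306,9 @@ SUSPICIOUS_KEYWORDS = {
 ('Lib',),
 'May download files from the Internet':
 #TODO: regex to find urlmon+URLDownloadToFileA on same line
-('URLDownloadToFileA', 'Msxml2.XMLHTTP', 'Microsoft.XMLHTTP'),
+('URLDownloadToFileA', 'Msxml2.XMLHTTP', 'Microsoft.XMLHTTP',
+'User-Agent', # sample from @ozhermit: http://pastebin.com/MPc3iV6z
+),
 'May download files from the Internet using PowerShell':
 #sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/
 ('New-Object System.Net.WebClient', 'DownloadFile'),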
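Review bot: The 'User-Agent' entry added at new line 310 is a much weaker indicator than its neighbours in the 'May download files from the Internet' tuple, which are API and COM object names, so it will also flag benign macros that merely set an HTTP header; the keyword scanner is outside this hunk, but if it is a plain substring match the false-positive rate of this category will rise noticeably. The trailing comment only points at a pastebin URL, which leaves no durable rationale once the paste disappears. I would state the reasoning in the comment itself, e.g. `'User-Agent', # low-confidence: HTTP header set by hand in a downloader macro (sample from @ozhermit, pastebin MPc3iV6z)`, or place the keyword in a separate lower-severity category so analysts can weigh it apart from the API-name hits. The SUSPICIOUS_KEYWORDS dict begins and ends outside this hunk on both sides.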