Commit a42f5500823187d9583b645fb053bac3f9909591
1 parent
dcce7d95
adjust CALL and REGISTER command detections to avoid false positives
Showing
1 changed file
with
10 additions
and
6 deletions
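--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -634,7 +634,7 @@ AUTOEXEC_KEYWORDS = {
     'Runs when the Excel Workbook is closed':
         ('Auto_Close', 'Workbook_Close'),
     #Worksheet_Calculate to Autoexec: see http://www.certego.net/en/news/advanced-vba-macros/
-    'May runs when an Excel WorkSheet is open':
+    'May run when an Excel WorkSheet is opened':
         ('Worksheet_Calculate',),
 }
 
@@ -713,10 +713,8 @@ SUSPICIOUS_KEYWORDS = {
         'invoke-command', 'scriptblock', 'Invoke-Expression', 'AuthorizationManager'),
     'May run an executable file or a system command using PowerShell':
         ('Start-Process',),
-    'May run an executable file or a system command using Excel 4 Macros (XLM/XLF)':
-        ('EXEC',),
     'May call a DLL using Excel 4 Macros (XLM/XLF)':
-        ('REGISTER', 'CALL'),
+        ('CALL',),
     'May hide the application':
         ('Application.Visible', 'ShowWindow', 'SW_HIDE'),
     'May create a directory':
@@ -745,8 +743,6 @@ SUSPICIOUS_KEYWORDS = {
     'May run code from a library on a Mac':
         #TODO: regex to find declare+lib on same line - see mraptor
         ('libc.dylib', 'dylib'),
-    'May run code from a DLL using Excel 4 Macros (XLM/XLF)':
-        ('REGISTER',),
     'May inject code into another process':
         ('CreateThread', 'CreateUserThread', 'VirtualAlloc', # (issue #9) suggested by Davy Douhine - used by MSF payload
         'VirtualAllocEx', 'RtlMoveMemory', 'WriteProcessMemory',
@@ -829,6 +825,14 @@ SUSPICIOUS_KEYWORDS_REGEX = {
         ),
     'May run an executable file or a system command on a Mac (if combined with libc.dylib)':
         ('system', 'popen', r'exec[lv][ep]?'),
+    'May run an executable file or a system command using Excel 4 Macros (XLM/XLF)':
+        (r'(?<!Could contain following functions: )EXEC',),
+    'Could contain a function that allows to run an executable file or a system command using Excel 4 Macros (XLM/XLF)':
+        (r'Could contain following functions: EXEC',),
+    'May call a DLL using Excel 4 Macros (XLM/XLF)':
+        (r'(?<!Could contain following functions: )REGISTER',),
+    'Could contain a function that allows to call a DLL using Excel 4 Macros (XLM/XLF)':
+        (r'Could contain following functions: REGISTER',),
 }
 
 # Suspicious Keywords to be searched for directly as strings, without regex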
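Review bot: The negative lookbehind in the new `EXEC` and `REGISTER` patterns only suppresses a name that sits immediately after the literal prefix `Could contain following functions: `, so a summary line that lists several names (for example `Could contain following functions: CALL, EXEC`) still reports `EXEC` as a real execution primitive, which is the false positive this commit is meant to remove. If the regex table is matched case-insensitively and word-bounded (not visible in this hunk, but the comment on the last line implies the non-regex table is the only one using plain substring search), `EXEC` would also fire on a VBA `.Exec(` call and be labelled as an Excel 4 macro, which is misleading to an analyst triaging the report. A minimal patch is to also exclude the list-separator case, `(r'(?<!Could contain following functions: )(?<!, )EXEC',)` and likewise for `REGISTER`, though it is more robust to drop the `Could contain following functions:` summary line from the scanned text before keyword matching and leave the two "Could contain a function ..." entries as the only detections on it. The `SUSPICIOUS_KEYWORDS_REGEX` dict these entries belong to starts before the hunk.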