Commit ac8bddb77eecc3cc043f82bdc88fbff6700ba8af
1 parent
ab1ba65e
olevba: display VBA obfuscation flag in triage mode
Showing
1 changed file
with
15 additions
and
10 deletions
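--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -1497,12 +1497,12 @@ class VBA_Scanner(object):
 such as hex-encoded strings.
 
 :return: tuple with the number of items found for each category:
-(autoexec, suspicious, IOCs, hex, base64, dridex)
+(autoexec, suspicious, IOCs, hex, base64, dridex, vba)
 """
 self.scan()
 return (len(self.autoexec_keywords), len(self.suspicious_keywords),
 len(self.iocs), len(self.hex_strings), len(self.base64_strings),
-len(self.dridex_strings))
+len(self.dridex_strings), len(self.vba_strings))
 
 
 def scan_vba(vba_code, include_decoded_strings):
@@ -1925,6 +1925,7 @@ def process_file_triage(container, filename, data):
 nb_hexstrings = 0
 nb_base64strings = 0
 nb_dridexstrings = 0
+nb_vbastrings = 0
 # ftype = 'Other'
 message = ''
 try:
@@ -1936,13 +1937,14 @@ def process_file_triage(container, filename, data):
 if vba_code.strip() != '':
 # analyse the whole code, filtered to avoid false positives:
 scanner = VBA_Scanner(filter_vba(vba_code))
-autoexec, suspicious, iocs, hexstrings, base64strings, dridex = scanner.scan_summary()
+autoexec, suspicious, iocs, hexstrings, base64strings, dridex, vbastrings = scanner.scan_summary()
 nb_autoexec += autoexec
 nb_suspicious += suspicious
 nb_iocs += iocs
 nb_hexstrings += hexstrings
 nb_base64strings += base64strings
 nb_dridexstrings += dridex
+nb_vbastrings += vbastrings
 if vba.type == TYPE_OLE:
 flags = 'OLE:'
 elif vba.type == TYPE_OpenXML:
@@ -1951,7 +1953,7 @@ def process_file_triage(container, filename, data):
 flags = 'XML:'
 elif vba.type == TYPE_MHTML:
 flags = 'MHT:'
-macros = autoexec = suspicious = iocs = hexstrings = base64obf = dridex = '-'
+macros = autoexec = suspicious = iocs = hexstrings = base64obf = dridex = vba_obf = '-'
 if nb_macros: macros = 'M'
 if nb_autoexec: autoexec = 'A'
 if nb_suspicious: suspicious = 'S'
@@ -1959,8 +1961,9 @@ def process_file_triage(container, filename, data):
 if nb_hexstrings: hexstrings = 'H'
 if nb_base64strings: base64obf = 'B'
 if nb_dridexstrings: dridex = 'D'
-flags += '%s%s%s%s%s%s%s' % (macros, autoexec, suspicious, iocs, hexstrings,
-base64obf, dridex)
+if nb_vbastrings: vba_obf = 'V'
+flags += '%s%s%s%s%s%s%s%s' % (macros, autoexec, suspicious, iocs, hexstrings,
+base64obf, dridex, vba_obf)
 
 # macros = autoexec = suspicious = iocs = hexstrings = 'no'
 # if nb_macros: macros = 'YES:%d' % nb_macros
@@ -1981,7 +1984,7 @@ def process_file_triage(container, filename, data):
 #TODO: distinguish real errors from incorrect file types
 flags = '!ERROR'
 message = sys.exc_value
-line = '%-11s %s' % (flags, filename)
+line = '%-12s %s' % (flags, filename)
 if message:
 line += ' - %s' % message
 print line
@@ -2059,8 +2062,8 @@ def main():
 # print '%-8s %-7s %-7s %-7s %-7s %-7s' % ('Type', 'Macros', 'AutoEx', 'Susp.', 'IOCs', 'HexStr')
 # print '%-8s %-7s %-7s %-7s %-7s %-7s' % ('-'*8, '-'*7, '-'*7, '-'*7, '-'*7, '-'*7)
 if not options.detailed_mode or options.triage_mode:
-print '%-11s %-65s' % ('Flags', 'Filename')
-print '%-11s %-65s' % ('-' * 11, '-' * 65)
+print '%-12s %-65s' % ('Flags', 'Filename')
+print '%-12s %-65s' % ('-' * 11, '-' * 65)
 previous_container = None
 count = 0
 container = filename = data = None
@@ -2082,7 +2085,9 @@ def main():
 process_file_triage(container, filename, data)
 count += 1
 if not options.detailed_mode or options.triage_mode:
-print '\n(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)\n'
+print '\n(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, ' \
+'A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, ' \
+'B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)\n'
 
 if count == 1 and not options.triage_mode and not options.detailed_mode:
 # if options -t and -d were not specified and it's a single file, print details: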
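Review bot: The underline in main() no longer matches the widened Flags column: the header format was changed to `%-12s` but the dash row still draws eleven dashes, so `print '%-12s %-65s' % ('-' * 11, '-' * 65)` should become `print '%-12s %-65s' % ('-' * 12, '-' * 65)` to line up with the new eight-character flag string plus its type prefix. scan_summary() now returns a seven-tuple; only process_file_triage is updated here, so any other caller unpacking six values would raise ValueError at runtime — worth checking the rest of the file before merging, since those callers are outside this diff. The new tuple element also presumes VBA_Scanner.scan() populates self.vba_strings, which is not visible in this diff; a short note in the scan_summary docstring saying what "vba" counts (e.g. `vba: count of obfuscated strings decoded from VBA expressions`, adjusted to match scan()) would help readers of the triage flag legend. The bodies of scan_summary, process_file_triage and main all start and end outside the hunks shown.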