Commit ac8bddb77eecc3cc043f82bdc88fbff6700ba8af
1 parent
ab1ba65e
olevba: display VBA obfuscation flag in triage mode
Showing
1 changed file
with
15 additions
and
10 deletions
oletools/olevba.py
| @@ -1497,12 +1497,12 @@ class VBA_Scanner(object): | @@ -1497,12 +1497,12 @@ class VBA_Scanner(object): | ||
| 1497 | such as hex-encoded strings. | 1497 | such as hex-encoded strings. |
| 1498 | 1498 | ||
| 1499 | :return: tuple with the number of items found for each category: | 1499 | :return: tuple with the number of items found for each category: |
| 1500 | - (autoexec, suspicious, IOCs, hex, base64, dridex) | 1500 | + (autoexec, suspicious, IOCs, hex, base64, dridex, vba) |
| 1501 | """ | 1501 | """ |
| 1502 | self.scan() | 1502 | self.scan() |
| 1503 | return (len(self.autoexec_keywords), len(self.suspicious_keywords), | 1503 | return (len(self.autoexec_keywords), len(self.suspicious_keywords), |
| 1504 | len(self.iocs), len(self.hex_strings), len(self.base64_strings), | 1504 | len(self.iocs), len(self.hex_strings), len(self.base64_strings), |
| 1505 | - len(self.dridex_strings)) | 1505 | + len(self.dridex_strings), len(self.vba_strings)) |
| 1506 | 1506 | ||
| 1507 | 1507 | ||
| 1508 | def scan_vba(vba_code, include_decoded_strings): | 1508 | def scan_vba(vba_code, include_decoded_strings): |
| @@ -1925,6 +1925,7 @@ def process_file_triage(container, filename, data): | @@ -1925,6 +1925,7 @@ def process_file_triage(container, filename, data): | ||
| 1925 | nb_hexstrings = 0 | 1925 | nb_hexstrings = 0 |
| 1926 | nb_base64strings = 0 | 1926 | nb_base64strings = 0 |
| 1927 | nb_dridexstrings = 0 | 1927 | nb_dridexstrings = 0 |
| 1928 | + nb_vbastrings = 0 | ||
| 1928 | # ftype = 'Other' | 1929 | # ftype = 'Other' |
| 1929 | message = '' | 1930 | message = '' |
| 1930 | try: | 1931 | try: |
| @@ -1936,13 +1937,14 @@ def process_file_triage(container, filename, data): | @@ -1936,13 +1937,14 @@ def process_file_triage(container, filename, data): | ||
| 1936 | if vba_code.strip() != '': | 1937 | if vba_code.strip() != '': |
| 1937 | # analyse the whole code, filtered to avoid false positives: | 1938 | # analyse the whole code, filtered to avoid false positives: |
| 1938 | scanner = VBA_Scanner(filter_vba(vba_code)) | 1939 | scanner = VBA_Scanner(filter_vba(vba_code)) |
| 1939 | - autoexec, suspicious, iocs, hexstrings, base64strings, dridex = scanner.scan_summary() | 1940 | + autoexec, suspicious, iocs, hexstrings, base64strings, dridex, vbastrings = scanner.scan_summary() |
| 1940 | nb_autoexec += autoexec | 1941 | nb_autoexec += autoexec |
| 1941 | nb_suspicious += suspicious | 1942 | nb_suspicious += suspicious |
| 1942 | nb_iocs += iocs | 1943 | nb_iocs += iocs |
| 1943 | nb_hexstrings += hexstrings | 1944 | nb_hexstrings += hexstrings |
| 1944 | nb_base64strings += base64strings | 1945 | nb_base64strings += base64strings |
| 1945 | nb_dridexstrings += dridex | 1946 | nb_dridexstrings += dridex |
| 1947 | + nb_vbastrings += vbastrings | ||
| 1946 | if vba.type == TYPE_OLE: | 1948 | if vba.type == TYPE_OLE: |
| 1947 | flags = 'OLE:' | 1949 | flags = 'OLE:' |
| 1948 | elif vba.type == TYPE_OpenXML: | 1950 | elif vba.type == TYPE_OpenXML: |
| @@ -1951,7 +1953,7 @@ def process_file_triage(container, filename, data): | @@ -1951,7 +1953,7 @@ def process_file_triage(container, filename, data): | ||
| 1951 | flags = 'XML:' | 1953 | flags = 'XML:' |
| 1952 | elif vba.type == TYPE_MHTML: | 1954 | elif vba.type == TYPE_MHTML: |
| 1953 | flags = 'MHT:' | 1955 | flags = 'MHT:' |
| 1954 | - macros = autoexec = suspicious = iocs = hexstrings = base64obf = dridex = '-' | 1956 | + macros = autoexec = suspicious = iocs = hexstrings = base64obf = dridex = vba_obf = '-' |
| 1955 | if nb_macros: macros = 'M' | 1957 | if nb_macros: macros = 'M' |
| 1956 | if nb_autoexec: autoexec = 'A' | 1958 | if nb_autoexec: autoexec = 'A' |
| 1957 | if nb_suspicious: suspicious = 'S' | 1959 | if nb_suspicious: suspicious = 'S' |
| @@ -1959,8 +1961,9 @@ def process_file_triage(container, filename, data): | @@ -1959,8 +1961,9 @@ def process_file_triage(container, filename, data): | ||
| 1959 | if nb_hexstrings: hexstrings = 'H' | 1961 | if nb_hexstrings: hexstrings = 'H' |
| 1960 | if nb_base64strings: base64obf = 'B' | 1962 | if nb_base64strings: base64obf = 'B' |
| 1961 | if nb_dridexstrings: dridex = 'D' | 1963 | if nb_dridexstrings: dridex = 'D' |
| 1962 | - flags += '%s%s%s%s%s%s%s' % (macros, autoexec, suspicious, iocs, hexstrings, | ||
| 1963 | - base64obf, dridex) | 1964 | + if nb_vbastrings: vba_obf = 'V' |
| 1965 | + flags += '%s%s%s%s%s%s%s%s' % (macros, autoexec, suspicious, iocs, hexstrings, | ||
| 1966 | + base64obf, dridex, vba_obf) | ||
| 1964 | 1967 | ||
| 1965 | # macros = autoexec = suspicious = iocs = hexstrings = 'no' | 1968 | # macros = autoexec = suspicious = iocs = hexstrings = 'no' |
| 1966 | # if nb_macros: macros = 'YES:%d' % nb_macros | 1969 | # if nb_macros: macros = 'YES:%d' % nb_macros |
| @@ -1981,7 +1984,7 @@ def process_file_triage(container, filename, data): | @@ -1981,7 +1984,7 @@ def process_file_triage(container, filename, data): | ||
| 1981 | #TODO: distinguish real errors from incorrect file types | 1984 | #TODO: distinguish real errors from incorrect file types |
| 1982 | flags = '!ERROR' | 1985 | flags = '!ERROR' |
| 1983 | message = sys.exc_value | 1986 | message = sys.exc_value |
| 1984 | - line = '%-11s %s' % (flags, filename) | 1987 | + line = '%-12s %s' % (flags, filename) |
| 1985 | if message: | 1988 | if message: |
| 1986 | line += ' - %s' % message | 1989 | line += ' - %s' % message |
| 1987 | print line | 1990 | print line |
| @@ -2059,8 +2062,8 @@ def main(): | @@ -2059,8 +2062,8 @@ def main(): | ||
| 2059 | # print '%-8s %-7s %-7s %-7s %-7s %-7s' % ('Type', 'Macros', 'AutoEx', 'Susp.', 'IOCs', 'HexStr') | 2062 | # print '%-8s %-7s %-7s %-7s %-7s %-7s' % ('Type', 'Macros', 'AutoEx', 'Susp.', 'IOCs', 'HexStr') |
| 2060 | # print '%-8s %-7s %-7s %-7s %-7s %-7s' % ('-'*8, '-'*7, '-'*7, '-'*7, '-'*7, '-'*7) | 2063 | # print '%-8s %-7s %-7s %-7s %-7s %-7s' % ('-'*8, '-'*7, '-'*7, '-'*7, '-'*7, '-'*7) |
| 2061 | if not options.detailed_mode or options.triage_mode: | 2064 | if not options.detailed_mode or options.triage_mode: |
| 2062 | - print '%-11s %-65s' % ('Flags', 'Filename') | ||
| 2063 | - print '%-11s %-65s' % ('-' * 11, '-' * 65) | 2065 | + print '%-12s %-65s' % ('Flags', 'Filename') |
| 2066 | + print '%-12s %-65s' % ('-' * 11, '-' * 65) | ||
| 2064 | previous_container = None | 2067 | previous_container = None |
| 2065 | count = 0 | 2068 | count = 0 |
| 2066 | container = filename = data = None | 2069 | container = filename = data = None |
| @@ -2082,7 +2085,9 @@ def main(): | @@ -2082,7 +2085,9 @@ def main(): | ||
| 2082 | process_file_triage(container, filename, data) | 2085 | process_file_triage(container, filename, data) |
| 2083 | count += 1 | 2086 | count += 1 |
| 2084 | if not options.detailed_mode or options.triage_mode: | 2087 | if not options.detailed_mode or options.triage_mode: |
| 2085 | - print '\n(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)\n' | 2088 | + print '\n(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, ' \ |
| 2089 | + 'A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, ' \ | ||
| 2090 | + 'B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)\n' | ||
| 2086 | 2091 | ||
| 2087 | if count == 1 and not options.triage_mode and not options.detailed_mode: | 2092 | if count == 1 and not options.triage_mode and not options.detailed_mode: |
| 2088 | # if options -t and -d were not specified and it's a single file, print details: | 2093 | # if options -t and -d were not specified and it's a single file, print details: |