From b933bc98eea3aedced9baeaa17e616178c301a75 Mon Sep 17 00:00:00 2001
From: Philippe Lagadec
Date: Thu, 25 Dec 2014 16:35:28 +0100
Subject: [PATCH] olevba: improved auto-executable macros detection with regex

---
 oletools/olevba.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/oletools/olevba.py b/oletools/olevba.py
index e2392cc..6c4c8fc 100644
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -746,13 +746,16 @@ def detect_autoexec(vba_code):
     :param vba_code: str, VBA source code
     :return: list of str tuples (keyword, description)
     """
-    #TODO: use regex to find keywords with word boundaries
+    #TODO: merge code with detect_suspicious
     # case-insensitive search
-    vba_code = vba_code.lower()
+    #vba_code = vba_code.lower()
     results = []
     for description, keywords in AUTOEXEC_KEYWORDS.items():
         for keyword in keywords:
-            if keyword.lower() in vba_code:
+            #TODO: if keyword is already a compiled regex, use it as-is
+            # search using regex to detect word boundaries:
+            if re.search(r'(?i)\b'+keyword+r'\b', vba_code):
+                #if keyword.lower() in vba_code:
                 results.append((keyword, description))
     return results
 
@@ -765,12 +768,12 @@ def detect_suspicious(vba_code):
     :param vba_code: str, VBA source code
     :return: list of str tuples (keyword, description)
     """
-    #TODO: use regex to find keywords with word boundaries
     # case-insensitive search
     #vba_code = vba_code.lower()
     results = []
     for description, keywords in SUSPICIOUS_KEYWORDS.items():
         for keyword in keywords:
+            # search using regex to detect word boundaries:
             if re.search(r'(?i)\b'+keyword+r'\b', vba_code):
                 #if keyword.lower() in vba_code:
                 results.append((keyword, description))
-- 
libgit2 0.21.4
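Review bot: The new `re.search(r'(?i)\b'+keyword+r'\b', vba_code)` in detect_autoexec interpolates each keyword into the pattern unescaped, so any entry of AUTOEXEC_KEYWORDS that contains a regex metacharacter (a `.`, `(` or `$`, for instance) is read as pattern syntax and will either match more than the literal keyword or raise `re.error` and abort the whole scan; the same construct sits in the unchanged context line of the detect_suspicious hunk. For plain-string keywords the robust form is `if re.search(r'(?i)\b' + re.escape(keyword) + r'\b', vba_code):`, and the TODO about pre-compiled regexes suggests branching on whether the keyword has a `search` method and calling `keyword.search(vba_code)` directly in that case. The commented-out `#if keyword.lower() in vba_code:` left inside the new `if` body is dead code and can be dropped now that the comment above documents the regex search. The body of detect_autoexec starts before this hunk.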