Commit b9b9af8c8df3d31907bcfb84db179e04ab756bb7
1 parent
0afa36b2
olevba: added keywords to detect self-modifying macros and attempts to disable macro security (issue #221)
Showing
1 changed file
with
10 additions
and
1 deletions
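--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -200,8 +200,10 @@ from __future__ import print_function
 # 2017-11-08 VB: - PR #124 adding user form parsing (Vincent Brillault)
 # 2017-11-17 PL: - fixed a few issues with form parsing
 # 2017-11-20 PL: - fixed issue #219, do not close the file too early
+# 2017-11-24 PL: - added keywords to detect self-modifying macros and
+#                  attempts to disable macro security (issue #221)
 
-__version__ = '0.52dev5'
+__version__ = '0.52dev7'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -667,6 +669,13 @@ SUSPICIOUS_KEYWORDS = {
     'May detect WinJail Sandbox':
         # ref: http://www.cplusplus.com/forum/windows/96874/
         ('Afx:400000:0',),
+    'May attempt to disable VBA macro security and Protected View':
+        # ref: http://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/
+        # ref: https://thehackernews.com/2017/11/ms-office-macro-malware.html
+        ('AccessVBOM', 'VBAWarnings', 'ProtectedView', 'DisableAttachementsInPV', 'DisableInternetFilesInPV',
+         'DisableUnsafeLocationsInPV', 'blockcontentexecutionfrominternet'),
+    'May attempt to modify the VBA code (self-modification)':
+        ('VBProject', 'VBComponents', 'CodeModule', 'AddFromString'),
 }
 
 # Regular Expression for a URL: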
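Review bot: The last keyword of the new 'May attempt to disable VBA macro security and Protected View' entry, `'blockcontentexecutionfrominternet'`, is all lowercase while every sibling keeps the mixed case of the Office registry value it names, so it only fires if the keyword matching in detect_suspicious (outside this hunk) is case-insensitive; if it is, the entry should be cased like the others for consistency, and if it is not, this keyword will never match the value as macros actually spell it. The SUSPICIOUS_KEYWORDS dict itself starts before the hunk, so I cannot see how the tuples are consumed here. A short comment above the first tuple would also help the next maintainer, e.g. `# names of Office security/Protected View registry values; a macro that references them is likely trying to weaken those settings`. Be aware that 'VBProject', 'VBComponents' and 'CodeModule' are also used by legitimate developer and add-in macros, so the self-modification entry will produce some benign hits; a note to that effect on the entry would set expectations for analysts reading the report.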