Commit ba73ec7efa06c4ee4dcd1cfd8bced5c69373d6e5
1 parent
4d9182e6
change type of strings of vba
Showing
1 changed file
with
12 additions
and
12 deletions
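--- a/oletools/olevba3.py
+++ b/oletools/olevba3.py
@@ -1774,7 +1774,7 @@ def detect_hex_strings(vba_code):
 value = match.group()
 if value not in found:
 decoded = binascii.unhexlify(value)
-results.append((value, decoded))
+results.append((value, decoded.decode('utf-8','replace')))
 found.add(value)
 return results
 
@@ -1799,7 +1799,7 @@ def detect_base64_strings(vba_code):
 if value not in found and value.lower() not in BASE64_WHITELIST:
 try:
 decoded = base64.b64decode(value)
-results.append((value, decoded))
+results.append((value, decoded.decode('utf-8','replace')))
 found.add(value)
 except (TypeError, ValueError) as exc:
 log.debug('Failed to base64-decode (%s)' % exc)
@@ -1959,10 +1959,10 @@ class VBA_Scanner(object):
 """
 # join long lines ending with " _":
 self.code = vba_collapse_long_lines(vba_code)
-self.code_hex = b''
-self.code_hex_rev = b''
-self.code_rev_hex = b''
-self.code_base64 = b''
+self.code_hex = ''
+self.code_hex_rev = ''
+self.code_rev_hex = ''
+self.code_base64 = ''
 self.code_dridex = ''
 self.code_vba = ''
 self.strReverse = None
@@ -1995,19 +1995,19 @@ class VBA_Scanner(object):
 if 'strreverse' in self.code.lower(): self.strReverse = True
 # Then append the decoded strings to the VBA code, to detect obfuscated IOCs and keywords:
 for encoded, decoded in self.hex_strings:
-self.code_hex += b'\n' + decoded
+self.code_hex += '\n' + decoded
 # if the code contains "StrReverse", also append the hex strings in reverse order:
 if self.strReverse:
 # StrReverse after hex decoding:
-self.code_hex_rev += b'\n' + decoded[::-1]
+self.code_hex_rev += '\n' + decoded[::-1]
 # StrReverse before hex decoding:
-self.code_rev_hex += b'\n' + binascii.unhexlify(encoded[::-1])
+self.code_rev_hex += '\n' + str(binascii.unhexlify(encoded[::-1]))
 #example: https://malwr.com/analysis/NmFlMGI4YTY1YzYyNDkwNTg1ZTBiZmY5OGI3YjlhYzU/
 #TODO: also append the full code reversed if StrReverse? (risk of false positives?)
 # Detect Base64-encoded strings
 self.base64_strings = detect_base64_strings(self.code)
 for encoded, decoded in self.base64_strings:
-self.code_base64 += b'\n' + decoded
+self.code_base64 += '\n' + decoded
 # Detect Dridex-encoded strings
 self.dridex_strings = detect_dridex_strings(self.code)
 for encoded, decoded in self.dridex_strings:
@@ -2026,10 +2026,10 @@ class VBA_Scanner(object):
 
 for code, obfuscation in (
 (self.code, None),
-(self.code_hex.decode('utf-8','replace'), 'Hex'),
+(self.code_hex, 'Hex'),
 (self.code_hex_rev, 'Hex+StrReverse'),
 (self.code_rev_hex, 'StrReverse+Hex'),
-(self.code_base64.decode('utf-8', 'replace'), 'Base64'),
+(self.code_base64, 'Base64'),
 (self.code_dridex, 'Dridex'),
 (self.code_vba, 'VBA expression'),
 ):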
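Review bot: In the @@ -1995 hunk, new line 2004 wraps the unhexlified bytes in `str(...)`, which on Python 3 gives the repr (`"b'...'"` with `\x..` escapes) rather than decoded text, so the 'StrReverse+Hex' buffer that line 2031 later scans for keywords and IOCs carries repr noise instead of the reversed-then-decoded characters, and it is inconsistent with the three sibling buffers in this commit that use `.decode('utf-8','replace')`. Suggested change: `self.code_rev_hex += '\n' + binascii.unhexlify(encoded[::-1]).decode('utf-8', 'replace')`. Since detect_hex_strings and detect_base64_strings now return `str` instead of `bytes` in their result tuples, any other caller of those helpers (not visible here) that expected bytes would need the same adjustment. The method containing this loop starts and ends outside the hunk.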