Commit be1d483055898fc16720dec82e18e310cfe318dc

Authored by Philippe Lagadec
1 parent 782a5267

olevba: removed .application from the list of executable extensions, scan reversed hex strings

Showing 1 changed file with 7 additions and 5 deletions
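--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -104,7 +104,7 @@ https://github.com/unixfreak0037/officeparser
 # - added option -i to analyze VBA source code directly
 # 2015-01-17 v0.17 PL: - removed .com from the list of executable extensions
 # - added scan_vba to run all detection algorithms
-# - decoded hex strings are now also scanned
+# - decoded hex strings are now also scanned + reversed
 
 __version__ = '0.17'
 
@@ -114,7 +114,6 @@ __version__ = '0.17'
 # + setup logging (common with other oletools)
 
 # TODO later:
-# + append decoded hex strings to VBA code, in order to detect IOCs and suspicious keywords
 # + do not show hex strings by default (add option --hex)
 # + performance improvement: instead of searching each keyword separately,
 # first split vba code into a list of words (per line), then check each
@@ -251,8 +250,8 @@ RE_PATTERNS = (
 ('IPv4 address', re.compile(r"\b(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\b")),
 ('E-mail address', re.compile(r'(?i)\b[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+(?:[A-Z]{2,12}|XN--[A-Z0-9]{4,18})\b')),
 # ('Domain name', re.compile(r'(?=^.{1,254}$)(^(?:(?!\d+\.|-)[a-zA-Z0-9_\-]{1,63}(?<!-)\.?)+(?:[a-zA-Z]{2,})$)')),
- # Executable file name with known extensions (except .com which is present in many URLs):
- ("Executable file name", re.compile(r"(?i)\b\w+\.(EXE|PIF|APPLICATION|GADGET|MSI|MSP|MSC|VB|VBS|JS|VBE|JSE|WS|WSF|WSC|WSH|BAT|CMD|DLL|SCR|HTA|CPL|CLASS|JAR|PS1|PS1XML|PS2|PS2XML|PSC1|PSC2|SCF|LNK|INF|REG)\b")),
+ # Executable file name with known extensions (except .com which is present in many URLs, and .application):
+ ("Executable file name", re.compile(r"(?i)\b\w+\.(EXE|PIF|GADGET|MSI|MSP|MSC|VB|VBS|JS|VBE|JSE|WS|WSF|WSC|WSH|BAT|CMD|DLL|SCR|HTA|CPL|CLASS|JAR|PS1|PS1XML|PS2|PS2XML|PSC1|PSC2|SCF|LNK|INF|REG)\b")),
 # Sources: http://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows/
 #TODO: https://support.office.com/en-us/article/Blocked-attachments-in-Outlook-3811cddc-17c3-4279-a30c-060ba0207372#__attachment_file_types
 #('Hex string', re.compile(r'(?:[0-9A-Fa-f]{2}){4,}')),
@@ -901,7 +900,9 @@ def scan_vba(vba_code):
 # Then append the decoded strings to the VBA code, to detect obfuscated IOCs and keywords:
 for encoded, decoded in hex_strings:
 vba_code += '\n'+decoded
- #TODO: also add reverse strings (before and after decoding), for StrReverse obfuscation
+ #TODO: also add reverse strings (before and after decoding), for StrReverse obfuscation
+ #TODO: only do it if StrReverse found in code?
+ vba_code += '\n'+decoded[::-1]
 autoexec_keywords = detect_autoexec(vba_code)
 suspicious_keywords = detect_suspicious(vba_code)
 # If hex-encoded strings were discovered, add an item to suspicious keywords:
@@ -1230,6 +1231,7 @@ def process_file_triage (container, filename, data):
 for (subfilename, stream_path, vba_filename, vba_code) in vba.extract_macros():
 nb_macros += 1
 if vba_code.strip() != '':
+ #TODO: same changes as scan_vba, or modify scan_vba to return these counts
 nb_autoexec += len(detect_autoexec(vba_code))
 nb_suspicious += len(detect_suspicious(vba_code))
 nb_iocs += len(detect_patterns(vba_code))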
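Review bot: The new `vba_code += '\n'+decoded[::-1]` at line 905 of the scan_vba hunk reverses only the decoded hex strings, so a cleartext literal reversed with StrReverse, or a hex string that was reversed before decoding, still reaches detect_autoexec/detect_suspicious/detect_patterns unreversed; the TODO the commit keeps on line 903 already lists the "before decoding" case as open. The reversed copy is appended to vba_code before the detectors run, so presumably a hit on it is reported like any other hit with no indication that it came from a reversed string — worth a comment next to the new line, e.g. `# StrReverse obfuscation: also scan the reversed decoded hex string (plain reversed literals are not covered here)`. The last hunk's TODO in process_file_triage records that the triage path applies neither the hex decoding nor this reversal, so triage counts and full-analysis results can disagree on the same file. scan_vba starts and ends outside the hunk.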