Commit da3d95e679343fbe59c1e3a7eb4e723711b3e770
1 parent
e7748962
olevba: added detection of ExecuteExcel4Macro (issue #374), fixed false positive detection of backspace chars (issue #358)
Showing
1 changed file
with
7 additions
and
3 deletions
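--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -216,7 +216,7 @@ from __future__ import print_function
 # 2019-03-18 PL: - added XLM/XLF macros detection for Excel OLE files
 # 2019-03-25 CH: - added decryption of password-protected files
 
-__version__ = '0.54dev13'
+__version__ = '0.54dev14'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -652,7 +652,7 @@ SUSPICIOUS_KEYWORDS = {
 # ShellExecute: https://twitter.com/StanHacked/status/1075088449768693762
 'May run an executable file or a system command':
 ('Shell', 'vbNormal', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus',
-'vbMinimizedNoFocus', 'WScript.Shell', 'Run', 'ShellExecute'),
+'vbMinimizedNoFocus', 'WScript.Shell', 'Run', 'ShellExecute', 'ShellExecuteA', 'shell32'),
 # MacScript: see https://msdn.microsoft.com/en-us/library/office/gg264812.aspx
 'May run an executable file or a system command on a Mac':
 ('MacScript',),
@@ -685,6 +685,8 @@ SUSPICIOUS_KEYWORDS = {
 ('New-Object',),
 'May run an application (if combined with CreateObject)':
 ('Shell.Application',),
+'May run an Excel 4 Macro (aka XLM/XLF)':
+('ExecuteExcel4Macro',),
 'May enumerate application windows (if combined with Shell.Application object)':
 ('Windows', 'FindWindow'),
 'May run code from a DLL':
@@ -2115,7 +2117,9 @@ def detect_suspicious(vba_code, obfuscation=None):
 for description, keywords in SUSPICIOUS_KEYWORDS_NOREGEX.items():
 for keyword in keywords:
 if keyword.lower() in vba_code:
-results.append((keyword, description + obf_text))
+# avoid reporting backspace chars out of plain VBA code:
+if not(keyword=='\b' and obfuscation is not None):
+results.append((keyword, description + obf_text))
 return results
 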
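Review bot: The backspace exclusion in the detect_suspicious hunk is written as a negated compound condition nested under the substring test, so the intent (skip the '\b' keyword when the text being scanned was decoded from an obfuscation layer rather than taken from plain VBA source) is harder to read than a guard, and the `in vba_code` scan still runs for a keyword that will then be discarded. Consider `if keyword == '\b' and obfuscation is not None: continue` placed before `if keyword.lower() in vba_code:`, which keeps the append at its original depth. The comment could then read `# a literal backspace is only a meaningful indicator in plain VBA source; in decoded (obfuscated) text it produces false positives`. detect_suspicious begins before this hunk and the hunk's last context line is elided on the page, so the loop setup and the origin of obf_text are inferred rather than visible here.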