Commit da3d95e679343fbe59c1e3a7eb4e723711b3e770
1 parent
e7748962
olevba: added detection of ExecuteExcel4Macro (issue #374), fixed false positive detection of backspace chars (issue #358)
Showing
1 changed file
with
7 additions
and
3 deletions
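--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -216,7 +216,7 @@ from __future__ import print_function
 # 2019-03-18 PL: - added XLM/XLF macros detection for Excel OLE files
 # 2019-03-25 CH: - added decryption of password-protected files
 
-__version__ = '0.54dev13'
+__version__ = '0.54dev14'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -652,7 +652,7 @@ SUSPICIOUS_KEYWORDS = {
 # ShellExecute: https://twitter.com/StanHacked/status/1075088449768693762
 'May run an executable file or a system command':
 ('Shell', 'vbNormal', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus',
-'vbMinimizedNoFocus', 'WScript.Shell', 'Run', 'ShellExecute'),
+'vbMinimizedNoFocus', 'WScript.Shell', 'Run', 'ShellExecute', 'ShellExecuteA', 'shell32'),
 # MacScript: see https://msdn.microsoft.com/en-us/library/office/gg264812.aspx
 'May run an executable file or a system command on a Mac':
 ('MacScript',),
@@ -685,6 +685,8 @@ SUSPICIOUS_KEYWORDS = {
 ('New-Object',),
 'May run an application (if combined with CreateObject)':
 ('Shell.Application',),
+'May run an Excel 4 Macro (aka XLM/XLF)':
+('ExecuteExcel4Macro',),
 'May enumerate application windows (if combined with Shell.Application object)':
 ('Windows', 'FindWindow'),
 'May run code from a DLL':
@@ -2115,7 +2117,9 @@ def detect_suspicious(vba_code, obfuscation=None):
 for description, keywords in SUSPICIOUS_KEYWORDS_NOREGEX.items():
 for keyword in keywords:
 if keyword.lower() in vba_code:
-results.append((keyword, description + obf_text))
+# avoid reporting backspace chars out of plain VBA code:
+if not(keyword=='\b' and obfuscation is not None):
+results.append((keyword, description + obf_text))
 return results
 
 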
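Review bot: The backspace suppression in the `detect_suspicious` hunk is a one-off special case keyed on the string literal `'\b'` inside the generic NOREGEX loop, and the substring scan `keyword.lower() in vba_code` on the line above still runs for a keyword whose hit is then discarded. A guard clause before the membership test is clearer and skips that scan: `if keyword == '\b' and obfuscation is not None:` / `    continue  # backspace chars are only reported for plain VBA source, not for decoded/deobfuscated text`, leaving the original `if ... in vba_code: results.append(...)` untouched (if the current shape is kept, `not(` should at least be `not (`). Longer term a per-entry "plain source only" marker in SUSPICIOUS_KEYWORDS_NOREGEX would keep the rule next to the keyword it governs rather than in the matching loop, though that table is not visible here so I cannot say how it is keyed. The `def detect_suspicious(...)` line, `results` and `obf_text` all sit above the hunk, so the enclosing function starts outside it.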