Commit da46fb84b5d596d5e335623a5baf7cebf062ad89
1 parent
ed936e16
olevba: updated suspicious keywords
Showing
1 changed file
with
2 additions
and
2 deletions
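--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -169,7 +169,7 @@ https://github.com/unixfreak0037/officeparser
 # 2016-04-19 v0.46 PL: - new option --deobf instead of --no-deobfuscate
 # - updated suspicious keywords
 
-__version__ = '0.46'
+__version__ = '0.47'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -373,7 +373,7 @@ SUSPICIOUS_KEYWORDS = {
 #ADODB.Stream sample: http://pastebin.com/Z4TMyuq6
 'May run an executable file or a system command':
 ('Shell', 'vbNormal', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus',
- 'vbMinimizedNoFocus', 'WScript.Shell', 'Run'),
+ 'vbMinimizedNoFocus', 'WScript.Shell', 'Run', 'ShellExecute'),
 #Shell: http://msdn.microsoft.com/en-us/library/office/gg278437%28v=office.15%29.aspx
 #WScript.Shell+Run sample: http://pastebin.com/Z4TMyuq6
 'May run PowerShell commands':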
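Review bot: The new 'ShellExecute' entry in the 'May run an executable file or a system command' tuple has no reference comment, while the keywords next to it each have one (`#Shell: ...`, `#WScript.Shell+Run sample: ...`). A line such as `#ShellExecute: method of the Shell.Application object` below the tuple would tell an analyst triaging a hit why the keyword is listed. The first hunk bumps `__version__` to '0.47', but the changelog lines directly above it still end at the v0.46 entry, so an entry like `# <date> v0.47 PL: - added ShellExecute to suspicious keywords` (date is a placeholder) seems to be missing. The SUSPICIOUS_KEYWORDS dict and the changelog header both continue outside the hunks, and the matching code is not shown, so whether the existing 'Shell' keyword already fires on 'ShellExecute' cannot be told from here.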