From da46fb84b5d596d5e335623a5baf7cebf062ad89 Mon Sep 17 00:00:00 2001
From: Philippe Lagadec
Date: Sat, 30 Apr 2016 07:12:40 +0200
Subject: [PATCH] olevba: updated suspicious keywords
---
 oletools/olevba.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/oletools/olevba.py b/oletools/olevba.py
index cd304d0..496b7dc 100755
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -169,7 +169,7 @@ https://github.com/unixfreak0037/officeparser
 # 2016-04-19 v0.46 PL: - new option --deobf instead of --no-deobfuscate
 # - updated suspicious keywords
-__version__ = '0.46'
+__version__ = '0.47'
 #------------------------------------------------------------------------------
 # TODO:
@@ -373,7 +373,7 @@ SUSPICIOUS_KEYWORDS = {
 #ADODB.Stream sample: http://pastebin.com/Z4TMyuq6
 'May run an executable file or a system command':
 ('Shell', 'vbNormal', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus',
- 'vbMinimizedNoFocus', 'WScript.Shell', 'Run'),
+ 'vbMinimizedNoFocus', 'WScript.Shell', 'Run', 'ShellExecute'),
 #Shell: http://msdn.microsoft.com/en-us/library/office/gg278437%28v=office.15%29.aspx
 #WScript.Shell+Run sample: http://pastebin.com/Z4TMyuq6
 'May run PowerShell commands':
-- 
libgit2 0.21.4
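Review bot: The added `'ShellExecute'` keyword in the second hunk covers only the bare API name, whereas VBA macros normally reach it through `Declare Function ShellExecuteA Lib "shell32.dll"` (or the `ShellExecuteW` / `ShellExecuteEx` variants), so if the keyword matcher does whole-word matching those spellings are not flagged. The matcher is outside this hunk and I cannot confirm whether it matches whole words or substrings; if it is whole-word, the tuple should list the variants, e.g. `'vbMinimizedNoFocus', 'WScript.Shell', 'Run', 'ShellExecute', 'ShellExecuteA', 'ShellExecuteW', 'ShellExecuteEx'),`. Either way a one-line comment next to the existing `#Shell:` reference would help, e.g. `#ShellExecute: usually imported via a Declare statement (shell32.dll), A/W/Ex variants`. The SUSPICIOUS_KEYWORDS dict starts before and continues past this hunk.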