Commit dcce7d95a18b6a4b8aed92585df8b01482a3bf0f
Committed by
Matteo Lodi
1 parent
fa1dfdf9
added several improvements based on our tests: https://www.certego.net/en/news/advanced-vba-macros/
Showing
1 changed file
with
27 additions
and
6 deletions
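--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -633,6 +633,9 @@ AUTOEXEC_KEYWORDS = {
 # TODO: "Auto_Ope" is temporarily here because of a bug in plugin_biff, which misses the last byte in "Auto_Open"...
 'Runs when the Excel Workbook is closed':
 ('Auto_Close', 'Workbook_Close'),
+#Worksheet_Calculate to Autoexec: see http://www.certego.net/en/news/advanced-vba-macros/
+'May runs when an Excel WorkSheet is open':
+('Worksheet_Calculate',),
 }
 
 # Keywords to detect auto-executable macros
@@ -649,15 +652,17 @@ AUTOEXEC_KEYWORDS_REGEX = {
 r'\w+_FileDownload', r'\w+_NavigateComplete2', r'\w+_NavigateError',
 r'\w+_ProgressChange', r'\w+_PropertyChange', r'\w+_SetSecureLockIcon',
 r'\w+_StatusTextChange', r'\w+_TitleChange', r'\w+_MouseMove', r'\w+_MouseEnter',
-r'\w+_MouseLeave', r'\w+_Layout', r'\w+_OnConnecting'),
+r'\w+_MouseLeave', r'\w+_Layout', r'\w+_OnConnecting', r'\w+_FollowHyperlink', r'\w+_ContentControlOnEnter'),
 }
 
 # Suspicious Keywords that may be used by malware
 # See VBA language reference: http://msdn.microsoft.com/en-us/library/office/jj692818%28v=office.15%29.aspx
 SUSPICIOUS_KEYWORDS = {
 #TODO: use regex to support variable whitespaces
+#http://www.certego.net/en/news/advanced-vba-macros/
 'May read system environment variables':
-('Environ',),
+('Environ','Win32_Environment','Environment','ExpandEnvironmentStrings','HKCU\Environment',
+'HKEY_CURRENT_USER\Environment'),
 'May open a file':
 ('Open',),
 'May write to a file (if combined with Open)':
@@ -667,22 +672,35 @@ SUSPICIOUS_KEYWORDS = {
 #TODO: regex to find Open+Binary on same line
 ('Binary',),
 'May copy a file':
-('FileCopy', 'CopyFile'),
+('FileCopy', 'CopyFile','CopyHere','CopyFolder'),
 #FileCopy: http://msdn.microsoft.com/en-us/library/office/gg264390%28v=office.15%29.aspx
 #CopyFile: http://msdn.microsoft.com/en-us/library/office/gg264089%28v=office.15%29.aspx
+#CopyHere, MoveHere, MoveHere and MoveFolder exploitation: see http://www.certego.net/en/news/advanced-vba-macros/
+'May move a file':
+('MoveHere', 'MoveFile', 'MoveFolder'),
 'May delete a file':
 ('Kill',),
 'May create a text file':
 ('CreateTextFile', 'ADODB.Stream', 'WriteText', 'SaveToFile'),
 #CreateTextFile: http://msdn.microsoft.com/en-us/library/office/gg264617%28v=office.15%29.aspx
 #ADODB.Stream sample: http://pastebin.com/Z4TMyuq6
-# ShellExecute: https://twitter.com/StanHacked/status/1075088449768693762
+#ShellExecute: https://twitter.com/StanHacked/status/1075088449768693762
+#InvokeVerb, InvokeVerbEx, DoIt and ControlPanelItem: see http://www.certego.net/en/news/advanced-vba-macros/
+
 'May run an executable file or a system command':
 ('Shell', 'vbNormal', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus',
-'vbMinimizedNoFocus', 'WScript.Shell', 'Run', 'ShellExecute', 'ShellExecuteA', 'shell32'),
+'vbMinimizedNoFocus', 'WScript.Shell', 'Run', 'ShellExecute', 'ShellExecuteA', 'shell32','InvokeVerb','InvokeVerbEx',
+'DoIt'),
+'May run a dll':
+('ControlPanelItem',),
+# Win32_Process.Create https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process
+'May execute file or a system command through WMI':
+('Create',),
+# WMI https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process
 # MacScript: see https://msdn.microsoft.com/en-us/library/office/gg264812.aspx
+# AppleScript: see https://docs.microsoft.com/en-us/office/vba/office-mac/applescripttask
 'May run an executable file or a system command on a Mac':
-('MacScript',),
+('MacScript','AppleScript'),
 #Shell: http://msdn.microsoft.com/en-us/library/office/gg278437%28v=office.15%29.aspx
 #WScript.Shell+Run sample: http://pastebin.com/Z4TMyuq6
 'May run PowerShell commands':
@@ -710,6 +728,9 @@ SUSPICIOUS_KEYWORDS = {
 ('Application.AltStartupPath',),
 'May create an OLE object':
 ('CreateObject',),
+#bypass CreateObject http://www.certego.net/en/news/advanced-vba-macros/
+'May get an OLE object with a running instance':
+('GetObject',),
 'May create an OLE object using PowerShell':
 ('New-Object',),
 'May run an application (if combined with CreateObject)':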
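Review bot: The two registry-path keywords added at new lines 664–665, `'HKCU\Environment'` and `'HKEY_CURRENT_USER\Environment'`, are plain string literals in which `\E` is not a recognised Python escape; the backslash survives only because CPython leaves unknown escapes in place, and Python 3.6+ reports a DeprecationWarning (a SyntaxWarning from 3.12) for them. Make them raw strings, `r'HKCU\Environment'` and `r'HKEY_CURRENT_USER\Environment'`, so the intended literal backslash is explicit and the module stays warning-free. The new comment above 'May move a file' names `MoveHere` twice and omits `MoveFile`, which is the keyword actually added (`#CopyHere, MoveHere, MoveFile and MoveFolder exploitation: see ...`), and the two Win32_Process.Create comments at new lines 696 and 699 repeat the same URL, so one of them can go. The new key `'May runs when an Excel WorkSheet is open'` is user-facing report text and should read `'May run when an Excel WorkSheet is open'`. The bare `'Create'` keyword for the WMI entry is very generic and, depending on how SUSPICIOUS_KEYWORDS is matched (not visible here), is likely to flag benign code; a more specific token such as `'Win32_Process'` alongside it would keep the signal while cutting noise, and the SUSPICIOUS_KEYWORDS dict itself begins and ends outside the hunks shown.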