Commit dcce7d95a18b6a4b8aed92585df8b01482a3bf0f
Committed by
Matteo Lodi
1 parent
fa1dfdf9
added several improvements based on our tests: https://www.certego.net/en/news/advanced-vba-macros/
Showing
1 changed file
with
27 additions
and
6 deletions
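--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -633,6 +633,9 @@ AUTOEXEC_KEYWORDS = {
 # TODO: "Auto_Ope" is temporarily here because of a bug in plugin_biff, which misses the last byte in "Auto_Open"...
 'Runs when the Excel Workbook is closed':
 ('Auto_Close', 'Workbook_Close'),
+#Worksheet_Calculate to Autoexec: see http://www.certego.net/en/news/advanced-vba-macros/
+'May runs when an Excel WorkSheet is open':
+('Worksheet_Calculate',),
 }
 
 # Keywords to detect auto-executable macros
@@ -649,15 +652,17 @@ AUTOEXEC_KEYWORDS_REGEX = {
 r'\w+_FileDownload', r'\w+_NavigateComplete2', r'\w+_NavigateError',
 r'\w+_ProgressChange', r'\w+_PropertyChange', r'\w+_SetSecureLockIcon',
 r'\w+_StatusTextChange', r'\w+_TitleChange', r'\w+_MouseMove', r'\w+_MouseEnter',
-r'\w+_MouseLeave', r'\w+_Layout', r'\w+_OnConnecting'),
+r'\w+_MouseLeave', r'\w+_Layout', r'\w+_OnConnecting', r'\w+_FollowHyperlink', r'\w+_ContentControlOnEnter'),
 }
 
 # Suspicious Keywords that may be used by malware
 # See VBA language reference: http://msdn.microsoft.com/en-us/library/office/jj692818%28v=office.15%29.aspx
 SUSPICIOUS_KEYWORDS = {
 #TODO: use regex to support variable whitespaces
+#http://www.certego.net/en/news/advanced-vba-macros/
 'May read system environment variables':
-('Environ',),
+('Environ','Win32_Environment','Environment','ExpandEnvironmentStrings','HKCU\Environment',
+'HKEY_CURRENT_USER\Environment'),
 'May open a file':
 ('Open',),
 'May write to a file (if combined with Open)':
@@ -667,22 +672,35 @@ SUSPICIOUS_KEYWORDS = {
 #TODO: regex to find Open+Binary on same line
 ('Binary',),
 'May copy a file':
-('FileCopy', 'CopyFile'),
+('FileCopy', 'CopyFile','CopyHere','CopyFolder'),
 #FileCopy: http://msdn.microsoft.com/en-us/library/office/gg264390%28v=office.15%29.aspx
 #CopyFile: http://msdn.microsoft.com/en-us/library/office/gg264089%28v=office.15%29.aspx
+#CopyHere, MoveHere, MoveHere and MoveFolder exploitation: see http://www.certego.net/en/news/advanced-vba-macros/
+'May move a file':
+('MoveHere', 'MoveFile', 'MoveFolder'),
 'May delete a file':
 ('Kill',),
 'May create a text file':
 ('CreateTextFile', 'ADODB.Stream', 'WriteText', 'SaveToFile'),
 #CreateTextFile: http://msdn.microsoft.com/en-us/library/office/gg264617%28v=office.15%29.aspx
 #ADODB.Stream sample: http://pastebin.com/Z4TMyuq6
-# ShellExecute: https://twitter.com/StanHacked/status/1075088449768693762
+#ShellExecute: https://twitter.com/StanHacked/status/1075088449768693762
+#InvokeVerb, InvokeVerbEx, DoIt and ControlPanelItem: see http://www.certego.net/en/news/advanced-vba-macros/
+
 'May run an executable file or a system command':
 ('Shell', 'vbNormal', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus',
-'vbMinimizedNoFocus', 'WScript.Shell', 'Run', 'ShellExecute', 'ShellExecuteA', 'shell32'),
+'vbMinimizedNoFocus', 'WScript.Shell', 'Run', 'ShellExecute', 'ShellExecuteA', 'shell32','InvokeVerb','InvokeVerbEx',
+'DoIt'),
+'May run a dll':
+('ControlPanelItem',),
+# Win32_Process.Create https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process
+'May execute file or a system command through WMI':
+('Create',),
+# WMI https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process
 # MacScript: see https://msdn.microsoft.com/en-us/library/office/gg264812.aspx
+# AppleScript: see https://docs.microsoft.com/en-us/office/vba/office-mac/applescripttask
 'May run an executable file or a system command on a Mac':
-('MacScript',),
+('MacScript','AppleScript'),
 #Shell: http://msdn.microsoft.com/en-us/library/office/gg278437%28v=office.15%29.aspx
 #WScript.Shell+Run sample: http://pastebin.com/Z4TMyuq6
 'May run PowerShell commands':
@@ -710,6 +728,9 @@ SUSPICIOUS_KEYWORDS = {
 ('Application.AltStartupPath',),
 'May create an OLE object':
 ('CreateObject',),
+#bypass CreateObject http://www.certego.net/en/news/advanced-vba-macros/
+'May get an OLE object with a running instance':
+('GetObject',),
 'May create an OLE object using PowerShell':
 ('New-Object',),
 'May run an application (if combined with CreateObject)':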
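Review bot: The two registry paths added to the environment-variable keyword tuple (new lines 664–665) are plain string literals containing `\E`, which Python does not recognise as an escape; the backslash survives in the value today, but the interpreter emits a DeprecationWarning (a SyntaxWarning in newer releases) for the invalid escape, and any escape that later becomes valid there would silently change the keyword being matched. Writing them as raw strings, `r'HKCU\Environment'` and `r'HKEY_CURRENT_USER\Environment'`, removes the warning without changing what is detected. Separately, the bare `'Create'` keyword for the WMI category (new line 698) and the generic `'Environment'` are likely to fire on benign macro code far more often than the rest of the table, so either a narrower token such as `Win32_Process` or a comment noting the expected false-positive rate would help; this is inferred from the keyword itself, not measured here. The comment at new line 699 repeats the Win32_Process URL already given at line 696, and the one at line 678 lists MoveHere twice while omitting MoveFile — `#CopyHere, MoveHere, MoveFile and MoveFolder exploitation: see http://www.certego.net/en/news/advanced-vba-macros/` appears to be what was intended.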