Commit fa1dfdf994fba7265c6f065403354aa09338068d
1 parent
f6155b35
added "Template Injection" and "XLM Macrosheet" to "Suspicious" keywords in "analyze_macros"
Showing
1 changed file
with
17 additions
and
0 deletions
oletools/olevba.py
| ... | ... | @@ -2695,6 +2695,8 @@ class VBA_Parser(object): |
| 2695 | 2695 | self.vba_stomping_detected = None |
| 2696 | 2696 | # will be set to True or False by detect_is_encrypted method |
| 2697 | 2697 | self.is_encrypted = None |
| 2698 | + self.xlm_macrosheet_found = False | |
| 2699 | + self.template_injection_found = False | |
| 2698 | 2700 | |
| 2699 | 2701 | # if filename is None: |
| 2700 | 2702 | # if isinstance(_file, basestring): |
| ... | ... | @@ -2820,6 +2822,7 @@ class VBA_Parser(object): |
| 2820 | 2822 | "".format(subfile_that_can_contain_templates, injected_template_url) |
| 2821 | 2823 | log.info(message) |
| 2822 | 2824 | template_injection_detected = True |
| 2825 | + self.template_injection_found = True | |
| 2823 | 2826 | # try to find a XML macrosheet |
| 2824 | 2827 | macro_sheet_footer = b"</xm:macrosheet>" |
| 2825 | 2828 | len_macro_sheet_footer = len(macro_sheet_footer) |
| ... | ... | @@ -2828,6 +2831,7 @@ class VBA_Parser(object): |
| 2828 | 2831 | message = "Found XLM Macro in subfile: {}".format(subfile) |
| 2829 | 2832 | log.info(message) |
| 2830 | 2833 | xml_macrosheet_found = True |
| 2834 | + self.xlm_macrosheet_found = True | |
| 2831 | 2835 | |
| 2832 | 2836 | if found_ole or xml_macrosheet_found or template_injection_detected: |
| 2833 | 2837 | log.debug('Opening OLE file %s within zip' % subfile) |
| ... | ... | @@ -3467,6 +3471,19 @@ class VBA_Parser(object): |
| 3467 | 3471 | 'this may have been used to hide malicious code' |
| 3468 | 3472 | scanner.suspicious_keywords.append((keyword, description)) |
| 3469 | 3473 | scanner.results.append(('Suspicious', keyword, description)) |
| 3474 | + if self.xlm_macrosheet_found: | |
| 3475 | + log.debug('adding XLM macrosheet found to suspicious keywords') | |
| 3476 | + keyword = 'XLM macrosheet' | |
| 3477 | + description = 'XLM macrosheet found. It could contain malicious code' | |
| 3478 | + scanner.suspicious_keywords.append((keyword, description)) | |
| 3479 | + scanner.results.append(('Suspicious', keyword, description)) | |
| 3480 | + if self.template_injection_found: | |
| 3481 | + log.debug('adding Template Injection to suspicious keywords') | |
| 3482 | + keyword = 'Template Injection' | |
| 3483 | + description = 'Template injection found. A malicious template could have been uploaded ' \ | |
| 3484 | + 'from a remote location' | |
| 3485 | + scanner.suspicious_keywords.append((keyword, description)) | |
| 3486 | + scanner.results.append(('Suspicious', keyword, description)) | |
| 3470 | 3487 | autoexec, suspicious, iocs, hexstrings, base64strings, dridex, vbastrings = scanner.scan_summary() |
| 3471 | 3488 | self.nb_autoexec += autoexec |
| 3472 | 3489 | self.nb_suspicious += suspicious | ... | ... |