Commit fa1dfdf994fba7265c6f065403354aa09338068d

Authored by Matteo Lodi
1 parent f6155b35

added "Template Injection" and "XLM Macrosheet" to "Suspicious" keywords in "analyze_macros"

Showing 1 changed file with 17 additions and 0 deletions
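--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -2695,6 +2695,8 @@ class VBA_Parser(object):
 self.vba_stomping_detected = None
 # will be set to True or False by detect_is_encrypted method
 self.is_encrypted = None
+self.xlm_macrosheet_found = False
+self.template_injection_found = False
 
 # if filename is None:
 # if isinstance(_file, basestring):
@@ -2820,6 +2822,7 @@ class VBA_Parser(object):
 "".format(subfile_that_can_contain_templates, injected_template_url)
 log.info(message)
 template_injection_detected = True
+self.template_injection_found = True
 # try to find a XML macrosheet
 macro_sheet_footer = b"</xm:macrosheet>"
 len_macro_sheet_footer = len(macro_sheet_footer)
@@ -2828,6 +2831,7 @@ class VBA_Parser(object):
 message = "Found XLM Macro in subfile: {}".format(subfile)
 log.info(message)
 xml_macrosheet_found = True
+self.xlm_macrosheet_found = True
 
 if found_ole or xml_macrosheet_found or template_injection_detected:
 log.debug('Opening OLE file %s within zip' % subfile)
@@ -3467,6 +3471,19 @@ class VBA_Parser(object):
 'this may have been used to hide malicious code'
 scanner.suspicious_keywords.append((keyword, description))
 scanner.results.append(('Suspicious', keyword, description))
+if self.xlm_macrosheet_found:
+log.debug('adding XLM macrosheet found to suspicious keywords')
+keyword = 'XLM macrosheet'
+description = 'XLM macrosheet found. It could contain malicious code'
+scanner.suspicious_keywords.append((keyword, description))
+scanner.results.append(('Suspicious', keyword, description))
+if self.template_injection_found:
+log.debug('adding Template Injection to suspicious keywords')
+keyword = 'Template Injection'
+description = 'Template injection found. A malicious template could have been uploaded ' \
+'from a remote location'
+scanner.suspicious_keywords.append((keyword, description))
+scanner.results.append(('Suspicious', keyword, description))
 autoexec, suspicious, iocs, hexstrings, base64strings, dridex, vbastrings = scanner.scan_summary()
 self.nb_autoexec += autoexec
 self.nb_suspicious += suspicious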
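Review bot: The two new entries in the last hunk are appended to whichever `scanner` is in scope at that point, so if this block executes once per VBA module — the `+=` accumulation into `self.nb_suspicious` on the following lines suggests it does — a document with several modules reports 'XLM macrosheet' and 'Template Injection' once per module and over-counts the suspicious total; reporting them once after the per-module scan, or tracking that they were already appended, avoids the inflated count. The template-injection description says the template "could have been uploaded from a remote location", but the finding is about a remote template URL the document references (`injected_template_url` in the second hunk), so `'A malicious template could have been loaded from a remote location'` is the accurate wording. The keyword strings also differ in casing (`'XLM macrosheet'` vs `'Template Injection'`); consumers that match on the keyword column of the result tuples benefit from one convention, e.g. `'XLM Macrosheet'` as the commit title itself writes it. Both flags are bare booleans, so the reported finding cannot name the subfile or the URL that triggered it even though both are in hand where the flags are set (second and third hunks); storing that context next to the flag would make the entry actionable for an analyst. analyze_macros begins before this hunk, so the loop structure is inferred rather than visible.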