The Problem.
VBA macros and OLE content in MS Office files are a major vehicle for malware delivery. Like any powerful tool they can be used for good or for evil, and historically VBA macros have been used to distribute malware.
Microsoft has made several attempts at disabling this functionality by default, but has still not addressed the fundamental problem.
In a large number of environments macros are not meant to be used at all. A CLI tool is therefore needed that can extract macros for analysis and completely remove all macros, OLE, SILk and other dynamic content from an MS Office file (at the risk of breaking some of the file's functionality), and that tool should be written and made available to IT practitioners.
Unfortunately DocBleach, the closest existing tool, has been archived, and it was written in Java. A new, similarly simple tool that is easier for the security community to maintain should be written.
Requirements
Investigate Python mechanisms for parsing MS Office files, extracting macros and other dynamic content for analysis, and removing them from the file.
Several links might be useful:
https://github.com/decalage2/oletools/wiki/olevba (extends officeparser to extract macros)
https://github.com/decalage2/oletools/wiki/mraptor (detection tool)
https://github.com/MalwareCantFly/Vba2Graph (macro extraction and visualization tool)
https://github.com/egaus/MaliciousMacroBot (detection and extraction of macros, built on top of officeparser)
https://github.com/S3cur3Th1sSh1t/OffensiveVBA (attack techniques used with VBA)
https://github.com/unixfreak0037/officeparser/tree/master (library to parse Office document files)
https://github.com/decalage2/exefilter/tree/master (bigger scope, older Python, written in French)
https://github.com/matan2021/Macros_Purifiction_Tool (not in Python; uses C# libraries)
https://github.com/docbleach/DocBleach (related tool in Java, now archived)
Existing GitHub projects overlap in places but do not meet the requirements. Focus on a tool that uses a library to parse the file, remove the dynamic content and write out a new, sanitized version of the file. Extensive testing is required.
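As an added example of the "parse, remove, write a sanitized copy" workflow the requirements describe (this is illustrative code written for this proposal, not code from DocBleach or from any of the projects linked above), the following standard-library Python strips the VBA project and embedded OLE objects from an OOXML package. It relies only on documented facts about the format: an OOXML file (.docm, .xlsm, .pptm and their non-macro siblings) is a ZIP archive, macros live in a vbaProject.bin part, embedded OLE objects live under an embeddings/ folder, and every part is registered in [Content_Types].xml and referenced from a *.rels file. The removed parts are returned to the caller so they can still be handed to an analyst (or to olevba). Legacy OLE2 binaries (.doc, .xls, .ppt) are a different container and are not handled here; olefile/oletools would be the starting point for those. The sample .docm built at the end is constructed for the example and is not a real malware sample.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Macro-enabled main-part content types -> plain equivalents, so Office opens the
# output as an ordinary document (the caller should also rename .docm -> .docx etc.).
MACRO_TO_PLAIN = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml",
}
# Content types that only ever describe parts this sanitizer strips.
DROP_CONTENT_TYPES = {
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-word.vbaData+xml",
    "application/vnd.openxmlformats-officedocument.oleObject",
}

def is_active_part(name):
    """VBA project (plus its vbaData sidecar) and anything under embeddings/."""
    base = posixpath.basename(name)
    return base in ("vbaProject.bin", "vbaData.xml") or "/embeddings/" in "/" + name

def rels_for(part):  # word/vbaProject.bin -> word/_rels/vbaProject.bin.rels
    return posixpath.join(posixpath.dirname(part), "_rels", posixpath.basename(part) + ".rels")

def resolve_target(rels_name, target):
    """Relationship Target -> ZIP entry name; relative targets resolve against the source part's dir."""
    if target.startswith("/"):
        return target.lstrip("/")
    return posixpath.normpath(posixpath.join(posixpath.dirname(posixpath.dirname(rels_name)), target))

def _clean_rels(xml_bytes, rels_name, removed):
    """Drop relationships pointing at removed parts; external targets are left alone."""
    root = ET.fromstring(xml_bytes)
    for rel in list(root):
        if rel.get("TargetMode") != "External" and resolve_target(rels_name, rel.get("Target", "")) in removed:
            root.remove(rel)
    ET.register_namespace("", REL_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def _clean_content_types(xml_bytes, removed):
    """Drop entries for stripped parts and downgrade macro-enabled main parts."""
    root = ET.fromstring(xml_bytes)
    for entry in list(root):
        ctype = entry.get("ContentType", "")
        if ctype in DROP_CONTENT_TYPES or entry.get("PartName", "").lstrip("/") in removed:
            root.remove(entry)
        elif ctype in MACRO_TO_PLAIN:
            entry.set("ContentType", MACRO_TO_PLAIN[ctype])
    ET.register_namespace("", CT_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def sanitize_ooxml(data):
    """Return (clean_bytes, extracted); `extracted` maps each removed part name to its
    original bytes, so the analyst still gets the VBA/OLE blobs to inspect."""
    src = zipfile.ZipFile(io.BytesIO(data))
    names = src.namelist()
    removed = {n for n in names if is_active_part(n)}
    removed |= {rels_for(n) for n in list(removed) if rels_for(n) in names}
    extracted = {n: src.read(n) for n in removed}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for n in names:
            if n in removed:
                continue
            blob = src.read(n)
            if n == "[Content_Types].xml":
                blob = _clean_content_types(blob, removed)
            elif n.endswith(".rels"):
                blob = _clean_rels(blob, n, removed)
            dst.writestr(n, blob)
    return out.getvalue(), extracted

def read_part(data, name=None):
    """Inspection helper: list entry names, or return one XML part as text."""
    z = zipfile.ZipFile(io.BytesIO(data))
    return z.namelist() if name is None else z.read(name).decode("utf-8")

def build_sample_docm():
    """Constructed minimal .docm (not a real sample): document, fake VBA project, fake OLE object, external link."""
    ct = (f'<Types xmlns="{CT_NS}">'
          '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
          '<Default Extension="xml" ContentType="application/xml"/>'
          '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
          '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
          '<Override PartName="/word/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/></Types>')
    doc_rels = (f'<Relationships xmlns="{REL_NS}">'
                '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
                '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>'
                '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/></Relationships>')
    parts = {
        "[Content_Types].xml": ct,
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>',
        "word/_rels/document.xml.rels": doc_rels,
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"FAKE-VBA-PROJECT",  # OLE2 magic + filler
        "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0" + b"FAKE-OLE-OBJECT",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, blob in parts.items():
            z.writestr(name, blob)
    return buf.getvalue()
```

Two caveats a real tool would have to handle, and the reason the proposal rightly says sanitizing can break functionality: first, word/document.xml (or the sheet/slide parts) may still contain elements that reference the removed relationship IDs, so Office can report the file as needing repair until those referencing elements are removed as well; second, DDE field codes are plain text inside the main part rather than a separate package part, so dropping parts does not touch them. Running sanitize_ooxml twice is a cheap regression check: the second pass must extract nothing and leave the package byte-identical.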