Support office documents and check for macros

IV1T3 / django-middleware-fileuploadvalidation

A Django middleware to validate user file uploads and detect malicious content.

Apache License 2.0

6 stars 2 forks source link

Support office documents and check for macros #24

Open wichmannpas opened 2 years ago

IV1T3 commented 2 years ago

Analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging: https://github.com/decalage2/oletools
Remove active content (scripts, macros, etc): https://github.com/decalage2/exefilter
- Since oletools does not support input modification, decalge2 recommended exefilter: https://github.com/decalage2/oletools/issues/377

IV1T3 commented 2 years ago

Started analyzing with commit 6509f418feb7684c46b76eefb28b82baccbef286

IV1T3 commented 2 years ago

Automatic (Malicious) Macro detection implemented with quicksand in commit 3254923e12367a4b4d82db7b03d805e4cefcee68. However, Macro removal still has to be implemented.

IV1T3 commented 2 years ago

Added multiple YARA rules for detecting Office Documents with Macros.

A few selected rules:

rule office_document_vba : maldoc
Contains_VBA_macro_code (Detect a MS Office document with embedded VBA macro code - by evild3ad)
rule macrocheck : maldoc (Identify office documents with the MACROCHECK credential stealer in them. - by Fireeye Labs)
rule Contains_hidden_PE_File_inside_a_sequence_of_numbers : maldoc (https://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry/ - by evild3ad)