decalage2 / ViperMonkey

A VBA parser and emulation engine to analyze malicious macros.

Add Base64 Logging #86

Closed utkonos closed 1 year ago

utkonos commented 4 years ago

Is your feature request related to a problem? Please describe.

From a discussion on a list, tracking that base64 or other encoding is used in a maldoc can be a useful TTP to note. There are four locations in the source code where base64 is decoded, but the one in vipermonkey/core/expressions.py doesn't log.

Describe the solution you'd like

I can add logging after lines 640 and 644, but I wanted to check to make sure the correct log level is used. I see warning used sometimes and debug used in other locations. Which level is appropriate for this? I can create a PR based on which one is appropriate.