decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

olevba+mraptor: add keywords for Outlook interaction #167

Open decalage2 opened 7 years ago

decalage2 commented 7 years ago

It looks like this sample uses Outlook for replication:

Several Outlook-related keywords could be detected.

decalage2 commented 3 years ago

More about Outlook VBA macros and potential keywords to be detected: https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ Keywords:

And see also what is the CLSID of VbsProject.OTM generated by Outlook.

decalage2 commented 3 years ago

See also https://adepts.of0x.cc/vba-outlook/

decalage2 commented 3 years ago

Yet another macro using Outlook for replication: https://twitter.com/SBousseaden/status/1364576189621424133
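As an added example, not code from the oletools project or from the issue author: a small stand-alone Python scanner in the shape of olevba's suspicious-keyword table, with the Outlook keywords the thread asks for, plus an mraptor-style verdict (auto-exec event handler combined with mail sending or address harvesting) for the replication pattern discussed above. The keyword list, the regexes, the verdict rule and the two VBA samples are this example's own assumptions; the issue does not fix a list, and nothing here is taken from the linked samples.

```python
import re

# Outlook-interaction keywords, in the (keyword, description) shape olevba uses
# for its suspicious-keyword table. Entries are (name, regex, description).
# The selection is this example's assumption, not a list adopted by the issue.
OUTLOOK_KEYWORDS = [
    ("Outlook.Application", r"\bOutlook\.Application\b", "May automate Outlook via COM (ProgID for CreateObject/GetObject)"),
    ("GetNamespace", r"\bGetNamespace\b", "May open the MAPI namespace (mailboxes, folders, contacts)"),
    ("GetDefaultFolder", r"\bGetDefaultFolder\b", "May read a default folder such as Inbox or Contacts"),
    ("olFolderInbox", r"\bolFolderInbox\b", "Outlook constant for the Inbox folder"),
    ("olFolderContacts", r"\bolFolderContacts\b", "Outlook constant for the Contacts folder"),
    ("AddressLists", r"\bAddressLists\b", "May enumerate address books (address harvesting)"),
    ("AddressEntries", r"\bAddressEntries\b", "May enumerate address entries (address harvesting)"),
    ("CreateItem", r"\bCreateItem\b", "May create a new Outlook item such as a mail message"),
    ("olMailItem", r"\bolMailItem\b", "Outlook constant for a mail item"),
    ("Attachments.Add", r"\bAttachments\.Add\b", "May attach a file to a message (self-replication)"),
    (".Send", r"\.Send\b", "May send a mail item"),
    ("ThisOutlookSession", r"\bThisOutlookSession\b", "Class module of Outlook's own VBA project (VbaProject.OTM)"),
    ("Application_Startup", r"\bApplication_Startup\b", "Event handler run when Outlook starts (persistence)"),
    ("Application_ItemSend", r"\bApplication_ItemSend\b", "Event handler run on every sent message"),
    ("Application_NewMail", r"\bApplication_NewMail(Ex)?\b", "Event handler run on every received message"),
]

# VBA identifiers are case-insensitive, so every pattern is compiled that way.
KEYWORD_RE = [(name, re.compile(rx, re.IGNORECASE), desc) for name, rx, desc in OUTLOOK_KEYWORDS]


def scan_outlook_keywords(vba_code):
    """Return (keyword, description) pairs present in the VBA source, in table order."""
    return [(name, desc) for name, rx, desc in KEYWORD_RE if rx.search(vba_code)]


# Verdict modelled on mraptor's "AutoExec + (Write or Execute)" rule, adapted
# to mail-borne replication (assumed grouping, not mraptor's own logic).
AUTOEXEC = {"Application_Startup", "Application_ItemSend", "Application_NewMail"}
SENDS_MAIL = {"CreateItem", "olMailItem", ".Send", "Attachments.Add"}
HARVESTS = {"AddressLists", "AddressEntries", "GetDefaultFolder", "olFolderContacts", "olFolderInbox"}


def outlook_replication_verdict(vba_code):
    """Flag code that runs from an Outlook event and also sends mail or reads addresses."""
    found = {name for name, _ in scan_outlook_keywords(vba_code)}
    flags = {
        "autoexec": bool(found & AUTOEXEC),
        "sends_mail": bool(found & SENDS_MAIL),
        "harvests_addresses": bool(found & HARVESTS),
    }
    flags["suspicious"] = flags["autoexec"] and (flags["sends_mail"] or flags["harvests_addresses"])
    return flags


# Constructed sample in the shape of a mail-replicating macro (not real malware,
# not taken from the samples linked in the issue).
REPLICATION_SAMPLE = """
Private Sub Application_Startup()
    Dim ol, ns, itm, entry
    Set ol = CreateObject("Outlook.Application")
    Set ns = ol.GetNamespace("MAPI")
    For Each entry In ns.AddressLists(1).AddressEntries
        Set itm = ol.CreateItem(0)
        itm.To = entry.Address
        itm.Attachments.Add ActiveDocument.FullName
        itm.Send
    Next
End Sub
"""

# Constructed benign macro that touches no Outlook object.
BENIGN_SAMPLE = """
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for label, code in (("replication", REPLICATION_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, outlook_replication_verdict(code))
        for name, desc in scan_outlook_keywords(code):
            print("  ", name, "-", desc)
```

The keyword table is deliberately narrow: `Session`, `Folders` or `Items` alone would match far too much ordinary Office automation, so only names that are specific to Outlook's object model or its event handlers are listed, and the verdict only fires when an event-driven entry point is combined with sending or harvesting.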