olevba - add keyword detection for AccessVBOM

[decalage2]

Add several keywords to detect macros that attempt to disable protection to run self-modifying VBA code, as described in those articles:

• https://thehackernews.com/2017/11/ms-office-macro-malware.html
• http://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/

As listed in the Trend Micro article, this includes:

• Deactivating Protected View (PV) by modifying a few registry keys: DisableAttachmentsInPV, DisableInternetFilesInPV, DisableUnsafeLocationsInPV
• Disabling the feature that blocks Excel files marked as from the web from executing macros (Blockcontentexecutionfrominternet)
• Enabling programmatical access to VBA object model (AccessVBOM)
• Setting the security level to Low (from three possibilities: High, Medium, Low)

TODO:

• [x] olevba
• [ ] mraptor

[decalage2]

olevba: done in commit b9b9af8.

[decalage2]

Potentially more keywords to detect techniques for macros that create other VBA macros by launching a new Word/Excel application via COM:

• https://blog.sevagas.com/IMG/pdf/my_vba_bot.pdf
  • isVBOMEnabled: checks if VBOM access is allowed
• https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/
• https://docs.microsoft.com/en-us/archive/blogs/cristib/vba-how-to-programmatically-enable-access-to-the-vba-object-model-using-macros