olevba: add keywords for AMSI bypass

decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.

http://www.decalage.info/python/oletools

Other

2.87k stars 561 forks source link

olevba: add keywords for AMSI bypass #515

Open decalage2 opened 4 years ago

decalage2 commented 4 years ago

See this sample: https://labs.inquest.net/dfi/sha256/9404cbeacd30e170fe03bfdeb54663cb1439ccf73309e172e11349aa64fdbd00

Potential keywords (can be obfuscated):

amsi
AmsiUacInitialize
"4C8BDC49895B08"
"4883EC384533DB"
"8B450C85" & "C0745A85DB"
"8B550C85D" & "27434837D"

decalage2 commented 3 years ago

Another post: https://codewhitesec.blogspot.com/2019/07/heap-based-amsi-bypass-in-vba.html

decalage2 commented 2 years ago

Also this one: https://depthsecurity.com/blog/obfuscating-malicious-macro-enabled-word-docs