olevba+mraptor: add keywords for HTTP requests, XML and other obfuscation methods (#VBALostArts)

[decalage2]

See:

• https://twitter.com/Laughing_Mantis/status/1278031578019426304
• https://twitter.com/Laughing_Mantis/status/1278497214076092416
• https://twitter.com/Laughing_Mantis/status/1278371933604548609
• MsoShape: https://twitter.com/Laughing_Mantis/status/1279909614469840896 and https://medium.com/@laughing_mantis/malicious-shapes-in-office-part-1-8a4efca74358
• Possibly VAC-Parasite: https://twitter.com/Laughing_Mantis/status/1279463046415433730 and https://medium.com/@laughing_mantis/abusing-vba-for-air-gap-communications-4046c6b5b561
• VBA-Stendhal: https://twitter.com/Laughing_Mantis/status/1280971785312206848, https://medium.com/@laughing_mantis/malicious-shapes-in-office-part-2-910375cd05f3 and https://github.com/glinares/VBA-Stendhal

and in general https://twitter.com/hashtag/VBALostArts

Keywords to be detected:

• InsertXML (and other XML methods)
• AddOLEObject
• InlineShapes.AddPicture
• Range.EnhMetaFileBits
• AddWebVideo
• ...

[decalage2]

Here is an Emotet sample using InlineShapes(1).AlternativeText to hide powershell code: https://twitter.com/jstrosch/status/1305750537183408129 https://app.any.run/tasks/7a92e103-f579-4f45-ad2a-fcca36376d73/

[decalage2]

Another sample using InlineShapes to find an embedded OLE object, and using the clipboard to copy/paste data: https://twitter.com/SBousseaden/status/1320005809695264769 https://hybrid-analysis.com/sample/b97960c29b7c8234981728b80060a42dbe32bf625b052854a6cc2175467cca89/5f74689a7a87bb56fa74c556