decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

olevba+mraptor: add keywords for HTTP requests, XML and other obfuscation methods (#VBALostArts) #589

Open decalage2 opened 4 years ago

decalage2 commented 4 years ago

See:

and in general https://twitter.com/hashtag/VBALostArts

Keywords to be detected:

decalage2 commented 4 years ago

Here is an Emotet sample using InlineShapes(1).AlternativeText to hide powershell code: https://twitter.com/jstrosch/status/1305750537183408129 https://app.any.run/tasks/7a92e103-f579-4f45-ad2a-fcca36376d73/

decalage2 commented 4 years ago

Another sample using InlineShapes to find an embedded OLE object, and using the clipboard to copy/paste data: https://twitter.com/SBousseaden/status/1320005809695264769 https://hybrid-analysis.com/sample/b97960c29b7c8234981728b80060a42dbe32bf625b052854a6cc2175467cca89/5f74689a7a87bb56fa74c556
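As an added example (not oletools code, and not the keyword table olevba or mraptor actually ship), a minimal olevba-style keyword scan in Python for the indirection techniques discussed in this thread: reading a shape's AlternativeText, staging data through the clipboard, and creating HTTP/XML objects. The pattern list and the VBA sample are constructed for this example; the sample deliberately contains no "powershell" or "Shell" keyword, so only the indirection itself can be flagged.

```python
import re

# Candidate keyword patterns for the techniques discussed in this issue (alt text of
# InlineShapes, clipboard staging, HTTP request objects, XML parsing). This list is an
# assumption for the example, not olevba's or mraptor's own detection table.
SUSPICIOUS_PATTERNS = [
    ("reads hidden text from an InlineShape's AlternativeText",
     r"InlineShapes\s*\([^)]*\)\s*\.\s*AlternativeText"),
    ("moves data through the clipboard (MSForms DataObject)",
     r"\b(?:DataObject|GetFromClipboard|PutInClipboard)\b"),
    ("creates an HTTP request object",
     r"\b(?:MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest|URLDownloadToFile)\b"),
    ("parses XML (MSXML2 DOMDocument)", r"\bMSXML2\.DOMDocument\b"),
]

# Constructed VBA sample modelled on the Emotet technique described in the thread: the
# macro itself contains no "powershell" or "Shell" keyword; the string it reads is parked
# in a shape's alt text, which is why the scan must flag the indirection itself.
SAMPLE_VBA = r"""
Sub AutoOpen()
    Dim hidden As String
    hidden = ActiveDocument.InlineShapes(1).AlternativeText
    Dim clip As New MSForms.DataObject
    clip.SetText hidden
    clip.PutInClipboard
    Dim req As Object
    Set req = CreateObject("MSXML2.XMLHTTP")
End Sub
"""


def scan_vba(vba_code: str) -> list[tuple[str, str]]:
    """Return one (description, matched_text) pair per pattern occurrence."""
    hits = []
    for description, pattern in SUSPICIOUS_PATTERNS:
        for match in re.finditer(pattern, vba_code, re.IGNORECASE):
            hits.append((description, match.group(0)))
    return hits


def triggered_techniques(vba_code: str) -> set[str]:
    """Distinct technique descriptions present in the macro source."""
    return {description for description, _ in scan_vba(vba_code)}


if __name__ == "__main__":
    for description, text in scan_vba(SAMPLE_VBA):
        print(f"{text!r}: {description}")
```

Run against real macro source extracted with olevba, the same loop reports which of these indirections a document uses even when the payload string never appears in the VBA.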