
added several improvements based on our tests: https://www.certego.ne… #591

Merged
merged 2 commits into from
Sep 28, 2020

Conversation

Gabriele-Pippi
Contributor

Following some internal tests carried out mainly with olevba, we at Certego have decided to propose some improvements for your public project.

Although the article is public, it has not yet been shared with anyone before you. https://www.certego.net/en/news/advanced-vba-macros

These are the results on the analyzed samples of olevba with this commit:

Document_ContentControlOnEnter.doc

+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Document_ContentCont|Runs when the file is opened and ActiveX     |
|          |rolOnEnter          |objects trigger events                       |
|Suspicious|ControlPanelItem    |May run a dll                                |
|Suspicious|GetObject           |May get an OLE object with a running instance|
|Suspicious|CopyHere            |May copy a file                              |
+----------+--------------------+---------------------------------------------+

Worksheet_FollowHyperlink.xlsm

+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Worksheet_FollowHype|Runs when the file is opened and ActiveX     |
|          |rlink               |objects trigger events                       |
|Suspicious|GetObject           |May get an OLE object with a running instance|
|Suspicious|InvokeVerbEx        |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|CopyHere            |May copy a file                              |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Hex String|'\x00\x02\x08 '     |00020820                                     |
|Hex String|'\x00\x00\x00\x00\x0|000000000046                                 |
|          |0F'                 |                                             |
|Hex String|'\x00\x02\x08\x19'  |00020819                                     |
+----------+--------------------+---------------------------------------------+

Worksheet_Calculate.xlsm

+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Worksheet_Calculate |May runs when an Excel WorkSheet is open     |
|Suspicious|GetObject           |May get an OLE object with a running instance|
|Suspicious|DoIt                |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|CopyHere            |May copy a file                              |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Hex String|'\x00\x02\x08 '     |00020820                                     |
|Hex String|'\x00\x00\x00\x00\x0|000000000046                                 |
|          |0F'                 |                                             |
|Hex String|'\x00\x02\x08\x19'  |00020819                                     |
+----------+--------------------+---------------------------------------------+

Even after adding the raw string prefix, `r'HKCU\Environment'` and `r'HKEY_CURRENT_USER\Environment'` do not match correctly.
I temporarily removed them.
@decalage2
Owner

Great job! Reading your article, I would also add some CLSIDs like 13709620-C279-11CE-A49E-444553540000 as a synonym of Shell.Application.

@Gabriele-Pippi
Contributor Author

Gabriele-Pippi commented Jul 9, 2020

> Great job! Reading your article, I would also add some CLSIDs like 13709620-C279-11CE-A49E-444553540000 as a synonym of Shell.Application.

Thanks to you for the great project that you are maintaining, we hope to collaborate again to improve it.

All the obfuscatable strings were not included in the pull request; feel free to add them as well.
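As an added example that is not code from the oletools project or from this pull request, the following scanner shows the detection logic behind the three olevba tables in the description and the CLSID synonym suggested above: whole-word keyword matching for AutoExec triggers and suspicious calls, CLSID lookup (only the Shell.Application CLSID quoted on the page is included), and hex-run decoding of the kind that produced the "Hex String" rows. The keyword tables, the description text for the registry keys, the 8-hex-digit threshold and the sample macro are all constructed for this example. It also assumes that the reason `HKCU\Environment` failed to match was the backslash reaching the regex engine unescaped; `naive_pattern_compiles` demonstrates that failure, and `keyword_pattern` avoids it with `re.escape`.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical keyword tables, shaped like olevba's "Type | Keyword | Description"
# output; they are NOT the tables shipped in oletools.
AUTOEXEC_KEYWORDS: Dict[str, List[str]] = {
    "Runs when the file is opened and ActiveX objects trigger events": [
        "Document_ContentControlOnEnter",
        "Worksheet_FollowHyperlink",
    ],
    "May run when an Excel Worksheet is open": ["Worksheet_Calculate"],
}

SUSPICIOUS_KEYWORDS: Dict[str, List[str]] = {
    "May get an OLE object with a running instance": ["GetObject"],
    "May run an executable file or a system command": ["InvokeVerbEx", "DoIt"],
    "May run a dll": ["ControlPanelItem"],
    "May copy a file": ["CopyHere"],
    # Registry paths contain a backslash, a regex metacharacter. The description
    # text here is an assumption for this example, not olevba's wording.
    "May read or write the user environment via the registry": [
        r"HKCU\Environment",
        r"HKEY_CURRENT_USER\Environment",
    ],
}

# Only the CLSID quoted on the page; keys are upper-case without braces.
CLSID_SYNONYMS: Dict[str, str] = {
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
}

CLSID_RE = re.compile(
    r"(?i)\b[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\b"
)
# A run of at least four hex byte pairs that is not glued to other hex digits
# (threshold chosen for this example).
HEX_RUN_RE = re.compile(r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){4,})(?![0-9A-Fa-f])")


def keyword_pattern(keyword: str) -> "re.Pattern[str]":
    """Case-insensitive whole-word match; re.escape makes the backslash literal."""
    return re.compile(r"(?i)\b" + re.escape(keyword) + r"\b")


def naive_pattern_compiles(keyword: str) -> bool:
    """The failure mode: the keyword dropped into a regex without escaping.
    For r'HKCU\\Environment' the '\\E' is an unknown escape and re raises."""
    try:
        re.compile(r"(?i)\b" + keyword + r"\b")
        return True
    except re.error:
        return False


def scan_vba(vba_code: str) -> List[Tuple[str, str, str]]:
    """Return (type, keyword, description) rows in the order olevba prints them."""
    rows: List[Tuple[str, str, str]] = []
    for description, keywords in AUTOEXEC_KEYWORDS.items():
        for kw in keywords:
            if keyword_pattern(kw).search(vba_code):
                rows.append(("AutoExec", kw, description))
    for description, keywords in SUSPICIOUS_KEYWORDS.items():
        for kw in keywords:
            if keyword_pattern(kw).search(vba_code):
                rows.append(("Suspicious", kw, description))
    # Full CLSIDs are reported by their well-known ProgID when we have a synonym.
    for m in CLSID_RE.finditer(vba_code):
        clsid = m.group(0).upper()
        name = CLSID_SYNONYMS.get(clsid)
        if name:
            rows.append(("Suspicious", clsid, f"CLSID of {name}"))
    # Hex runs are decoded the way olevba's "Hex String" rows show them:
    # decoded bytes in the keyword column, the raw hex in the description column.
    for m in HEX_RUN_RE.finditer(vba_code):
        hexstr = m.group(1)
        rows.append(("Hex String", repr(bytes.fromhex(hexstr)), hexstr))
    return rows


# Constructed sample macro text: just enough to trigger the rows, not a real document.
SAMPLE_VBA = r'''
Private Sub Worksheet_Calculate()
    Dim app As Object
    Set app = GetObject("new:13709620-C279-11CE-A49E-444553540000")
    Dim key As String
    key = "HKCU\Environment"
End Sub
'''

if __name__ == "__main__":
    for row_type, keyword, description in scan_vba(SAMPLE_VBA):
        print(f"{row_type:<10}|{keyword:<40}|{description}")
```

Running the module prints six rows for the constructed sample: the `Worksheet_Calculate` AutoExec trigger, `GetObject` and `HKCU\Environment` as suspicious keywords, the Shell.Application CLSID, and two hex runs (`13709620` and `444553540000`, the latter decoding to `b'DEST\x00\x00'`). The CLSID lookup is kept separate from the keyword table so that a CLSID can be reported under its ProgID even when the ProgID string never appears in the macro.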

@decalage2 decalage2 merged commit a854e61 into decalage2:master Sep 28, 2020