Didier Stevens

Tuesday 7 March 2017

Update: oledump.py Version 0.0.27

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py adds some extra features for YARA rule scanning.

oledump.py declares 2 external variables that can be used in your YARA rules.

External variable streamname is a string with the stream name, as printed in oledump’s report.

External variable VBA is a boolean that is set to true when the data to scan is VBA source code. Previous versions of oledump would scan the raw stream content with YARA, but this new version also decompresses all streams with VBA macros, and concatenates them together to scan them after all streams have been scanned.

Example of a rule using external variable VBA:

rule VBA_Autorun
{
    strings:
        $a = "AutoExec" nocase fullword
        $b = "AutoOpen" nocase fullword
        $c = "DocumentOpen" nocase fullword
        $d = "AutoExit" nocase fullword
        $e = "AutoClose" nocase fullword
        $f = "Document_Close" nocase fullword
        $g = "DocumentBeforeClose" nocase fullword
        $h = "Document_Open" nocase fullword
        $i = "Document_BeforeClose" nocase fullword
        $j = "Auto_Open" nocase fullword
        $k = "Workbook_Open" nocase fullword
        $l = "Workbook_Activate" nocase fullword
        $m = "Auto_Close" nocase fullword
        $n = "Workbook_Close" nocase fullword
    condition:
        VBA and any of ($*)
}

The condition of this rule is true when external variable VBA is true and when at least one of the strings are found:

20170306-184258

This rule is included in a new set of YARA rules I included with oledump.py: vba.yara.

I made a video to illustrate this:

And there is also a new plugin: plugin_str_sub. It tries to de-obfuscate strings with padded characters:

oledump_V0_0_27.zip (https)
MD5: A6C6728E20AE46A4FECC5F3976AF33BF
SHA256: 54FE550D5102A0E9428F6BD9B5170B50797EDA2076601634519CDBB574004A3C

4 Comments »

  1. […] – github.com/decalage2/oletools oledump – blog.didierstevens.com/2017/03/07/update-oledump-py-version-0-0-27/ psparser – github.com/phishme/malware_analysis/blob/master/scripts/psparser.py VBCode […]

    Pingback by Decoding Malicious .vbs Scripts – Cyber Forensicator — Wednesday 15 March 2017 @ 13:58

  2. Hi Didier! Thanks for making these great tools available!!! I’m wondering what methods you use to triage password protected Word documents. Typically, I’ll see the docx file attached to an email with the password referenced in the body. An example is here:
    https://www.virustotal.com/en/file/a6dcda1847bdc1e2e85c76b0005f475e85686b993cf7a07119ce94254a9cbe74/analysis/1489611795/
    Password is 93uzjt
    The entire document itself is password protected, not just the macro. The only way I’ve been able to get access to it’s contents are to open it up in a VM but am looking for alternative ways…
    Thanks!

    Comment by PT — Wednesday 15 March 2017 @ 21:12

  3. That’s what I do too. There are some open source tools to do this, but haven’t found any to still work with the latest office versions.

    Comment by Didier Stevens — Thursday 16 March 2017 @ 19:10

  4. […] Update: oledump.py Version 0.0.27 […]

    Pingback by Overview of Content Published In March | Didier Stevens — Tuesday 4 April 2017 @ 0:00


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.