def macro_section_builder(self, vba_code):
vba_code_sha256 = hashlib.sha256(vba_code).hexdigest()
macro_section = ResultSection(SCORE.NULL, "OleVBA : Macro detected")
macro_section.add_line("Macro SHA256 : %s" % vba_code_sha256)
#macro_section.add_line("Resubmitted macro as: macro_%s.vba" % vba_code_sha256[:7])
macro_section.add_tag(TAG_TYPE.OLE_MACRO_SHA256,
vba_code_sha256,
weight=TAG_WEIGHT.LOW,
usage=TAG_USAGE.CORRELATION)
dump_title = "Macro contents dump"
analyzed_code = self.deobfuscator(vba_code)
req_deob = False
if analyzed_code != vba_code:
req_deob = True
dump_title += " [deobfuscated]"
if len(analyzed_code) > self.MAX_STRINGDUMP_CHARS:
dump_title += " - Displaying only the first %s characters." % self.MAX_STRINGDUMP_CHARS
dump_subsection = ResultSection(SCORE.NULL, dump_title, body_format=TEXT_FORMAT.MEMORY_DUMP)
dump_subsection.add_line(analyzed_code[0:self.MAX_STRINGDUMP_CHARS])
else:
dump_subsection = ResultSection(SCORE.NULL, dump_title, body_format=TEXT_FORMAT.MEMORY_DUMP)
dump_subsection.add_line(analyzed_code)
if req_deob:
dump_subsection.add_tag(TAG_TYPE.TECHNIQUE_OBFUSCATION,
"VBA Macro String Functions",
weight=TAG_WEIGHT.LOW,
usage=TAG_USAGE.IDENTIFICATION)
score_subsection = self.macro_scorer(analyzed_code)
if score_subsection:
macro_section.add_section(score_subsection)
macro_section.add_section(dump_subsection)
# Flag macros
if self.flag_macro(analyzed_code):
macro_section.add_section(ResultSection(SCORE.HIGH, "Macro may be packed or obfuscated."))
return macro_section
def execute(self, request):
# Create a result object where all the sections will be stored
result = Result()
# ==================================================================
# Default Section:
# Default section basically just dumps the text to the screen...
# All sections scores will be SUMed in the service result
# The Result classification will be the highest classification found in the sections
default_section = ResultSection(SCORE.LOW,
'Example of a default section',
Classification.RESTRICTED)
default_section.add_line("You can add line by line!")
default_section.add_lines(["Or", "Multiple lines", "Inside a list!"])
# ==================================================================
# Color map Section:
# Creates a color map bar using a minimum and maximum domain
cmap_min = 0
cmap_max = 20
color_map_data = {
'type': 'colormap',
'data': {
'domain': [cmap_min, cmap_max],
'values': [random.random() * cmap_max for _ in xrange(50)]
}
}
section_color_map = ResultSection(SCORE.NULL,
"Example of colormap result section",
self.SERVICE_CLASSIFICATION,
body_format=TEXT_FORMAT.GRAPH_DATA,
body=json.dumps(color_map_data))
# ==================================================================
# URL section:
# Generate a list of clickable urls using a json encoded format
url_section = ResultSection(SCORE.NULL,
'Example of a simple url section',
self.SERVICE_CLASSIFICATION,
body_format=TEXT_FORMAT.URL,
body=json.dumps({
"name":
"Google",
"url":
"https://www.google.com/"
}))
# You can add tags to any section although those tag will be brought up to the result object
# Tags are defined by a type, value and weight (confidence lvl)
# you can also add a classification and context if needed
url_section.add_tag(TAG_TYPE.NET_DOMAIN_NAME, "google.com",
TAG_WEIGHT.LOW)
url_section.add_tag(TAG_TYPE.NET_DOMAIN_NAME,
"bob.com",
TAG_WEIGHT.LOW,
classification=Classification.RESTRICTED)
url_section.add_tag(TAG_TYPE.NET_DOMAIN_NAME,
"baddomain.com",
TAG_WEIGHT.LOW,
context=Context.BEACONS)
# You may also want to provide a list of url! Also, No need to provide a name, the url link will be displayed
urls = [{
"url": "https://google.com/"
}, {
"url": "https://google.ca/"
}, {
"url": "https://microsoft.com/"
}]
url_section2 = ResultSection(
SCORE.MED,
'Example of a url section with multiple links',
self.SERVICE_CLASSIFICATION,
body_format=TEXT_FORMAT.URL,
body=json.dumps(urls))
# Add url_section2 as a subsection of url section
# The score of the subsections will automatically be added to the parent section
url_section.add_section(url_section2)
# ==================================================================
# Memory dump section:
# Dump whatever string content you have into a <pre/> html tag so you can do your own formatting
data = hexdump(
"This is some random text that we will format as an hexdump and you'll see "
"that the hexdump formatting will be preserved by the memory dump section!"
)
memdump_section = ResultSection(SCORE.NULL,
'Example of a memory dump section',
self.SERVICE_CLASSIFICATION,
body_format=TEXT_FORMAT.MEMORY_DUMP,
body=data)
# ==================================================================
# Re-Submitting files to the system
# Adding extracted files will have them resubmitted to the system for analysis
if request.srl != '8cf8277a71e85122bf7ea4610c7cfcc0bfb6dee799be50a41b2f4b1321b3317f':
# This IF just prevents resubmitting the same file in a loop for this exemple...
temp_path = tempfile.mktemp(dir=self.working_directory)
with open(temp_path, "w") as myfile:
myfile.write(data)
request.add_extracted(temp_path,
"Extracted by some random magic!",
display_name="file.txt")
# ==================================================================
# Supplementary files
# Adding supplementary files will save them on the datastore for future
# reference but wont reprocess those files.
temp_path = tempfile.mktemp(dir=self.working_directory)
with open(temp_path, "w") as myfile:
myfile.write(json.dumps(urls))
request.add_supplementary(temp_path,
"These are urls as a JSON",
display_name="urls.json")
# ==================================================================
# Wrap-up:
# Add all sections to the Result object
result.add_section(default_section)
result.add_section(section_color_map)
result.add_section(url_section)
result.add_section(memdump_section)
request.result = result
def macro_scorer(self, text):
self.log.debug("Macro scorer running")
score_section = None
try:
vba_scanner = VBA_Scanner(text)
vba_scanner.scan(include_decoded_strings=True)
for string in self.ADDITIONAL_SUSPICIOUS_KEYWORDS:
if re.search(string, text, re.IGNORECASE):
# play nice with detect_suspicious from olevba.py
vba_scanner.suspicious_keywords.append((string, 'May download files from the Internet'))
stringcount = len(vba_scanner.autoexec_keywords) + len(vba_scanner.suspicious_keywords) + \
len(vba_scanner.iocs)
if stringcount > 0:
score_section = ResultSection(SCORE.NULL, "Interesting macro strings found")
if len(vba_scanner.autoexec_keywords) > 0:
subsection = ResultSection(min(self.MAX_STRING_SCORE,
SCORE.LOW * len(vba_scanner.autoexec_keywords)),
"Autoexecution strings")
for keyword, description in vba_scanner.autoexec_keywords:
subsection.add_line(keyword)
subsection.add_tag(TAG_TYPE.OLE_MACRO_SUSPICIOUS_STRINGS,
keyword, TAG_WEIGHT.HIGH,
usage=TAG_USAGE.IDENTIFICATION)
score_section.add_section(subsection)
if len(vba_scanner.suspicious_keywords) > 0:
subsection = ResultSection(min(self.MAX_STRING_SCORE,
SCORE.MED * len(vba_scanner.suspicious_keywords)),
"Suspicious strings or functions")
for keyword, description in vba_scanner.suspicious_keywords:
subsection.add_line(keyword)
subsection.add_tag(TAG_TYPE.OLE_MACRO_SUSPICIOUS_STRINGS,
keyword, TAG_WEIGHT.HIGH,
usage=TAG_USAGE.IDENTIFICATION)
score_section.add_section(subsection)
if len(vba_scanner.iocs) > 0:
subsection = ResultSection(min(500, SCORE.MED * len(vba_scanner.iocs)),
"Potential host or network IOCs")
scored_macro_uri = False
for keyword, description in vba_scanner.iocs:
# olevba seems to have swapped the keyword for description during iocs extraction
# this holds true until at least version 0.27
subsection.add_line("{}: {}".format(keyword, description))
desc_ip = self.ip_re.match(description)
if self.parse_uri(description) is True:
scored_macro_uri = True
elif desc_ip:
ip_str = desc_ip.group(1)
if not is_ip_reserved(ip_str):
scored_macro_uri = True
subsection.add_tag(TAG_TYPE.NET_IP,
ip_str,
TAG_WEIGHT.HIGH,
usage=TAG_USAGE.CORRELATION)
score_section.add_section(subsection)
if scored_macro_uri and self.scored_macro_uri is False:
self.scored_macro_uri = True
scored_uri_section = ResultSection(score=500,
title_text="Found network indicator(s) within macros")
self.ole_result.add_section(scored_uri_section)
except Exception as e:
self.log.debug("OleVBA VBA_Scanner constructor failed: {}".format(str(e)))
return score_section
def check_xml_strings(self, path):
xml_target_res = ResultSection(score=SCORE.NULL, title_text="Attached External Template Targets in XML")
xml_ioc_res = ResultSection(score=SCORE.NULL, title_text="IOCs in XML:")
xml_b64_res = ResultSection(score=SCORE.NULL, title_text="Base64 in XML:")
try:
template_re = re.compile(r'/attachedTemplate"\s+[Tt]arget="((?!file)[^"]+)"\s+[Tt]argetMode="External"')
uris = []
zip_uris = []
b64results = {}
b64_extracted = set()
if zipfile.is_zipfile(path):
try:
patterns = PatternMatch()
except:
patterns = None
z = zipfile.ZipFile(path)
for f in z.namelist():
data = z.open(f).read()
if len(data) > 500000:
data = data[:500000]
xml_ioc_res.report_heuristics(Oletools.AL_Oletools_003)
xml_ioc_res.score = min(xml_ioc_res.score, 1)
zip_uris.extend(template_re.findall(data))
# Use FrankenStrings modules to find other strings of interest
# Plain IOCs
if patterns:
pat_strs = ["http://purl.org", "schemas.microsoft.com", "schemas.openxmlformats.org",
"www.w3.org"]
pat_ends = ["themeManager.xml", "MSO.DLL", "stdole2.tlb", "vbaProject.bin", "VBE6.DLL", "VBE7.DLL"]
pat_whitelist = ['Management', 'Manager', "microsoft.com"]
st_value = patterns.ioc_match(data, bogon_ip=True)
if len(st_value) > 0:
for ty, val in st_value.iteritems():
if val == "":
asc_asc = unicodedata.normalize('NFKC', val).encode('ascii', 'ignore')
if any(x in asc_asc for x in pat_strs) \
or asc_asc.endswith(tuple(pat_ends)) \
or asc_asc in pat_whitelist:
continue
else:
xml_ioc_res.score += 1
xml_ioc_res.add_line("Found %s string: %s in file %s}"
% (TAG_TYPE[ty].replace("_", " "), asc_asc, f))
xml_ioc_res.add_tag(TAG_TYPE[ty], asc_asc, TAG_WEIGHT.LOW)
else:
ulis = list(set(val))
for v in ulis:
if any(x in v for x in pat_strs) \
or v.endswith(tuple(pat_ends)) \
or v in pat_whitelist:
continue
else:
xml_ioc_res.score += 1
xml_ioc_res.add_line("Found %s string: %s in file %s"
% (TAG_TYPE[ty].replace("_", " "), v, f))
xml_ioc_res.add_tag(TAG_TYPE[ty], v, TAG_WEIGHT.LOW)
# Base64
b64_matches = set()
for b64_tuple in re.findall('(([\x20]{0,2}[A-Za-z0-9+/]{3,}={0,2}[\r]?[\n]?){6,})',
data):
b64 = b64_tuple[0].replace('\n', '').replace('\r', '').replace(' ', '')
uniq_char = ''.join(set(b64))
if len(uniq_char) > 6:
if len(b64) >= 16 and len(b64) % 4 == 0:
b64_matches.add(b64)
"""
Using some selected code from 'base64dump.py' by Didier Stevens@https://DidierStevens.com
"""
for b64_string in b64_matches:
try:
b64_extract = False
base64data = binascii.a2b_base64(b64_string)
sha256hash = hashlib.sha256(base64data).hexdigest()
if sha256hash in b64_extracted:
continue
# Search for embedded files of interest
if 500 < len(base64data) < 8000000:
m = magic.Magic(mime=True)
ftype = m.from_buffer(base64data)
if 'octet-stream' not in ftype:
for ft in self.filetypes:
if ft in ftype:
b64_file_path = os.path.join(self.working_directory,
"{}_b64_decoded"
.format(sha256hash[0:10]))
self.request.add_extracted(b64_file_path,
"Extracted b64 file during "
"OLETools analysis.")
with open(b64_file_path, 'wb') as b64_file:
b64_file.write(base64data)
self.log.debug("Submitted dropped file for analysis: {}"
.format(b64_file_path))
b64results[sha256hash] = [len(b64_string), b64_string[0:50],
"[Possible base64 file contents in {}. "
"See extracted files.]" .format(f), "", ""]
b64_extract = True
b64_extracted.add(sha256hash)
break
if not b64_extract and len(base64data) > 30:
if all(ord(c) < 128 for c in base64data):
check_utf16 = base64data.decode('utf-16').encode('ascii', 'ignore')
if check_utf16 != "":
asc_b64 = check_utf16
else:
asc_b64 = self.ascii_dump(base64data)
# If data has less then 7 uniq chars then ignore
uniq_char = ''.join(set(asc_b64))
if len(uniq_char) > 6:
if patterns:
st_value = patterns.ioc_match(asc_b64, bogon_ip=True)
if len(st_value) > 0:
for ty, val in st_value.iteritems():
if val == "":
asc_asc = unicodedata.normalize('NFKC', val)\
.encode('ascii', 'ignore')
xml_ioc_res.add_tag(TAG_TYPE[ty], asc_asc, TAG_WEIGHT.LOW)
else:
ulis = list(set(val))
for v in ulis:
xml_ioc_res.add_tag(TAG_TYPE[ty], v, TAG_WEIGHT.LOW)
b64results[sha256hash] = [len(b64_string), b64_string[0:50], asc_b64,
base64data, "{}" .format(f)]
except:
pass
b64index = 0
for b64k, b64l in b64results.iteritems():
xml_b64_res.score = 100
b64index += 1
sub_b64_res = (ResultSection(SCORE.NULL, title_text="Result {0} in file {1}"
.format(b64index, f), parent=xml_b64_res))
sub_b64_res.add_line('BASE64 TEXT SIZE: {}'.format(b64l[0]))
sub_b64_res.add_line('BASE64 SAMPLE TEXT: {}[........]'.format(b64l[1]))
sub_b64_res.add_line('DECODED SHA256: {}'.format(b64k))
subb_b64_res = (ResultSection(SCORE.NULL, title_text="DECODED ASCII DUMP:",
body_format=TEXT_FORMAT.MEMORY_DUMP,
parent=sub_b64_res))
subb_b64_res.add_line('{}'.format(b64l[2]))
if b64l[3] != "":
if patterns:
st_value = patterns.ioc_match(b64l[3], bogon_ip=True)
if len(st_value) > 0:
xml_b64_res.score += 1
for ty, val in st_value.iteritems():
if val == "":
asc_asc = unicodedata.normalize('NFKC', val).encode\
('ascii', 'ignore')
xml_b64_res.add_tag(TAG_TYPE[ty], asc_asc, TAG_WEIGHT.LOW)
else:
ulis = list(set(val))
for v in ulis:
xml_b64_res.add_tag(TAG_TYPE[ty], v, TAG_WEIGHT.LOW)
z.close()
for uri in zip_uris:
if self.parse_uri(uri):
uris.append(uri)
uris = list(set(uris))
# If there are domains or IPs, report them
if uris:
xml_target_res.score = 500
xml_target_res.add_lines(uris)
xml_target_res.report_heuristics(Oletools.AL_Oletools_001)
except Exception as e:
self.log.debug("Failed to analyze XML: {}".format(e))
if xml_target_res.score > 0:
self.ole_result.add_section(xml_target_res)
if xml_ioc_res.score > 0:
self.ole_result.add_section(xml_ioc_res)
if xml_b64_res.score > 0:
self.ole_result.add_section(xml_b64_res)