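def parse_vba(self, save_path):
    """Extract and scan the VBA macros of the current session file.

    Opens ``__sessions__.current.file.path`` with ``VBA_Parser``. If no macros
    are detected an error is logged and the method returns. Otherwise each
    extracted macro is scanned with ``VBA_Scanner`` (decoded strings included),
    the findings are grouped by the keyword type the scanner reports and
    reported as tables, and, when ``save_path`` is given, the raw VBA source
    of every macro is appended to that file.

    Args:
        save_path: path of a file the extracted VBA source is appended to, or a
            falsy value to skip saving. The file is opened in append mode, so
            repeated runs accumulate code in it. A write failure is logged and
            aborts the analysis before the summary tables are printed.

    Returns:
        None. All output goes through ``self.log``; the parser is always
        closed, including on the early returns.
    """
    from collections import defaultdict

    vbaparser = VBA_Parser(__sessions__.current.file.path)
    try:
        # Check for Macros
        if not vbaparser.detect_vba_macros():
            self.log('error', "No Macro's Detected")
            return
        self.log('info', "Macro's Detected")

        # (result key, table title, table header) in the order the tables are
        # printed. NOTE(review): confirm these keys match the kw_type labels
        # VBA_Scanner reports; a key it never reports simply yields an empty
        # table (a defaultdict below avoids a KeyError on unexpected labels).
        tables = [
            ('AutoExec', "AutoRun Macros Found", ['Method', 'Description']),
            ('Suspicious', "Suspicious Keywords Found", ['KeyWord', 'Description']),
            ('IOC', "Possible IOC's", ['IOC', 'Type']),
            ('Hex String', "Hex Strings", ['Decoded', 'Raw']),
            ('Base64 String', "Base64 Strings", ['Decoded', 'Raw']),
            ('Dridex String', "Dridex String", ['Decoded', 'Raw']),
            ('VBA string', "VBA string", ['Decoded', 'Raw']),
        ]
        an_results = defaultdict(list)
        saved = False

        for _filename, stream_path, vba_filename, vba_code in vbaparser.extract_macros():
            self.log('info', "Stream Details")
            self.log('item', "OLE Stream: {0}".format(string_clean(stream_path)))
            self.log('item', "VBA Filename: {0}".format(string_clean(vba_filename)))

            # Analyse the VBA code; decoded strings are included so obfuscated
            # (hex/base64/...) strings are reported as well.
            analysis = VBA_Scanner(vba_code).scan(include_decoded_strings=True)
            for kw_type, keyword, description in analysis:
                an_results[kw_type].append([string_clean_hex(keyword), description])

            # Save the code to the external file. The macro source comes from
            # the analysed document and is written verbatim, so consumers of
            # that file should treat its content as untrusted.
            if save_path:
                try:
                    with open(save_path, 'a') as out:
                        out.write(vba_code)
                    saved = True
                except Exception as exc:
                    # A bare except would also swallow KeyboardInterrupt/SystemExit.
                    self.log('error', "Unable to write to {0}: {1}".format(save_path, exc))
                    return

        # Print all tables together, in a fixed order.
        for key, title, header in tables:
            self.log('info', title)
            self.log('table', dict(header=header, rows=an_results[key]))

        if saved:
            self.log('success', "Writing VBA Code to {0}".format(save_path))
    finally:
        # Close the file even when one of the early returns above is taken.
        vbaparser.close()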
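def parse_vba(self, save_path):
    """Parse VBA scripts of the current session file.

    Opens ``__sessions__.current.file.path`` with ``VBA_Parser``. If no macros
    are detected an error is logged and the method returns. Otherwise each
    extracted macro is scanned with ``VBA_Scanner`` (decoded strings included),
    the findings are grouped by the keyword type the scanner reports and every
    non-empty group is reported as a table. When ``save_path`` is given, the
    raw VBA source of every macro is appended to that file.

    Args:
        save_path: path of a file the extracted VBA source is appended to, or a
            falsy value to skip saving. The file is opened in append mode, so
            repeated runs accumulate code in it. A write failure is logged
            (with the exception text) and aborts the analysis before the
            summary tables are printed.

    Returns:
        None. All output goes through ``self.log``; the parser is always
        closed, including on the early returns.
    """
    from collections import defaultdict

    vbaparser = VBA_Parser(__sessions__.current.file.path)
    try:
        # Check for Macros
        if not vbaparser.detect_vba_macros():
            self.log("error", "No macros detected")
            return
        self.log("info", "Macros detected")

        # (result key, table title, table header) in the order the tables are
        # printed. NOTE(review): confirm these keys match the kw_type labels
        # VBA_Scanner reports; a key it never reports is simply not printed
        # (a defaultdict below avoids a KeyError on unexpected labels).
        tables = [
            ("AutoExec", "Autorun macros found", ["Method", "Description"]),
            ("Suspicious", "Suspicious keywords found", ["Keyword", "Description"]),
            ("IOC", "Possible IOCs", ["IOC", "Type"]),
            ("Hex String", "Hex strings", ["Decoded", "Raw"]),
            ("Base64 String", "Base64 strings", ["Decoded", "Raw"]),
            ("Dridex string", "Dridex strings", ["Decoded", "Raw"]),
            ("VBA string", "VBA strings", ["Decoded", "Raw"]),
        ]
        an_results = defaultdict(list)
        saved = False

        for _filename, stream_path, vba_filename, vba_code in vbaparser.extract_macros():
            self.log("info", "Stream Details")
            self.log("item", "OLE Stream: {0}".format(string_clean(stream_path)))
            self.log("item", "VBA Filename: {0}".format(string_clean(vba_filename)))

            # Analyse the VBA code; decoded strings are included so obfuscated
            # (hex/base64/...) strings are reported as well.
            analysis = VBA_Scanner(vba_code).scan(include_decoded_strings=True)
            for kw_type, keyword, description in analysis:
                an_results[kw_type].append([string_clean_hex(keyword), description])

            # Save the code to the external file. The macro source comes from
            # the analysed document and is written verbatim, so consumers of
            # that file should treat its content as untrusted.
            if save_path:
                try:
                    with open(save_path, "a") as out:
                        out.write(vba_code)
                    saved = True
                except Exception as e:
                    self.log("error", "Unable to write to {0}: {1}".format(save_path, e))
                    return

        # Print all tables together, skipping the empty ones.
        for key, title, header in tables:
            rows = an_results[key]
            if rows:
                self.log("info", title)
                self.log("table", dict(header=header, rows=rows))

        if saved:
            self.log("success", "Writing VBA Code to {0}".format(save_path))
    finally:
        # Close the file even when one of the early returns above is taken.
        vbaparser.close()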