How to use the oletools.olevba3.VBA_Parser function in oletools

To help you get started, we’ve selected a few oletools examples, based on popular ways it is used in public projects.


github xlwings / git-xl / src / diff.py
def get_vba(workbook):
    """Collect VBA module source from ``workbook`` using olevba's ``VBA_Parser``.

    The excerpt shown on this page ends before ``modules`` is populated or
    returned, so the function's final result is not visible here.

    Args:
        workbook: the document to inspect, in whatever form ``VBA_Parser``
            accepts; it is parser input and should be treated as untrusted.
    """
    vba_parser = VBA_Parser(workbook)
    # Extract only when the parser reports macros; otherwise work on an empty list.
    vba_modules = vba_parser.extract_all_macros() if vba_parser.detect_vba_macros() else []

    modules = {}

    # Each extracted entry is a 4-tuple; only its last element (the module code) is used.
    for _, _, _, content in vba_modules:
        # latin-1 maps every byte value, so the decode itself cannot raise;
        # assumes ``content`` is bytes here — TODO confirm against the olevba version in use.
        decoded_content = content.decode('latin-1')
        lines = []
        # Split on CRLF when the text contains one, otherwise on LF.
        if '\r\n' in decoded_content:
            lines = decoded_content.split('\r\n')
        else:
            lines = decoded_content.split('\n')
        # str.split always yields at least one element, so this branch is always taken.
        if lines:
            # The first line is expected to be the `Attribute VB_Name = "..."` header.
            # The prefix is removed by plain string replace, so if that header is absent
            # the whole first line (document-controlled text) becomes the module name.
            name = lines[0].replace('Attribute VB_Name = ', '').strip('"')
            # Drop the remaining `Attribute ... VB_...` metadata lines and keep the code.
            content = [line for line in lines[1:] if not (
                line.startswith('Attribute') and 'VB_' in line)]
            # Number of non-empty code lines; not consumed within this excerpt.
            non_empty_lines_of_code = len([c for c in content if c])
github malice-plugins / office / docs / office.py
def parse_vba(self, save_path):
        """Detect VBA macros in the current session's file and prepare result buckets.

        Only the start of the method is shown on this page; ``save_path`` and
        ``save`` are not used within this excerpt.
        """
        save = False
        # The file under analysis comes from the module-level ``__sessions__`` object (not shown here).
        vbaparser = VBA_Parser(__sessions__.current.file.path)
        # Check for Macros
        if not vbaparser.detect_vba_macros():
            self.log('error', "No Macro's Detected")
            return
        self.log('info', "Macro's Detected")
        # try:
        # ``if True:`` stands in for the commented-out ``try:``, so any exception raised
        # while parsing a malformed or hostile document propagates to the caller.
        if True:
            # One list per finding category; how they are filled is outside this excerpt.
            an_results = {
                'AutoExec': [],
                'Suspicious': [],
                'IOC': [],
                'Hex String': [],
                'Base64 String': [],
                'Dridex string': [],
                'VBA string': []
            }
github viper-framework / viper / viper / modules / office.py
def parse_vba(self, save_path):
        """Detect VBA macros in the current session's file and scan each module.

        Only the start of the method is shown on this page: the loop over scan
        results at the end of the excerpt has no body here, and ``save_path``
        and ``save`` are unused within it.
        """
        save = False
        # The file under analysis comes from the module-level ``__sessions__`` object (not shown here).
        vbaparser = VBA_Parser(__sessions__.current.file.path)
        # Check for Macros
        if not vbaparser.detect_vba_macros():
            self.log('error', "No Macro's Detected")
            return
        self.log('info', "Macro's Detected")
        # try:
        # ``if True:`` stands in for the commented-out ``try:``; exceptions from parsing
        # a malformed or hostile document are not caught here and reach the caller.
        if True:
            # One list per finding category; how they are filled is outside this excerpt.
            an_results = {'AutoExec': [], 'Suspicious': [], 'IOC': [], 'Hex String': [], 'Base64 String': [], 'Dridex string': [], 'VBA string': []}
            # extract_macros() yields (file name, OLE stream path, VBA file name, VBA code).
            for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
                self.log('info', "Stream Details")
                # stream_path and vba_filename are taken from the document itself;
                # string_clean (defined elsewhere) is applied before they are written to the log.
                self.log('item', "OLE Stream: {0}".format(string_clean(stream_path)))
                self.log('item', "VBA Filename: {0}".format(string_clean(vba_filename)))
                # Analyse the VBA Code
                vba_scanner = VBA_Scanner(vba_code)
                # include_decoded_strings=True asks the scanner to include decoded strings in its results.
                analysis = vba_scanner.scan(include_decoded_strings=True)
                # Each result is unpacked as (type, keyword, description); the loop body is cut off on this page.
                for kw_type, keyword, description in analysis:
github target / strelka / src / python / strelka / scanners / scan_vba.py
def scan(self, data, file, options, expire_at):
        """Extract VBA macros from the scanned file and hand each module to the coordinator.

        Only the start of the method is shown on this page; the ``try`` opened
        below has no matching ``except`` within this excerpt.

        Args:
            data: file contents passed to the parser as ``data`` (untrusted).
            file: scanned-file record; ``file.name`` is passed to the parser.
            options: scanner options; ``analyze_macros`` is read but not used
                within this excerpt.
            expire_at: expiry forwarded unchanged to ``upload_to_coordinator``.
        """
        analyze_macros = options.get('analyze_macros', True)

        # Counters reported on the scan event; 'files' is set below, 'extracted'
        # is not updated within this excerpt.
        self.event['total'] = {'files': 0, 'extracted': 0}

        try:
            vba = olevba3.VBA_Parser(filename=file.name, data=data)
            if vba.detect_vba_macros():
                # Materialised so the module count can be recorded before iterating.
                extract_macros = list(vba.extract_macros())
                self.event['total']['files'] = len(extract_macros)
                for (filename, stream_path, vba_filename, vba_code) in extract_macros:
                    # The child file is named after the document-supplied VBA file name,
                    # used as-is here; downstream consumers should treat it as untrusted text.
                    extract_file = strelka.File(
                        name=f'{vba_filename}',
                        source=self.name,
                    )

                    # Module source is split by strelka.chunk_string and uploaded piecewise.
                    for c in strelka.chunk_string(vba_code):
                        self.upload_to_coordinator(
                            extract_file.pointer,
                            c,
                            expire_at,
                        )
github PUNCH-Cyber / stoq-plugins-public / mraptor / mraptor / mraptor.py
async def scan(self, payload: Payload, request: Request) -> WorkerResponse:
        """Run MacroRaptor over the VBA macros found in ``payload.content``.

        Only the start of the coroutine is shown on this page; the
        ``WorkerResponse`` built from ``results`` is not visible here.
        """
        results: Dict = {}
        # Prefer a filename recorded in the payload's extra_data; fall back to the payload id.
        filename = payload.results.payload_meta.extra_data.get(
            'filename', payload.results.payload_id
        )
        vba_parser = olevba.VBA_Parser(filename=filename, data=payload.content)

        if vba_parser.detect_vba_macros():
            # Index 3 of each extracted tuple is the module source code.
            vba_modules: List[str] = [
                vba_code[3] for vba_code in vba_parser.extract_all_macros()
            ]
            # All modules are concatenated so MacroRaptor sees them as one body of code.
            mraptor = MacroRaptor('\n'.join(vba_modules))
            mraptor.scan()
            # Map raw flags through this worker's FLAGS table; flags without an entry are silently dropped.
            flags = [
                self.FLAGS[flag] for flag in mraptor.get_flags() if flag in self.FLAGS
            ]
            results = {
                # NOTE: the key is spelled 'suspicous' (sic); consumers must match this exact spelling.
                'suspicous': mraptor.suspicious,
                'flags': flags,
                'filetype': vba_parser.type,
                'matches': mraptor.matches,
            }
github guelfoweb / peframe / peframe / modules / macro.py
def get_result(filename):
	"""Summarise the macro behaviour of ``filename`` using olevba's ``VBA_Parser``.

	Only the start of the function is shown on this page; the ``try`` has no
	``except`` within this excerpt and the return value is not visible.
	"""
	try:
		# keyword -> shortened description, for AutoExec and Suspicious findings only.
		behavior = {}

		vbaparser = VBA_Parser(filename)

		if vbaparser.detect_vba_macros():
			# Each analyze_macros() item is indexed below as (type, keyword, description).
			results = vbaparser.analyze_macros()
			for item in results:
				# Greedy pattern: removes everything from the first '(' to the last ')',
				# then abbreviates 'strings' and drops a single trailing space.
				details = re.sub(r'\(.*\)', '', str(item[2]))
				details = details.replace('strings', 'str')
				details = re.sub(r' $', '', details)
				# Keyed by keyword, so a keyword reported more than once keeps the last description.
				if item[0] == 'AutoExec':
					behavior.update({item[1]: details})
				if item[0] == 'Suspicious':
					behavior.update({item[1]: details})

			# reveal() returns macro source text — presumably with decoded strings substituted; confirm against olevba docs.
			macro = vbaparser.reveal()
			# Pull out the `Attribute VB...` metadata lines, then strip them from the code.
			attributes = re.findall(r'Attribute VB.*', macro, flags=re.MULTILINE)
			macro = re.sub(r'Attribute VB.*', '', macro)