
olevba - display a hint when --deobf should be used #40

Open
decalage2 opened this issue Apr 19, 2016 · 3 comments

@decalage2
Owner

Originally reported by: Philippe Lagadec (Bitbucket: decalage, GitHub: decalage2)


Display a message to use the option --deobf when some VBA keywords are found in the code: Chr*, StrReverse, etc.


@Maijin
Contributor

Maijin commented Jul 12, 2019

That's already happening e.g.

+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |AutoOpen            |Runs when the Word document is opened        |
|Suspicious|Shell               |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|Run                 |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|Chr                 |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|ChrW                |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Dridex Strings      |Dridex-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

@yoshimo

yoshimo commented Jul 12, 2019

Is there a reason why it is behind an extra option and isn't just decoded automatically?

@decalage2
Owner Author

@yoshimo: this is because the deobfuscation algorithm is implemented using a partial VBA language parser built with pyparsing, and on some samples it may take a very long time to process. So it is optional until we find a much faster way to implement it.
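A minimal keyword-hint scanner of the kind reflected in the olevba table above, added here as an example (not olevba's code): it flags the Chr*/StrReverse keywords and hex/base64 literals with cheap regular expressions and reports whether the slower parser-based --deobf pass that decalage2 describes is worth running. The VBA sample, regex thresholds and function names are constructed for this example.

```python
import re

# Constructed VBA sample for this example (not from the issue): an AutoOpen macro that
# builds a command with Chr() and StrReverse() and embeds a hex-encoded blob.
SAMPLE_VBA = r'''
Sub AutoOpen()
    s = Chr(99) & Chr(109) & Chr(100)            ' "cmd", one character at a time
    s = s & StrReverse("exe.")                   ' reversed literal
    blob = "4d5a90000300000004000000ffff0000"    ' hex-encoded data
    Shell s, vbHide
End Sub
'''

DEOBF_HINT = "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
DECODE_HINT = "%s-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)"
# (keyword, type, description); wording follows the olevba table quoted in this thread.
KEYWORD_HINTS = [
    ("AutoOpen",   "AutoExec",   "Runs when the Word document is opened"),
    ("Shell",      "Suspicious", "May run an executable file or a system command"),
    ("Chr",        "Suspicious", DEOBF_HINT),
    ("ChrW",       "Suspicious", DEOBF_HINT),
    ("StrReverse", "Suspicious", DEOBF_HINT),
]
# String-literal classifiers with thresholds chosen for this example (not olevba's own):
# 16+ hex digits of even length, or 20+ base64 characters with optional padding.
STRING_LITERAL_RE = re.compile(r'"([^"\n]*)"')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2}){8,}')
BASE64_RE = re.compile(r'[A-Za-z0-9+/]{20,}={0,2}')

def scan_vba(code):
    """Return (type, keyword, description) rows for the hints triggered by VBA source."""
    rows = []
    for keyword, kind, description in KEYWORD_HINTS:
        # Whole-word and case-insensitive: VBA identifiers are case-insensitive, and the
        # word boundary keeps "Chr" from also firing on every "ChrW".
        if re.search(r'\b' + re.escape(keyword) + r'\b', code, re.IGNORECASE):
            rows.append((kind, keyword, description))
    literals = STRING_LITERAL_RE.findall(code)
    if any(HEX_RE.fullmatch(s) for s in literals):
        rows.append(("Suspicious", "Hex Strings", DECODE_HINT % "Hex"))
    # A long hex literal also fits the base64 alphabet, so exclude hex before counting.
    if any(BASE64_RE.fullmatch(s) and not HEX_RE.fullmatch(s) for s in literals):
        rows.append(("Suspicious", "Base64 Strings", DECODE_HINT % "Base64"))
    return rows

def deobf_hint_needed(rows):
    """True when a hint recommends --deobf, i.e. the slower parser-based pass is worth running."""
    return any("--deobf" in description for _, _, description in rows)
```

Running the fast keyword pass first and only then deciding on --deobf keeps the expensive pyparsing step off the common path for macros that show no obfuscation indicators.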
