恶意代码防范>> Vba2Graph>> 返回
项目作者: MalwareCantFly

项目描述 :
Vba2Graph - 从VBA代码生成调用图,以便更轻松地分析恶意文档。
高级语言: Python
项目地址: git://github.com/MalwareCantFly/Vba2Graph.git


Vba2Graph

A tool for security researchers, who waste their time analyzing malicious Office macros.

Generates a VBA call graph, with potential malicious keywords highlighted.

Allows for quick analysis of malicous macros, and easy understanding of the execution flow.

@MalwareCantFly

Features

  • Keyword highlighting
  • VBA Properties support
  • External function declarion support
  • Tricky macros with “_Change” execution triggers
  • Fancy color schemes!

Pros

  1.  Pretty fast
  3.  Works well on most malicious macros observed in the wild

Cons

  1.  Static (dynamicaly resolved calls would not be recognized)

Examples

Example 1:

Trickbot downloader - utilizes object Resize event as initial trigger, followed by TextBox_Change triggers.

Example 1

Example 2:

Example2

Check out the Examples folder for more cases.

Installation

Install oletools:

  1. https://github.com/decalage2/oletools/wiki/Install

Install Python Requirements

  1. pip3 install -r requirements.txt

Install Graphviz

Windows

Install Graphviz:

  1. https://graphviz.gitlab.io/download/#windows

Add “dot.exe” to PATH env variable or just:

  1. set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin

Mac

  1. brew install graphviz

Ubuntu

  1. sudo apt-get install graphviz

Arch

  1. sudo pacman -S graphviz

Usage

  1. usage: vba2graph.py [-h] [-o OUTPUT] [-c {0,1,2,3}] (-i INPUT | -f FILE)
  3. optional arguments:
  4.   -h, --help            show this help message and exit
  5.   -o OUTPUT, --output OUTPUT
  6.                         output folder (default: "output")
  7.   -c {0,1,2,3}, --colors {0,1,2,3}
  8.                         color scheme number [0, 1, 2, 3] (default: 0 - B&W)
  9.   -i INPUT, --input INPUT
  10.                         olevba generated file or .bas file
  11.   -f FILE, --file FILE  Office file with macros

Usage Examples (All Platforms)

Please note that a Python 2 release is availiable in the Releases section, but is no longer supported.

  1. # Generate call graph directly from an Office file with macros [tnx @doomedraven]
  2. python3 vba2graph.py -f malicious.doc -c 2    
  4. # Generate vba code using olevba then pipe it to vba2graph
  5. olevba3 malicious.doc | python3 vba2graph.py -c 1
  7. # Generate call graph from VBA code
  8. python3 vba2graph.py -i vba_code.bas -o output_folder

Output

You’ll get 4 folders in your output folder:

  • png: the actual graph image you are looking for
  • svg: same graph image, just in vector graphics
  • dot: the dot file which was used to create the graph image
  • bas: the VBA functions code that was recognized by the script (for debugging)

Batch Processing

Mac/Linux:

batch.sh script file is attached for running olevba and vba2graph on an input folder of malicious docs.

Deletes output dir. use with caution.

License

The code in this project is licensed under the EPL-2.0 License.

This project is utilizing the following third-party open-source tools and libraries.
Please note their respective licenses.