###############################################################################
# #
# Peekaboo Extended Email Attachment Behavior Observation Owl #
# #
# toolbox/ #
# ole.py #
###############################################################################
# #
# Copyright (C) 2016-2019 science + computing ag #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or (at #
# your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, but #
# WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU #
# General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
import logging
import re
from oletools.olevba import VBA_Parser
# Module-level logger; get_report() uses it to record parser crashes.
logger = logging.getLogger(__name__)
class OleNotAnOfficeDocumentException(Exception):
    """ Raised when a sample is not recognised as a Microsoft Office document.

    The exception argument is the sample's file extension.
    """
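class Oletools(object):
    """ Parent class, defines interface to Oletools. """

    # Container types olevba reports for Office documents.
    # List from oletools/olevba.py#L553
    _OLE_TYPES = ('OLE', 'OpenXML', 'FlatOPC_XML', 'Word2003_XML', 'MHTML', 'PPT')

    def __init__(self):
        # Kept as a per-instance list so callers that read or extend
        # ``self.MS_OFFICE_EXTENSIONS`` keep working unchanged.
        self.MS_OFFICE_EXTENSIONS = [
            "doc", "docm", "dotm", "docx",
            "ppt", "pptm", "pptx", "potm", "ppam", "ppsm",
            "xls", "xlsm", "xlsx",
        ]

    def get_report(self, sample):
        """ Return oletools report or create if not already cached.

        @param sample: sample object exposing ``oletools_report``,
            ``file_extension``, ``file_path`` and
            ``register_oletools_report()``.
        @return: dict with the optional keys ``has_macros`` and ``vba``.
            The dict is empty when olevba could not parse the file.
        @raise OleNotAnOfficeDocumentException: if the extension is not in
            MS_OFFICE_EXTENSIONS or olevba does not classify the file as an
            Office container.
        @raise IOError: if the file cannot be read.
        """
        if sample.oletools_report is not None:
            return sample.oletools_report

        if sample.file_extension not in self.MS_OFFICE_EXTENSIONS:
            raise OleNotAnOfficeDocumentException(sample.file_extension)

        report = {}
        try:
            vbaparser = VBA_Parser(sample.file_path)
            try:
                # check if olevba detects it as an office file
                if vbaparser.type not in self._OLE_TYPES:
                    raise OleNotAnOfficeDocumentException(sample.file_extension)
                # VBA_Parser reports macros for office documents
                report['has_macros'] = (vbaparser.detect_vba_macros()
                                        or vbaparser.detect_xlm_macros())
                try:
                    report['vba'] = vbaparser.reveal()
                except TypeError:
                    # no macros
                    pass
            finally:
                # Close on every path (including the raise above) so the file
                # handle is not leaked.
                vbaparser.close()
        except (IOError, OleNotAnOfficeDocumentException):
            # Both belong to this method's contract; the catch-all below must
            # not swallow them. Previously the "not an office file" raise
            # inside the try was logged and silently turned into an empty
            # report.
            raise
        except TypeError:
            # The given file is not an office document.
            pass
        except Exception as error:
            # Best-effort: a parser crash on a malformed sample yields an
            # empty report. NOTE(review): OletoolsReport reads an empty report
            # as "no macros", so this path fails open for the caller.
            logger.exception(error)

        sample.register_oletools_report(report)
        return report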
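class OletoolsReport(object):
    """ Represents a custom Oletools report. """

    def __init__(self, report):
        # ``report`` is the dict produced by Oletools.get_report(); the keys
        # 'has_macros' and 'vba' are both optional.
        self.report = report

    def has_office_macros(self):
        """
        Detects macros in Microsoft Office documents.
        @return: True if macros were found, otherwise False.
        If VBA_Parser crashes it returns False too.
        """
        try:
            return self.report['has_macros']
        except KeyError:
            return False

    def has_office_macros_with_suspicious_keyword(self, suspicious_keywords):
        """
        Detects macros with supplied suspicious keywords in Microsoft Office documents.
        @param suspicious_keywords: List of suspicious keyword regexes.
        @return: True if macros with keywords were found, otherwise False.
        If VBA_Parser crashes it returns False too.
        """
        # Keep the try body to the one lookup that can legitimately raise
        # KeyError; the original wrapped the whole search loop.
        try:
            vba = self.report['vba']
        except KeyError:
            # no revealed VBA source (no macros, or the parser crashed)
            return False
        # The patterns run against macro source taken from the sample itself,
        # so keep the configured regexes simple and bounded.
        return any(re.search(keyword, vba) for keyword in suspicious_keywords)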