GitHub - MalwareCantFly/Vba2Graph: Vba2Graph - Generate call graphs from VBA cod...
source link: https://github.com/MalwareCantFly/Vba2Graph
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
README.md
Vba2Graph
A tool for security researchers, who waste their time analyzing malicious Office macros.
Generates a VBA call graph, with potential malicious keywords highlighted.
Allows for quick analysis of malicous macros, and easy understanding of the execution flow.
Features
- Keyword highlighting
- VBA Properties support
- External function declarion support
- Tricky macros with "_Change" execution triggers
- Fancy color schemes!
Pros
✓ Pretty fast
✓ Works well on most malicious macros observed in the wild
Cons
✗ Static (dynamicaly resolved calls would not be recognized)
Examples
Example 1:
Trickbot downloader - utilizes object Resize event as initial trigger, followed by TextBox_Change triggers.
Example 2:
Check out the Examples folder for more cases.
Installation
Install oletools:
https://github.com/decalage2/oletools/wiki/Install
Install Python Requirements
pip install -r requirements.txt
Install Graphviz
Windows
Install Graphviz msi:
https://graphviz.gitlab.io/_pages/Download/Download_windows.html
Add "dot.exe" to PATH env variable or just:
set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin
Mac
brew install graphviz
Ubuntu
sudo apt-get install graphviz
Arch
sudo pacman -S graphviz
Usage (All Platforms)
olevba malicious.doc | python vba2graph.py -c 1
python vba2graph.py -i olevba_output.bas -o output_folder
Output
You'll get 3 folders in your output folder:
- png: the actual graph image you are looking for
- dot: the dot file which was used to create the graph image
- bas: the VBA functions code that was recognized by the script (for debugging)
Batch Processing
Mac/Linux:
batch.sh script file is attached for running olevba and vba2graph on an input folder of malicious docs.
Deletes output dir. use with caution.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK