Vba2Graph: A tool for security researchers to analyze malware.
Allows for quick analysis of malicious macros and easy understanding of the execution flow. It generates a VBA call graph for easier analysis of malicious documents. Developed by @MalwareCantFly.
- Keyword highlighting
- VBA Properties support
- External function declaration support
- Tricky macros with "_Change" execution triggers
- Fancy color schemes
Pros
✓ Pretty fast
✓ Works well on most malicious macros observed in the wild
Cons
✗ Static (dynamically resolved calls would not be recognized)
Trickbot downloader - utilizes object Resize event as initial trigger, followed by TextBox_Change triggers.
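To show what a static VBA call graph captures, and why the "Static" limitation and the event triggers mentioned above matter, here is an added example (not Vba2Graph's own code). The sample macro, the regular expressions and the list of trigger names are assumptions constructed for illustration.

```python
import re

# Constructed sample macro (not from a real document).
SAMPLE_VBA = '''
Private Sub Frame1_Resize()
    TextBox1.Text = "go"
End Sub
Private Sub TextBox1_Change()
    Stage2 "payload"
End Sub
Sub Stage2(arg As String)
    s = Decode(arg)
    Application.Run "Hid" & "den"   ' resolved only at run time
End Sub
Function Decode(x As String) As String
    Decode = StrReverse(x)
End Function
Sub Hidden()
    MsgBox "reached only through Application.Run"
End Sub
'''

PROC_RE = re.compile(
    r'^[ \t]*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?(Sub|Function)\s+(\w+)'
    r'(.*?)^[ \t]*End\s+\1\b', re.I | re.M | re.S)
# Assumed, illustrative list of procedure names that run without a caller.
TRIGGER_RE = re.compile(
    r'^(Auto_?Open|Document_Open|Workbook_Open|\w+_(Change|Resize))$', re.I)

def build_call_graph(vba_source):
    """Return ({caller: set(callees)}, set(trigger procedures))."""
    procs = {m.group(2): m.group(3) for m in PROC_RE.finditer(vba_source)}
    graph = {}
    for name, body in procs.items():
        # Blank out string literals, then comments, so quoted names add no edge.
        code = re.sub(r"'.*", '', re.sub(r'"[^"]*"', '""', body))
        words = {w.lower() for w in re.findall(r'\w+', code)}
        graph[name] = {p for p in procs if p != name and p.lower() in words}
    return graph, {n for n in procs if TRIGGER_RE.match(n)}

def to_dot(graph, triggers):
    """Render Graphviz DOT text, filling trigger nodes."""
    lines = ['digraph vba {']
    for n in sorted(graph):
        lines.append(f'  "{n}"' + (' [style=filled];' if n in triggers else ';'))
        lines += [f'  "{n}" -> "{c}";' for c in sorted(graph[n])]
    return '\n'.join(lines + ['}'])

if __name__ == '__main__':
    print(to_dot(*build_call_graph(SAMPLE_VBA)))
```

In the resulting graph, Hidden has no incoming edge because its name is assembled from strings at run time, so an isolated procedure in a static graph is a cue to look for dynamic invocation rather than proof of dead code.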
Install Python Requirements
pip install -r requirements.txt
Install Graphviz
For Windows
Install Graphviz msi:
Add "dot.exe" to PATH env variable or just:
set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin
For Mac
brew install graphviz
For Debian/Ubuntu
sudo apt-get install graphviz
For Arch
sudo pacman -S graphviz
Usage (All Platforms)
olevba malicious.doc | python vba2graph.py -c 1
python vba2graph.py -i olevba_output.bas -o output_folder
Output
You'll get 3 folders in your output folder:
- png: the actual graph image you are looking for
- dot: the dot file which was used to create the graph image
- bas: the VBA functions code that was recognized by the script (for debugging)
A batch.sh script file is attached for running olevba and vba2graph on an input folder of malicious docs.
It deletes the output dir. Use with caution.