|
|
|
|
@ -13,7 +13,7 @@ oletools {
|
|
|
|
|
OLETOOLS_MACRO_FOUND= '^.....M..$';
|
|
|
|
|
OLETOOLS_AUTOEXEC = '^A....M..$';
|
|
|
|
|
OLETOOLS_SUSPICIOUS = '^.....MS.$';
|
|
|
|
|
OLETOOLS_VBASTOMP = '^.....M.V$';
|
|
|
|
|
OLETOOLS_VBASTOMP = '^VBA Stomping$';
|
|
|
|
|
# see https://github.com/decalage2/oletools/blob/master/oletools/mraptor.py
|
|
|
|
|
OLETOOLS_A = '(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)|Document(?:_?Open|_Close|_?BeforeClose|Change|_New)|NewDocument|Workbook(?:_Open|_Activate|_Close|_BeforeClose)|\w+_(?:Painted|Painting|GotFocus|LostFocus|MouseHover|Layout|Click|Change|Resize|BeforeNavigate2|BeforeScriptExecute|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload|NavigateComplete2|NavigateError|ProgressChange|PropertyChange|SetSecureLockIcon|StatusTextChange|TitleChange|MouseMove|MouseEnter|MouseLeave|OnConnecting))|Auto_Ope\b';
|
|
|
|
|
OLETOOLS_W = '(?i)\b(?:FileCopy|CopyFile|Kill|CreateTextFile|VirtualAlloc|RtlMoveMemory|URLDownloadToFileA?|AltStartupPath|WriteProcessMemory|ADODB\.Stream|WriteText|SaveToFile|SaveAs|SaveAsRTF|FileSaveAs|MkDir|RmDir|SaveSetting|SetAttr)\b|(?:\bOpen\b[^\n]+\b(?:Write|Append|Binary|Output|Random)\b)';
|
|
|
|
|
|
Florent Daigniere
3 years ago