mraptor evasion via Workbook_BeforeClose #518
Comments
|
After adding Workbook_BeforeClose to https://github.com/decalage2/oletools/blob/master/oletools/olevba.py#L632 and _BeforeClose to https://github.com/decalage2/oletools/blob/master/oletools/mraptor.py#L118 the AutoExec function is correctly recognized. |
|
The milestone says 0.56, 0.55, but this bug is still open |
c-rosenberg
pushed a commit
to HeinleinSupport/oletools
that referenced
this issue
Dec 2, 2021
ljuturu
pushed a commit
to ljuturu/oletools
that referenced
this issue
Apr 21, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We received the attached Excel file (password 123), which contains a malicios macro that triggers on "Private Sub Workbook_BeforeClose". Unfortunately mraptor does not detect this file as suspicious, because it only looks for "Document_BeforeClose" or "Workbook_Close", but not "Workbook_BeforeClose" (https://docs.microsoft.com/en-us/office/vba/api/excel.workbook.beforeclose)
The same is true for olevba, which does not recognize an autoexec function via its AUTOEXEC_KEYWORDS.
The fix is trivial, probably not worth a PR
Balance payment.zip
The text was updated successfully, but these errors were encountered: