- Non-ASCII macro names and other metadata
- Multiple macros embedded into the same document
- Handling various types of macro obfuscation
Looking for more samples so that I have a larger test bed to work with. I'd like to see what bugs arise before committing this code. It's basically a merger of Decalage's oletools code with the static.py processing module from Cuckoo. All VMs have Office 2010 configured to autorun macros, so newer campaigns should still beacon out. This allows me to compare the results of the static analysis / parsers with the results from the behavioral analysis.
PS. Would also appreciate any feedback on UI improvements / enhancements.
EDIT: Based on recent submissions, I made some changes to the IOC parser (best effort at the end of the day). Have not had a chance to dig into the custom XOR functions (like key-based XOR), and currently variable-based string concatenation is broken. I have re-run the reporting modules and updated the front end to display the new IOCs. There is oftentimes good luck in investigating the Dropped Files tab, as I have a button to display ASCII data. You can view many of the temporary files from the web interface itself. (ex. *.vbs / *.bat / *.ps1)
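The variable-based string concatenation and Chr() cases the post mentions, as an added example that is not part of the original post and is neither the author's tool nor oletools code: a small Python resolver that walks VBA assignments in order, joins `&`-concatenated literals, Chr() calls and previously assigned variables, and then pulls URL IOCs out of the resolved strings. The macro text, the `malware.example` host and every function name here are constructed for illustration.

```python
"""Resolve simple VBA string obfuscation (literal concatenation with '&',
Chr() calls and variable-to-variable concatenation) and pull URL IOCs out
of the resolved strings. Added example for this thread; it is not the
author's tool and not oletools code. All macro text below is constructed."""
import re

# Constructed sample macro: the URL only exists once the pieces are joined.
SAMPLE_MACRO = '''
Sub AutoOpen()
    Dim p As String, h As String, u As String
    p = "ht" & "tp://"                       ' scheme split across literals
    h = "mal" & Chr(119) & "are.example"     ' Chr(119) = "w"
    u = p & h & "/payload" & Chr(46) & "exe" ' Chr(46) = "."
    t = "innocent " & "text"
End Sub
'''

ASSIGN_RE = re.compile(r'^\s*(?:Let\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
CHR_RE = re.compile(r'^Chr[WB]?\(\s*(\d+)\s*\)$', re.IGNORECASE)
URL_RE = re.compile(r'https?://[\w.-]+(?:/[^\s"\']*)?', re.IGNORECASE)
# Statements that contain '=' but are not assignments we want to evaluate.
SKIP_PREFIXES = ('if ', 'elseif ', 'for ', 'while ', 'do ', 'dim ', 'const ')


def strip_comment(line):
    """Remove a trailing VBA comment (') that is not inside a string literal."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def split_concat(expr):
    """Split an expression on '&' operators that sit outside string literals."""
    parts, buf, in_str = [], [], False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == '&' and not in_str:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]


def resolve_token(tok, env):
    """Return the string value of one concatenation operand, or None if unknown."""
    if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
        return tok[1:-1].replace('""', '"')  # VBA escapes a quote as ""
    m = CHR_RE.match(tok)
    if m:
        return chr(int(m.group(1)))
    return env.get(tok)  # variable reference; None when never assigned


def resolve_macro(vba):
    """Walk assignments in source order and return {variable: resolved string}."""
    env = {}
    for raw in vba.splitlines():
        line = strip_comment(raw)
        if line.strip().lower().startswith(SKIP_PREFIXES):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, expr = m.group(1), m.group(2)
        values = [resolve_token(t, env) for t in split_concat(expr)]
        # Only record a value when every operand resolved; never guess.
        if all(v is not None for v in values):
            env[name] = ''.join(values)
    return env


def extract_urls(vba):
    """Return the sorted set of URLs found in resolved string variables."""
    found = set()
    for value in resolve_macro(vba).values():
        found.update(URL_RE.findall(value))
    return sorted(found)


if __name__ == '__main__':
    for name, value in resolve_macro(SAMPLE_MACRO).items():
        print(f'{name} = {value!r}')
    print('URLs:', extract_urls(SAMPLE_MACRO))
```

The resolver deliberately drops any assignment whose operands it cannot fully resolve (an unknown variable or a function call other than Chr) instead of emitting a partial string, so a reported IOC is always a complete value the macro actually builds; expressions that depend on runtime input or on the custom XOR routines the post mentions still need the behavioral side of the sandbox.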