oletools on macOS Mojave
Revision history
- 2021.02.16
Introduction
- In this document I install oletools, a toolkit for analyzing Microsoft Office document files, and use it to analyze an Excel macro file that contains malware.
- oletools is written in Python, so a Python environment and pip must already be available.
Installing the package
- Install with pip.
$ pip install oletools🆑
Collecting oletools
Downloading oletools-0.56.zip (3.1 MB)
|████████████████████████████████| 3.1 MB 313 kB/s
Collecting pyparsing<3,>=2.1.0
Downloading pyparsing-2.4.7-py2.py3-none-any.whl (67 kB)
|████████████████████████████████| 67 kB 3.3 MB/s
Collecting olefile>=0.46
Downloading olefile-0.46.zip (112 kB)
|████████████████████████████████| 112 kB 2.2 MB/s
Collecting easygui
Downloading easygui-0.98.2-py2.py3-none-any.whl (92 kB)
|████████████████████████████████| 92 kB 2.5 MB/s
Collecting colorclass
Downloading colorclass-2.2.0.tar.gz (17 kB)
Collecting msoffcrypto-tool
Downloading msoffcrypto-tool-4.11.0.tar.gz (211 kB)
|████████████████████████████████| 211 kB 2.8 MB/s
Collecting pcodedmp>=1.2.5
Downloading pcodedmp-1.2.6-py2.py3-none-any.whl (30 kB)
Requirement already satisfied: cryptography>=2.3 in
/usr/local/lib/python3.9/site-packages (from
msoffcrypto-tool->oletools) (3.3.1)
Requirement already satisfied: cffi>=1.12 in
/usr/local/lib/python3.9/site-packages (from
cryptography>=2.3->msoffcrypto-tool->oletools) (1.14.4)
Requirement already satisfied: six>=1.4.1 in
/usr/local/lib/python3.9/site-packages (from
cryptography>=2.3->msoffcrypto-tool->oletools) (1.14.0)
Requirement already satisfied: pycparser in
/usr/local/lib/python3.9/site-packages (from
cffi>=1.12->cryptography>=2.3->msoffcrypto-tool->oletools)
(2.20)
Building wheels for collected packages: oletools, olefile, colorclass, msoffcrypto-tool
Building wheel for oletools (setup.py) ... done
Created wheel for oletools:
filename=oletools-0.56-py3-none-any.whl size=933616
sha256=7b36d008a9b33c2f04d1c502e06515be0a7bae25978ca90e5ce22d2626382dce
Stored in directory:
/Users/ujpadmin/Library/Caches/pip/wheels/05/bb/26/15b0a068fde1216b8fb73f0ee57ce8da02c618c5cd6d3a5f9d
Building wheel for olefile (setup.py) ... done
Created wheel for olefile:
filename=olefile-0.46-py2.py3-none-any.whl size=35416
sha256=22ddebb1e3d17a0be6f140fe77f825adddeffcc9c6ff4c32e812d6c394beac10
Stored in directory:
/Users/ujpadmin/Library/Caches/pip/wheels/64/b8/ba/ebba30390fbd997074f35e42a842ce3fd933213cac8753414e
Building wheel for colorclass (setup.py) ... done
Created wheel for colorclass:
filename=colorclass-2.2.0-py3-none-any.whl size=19394
sha256=2241ba0123d957730b295607537a810c64c245dd8ea65546ed91c8c873fbab2e
Stored in directory:
/Users/ujpadmin/Library/Caches/pip/wheels/45/8b/b9/04de9e894d23f2a3a560c21df5dd2088d58e0f651ec58ec348
Building wheel for msoffcrypto-tool (setup.py) ... done
Created wheel for msoffcrypto-tool:
filename=msoffcrypto_tool-4.11.0-py3-none-any.whl size=32335
sha256=7beb576337ea39d9377ac95d6a7166a9b0d844cc5eec65c09e28e0c194482786
Stored in directory:
/Users/ujpadmin/Library/Caches/pip/wheels/0e/c0/c9/a10689bd268b5a65d03d84765b332e94e102de9a56c29b6d8f
Successfully built oletools olefile colorclass msoffcrypto-tool
Installing collected packages: olefile, pyparsing, pcodedmp, msoffcrypto-tool, easygui, colorclass, oletools
Successfully installed colorclass-2.2.0 easygui-0.98.2
msoffcrypto-tool-4.11.0 olefile-0.46 oletools-0.56 pcodedmp-1.2.6
pyparsing-2.4.7
[macmini2014:ujpadmin 13:41:39 ~ ]
$
- Check where the package's command-line tools were installed.
$ which olevba3🆑
/usr/local/bin/olevba3
[macmini2014:ujpadmin 13:44:13 ~ ]
$ ls -lat /usr/local/bin/|head -n 20🆑
total 1036
-rwxr-xr-x 1 ujpadmin admin 237 2 16 13:41 rtfobj
drwxrwxr-x 636 ujpadmin admin 20352 2 16 13:41 .
-rwxr-xr-x 1 ujpadmin admin 237 2 16 13:41 pyxswf
-rwxr-xr-x 1 ujpadmin admin 238 2 16 13:41 olevba3🈁
-rwxr-xr-x 1 ujpadmin admin 237 2 16 13:41 olevba
-rwxr-xr-x 1 ujpadmin admin 239 2 16 13:41 oletimes
-rwxr-xr-x 1 ujpadmin admin 237 2 16 13:41 oleobj
-rwxr-xr-x 1 ujpadmin admin 238 2 16 13:41 olemeta
-rwxr-xr-x 1 ujpadmin admin 237 2 16 13:41 olemap
-rwxr-xr-x 1 ujpadmin admin 236 2 16 13:41 oleid
-rwxr-xr-x 1 ujpadmin admin 237 2 16 13:41 olefile
-rwxr-xr-x 1 ujpadmin admin 237 2 16 13:41 oledir
-rwxr-xr-x 1 ujpadmin admin 240 2 16 13:41 olebrowse
-rwxr-xr-x 1 ujpadmin admin 237 2 16 13:41 msodde
-rwxr-xr-x 1 ujpadmin admin 239 2 16 13:41 mraptor3
-rwxr-xr-x 1 ujpadmin admin 238 2 16 13:41 mraptor
-rwxr-xr-x 1 ujpadmin admin 242 2 16 13:41 ezhexviewer
-rwxr-xr-x 1 ujpadmin admin 242 2 16 13:41 msoffcrypto-tool
-rwxr-xr-x 1 ujpadmin admin 239 2 16 13:41 pcodedmp
[macmini2014:ujpadmin 14:26:25 ~ ]
$
- Done.
Trying an analysis with olevba3
First, a file that contains no macros at all.
$ olevba3 /Users/ujpadmin/Documents/datafile.xlsx🆑
olevba 0.56 on Python 3.9.1 - http://decalage.info/python/oletools
===============================================================================
FILE: /Users/ujpadmin/Documents/datafile.xlsx
Type: OpenXML
No VBA macros found.
[macmini2014:ujpadmin 13:44:42 ~ ]
$
- The result is "No VBA macros found".
Analyzing a malware sample that contains VBA
- Next, analyze an Excel file that an earlier investigation found to be malware.
$ olevba3 /Users/ujpadmin/Downloads/マルウェアのファイル.xls🆑
olevba 0.56 on Python 3.9.1 - http://decalage.info/python/oletools
===============================================================================
FILE: /Users/ujpadmin/Downloads/マルウェアのファイル.xls
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: /Users/ujpadmin/Downloads/マルウェアのファイルxls - OLE stream: '_VBA_PROJECT_CUR/VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub WorkBook_open()
On Error Resume Next
CallByName Class5, "Show", VbMethod
End Sub
... (omitted) ...
-------------------------------------------------------------------------------
VBA FORM Variable "b'Label5'" IN '/Users/ujpadmin/Downloads/マルウェアのファイル.xls' - OLE stream: '_VBA_PROJECT_CUR/Class7'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
None
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |WorkBook_open       |Runs when the Excel Workbook is opened       |
|AutoExec  |Label5_Click        |Runs when the file is opened and ActiveX     |
|          |                    |objects trigger events                       |
|Suspicious|Open                |May open a file                              |
|Suspicious|write               |May write to a file (if combined with Open)  |
|Suspicious|Adodb.Stream        |May create a text file                       |
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|ExecuteExcel4Macro  |May run an Excel 4 Macro (aka XLM/XLF) from  |
|          |                    |VBA                                          |
|Suspicious|Microsoft.XMLHTTP   |May download files from the Internet         |
|Suspicious|CallByName          |May attempt to obfuscate malicious function  |
|          |                    |calls                                        |
|Suspicious|EXEC                |May run an executable file or a system       |
|          |                    |command using Excel 4 Macros (XLM/XLF)       |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|IOC       |cmd.exe             |Executable file name                         |
|IOC       |wrnglr.exe          |Executable file name                         |
+----------+--------------------+---------------------------------------------+
[macmini2014:ujpadmin 13:46:34 ~ ]
$
- The plain-text table is hard to read, so here is a screenshot.

- The report lists operations flagged as Suspicious, plus IOC entries (executable file names).
Analyzing with mraptor
$ mraptor マルウェアのファイル.xls🆑
MacroRaptor 0.56 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result |Flags|Type|File
----------+-----+----+--------------------------------------------------------
SUSPICIOUS|AWX |OLE:|マルウェア.xls
Flags: A=AutoExec, W=Write, X=Execute
Exit code: 20 - SUSPICIOUS🈁
[macmini2014:ujpadmin 13:46:34 ~ ]
$
- mraptor reports SUSPICIOUS.
References
- decalage2 / oletools
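- To make the two reports above easier to interpret, here is a small Python script that reproduces the idea behind both: olevba's AutoExec / Suspicious / IOC keyword table and mraptor's A/W/X flags. It is an example added for this article, not code from oletools, and it runs over a constructed VBA source (SAMPLE_VBA) that mimics the macro snippet above. The constructed macro stores "cmd.exe" as a hex string and "wrnglr.exe" as a base64 string, so the executable names only become visible as IOCs after decoding, which is exactly what olevba's --decode option exposes. AUTOEXEC_RE, SUSPICIOUS, WRITE_KEYWORDS, EXEC_KEYWORDS and the regexes are illustrative subsets chosen for this example, not oletools' own lists; the verdict rule (A and (W or X)) is the rule mraptor's flags encode, and 20 is the SUSPICIOUS exit code shown in the mraptor output above.

```python
import base64
import re
from dataclasses import dataclass, field

# Constructed sample VBA source for this example (not the macro from the analyzed file).
# The two quoted strings are "cmd.exe" as hex and "wrnglr.exe" as base64.
SAMPLE_VBA = '''
Sub WorkBook_open()
On Error Resume Next
CallByName Class5, "Show", VbMethod
End Sub

Sub Class5_Show()
Set strm = CreateObject("Adodb.Stream")
a = "636d642e657865"
b = "d3JuZ2xyLmV4ZQ=="
End Sub
'''

# Illustrative subsets of the lists olevba and mraptor use; the real lists are much longer.
AUTOEXEC_RE = re.compile(r"\b(?:Auto_?Open|Workbook_Open|Document_Open|AutoExec)\b", re.I)
SUSPICIOUS = {
    "CreateObject": "May create an OLE object",
    "Adodb.Stream": "May create a text file",
    "CallByName": "May attempt to obfuscate malicious function calls",
    "Shell": "May run an executable file or a system command",
    "Microsoft.XMLHTTP": "May download files from the Internet",
}
WRITE_KEYWORDS = ("Adodb.Stream", "SaveToFile", "Write")         # mraptor flag W
EXEC_KEYWORDS = ("Shell", "CreateObject", "CallByName", "Exec")  # mraptor flag X
EXE_RE = re.compile(r"\b[\w.-]+\.(?:exe|dll|vbs|ps1|bat|cmd)\b", re.I)
HEX_RE = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){4,}(?![0-9A-Fa-f])")
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}")


def decode_hex_strings(text):
    """Return (encoded, decoded) pairs for hex runs that decode to printable ASCII."""
    found = []
    for m in HEX_RE.finditer(text):
        try:
            decoded = bytes.fromhex(m.group(0)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            found.append((m.group(0), decoded))
    return found


def decode_base64_strings(text):
    """Same for base64 candidates; the length and decode checks weed out plain identifiers."""
    found = []
    for m in B64_RE.finditer(text):
        cand = m.group(0)
        if len(cand) % 4:
            continue
        try:
            decoded = base64.b64decode(cand, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            found.append((cand, decoded))
    return found


@dataclass
class Report:
    autoexec: list = field(default_factory=list)
    suspicious: list = field(default_factory=list)  # (keyword, description)
    decoded: list = field(default_factory=list)     # (encoded, decoded)
    iocs: list = field(default_factory=list)


def analyze_vba(source):
    """Keyword scan in the spirit of olevba's summary table."""
    rep = Report()
    rep.autoexec = sorted({m.group(0) for m in AUTOEXEC_RE.finditer(source)})
    lowered = source.lower()
    rep.suspicious = [(kw, desc) for kw, desc in SUSPICIOUS.items() if kw.lower() in lowered]
    rep.decoded = decode_hex_strings(source) + decode_base64_strings(source)
    # IOCs are searched in the decoded strings too; this is what --decode exposes.
    haystack = source + "\n" + "\n".join(dec for _, dec in rep.decoded)
    rep.iocs = sorted({m.group(0) for m in EXE_RE.finditer(haystack)})
    return rep


def raptor_flags(source):
    """mraptor-style flags: A=AutoExec, W=Write, X=Execute."""
    lowered = source.lower()
    flags = ""
    if AUTOEXEC_RE.search(source):
        flags += "A"
    if any(k.lower() in lowered for k in WRITE_KEYWORDS):
        flags += "W"
    if any(k.lower() in lowered for k in EXEC_KEYWORDS):
        flags += "X"
    return flags


def raptor_verdict(source):
    """(flags, suspicious): SUSPICIOUS when A and (W or X); mraptor then exits with code 20."""
    flags = raptor_flags(source)
    return flags, ("A" in flags and ("W" in flags or "X" in flags))


def format_table(rep):
    """Render findings as the three-column ASCII table olevba prints."""
    rows = [("AutoExec", kw, "Runs when the file is opened") for kw in rep.autoexec]
    rows += [("Suspicious", kw, desc) for kw, desc in rep.suspicious]
    rows += [("IOC", ioc, "Executable file name") for ioc in rep.iocs]
    sep = "+" + "-" * 10 + "+" + "-" * 20 + "+" + "-" * 45 + "+"
    fmt = "|{:<10}|{:<20}|{:<45}|"
    lines = [sep, fmt.format("Type", "Keyword", "Description"), sep]
    lines += [fmt.format(t, k, d[:45]) for t, k, d in rows]
    return "\n".join(lines + [sep])


if __name__ == "__main__":
    report = analyze_vba(SAMPLE_VBA)
    print(format_table(report))
    for enc, dec in report.decoded:
        print(f"decoded {enc!r} -> {dec!r}")
    flags, suspicious = raptor_verdict(SAMPLE_VBA)
    print("mraptor-style flags:", flags, "SUSPICIOUS" if suspicious else "OK")
```

- Running it prints an olevba-like table in which cmd.exe and wrnglr.exe appear as IOCs only because the hex and base64 strings were decoded first, and the flags come out as AWX, the same combination mraptor reported above.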
- https://github.com/decalage2/oletools/issues