PyOLEScanner

From aldeid

Description

pyOLEScanner 1.3 is a Python-based script written by Giuseppe 'Evilcry' Bonfa and inspired by OfficeMalScanner. It scans OLE-format Office documents (the binary .doc/.xls/.ppt containers) for indicators that they may be malicious: embedded OLE objects, Windows API name strings, embedded executables, shellcode byte patterns and macros. It reports findings per category and prints a warning when one of the categories fires. Note that the banner printed by the script in the examples below still reads "v. 1.2".

Installation

$ wget https://github.com/Evilcry/PythonScripts/raw/master/pyOLEScanner.zip
$ unzip pyOLEScanner.zip

Usage

Usage: python pyOLEScanner.py <document>

Examples

Example #1

$ python pyOLEScanner.py /data/tmp/Olimpikge.xls 
+-------------------------------+
| OLE Scanner v. 1.2 
| by Giuseppe 'Evilcry' Bonfa
+-------------------------------+

[-] OLE File Seems Valid

[+] Hash Informations

MD5: 146a5751fc3af131dc1772682fb17d87
SHA-1: 5e51188e7c9cf9a3c1dd0fd4a7b85232a5d28a5f
[+] Scanning for Embedded OLE in Clean

Revealed presence of Embedded OLE 

[+] Scanning for API presence in Clean

No Embedded API Found


[+] Scanning for Embedded Executables - Clean Case

No Embedded Executables Found

[+] Scanning for Shellcode Presence

FS:[30h] Shellcode at offset:0x13406

==========================================

Warning File is Potentially INFECTED!!!!

[+] Scanning for MACROs

==========================================

No MACROs Revealed

Example #2

$ python pyOLEScanner.py /data/tmp/TestYourMind.ppt 
+-------------------------------+
| OLE Scanner v. 1.2
| by Giuseppe 'Evilcry' Bonfa
+-------------------------------+

[-] OLE File Seems Valid

[+] Hash Informations

MD5: 5c57d0475290975533abd166faee6f02
SHA-1: 099fab479e955711309a0a6ac3ac84817ebea26b
[+] Scanning for Embedded OLE in Clean

No Embeddd OLE Found 

[+] Scanning for API presence in Clean

Revealed presence of GetProcAddress at offset:0x273a
Revealed presence of LoadLibraryA at offset:10060
Revealed presence of GetSystemDirectoryA at offset:0x1bdd
Revealed presence of UrlDownloadToFile at offset:0x34d8
Revealed presence of UrlDownloadToFile at offset:0x37a1

==========================================

Warning File is Potentially INFECTED!!!!


[+] Scanning for Embedded Executables - Clean Case

('Embedded Executable discovered at offset :', '0x1ea6', '\n')

==========================================

Warning File is Potentially INFECTED!!!!

[+] Scanning for Shellcode Presence

FS:[00] Shellcode at offset:0x1800
FS:[30h] Shellcode at offset:0xfed
Call Prolog at offset:0x90c59
NOP Slide:0x14b9
Call Pop Signature:0xf51
Call Pop Signature:0x90c53

==========================================

Warning File is Potentially INFECTED!!!!

[+] Scanning for MACROs

==========================================

No MACROs Revealed
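The two reports above show what pyOLEScanner actually looks for: a valid Compound File header, file hashes, nested OLE headers, API name strings, MZ/PE headers, a handful of x86 byte patterns typical of shellcode (PEB access through FS:[30h], SEH access through FS:[0], a function prolog, NOP slides, the call/pop GetPC trick) and macro storages. The following is an added example, not pyOLEScanner's own code, that re-implements those heuristics over raw bytes so the meaning of each output line can be checked. The exact byte encodings chosen for the shellcode labels and the UTF-16LE storage names used for the macro check are my assumptions, and the input it scans by default is a constructed byte string, not a real document.

```python
"""Re-implementation of the pyOLEScanner heuristics (added example, not the tool's code)."""
import hashlib
import re
import sys

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File (OLE2) header signature

# API names that downloader/dropper shellcode typically resolves by string.
API_NAMES = [b"GetProcAddress", b"LoadLibraryA", b"GetSystemDirectoryA",
             b"UrlDownloadToFile", b"WinExec", b"CreateFileA"]

# x86 byte patterns behind the labels the tool prints. These encodings are my
# assumption about what each label means, not pyOLEScanner's own signatures.
SHELLCODE_SIGS = {
    # mov eax/ecx/edx/ebx/esi/edi, fs:[30h]  -> PEB walk to find kernel32
    "FS:[30h]": re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x35\x3d])\x30\x00\x00\x00"),
    # mov reg, fs:[0]                         -> SEH chain access
    "FS:[00]": re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x35\x3d])\x00\x00\x00\x00"),
    "Call Prolog": re.compile(rb"\x55\x8b\xec"),                           # push ebp; mov ebp, esp
    "NOP Slide": re.compile(rb"\x90{8,}"),                                 # 8 or more NOPs in a row
    "Call Pop Signature": re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]"),  # call $+5; pop reg (GetPC)
}


def is_ole(data: bytes) -> bool:
    """'[-] OLE File Seems Valid': only the 8-byte header magic is checked."""
    return data[:8] == OLE_MAGIC


def hashes(data: bytes) -> dict:
    return {"MD5": hashlib.md5(data).hexdigest(), "SHA-1": hashlib.sha1(data).hexdigest()}


def find_all(data: bytes, needle: bytes, start: int = 0) -> list:
    """Every offset of needle in data at or after start."""
    hits, pos = [], data.find(needle, start)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def embedded_executables(data: bytes) -> list:
    """Offsets of 'MZ' headers whose e_lfanew (DOS header +0x3C) really points at 'PE\\0\\0'.
    A bare 'MZ' string match fires on random data; verifying the PE signature removes most noise."""
    hits = []
    for off in find_all(data, b"MZ"):
        if off + 0x40 > len(data):
            continue
        e_lfanew = int.from_bytes(data[off + 0x3c:off + 0x40], "little")
        pe = off + e_lfanew
        if 0x40 <= e_lfanew < 0x10000 and data[pe:pe + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def scan(data: bytes) -> dict:
    """Run every heuristic; keys mirror the sections the tool prints."""
    report = {
        "valid_ole": is_ole(data),
        "hashes": hashes(data),
        "embedded_ole": find_all(data, OLE_MAGIC, start=1),        # nested header past the file's own
        "api": {n.decode(): find_all(data, n) for n in API_NAMES if n in data},
        "executables": embedded_executables(data),
        "shellcode": {label: [m.start() for m in rx.finditer(data)]
                      for label, rx in SHELLCODE_SIGS.items() if rx.search(data)},
        # OLE stream/storage names are UTF-16LE; a 'VBA' or 'Macros' storage means a VBA project (assumed heuristic)
        "macros": any(n.encode("utf-16-le") in data for n in ("VBA", "Macros")),
    }
    # In the tool's output the warning follows API, executable and shellcode hits; an
    # embedded OLE object alone does not trigger it. Macros are counted here as well.
    report["suspicious"] = bool(report["api"] or report["executables"]
                                or report["shellcode"] or report["macros"])
    return report


def build_sample() -> bytes:
    """Constructed input: an OLE header followed by the artefacts the tool flags. Not a real document."""
    fake_pe = b"MZ" + b"\x00" * 0x3a + (0x40).to_bytes(4, "little") + b"PE\x00\x00"  # e_lfanew=0x40
    return b"".join([
        OLE_MAGIC, b"\x00" * 0x1f8,                       # 512-byte header-sized block
        b"GetProcAddress\x00", b"UrlDownloadToFile\x00",  # API strings at 0x200 / 0x20f
        b"\x64\xa1\x30\x00\x00\x00",                      # mov eax, fs:[30h]    at 0x221
        b"\x90" * 16,                                     # NOP slide            at 0x227
        b"\xe8\x00\x00\x00\x00\x5b",                      # call $+5; pop ebx    at 0x237
        fake_pe,                                          # MZ/PE header         at 0x23d
    ])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample()
    rep = scan(blob)
    print("[-] OLE File Seems Valid" if rep["valid_ole"] else "[!] No OLE header")
    for name, digest in rep["hashes"].items():
        print(f"{name}: {digest}")
    for section in ("embedded_ole", "api", "executables", "shellcode", "macros"):
        print(f"[+] {section}: {rep[section]}")
    print("Warning: file is potentially INFECTED" if rep["suspicious"] else "No indicators found")
```

Two caveats that apply equally to the tool and to this re-implementation. First, everything is matched against the raw file bytes without parsing the Compound File structure, so anything inside a compressed, encrypted or OOXML (zip) payload is invisible, while plain text that happens to mention "LoadLibraryA" is reported. Second, the shellcode patterns are short and fire on ordinary data; a lone hit such as the single FS:[30h] match in Example #1 is worth confirming by disassembling the bytes at the reported offset before treating the file as malicious.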
