Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/env python
- if 64 - 64: i11iIiiIii
- if 65 - 65: O0 / iIii1I11I1II1 % OoooooooOO - i1IIi
- if 73 - 73: II111iiii
- if 22 - 22: I1IiiI * Oo0Ooo / OoO0O00 . OoOoOO00 . o0oOOo0O0Ooo / I1ii11iIi11i
- if 48 - 48: oO0o / OOooOOo / I11i / Ii1I
- if 48 - 48: iII111i % IiII + I1Ii111 / ooOoO0o * Ii1I
- if 46 - 46: ooOoO0o * I11i - OoooooooOO
- if 30 - 30: o0oOOo0O0Ooo - O0 % o0oOOo0O0Ooo - OoooooooOO * O0 * OoooooooOO
- if 60 - 60: iIii1I11I1II1 / i1IIi * oO0o - I1ii11iIi11i + o0oOOo0O0Ooo
- if 94 - 94: i1IIi % Oo0Ooo
- if 68 - 68: Ii1I / O0
- if 46 - 46: O0 * II111iiii / IiII * Oo0Ooo * iII111i . I11i
- if 62 - 62: i11iIiiIii - II111iiii % I1Ii111 - iIii1I11I1II1 . I1ii11iIi11i . II111iiii
- if 61 - 61: oO0o / OoOoOO00 / iII111i * OoO0O00 . II111iiii
- if 1 - 1: II111iiii - I1ii11iIi11i % i11iIiiIii + IiII . I1Ii111
- if 55 - 55: iIii1I11I1II1 - I1IiiI . Ii1I * IiII * i1IIi / iIii1I11I1II1
- if 79 - 79: oO0o + I1Ii111 . ooOoO0o * IiII % I11i . I1IiiI
- if 94 - 94: iII111i * Ii1I / IiII . i1IIi * iII111i
- if 47 - 47: i1IIi % i11iIiiIii
- if 20 - 20: ooOoO0o * II111iiii
- if 65 - 65: o0oOOo0O0Ooo * iIii1I11I1II1 * ooOoO0o
- if 18 - 18: iIii1I11I1II1 / I11i + oO0o / Oo0Ooo - II111iiii - I11i
- if 1 - 1: I11i - OOooOOo % O0 + I1IiiI - iII111i / I11i
- if 31 - 31: OoO0O00 + II111iiii
- if 13 - 13: OOooOOo * oO0o * I1IiiI
- if 55 - 55: II111iiii
- if 43 - 43: OoOoOO00 - i1IIi + I1Ii111 + Ii1I
- if 17 - 17: o0oOOo0O0Ooo
- if 64 - 64: Ii1I % i1IIi % OoooooooOO
- if 3 - 3: iII111i + O0
- if 42 - 42: OOooOOo / i1IIi + i11iIiiIii - Ii1I
- if 78 - 78: OoO0O00
- if 18 - 18: O0 - iII111i / iII111i + ooOoO0o % ooOoO0o - IiII
- if 62 - 62: iII111i - IiII - OoOoOO00 % i1IIi / oO0o
- if 77 - 77: II111iiii - II111iiii . I1IiiI / o0oOOo0O0Ooo
- if 14 - 14: I11i % O0
- if 41 - 41: i1IIi + I1Ii111 + OOooOOo - IiII
- if 77 - 77: Oo0Ooo . IiII % ooOoO0o
- if 42 - 42: oO0o - i1IIi / i11iIiiIii + OOooOOo + OoO0O00
- if 17 - 17: oO0o . Oo0Ooo . I1ii11iIi11i
- if 3 - 3: OoOoOO00 . Oo0Ooo . I1IiiI / Ii1I
- if 38 - 38: II111iiii % i11iIiiIii . ooOoO0o - OOooOOo + Ii1I
- if 66 - 66: OoooooooOO * OoooooooOO . OOooOOo . i1IIi - OOooOOo
- if 77 - 77: I11i - iIii1I11I1II1
- if 82 - 82: i11iIiiIii . OOooOOo / Oo0Ooo * O0 % oO0o % iIii1I11I1II1
- if 78 - 78: iIii1I11I1II1 - Ii1I * OoO0O00 + o0oOOo0O0Ooo + iII111i + iII111i
- if 11 - 11: iII111i - OoO0O00 % ooOoO0o % iII111i / OoOoOO00 - OoO0O00
- if 74 - 74: iII111i * O0
- if 89 - 89: oO0o + Oo0Ooo
- if 3 - 3: i1IIi / I1IiiI % I11i * i11iIiiIii / O0 * I11i
- if 49 - 49: oO0o % Ii1I + i1IIi . I1IiiI % I1ii11iIi11i
- if 48 - 48: I11i + I11i / II111iiii / iIii1I11I1II1
- if 20 - 20: o0oOOo0O0Ooo
- if 77 - 77: OoOoOO00 / I11i
- if 98 - 98: iIii1I11I1II1 / i1IIi / i11iIiiIii / o0oOOo0O0Ooo
- if 28 - 28: OOooOOo - IiII . IiII + OoOoOO00 - OoooooooOO + O0
- if 95 - 95: OoO0O00 % oO0o . O0
- if 15 - 15: ooOoO0o / Ii1I . Ii1I - i1IIi
- if 53 - 53: IiII + I1IiiI * oO0o
- if 61 - 61: i1IIi * OOooOOo / OoooooooOO . i11iIiiIii . OoOoOO00
- if 60 - 60: I11i / I11i
- if 46 - 46: Ii1I * OOooOOo - OoO0O00 * oO0o - I1Ii111
- if 83 - 83: OoooooooOO
- if 31 - 31: II111iiii - OOooOOo . I1Ii111 % OoOoOO00 - O0
- if 4 - 4: II111iiii / ooOoO0o . iII111i
- if 58 - 58: OOooOOo * i11iIiiIii / OoOoOO00 % I1Ii111 - I1ii11iIi11i / oO0o
- if 50 - 50: I1IiiI
- if 34 - 34: I1IiiI * II111iiii % iII111i * OoOoOO00 - I1IiiI
- if 33 - 33: o0oOOo0O0Ooo + OOooOOo * OoO0O00 - Oo0Ooo / oO0o % Ii1I
- if 21 - 21: OoO0O00 * iIii1I11I1II1 % oO0o * i1IIi
- if 16 - 16: O0 - I1Ii111 * iIii1I11I1II1 + iII111i
- if 50 - 50: II111iiii - ooOoO0o * I1ii11iIi11i / I1Ii111 + o0oOOo0O0Ooo
- if 88 - 88: Ii1I / I1Ii111 + iII111i - II111iiii / ooOoO0o - OoOoOO00
- if 15 - 15: I1ii11iIi11i + OoOoOO00 - OoooooooOO / OOooOOo
- if 58 - 58: i11iIiiIii % I11i
- if 71 - 71: OOooOOo + ooOoO0o % i11iIiiIii + I1ii11iIi11i - IiII
- if 88 - 88: OoOoOO00 - OoO0O00 % OOooOOo
- if 16 - 16: I1IiiI * oO0o % IiII
- if 86 - 86: I1IiiI + Ii1I % i11iIiiIii * oO0o . ooOoO0o * I11i
- if 44 - 44: oO0o
- if 88 - 88: I1Ii111 % Ii1I . II111iiii
- if 38 - 38: o0oOOo0O0Ooo
- if 57 - 57: O0 / oO0o * I1Ii111 / OoOoOO00 . II111iiii
- if 26 - 26: iII111i
- if 91 - 91: OoO0O00 . I1ii11iIi11i + OoO0O00 - iII111i / OoooooooOO
- if 39 - 39: I1ii11iIi11i / ooOoO0o - II111iiii
- if 98 - 98: I1ii11iIi11i / I11i % oO0o . OoOoOO00
- if 91 - 91: oO0o % Oo0Ooo
- if 64 - 64: I11i % iII111i - I1Ii111 - oO0o
- if 31 - 31: I11i - II111iiii . I11i
- if 18 - 18: o0oOOo0O0Ooo
- if 98 - 98: iII111i * iII111i / iII111i + I11i
- if 34 - 34: ooOoO0o
- if 15 - 15: I11i * ooOoO0o * Oo0Ooo % i11iIiiIii % OoOoOO00 - OOooOOo
- if 68 - 68: I1Ii111 % i1IIi . IiII . I1ii11iIi11i
- if 92 - 92: iII111i . I1Ii111
- if 31 - 31: I1Ii111 . OoOoOO00 / O0
- if 89 - 89: OoOoOO00
- if 68 - 68: OoO0O00 * OoooooooOO % O0 + OoO0O00 + ooOoO0o
- if 4 - 4: ooOoO0o + O0 * OOooOOo
- if 55 - 55: Oo0Ooo + iIii1I11I1II1 / OoOoOO00 * oO0o - i11iIiiIii - Ii1I
- if 25 - 25: I1ii11iIi11i
- if 7 - 7: i1IIi / I1IiiI * I1Ii111 . IiII . iIii1I11I1II1
- if 13 - 13: OOooOOo / i11iIiiIii
- if 2 - 2: I1IiiI / O0 / o0oOOo0O0Ooo % OoOoOO00 % Ii1I
- if 52 - 52: o0oOOo0O0Ooo
- if 95 - 95: Ii1I
- if 87 - 87: ooOoO0o + OoOoOO00 . OOooOOo + OoOoOO00
- if 91 - 91: O0
- if 61 - 61: II111iiii
- if 64 - 64: ooOoO0o / OoOoOO00 - O0 - I11i
- if 86 - 86: I11i % OoOoOO00 / I1IiiI / OoOoOO00
- if 42 - 42: OoO0O00
- if 67 - 67: I1Ii111 . iII111i . O0
- if 10 - 10: I1ii11iIi11i % I1ii11iIi11i - iIii1I11I1II1 / OOooOOo + Ii1I
- if 87 - 87: oO0o * I1ii11iIi11i + OOooOOo / iIii1I11I1II1 / iII111i
- if 37 - 37: iII111i - ooOoO0o * oO0o % i11iIiiIii - I1Ii111
- if 83 - 83: I11i / I1IiiI
- if 34 - 34: IiII
- if 57 - 57: oO0o . I11i . i1IIi
- if 42 - 42: I11i + I1ii11iIi11i % O0
- if 6 - 6: oO0o
- if 68 - 68: OoOoOO00 - OoO0O00
- if 28 - 28: OoO0O00 . OOooOOo / OOooOOo + Oo0Ooo . I1ii11iIi11i
- if 1 - 1: iIii1I11I1II1 / II111iiii
- if 33 - 33: I11i
- if 18 - 18: o0oOOo0O0Ooo % iII111i * O0
- if 87 - 87: i11iIiiIii
- if 93 - 93: I1ii11iIi11i - OoO0O00 % i11iIiiIii . iII111i / iII111i - I1Ii111
- if 9 - 9: I1ii11iIi11i / Oo0Ooo - I1IiiI / OoooooooOO / iIii1I11I1II1 - o0oOOo0O0Ooo
- if 91 - 91: iII111i % i1IIi % iIii1I11I1II1
- if 20 - 20: OOooOOo % Ii1I / Ii1I + Ii1I
- if 45 - 45: oO0o - IiII - OoooooooOO - OoO0O00 . II111iiii / O0
- if 51 - 51: O0 + iII111i
- if 8 - 8: oO0o * OoOoOO00 - Ii1I - OoO0O00 * OOooOOo % I1IiiI
- if 48 - 48: O0
- if 11 - 11: I11i + OoooooooOO - OoO0O00 / o0oOOo0O0Ooo + Oo0Ooo . II111iiii
- if 41 - 41: Ii1I - O0 - O0
- if 68 - 68: OOooOOo % I1Ii111
- if 88 - 88: iIii1I11I1II1 - ooOoO0o + OOooOOo
- if 40 - 40: I1IiiI * Ii1I + OOooOOo % iII111i
- if 74 - 74: oO0o - Oo0Ooo + OoooooooOO + I1Ii111 / OoOoOO00
- if 23 - 23: O0
- if 85 - 85: Ii1I
- if 84 - 84: I1IiiI . iIii1I11I1II1 % OoooooooOO + Ii1I % OoooooooOO % OoO0O00
- if 42 - 42: OoO0O00 / I11i / o0oOOo0O0Ooo + iII111i / OoOoOO00
- if 84 - 84: ooOoO0o * II111iiii + Oo0Ooo
- if 53 - 53: iII111i % II111iiii . IiII - iIii1I11I1II1 - IiII * II111iiii
- if 77 - 77: iIii1I11I1II1 * OoO0O00
- if 95 - 95: I1IiiI + i11iIiiIii
- if 6 - 6: ooOoO0o / i11iIiiIii + iII111i * oO0o
- if 80 - 80: II111iiii
- if 83 - 83: I11i . i11iIiiIii + II111iiii . o0oOOo0O0Ooo * I11i
- if 53 - 53: II111iiii
- if 31 - 31: OoO0O00
- __version__ = '0.41'
- if 80 - 80: I1Ii111 . i11iIiiIii - o0oOOo0O0Ooo
- if 25 - 25: OoO0O00
- if 62 - 62: OOooOOo + O0
- if 98 - 98: o0oOOo0O0Ooo
- if 51 - 51: Oo0Ooo - oO0o + II111iiii * Ii1I . I11i + oO0o
- if 78 - 78: i11iIiiIii / iII111i - Ii1I / OOooOOo + oO0o
- if 82 - 82: Ii1I
- if 46 - 46: OoooooooOO . i11iIiiIii
- if 94 - 94: o0oOOo0O0Ooo * Ii1I / Oo0Ooo / Ii1I
- if 87 - 87: Oo0Ooo . IiII
- if 75 - 75: ooOoO0o + OoOoOO00 + o0oOOo0O0Ooo * I11i % oO0o . iII111i
- if 55 - 55: OOooOOo . I1IiiI
- if 61 - 61: Oo0Ooo % IiII . Oo0Ooo
- if 100 - 100: I1Ii111 * O0
- if 64 - 64: OOooOOo % iIii1I11I1II1 * oO0o
- if 79 - 79: O0
- if 78 - 78: I1ii11iIi11i + OOooOOo - I1Ii111
- if 38 - 38: o0oOOo0O0Ooo - oO0o + iIii1I11I1II1 / OoOoOO00 % Oo0Ooo
- if 57 - 57: OoO0O00 / ooOoO0o
- if 29 - 29: iIii1I11I1II1 + OoOoOO00 * OoO0O00 * OOooOOo . I1IiiI * I1IiiI
- if 7 - 7: IiII * I1Ii111 % Ii1I - o0oOOo0O0Ooo
- if 13 - 13: Ii1I . i11iIiiIii
- if 56 - 56: I1ii11iIi11i % O0 - I1IiiI
- if 100 - 100: Ii1I - O0 % oO0o * OOooOOo + I1IiiI
- if 88 - 88: OoooooooOO - OoO0O00 * O0 * OoooooooOO . OoooooooOO
- if 33 - 33: I1Ii111 + iII111i * oO0o / iIii1I11I1II1 - I1IiiI
- if 54 - 54: I1Ii111 / OOooOOo . oO0o % iII111i
- if 57 - 57: i11iIiiIii . I1ii11iIi11i - Ii1I - oO0o + OoOoOO00
- if 63 - 63: OoOoOO00 * iII111i
- if 69 - 69: O0 . OoO0O00
- if 49 - 49: I1IiiI - I11i
- if 74 - 74: iIii1I11I1II1 * I1ii11iIi11i + OoOoOO00 / i1IIi / II111iiii . Oo0Ooo
- if 62 - 62: OoooooooOO * I1IiiI
- if 58 - 58: OoOoOO00 % o0oOOo0O0Ooo
- if 50 - 50: I1Ii111 . o0oOOo0O0Ooo
- import sys , logging
- import struct
- import cStringIO
- import math
- import zipfile
- import re
- import optparse
- import os . path
- import binascii
- import base64
- import traceback
- import zlib
- import email
- import string
- if 97 - 97: O0 + OoOoOO00
- if 89 - 89: o0oOOo0O0Ooo + OoO0O00 * I11i * Ii1I
- try :
- if 37 - 37: OoooooooOO - O0 - o0oOOo0O0Ooo
- import lxml . etree as ET
- except ImportError :
- try :
- if 77 - 77: OOooOOo * iIii1I11I1II1
- import xml . etree . cElementTree as ET
- except ImportError :
- try :
- if 98 - 98: I1IiiI % Ii1I * OoooooooOO
- import elementtree . cElementTree as ET
- except ImportError :
- raise ImportError , "lxml or ElementTree are not installed, " + "see http://codespeak.net/lxml " + "or http://effbot.org/zone/element-index.htm"
- if 51 - 51: iIii1I11I1II1 . OoOoOO00 / oO0o + o0oOOo0O0Ooo
- if 33 - 33: ooOoO0o . II111iiii % iII111i + o0oOOo0O0Ooo
- if 71 - 71: Oo0Ooo % OOooOOo
- import thirdparty . olefile as olefile
- from thirdparty . prettytable import prettytable
- from thirdparty . xglob import xglob
- from thirdparty . pyparsing . pyparsing import *
- if 98 - 98: I11i % i11iIiiIii % ooOoO0o + Ii1I
- if 78 - 78: I1ii11iIi11i % oO0o / iII111i - iIii1I11I1II1
- if 69 - 69: I1Ii111
- if 11 - 11: I1IiiI
- if 16 - 16: Ii1I + IiII * O0 % i1IIi . I1IiiI
- if 67 - 67: OoooooooOO / I1IiiI * Ii1I + I11i
- OooOo0ooo = 'https://bitbucket.org/decalage/oletools/issues'
- o00oo0 = 'Please report this issue on %s' % OooOo0ooo
- if 38 - 38: ooOoO0o % II111iiii % I11i / OoO0O00 + OoOoOO00 / i1IIi
- if 54 - 54: iIii1I11I1II1 % I1ii11iIi11i - OOooOOo / oO0o - OoO0O00 . I11i
- II = 'OLE'
- o0Oo0oO0oOO00 = 'OpenXML'
- oo00OO0000oO = 'Word2003_XML'
- I1II1 = 'MHTML'
- if 86 - 86: iIii1I11I1II1 / OoOoOO00 . II111iiii
- if 19 - 19: I1ii11iIi11i % OoooooooOO % IiII * o0oOOo0O0Ooo % O0
- ooo = {
- II : 'OLE:' ,
- o0Oo0oO0oOO00 : 'OpX:' ,
- oo00OO0000oO : 'XML:' ,
- I1II1 : 'MHT:' ,
- }
- if 27 - 27: ooOoO0o % I1IiiI
- if 73 - 73: OOooOOo
- if 70 - 70: iIii1I11I1II1
- i11ii1iI = 'ActiveMime'
- if 22 - 22: OoooooooOO
- OOOOOo = "bas"
- IiI1iIiIIIii = "cls"
- oOoO = "frm"
- if 81 - 81: OoOoOO00 - OoOoOO00 . iII111i
- if 73 - 73: I11i % i11iIiiIii - I1IiiI
- Ii1iI111II1I1 = '{http://schemas.microsoft.com/office/word/2003/wordml}'
- if 91 - 91: OOooOOo % OOooOOo - I1IiiI
- I1iiii1I = Ii1iI111II1I1 + 'binData'
- OOo0 = Ii1iI111II1I1 + 'name'
- if 73 - 73: iII111i
- if 42 - 42: i11iIiiIii * iIii1I11I1II1 / I1ii11iIi11i . i11iIiiIii % I11i
- i1iI = {
- 'Runs when the Word document is opened' :
- ( 'AutoExec' , 'AutoOpen' , 'Document_Open' , 'DocumentOpen' ) ,
- 'Runs when the Word document is closed' :
- ( 'AutoExit' , 'AutoClose' , 'Document_Close' , 'DocumentBeforeClose' ) ,
- 'Runs when the Word document is modified' :
- ( 'DocumentChange' , ) ,
- 'Runs when a new Word document is created' :
- ( 'AutoNew' , 'Document_New' , 'NewDocument' ) ,
- 'Runs when the Excel Workbook is opened' :
- ( 'Auto_Open' , 'Workbook_Open' ) ,
- 'Runs when the Excel Workbook is closed' :
- ( 'Auto_Close' , 'Workbook_Close' ) ,
- }
- if 29 - 29: I1IiiI % OOooOOo - I1IiiI / OOooOOo . i1IIi
- if 31 - 31: I1Ii111
- if 88 - 88: OoO0O00 - ooOoO0o + OOooOOo * I1IiiI % iIii1I11I1II1 + Oo0Ooo
- oo000O0OoooO = {
- 'May read system environment variables' :
- ( 'Environ' , ) ,
- 'May open a file' :
- ( 'Open' , ) ,
- 'May write to a file (if combined with Open)' :
- ( 'Write' , 'Put' , 'Output' , 'Print #' ) ,
- 'May read or write a binary file (if combined with Open)' :
- ( 'Binary' , ) ,
- 'May copy a file' :
- ( 'FileCopy' , 'CopyFile' ) ,
- # O0 * OoooooooOO % OOooOOo / IiII - Ii1I / I11i
- 'May delete a file' :
- ( 'Kill' , ) ,
- 'May create a text file' :
- ( 'CreateTextFile' , 'ADODB.Stream' , 'WriteText' , 'SaveToFile' ) ,
- # IiII + ooOoO0o / I1Ii111 . ooOoO0o
- 'May run an executable file or a system command' :
- ( 'Shell' , 'vbNormal' , 'vbNormalFocus' , 'vbHide' , 'vbMinimizedFocus' , 'vbMaximizedFocus' , 'vbNormalNoFocus' ,
- 'vbMinimizedNoFocus' , 'WScript.Shell' , 'Run' ) ,
- # ooOoO0o
- 'May run PowerShell commands' :
- # oO0o / I1Ii111 / I1ii11iIi11i
- # o0oOOo0O0Ooo + II111iiii + OoOoOO00 - ooOoO0o . OoOoOO00
- ( 'PowerShell' , 'noexit' , 'ExecutionPolicy' , 'noprofile' ) ,
- 'May hide the application' :
- ( 'Application.Visible' , 'ShowWindow' , 'SW_HIDE' ) ,
- 'May create a directory' :
- ( 'MkDir' , ) ,
- 'May save the current workbook' :
- ( 'ActiveWorkbook.SaveAs' , ) ,
- 'May change which directory contains files to open at startup' :
- ( 'Application.AltStartupPath' , ) ,
- 'May create an OLE object' :
- ( 'CreateObject' , ) ,
- 'May run an application (if combined with CreateObject)' :
- ( 'Shell.Application' , ) ,
- 'May enumerate application windows (if combined with Shell.Application object)' :
- ( 'Windows' , 'FindWindow' ) ,
- 'May run code from a DLL' :
- ( 'Lib' , ) ,
- 'May inject code into another process' :
- ( 'CreateThread' , 'VirtualAlloc' ,
- ) ,
- 'May download files from the Internet' :
- ( 'URLDownloadToFileA' , 'Msxml2.XMLHTTP' , 'Microsoft.XMLHTTP' ,
- 'MSXML2.ServerXMLHTTP' ,
- 'User-Agent' ,
- ) ,
- 'May download files from the Internet using PowerShell' :
- ( 'New-Object System.Net.WebClient' , 'DownloadFile' ) ,
- 'May control another application by simulating user keystrokes' :
- ( 'SendKeys' , 'AppActivate' ) ,
- 'May attempt to obfuscate malicious function calls' :
- ( 'CallByName' , ) ,
- 'May attempt to obfuscate specific strings' :
- ( 'Chr' , 'ChrB' , 'ChrW' , 'StrReverse' , 'Xor' ) ,
- 'May read or write registry keys' :
- ( 'RegOpenKeyExA' , 'RegOpenKeyEx' , 'RegCloseKey' ) ,
- 'May read registry keys' :
- ( 'RegQueryValueExA' , 'RegQueryValueEx' ,
- 'RegRead' ,
- ) ,
- 'May detect virtualization' :
- ( r'SYSTEM\ControlSet001\Services\Disk\Enum' , 'VIRTUAL' , 'VMWARE' , 'VBOX' ) ,
- 'May detect Anubis Sandbox' :
- # Oo0Ooo * I1ii11iIi11i + iIii1I11I1II1 / I1Ii111 / OoO0O00 - OoooooooOO
- # iII111i + OoOoOO00
- ( 'GetVolumeInformationA' , 'GetVolumeInformation' ,
- '1824245000' , r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId' ,
- '76487-337-8429955-22614' , 'andy' , 'sample' , r'C:\exec\exec.exe' , 'popupkiller'
- ) ,
- 'May detect Sandboxie' :
- # II111iiii % ooOoO0o % OoOoOO00 - OoooooooOO
- ( 'SbieDll.dll' , 'SandboxieControlWndClass' ) ,
- 'May detect Sunbelt Sandbox' :
- ( r'C:\file.exe' , ) ,
- 'May detect Norman Sandbox' :
- ( 'currentuser' , ) ,
- 'May detect CW Sandbox' :
- ( 'Schmidti' , ) ,
- 'May detect WinJail Sandbox' :
- ( 'Afx:400000:0' , ) ,
- }
- if 80 - 80: OoOoOO00 % I1Ii111
- if 55 - 55: i11iIiiIii . I1Ii111 * Ii1I % OoO0O00
- if 85 - 85: i11iIiiIii % o0oOOo0O0Ooo
- if 38 - 38: oO0o % OoOoOO00 + I1ii11iIi11i . i11iIiiIii
- if 53 - 53: i11iIiiIii * iII111i
- if 68 - 68: iIii1I11I1II1 * iIii1I11I1II1 . o0oOOo0O0Ooo / II111iiii % Oo0Ooo
- i1i11I11 = r'\b(?:http|ftp)s?'
- if 10 - 10: O0 - OoooooooOO . OoOoOO00
- I1iIii11 = r'(?:xn--[a-zA-Z0-9]{4,20}|[a-zA-Z]{2,20})'
- i1 = r'(?:[a-zA-Z0-9\-\.]+\.' + I1iIii11 + ')'
- if 90 - 90: I1Ii111 . ooOoO0o / Ii1I - I11i
- if 40 - 40: OoooooooOO
- I1i1i1 = r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])'
- OoO0O00O0oo0O = r'(?:' + I1i1i1 + r'\.){3}' + I1i1i1
- if 36 - 36: OOooOOo + O0 - Ii1I - O0 % I11i . oO0o
- oooiiI = r'(?:' + OoO0O00O0oo0O + '|' + i1 + ')'
- oO = r'(?:\:[0-9]{1,5})?'
- IIiIi = oooiiI + oO
- OOoOooOoOOOoo = r'(?:/[a-zA-Z0-9\-\._\?\,\'/\\\+&%\$#\=~]*)?'
- Iiii1iI1i = i1i11I11 + r'\://' + IIiIi + OOoOooOoOOOoo
- I1ii1ii11i1I = re . compile ( Iiii1iI1i )
- if 58 - 58: iII111i + Oo0Ooo
- if 12 - 12: o0oOOo0O0Ooo - I1ii11iIi11i % OoOoOO00 * I11i
- if 44 - 44: iII111i % Ii1I
- if 41 - 41: i1IIi - I11i - Ii1I
- III11I1 = (
- ( 'URL' , re . compile ( Iiii1iI1i ) ) ,
- ( 'IPv4 address' , re . compile ( OoO0O00O0oo0O ) ) ,
- ( 'E-mail address' , re . compile ( r'(?i)\b[A-Z0-9._%+-]+@' + oooiiI + '\b' ) ) ,
- # o0oOOo0O0Ooo * O0 - Ii1I
- ( "Executable file name" , re . compile (
- r"(?i)\b\w+\.(EXE|PIF|GADGET|MSI|MSP|MSC|VBS|VBE|VB|JSE|JS|WSF|WSC|WSH|WS|BAT|CMD|DLL|SCR|HTA|CPL|CLASS|JAR|PS1XML|PS1|PS2XML|PS2|PSC1|PSC2|SCF|LNK|INF|REG)\b" ) ) ,
- # oO0o + ooOoO0o . Oo0Ooo % Ii1I
- # i11iIiiIii + o0oOOo0O0Ooo / I1ii11iIi11i - OoO0O00 - Ii1I + I1ii11iIi11i
- # i11iIiiIii + OoO0O00 . iIii1I11I1II1 * I1Ii111
- )
- if 15 - 15: i1IIi + OoOoOO00
- if 48 - 48: I1IiiI % iII111i / iIii1I11I1II1
- Oo0oooO0oO = re . compile ( r'(?:[0-9A-Fa-f]{2}){4,}' )
- if 19 - 19: i11iIiiIii + OoooooooOO - Oo0Ooo - I11i
- if 21 - 21: O0 % IiII . I1IiiI / II111iiii + IiII
- if 53 - 53: oO0o - I1IiiI - oO0o * iII111i
- if 71 - 71: O0 - iIii1I11I1II1
- if 12 - 12: OOooOOo / o0oOOo0O0Ooo
- iiI1I1 = r'(?:[A-Za-z0-9+/]{4}){1,}(?:[A-Za-z0-9+/]{2}[AEIMQUYcgkosw048]=|[A-Za-z0-9+/][AQgw]==)?'
- ooO = re . compile ( '"' + iiI1I1 + '"' )
- if 6 - 6: iIii1I11I1II1 . ooOoO0o % o0oOOo0O0Ooo
- I1Iii1 = set ( [ 'thisdocument' , 'thisworkbook' , 'test' , 'temp' , 'http' , 'open' , 'exit' ] )
- if 30 - 30: OoooooooOO - OoOoOO00
- if 75 - 75: iIii1I11I1II1 - Ii1I . Oo0Ooo % i11iIiiIii % I11i
- if 55 - 55: iII111i . II111iiii % OoO0O00 * iII111i + ooOoO0o + Ii1I
- II1Iiiiii = re . compile ( r'"[0-9A-Za-z]{20,}"' )
- if 36 - 36: I1IiiI - I11i
- i11i11111i1i = re . compile ( r'[G-Zg-z]' )
- if 72 - 72: OOooOOo % I1ii11iIi11i + OoO0O00 / oO0o + IiII
- if 10 - 10: I1Ii111 / ooOoO0o + i11iIiiIii / Ii1I
- if 74 - 74: OOooOOo + O0 + i1IIi - i1IIi + II111iiii
- if 83 - 83: I1ii11iIi11i - I1IiiI + OOooOOo
- if 5 - 5: Ii1I
- if 46 - 46: IiII
- if 45 - 45: ooOoO0o
- if 21 - 21: oO0o . I1Ii111 . OOooOOo / Oo0Ooo / I1Ii111
- if 17 - 17: OOooOOo / OOooOOo / I11i
- if 1 - 1: i1IIi . i11iIiiIii % OOooOOo
- if 82 - 82: iIii1I11I1II1 + Oo0Ooo . iIii1I11I1II1 % IiII / Ii1I . Ii1I
- if 14 - 14: o0oOOo0O0Ooo . OOooOOo . I11i + OoooooooOO - OOooOOo + IiII
- if 9 - 9: Ii1I
- oooooOOO000Oo = alphanums + '_'
- if 52 - 52: II111iiii % IiII . OoOoOO00 * iIii1I11I1II1
- class I111i1II ( str ) :
- pass
- if 69 - 69: Ii1I * O0 . i11iIiiIii / Ii1I . o0oOOo0O0Ooo
- if 63 - 63: I11i + o0oOOo0O0Ooo . II111iiii - I1IiiI
- if 52 - 52: o0oOOo0O0Ooo % Oo0Ooo
- if 64 - 64: O0 % I11i % O0 * OoO0O00 . oO0o + I1IiiI
- if 75 - 75: I11i . OoooooooOO % o0oOOo0O0Ooo * I11i % OoooooooOO
- if 13 - 13: IiII / i11iIiiIii % II111iiii % I11i . I1ii11iIi11i
- if 8 - 8: OoOoOO00 + Oo0Ooo - II111iiii
- if 11 - 11: i1IIi % i11iIiiIii - i1IIi * OoOoOO00
- if 39 - 39: I1Ii111
- if 86 - 86: I11i * I1IiiI + I11i + II111iiii
- if 8 - 8: I1Ii111 - iII111i / ooOoO0o
- if 96 - 96: OoOoOO00
- if 29 - 29: I1ii11iIi11i / i1IIi . I1IiiI - OoOoOO00 - OoOoOO00 - Ii1I
- if 20 - 20: i1IIi % OoO0O00 . I1IiiI / IiII * i11iIiiIii * OOooOOo
- if 85 - 85: o0oOOo0O0Ooo . OoOoOO00 / ooOoO0o . O0 % I1Ii111
- if 90 - 90: Oo0Ooo % O0 * iIii1I11I1II1 . iII111i
- if 8 - 8: ooOoO0o + II111iiii / iII111i / I11i
- if 74 - 74: O0 / i1IIi
- if 78 - 78: OoooooooOO . OoO0O00 + ooOoO0o - i1IIi
- if 31 - 31: OoooooooOO . OOooOOo
- if 83 - 83: iII111i . O0 / Oo0Ooo / OOooOOo - II111iiii
- if 100 - 100: OoO0O00
- if 46 - 46: OoOoOO00 / iIii1I11I1II1 % iII111i . iIii1I11I1II1 * iII111i
- if 38 - 38: I1ii11iIi11i - iII111i / O0 . I1Ii111
- if 45 - 45: I1Ii111
- if 83 - 83: OoOoOO00 . OoooooooOO
- if 58 - 58: i11iIiiIii + OoooooooOO % OoooooooOO / IiII / i11iIiiIii
- oOOoo = Combine ( WordStart ( oooooOOO000Oo ) + Word ( nums )
- + Suppress ( Optional ( Word ( '%&^' , exact = 1 ) ) ) )
- oOOoo . setParseAction ( lambda iII1111III1I : int ( iII1111III1I [ 0 ] ) )
- if 39 - 39: i1IIi / IiII
- oO000oOo00o0o = Combine ( Suppress ( Literal ( '&' ) + Optional ( ( CaselessLiteral ( 'o' ) ) ) ) + Word ( srange ( '[0-7]' ) )
- + Suppress ( Optional ( Word ( '%&^' , exact = 1 ) ) ) )
- oO000oOo00o0o . setParseAction ( lambda iII1111III1I : int ( iII1111III1I [ 0 ] , base = 8 ) )
- if 85 - 85: iII111i + OoooooooOO * iII111i - I1Ii111 % i11iIiiIii
- OOo00OoO = Combine ( Suppress ( CaselessLiteral ( '&h' ) ) + Word ( srange ( '[0-9a-fA-F]' ) )
- + Suppress ( Optional ( Word ( '%&^' , exact = 1 ) ) ) )
- OOo00OoO . setParseAction ( lambda iII1111III1I : int ( iII1111III1I [ 0 ] , base = 16 ) )
- if 10 - 10: o0oOOo0O0Ooo / i11iIiiIii
- o00 = oOOoo | oO000oOo00o0o | OOo00OoO
- if 85 - 85: I1ii11iIi11i . I1Ii111
- if 78 - 78: ooOoO0o * I1Ii111 + iIii1I11I1II1 + iIii1I11I1II1 / I1Ii111 . Ii1I
- if 97 - 97: ooOoO0o / I1Ii111 % i1IIi % I1ii11iIi11i
- if 18 - 18: iIii1I11I1II1 % I11i
- if 95 - 95: ooOoO0o + i11iIiiIii * I1Ii111 - i1IIi * I1Ii111 - iIii1I11I1II1
- if 75 - 75: OoooooooOO * IiII
- if 9 - 9: IiII - II111iiii + O0 / iIii1I11I1II1 / i11iIiiIii
- if 39 - 39: IiII * Oo0Ooo + iIii1I11I1II1 - IiII + OOooOOo
- if 69 - 69: O0
- o0ooO = QuotedString ( '"' , escQuote = '""' )
- o0ooO . setParseAction ( lambda iII1111III1I : str ( iII1111III1I [ 0 ] ) )
- if 74 - 74: O0 * oO0o - i11iIiiIii + I1Ii111
- if 17 - 17: iIii1I11I1II1 . OoooooooOO / I11i % II111iiii % i1IIi / i11iIiiIii
- if 58 - 58: Oo0Ooo . II111iiii + oO0o - i11iIiiIii / II111iiii / O0
- if 85 - 85: OoOoOO00 + OOooOOo
- if 10 - 10: IiII / OoO0O00 + OoOoOO00 / i1IIi
- if 27 - 27: Ii1I
- if 67 - 67: I1IiiI
- if 55 - 55: I1ii11iIi11i - iII111i * o0oOOo0O0Ooo + OoOoOO00 * OoOoOO00 * O0
- O000Oo0o = Forward ( )
- OoO0O0O0o00 = Forward ( )
- if 7 - 7: I1IiiI + OoOoOO00 / IiII
- if 79 - 79: OoO0O00 - iIii1I11I1II1 + Ii1I - I1Ii111
- if 93 - 93: II111iiii . I1IiiI - Oo0Ooo + OoOoOO00
- if 61 - 61: II111iiii
- Ii1ii111i1 = Suppress (
- Combine ( WordStart ( oooooOOO000Oo ) + CaselessLiteral ( 'Chr' )
- + Optional ( CaselessLiteral ( 'B' ) | CaselessLiteral ( 'W' ) ) + Optional ( '$' ) )
- + '(' ) + OoO0O0O0o00 + Suppress ( ')' )
- Ii1ii111i1 . setParseAction ( lambda iII1111III1I : I111i1II ( chr ( iII1111III1I [ 0 ] ) ) )
- if 31 - 31: OOooOOo + O0
- if 87 - 87: ooOoO0o
- if 45 - 45: OoO0O00 / OoooooooOO - iII111i / Ii1I % IiII
- if 83 - 83: I1IiiI . iIii1I11I1II1 - IiII * i11iIiiIii
- if 20 - 20: i1IIi * I1Ii111 + II111iiii % o0oOOo0O0Ooo % oO0o
- if 13 - 13: Oo0Ooo
- oOOo000oOoO0 = Suppress ( CaselessKeyword ( 'Asc' ) + '(' ) + O000Oo0o + Suppress ( ')' )
- oOOo000oOoO0 . setParseAction ( lambda iII1111III1I : ord ( iII1111III1I [ 0 ] ) )
- if 86 - 86: II111iiii % i11iIiiIii + Ii1I % i11iIiiIii
- if 92 - 92: i11iIiiIii - iII111i / ooOoO0o / oO0o
- if 43 - 43: II111iiii + OOooOOo + iII111i
- if 40 - 40: o0oOOo0O0Ooo
- if 67 - 67: oO0o + II111iiii - O0 . oO0o * II111iiii * I11i
- if 90 - 90: Ii1I . IiII
- OO00O0oOO = Suppress ( CaselessKeyword ( 'Val' ) + '(' ) + O000Oo0o + Suppress ( ')' )
- OO00O0oOO . setParseAction ( lambda iII1111III1I : int ( iII1111III1I [ 0 ] . strip ( ) ) )
- if 4 - 4: OoooooooOO - i1IIi % Ii1I - OOooOOo * o0oOOo0O0Ooo
- if 85 - 85: OoooooooOO * iIii1I11I1II1 . iII111i / OoooooooOO % I1IiiI % O0
- if 36 - 36: Ii1I / II111iiii / IiII / IiII + I1ii11iIi11i
- if 95 - 95: IiII
- if 51 - 51: II111iiii + IiII . i1IIi . I1ii11iIi11i + OoOoOO00 * I1IiiI
- OOoOoo0 = Suppress ( CaselessKeyword ( 'StrReverse' ) + '(' ) + O000Oo0o + Suppress ( ')' )
- OOoOoo0 . setParseAction ( lambda iII1111III1I : I111i1II ( str ( iII1111III1I [ 0 ] ) [ : : - 1 ] ) )
- if 17 - 17: Ii1I + oO0o . OoO0O00 - Oo0Ooo * i11iIiiIii
- if 20 - 20: I1IiiI . OoooooooOO % OOooOOo
- if 63 - 63: I1IiiI % iIii1I11I1II1
- if 39 - 39: iII111i / II111iiii / I1ii11iIi11i % I1IiiI
- if 89 - 89: I1Ii111 + OoooooooOO + I1Ii111 * i1IIi + iIii1I11I1II1 % I11i
- oOo0oO = Suppress ( CaselessKeyword ( 'Environ' ) + '(' ) + O000Oo0o + Suppress ( ')' )
- oOo0oO . setParseAction ( lambda iII1111III1I : I111i1II ( '%%%s%%' % iII1111III1I [ 0 ] ) )
- if 5 - 5: OOooOOo - OOooOOo . Oo0Ooo + OoOoOO00 - OOooOOo . oO0o
- if 31 - 31: II111iiii - iIii1I11I1II1 - iIii1I11I1II1 % I11i
- if 12 - 12: iIii1I11I1II1
- if 20 - 20: o0oOOo0O0Ooo / i1IIi
- if 71 - 71: OoOoOO00 . i1IIi
- if 94 - 94: OOooOOo . I1Ii111
- if 84 - 84: O0 . I11i - II111iiii . ooOoO0o / II111iiii
- if 47 - 47: OoooooooOO
- if 4 - 4: I1IiiI % I11i
- I1 = Word ( initChars = alphas , bodyChars = alphanums + '_' )
- if 67 - 67: OoO0O00 + oO0o
- if 88 - 88: iII111i
- if 19 - 19: II111iiii * IiII + Ii1I
- if 65 - 65: OOooOOo . I1Ii111 . OoO0O00 . iII111i - OOooOOo
- if 19 - 19: i11iIiiIii + iII111i % ooOoO0o
- if 14 - 14: OoO0O00 . II111iiii . I11i / Ii1I % I1ii11iIi11i - ooOoO0o
- if 67 - 67: I11i - OOooOOo . i1IIi
- I1I1iI = Suppress ( '"' ) + Combine ( Word ( hexnums , exact = 2 ) * ( 2 , None ) ) + Suppress ( '"' )
- I1I1iI . setParseAction ( lambda iII1111III1I : str ( iII1111III1I [ 0 ] ) )
- if 16 - 16: IiII * OoOoOO00 . ooOoO0o / i1IIi . OoO0O00 - i1IIi
- I1IiIIi = Suppress ( I1 ) + Suppress ( '(' ) + I1I1iI ( 'hex_string' ) + Suppress ( ')' )
- if 42 - 42: O0 . oO0o - o0oOOo0O0Ooo / i1IIi
- I1IiIIi . setParseAction ( lambda iII1111III1I : I111i1II ( binascii . a2b_hex ( iII1111III1I . hex_string ) ) )
- if 68 - 68: O0 + OoOoOO00 / oO0o - OOooOOo + iIii1I11I1II1 % Ii1I
- if 23 - 23: ooOoO0o % o0oOOo0O0Ooo / I11i
- if 5 - 5: iIii1I11I1II1
- if 72 - 72: oO0o . I1Ii111 / OoOoOO00 + I11i % iIii1I11I1II1
- if 42 - 42: I1ii11iIi11i * OoOoOO00 % ooOoO0o - OoOoOO00 . i11iIiiIii - I1Ii111
- if 84 - 84: I1Ii111 - I1ii11iIi11i / I11i
- if 13 - 13: IiII - Oo0Ooo - ooOoO0o
- if 92 - 92: ooOoO0o / OoOoOO00 * OoO0O00 . I11i % II111iiii
- O0OoOoO00O = Suppress ( '"' ) + Regex ( iiI1I1 ) + Suppress ( '"' )
- O0OoOoO00O . setParseAction ( lambda iII1111III1I : str ( iII1111III1I [ 0 ] ) )
- if 96 - 96: I1IiiI % Oo0Ooo . I1ii11iIi11i + OOooOOo
- Ii11Iii1i1ii = Suppress ( I1 ) + Suppress ( '(' ) + O0OoOoO00O ( 'base64_string' ) + Suppress ( ')' )
- if 26 - 26: II111iiii % i11iIiiIii % iIii1I11I1II1 % I11i * I11i * I1ii11iIi11i
- Ii11Iii1i1ii . setParseAction ( lambda iII1111III1I : I111i1II ( binascii . a2b_base64 ( iII1111III1I . base64_string ) ) )
- if 24 - 24: II111iiii % I1Ii111 - ooOoO0o + I1IiiI * I1ii11iIi11i
- if 2 - 2: Ii1I - IiII
- if 83 - 83: oO0o % o0oOOo0O0Ooo % Ii1I - II111iiii * OOooOOo / OoooooooOO
- if 18 - 18: OoO0O00 + iIii1I11I1II1 - II111iiii - I1IiiI
- def oooOOOO0oooo ( tokens ) :
- if 51 - 51: O0 - i1IIi / I1IiiI
- if 37 - 37: o0oOOo0O0Ooo % ooOoO0o
- O0II11i11II = tokens [ 0 ] [ : : 2 ]
- if 29 - 29: Oo0Ooo % OoO0O00 % IiII . o0oOOo0O0Ooo / OoooooooOO * ooOoO0o
- if 54 - 54: O0
- if 68 - 68: OoO0O00 * o0oOOo0O0Ooo . ooOoO0o % oO0o % I1Ii111
- return I111i1II ( '' . join ( O0II11i11II ) )
- if 75 - 75: OoOoOO00
- if 34 - 34: O0
- OooOOOo0 = ( Ii1ii111i1 | OOoOoo0 | oOo0oO | o0ooO | I1IiIIi | Ii11Iii1i1ii )
- if 54 - 54: Ii1I - I11i - I1Ii111 . iIii1I11I1II1
- O000Oo0o <<= infixNotation ( OooOOOo0 ,
- [
- ( "+" , 2 , opAssoc . LEFT , oooOOOO0oooo ) ,
- ( "&" , 2 , opAssoc . LEFT , oooOOOO0oooo ) ,
- ] )
- if 79 - 79: Ii1I . OoO0O00
- if 40 - 40: o0oOOo0O0Ooo + Oo0Ooo . o0oOOo0O0Ooo % ooOoO0o
- if 15 - 15: Ii1I * Oo0Ooo % I1ii11iIi11i * iIii1I11I1II1 - i11iIiiIii
- if 60 - 60: I1IiiI * I1Ii111 % OoO0O00 + oO0o
- def o0oo ( tokens ) :
- if 80 - 80: I1Ii111 * OoOoOO00 * II111iiii - O0 . OoOoOO00 % I1IiiI
- if 13 - 13: oO0o . I1IiiI * oO0o + I1IiiI
- OoOooo = tokens [ 0 ] [ : : 2 ]
- if 74 - 74: iIii1I11I1II1 * IiII % OoOoOO00
- if 36 - 36: OoooooooOO - oO0o
- if 85 - 85: o0oOOo0O0Ooo . IiII / O0 . o0oOOo0O0Ooo . I1ii11iIi11i . OoO0O00
- return sum ( OoOooo )
- if 60 - 60: o0oOOo0O0Ooo - OoOoOO00 * Oo0Ooo % Ii1I / II111iiii % OoOoOO00
- if 52 - 52: OOooOOo - iII111i * oO0o
- Ii1I11I = ( oOOo000oOoO0 | OO00O0oOO | o00 )
- if 36 - 36: O0 + Oo0Ooo
- OoO0O0O0o00 <<= infixNotation ( Ii1I11I ,
- [
- ( "+" , 2 , opAssoc . LEFT , o0oo ) ,
- ] )
- if 5 - 5: Oo0Ooo * OoOoOO00
- if 46 - 46: ooOoO0o
- if 33 - 33: iII111i - II111iiii * OoooooooOO - Oo0Ooo - OOooOOo
- if 84 - 84: I1Ii111 + Oo0Ooo - OoOoOO00 * OoOoOO00
- if 61 - 61: OoooooooOO . oO0o . OoooooooOO / Oo0Ooo
- if 72 - 72: i1IIi
- def OOoo0oo ( data ) :
- return data . startswith ( i11ii1iI )
- if 58 - 58: oO0o
- if 4 - 4: II111iiii . ooOoO0o / I1ii11iIi11i - i11iIiiIii
- if 72 - 72: O0 / ooOoO0o + OoooooooOO * iII111i
- if 61 - 61: OoooooooOO % II111iiii - I1IiiI % I1ii11iIi11i + i1IIi
- if 39 - 39: i1IIi
- if 86 - 86: iIii1I11I1II1 + OoOoOO00 . i11iIiiIii - Ii1I
- if 51 - 51: OoOoOO00
- if 14 - 14: IiII % oO0o % Oo0Ooo - i11iIiiIii
- if 53 - 53: Ii1I % Oo0Ooo
- if 59 - 59: OOooOOo % iIii1I11I1II1 . i1IIi + II111iiii * IiII
- if 41 - 41: Ii1I % I1ii11iIi11i
- i1iIiIi1I = re . compile ( r'x' )
- if 37 - 37: Ii1I % OoO0O00
- if 79 - 79: I1ii11iIi11i + I1IiiI / I1IiiI
- def OO0O0ooOOO00 ( data ) :
- if 17 - 17: O0 . I1Ii111 . O0 + O0 / Oo0Ooo . ooOoO0o
- assert OOoo0oo ( data )
- if 62 - 62: I1ii11iIi11i % iII111i * OoO0O00 - i1IIi
- if 66 - 66: i11iIiiIii / o0oOOo0O0Ooo - OoooooooOO / i1IIi . i11iIiiIii
- if 16 - 16: Oo0Ooo % I1ii11iIi11i + I11i - O0 . iII111i / I1Ii111
- if 35 - 35: oO0o / I1Ii111 / II111iiii - iIii1I11I1II1 + II111iiii . I1Ii111
- if 81 - 81: iII111i * OOooOOo - I1ii11iIi11i * Ii1I % OoOoOO00 * OoOoOO00
- if 59 - 59: iIii1I11I1II1
- if 7 - 7: OOooOOo * I1IiiI / o0oOOo0O0Ooo * i11iIiiIii
- if 84 - 84: OOooOOo . iII111i
- if 8 - 8: Oo0Ooo + II111iiii * OOooOOo * OoOoOO00 * I11i / IiII
- if 21 - 21: oO0o / OoooooooOO
- if 11 - 11: OOooOOo % Ii1I - i11iIiiIii - oO0o + ooOoO0o + IiII
- if 87 - 87: I1Ii111 * i1IIi / I1ii11iIi11i
- if 6 - 6: o0oOOo0O0Ooo + Oo0Ooo - OoooooooOO % OOooOOo * OoOoOO00
- try :
- oOoOIIII = struct . unpack_from ( '<H' , data , offset = 0x1E ) [ 0 ] + 46
- logging . debug ( 'Parsing MSO file: data offset = 0x%X' % oOoOIIII )
- except :
- logging . exception ( 'Unable to parse MSO/ActiveMime file header' )
- raise RuntimeError ( 'Unable to parse MSO/ActiveMime file header' )
- if 50 - 50: Oo0Ooo % IiII
- if 28 - 28: I1ii11iIi11i . i1IIi
- if 10 - 10: OoO0O00 / Oo0Ooo
- if 15 - 15: iII111i . OoOoOO00 / iII111i * I11i - I1IiiI % I1ii11iIi11i
- for oo0OOOOOO0 in ( oOoOIIII , 0x32 , 0x22A ) :
- try :
- logging . debug ( 'Attempting zlib decompression from MSO file offset 0x%X' % oo0OOOOOO0 )
- i11 = zlib . decompress ( data [ oo0OOOOOO0 : ] )
- return i11
- except :
- logging . exception ( 'zlib decompression failed' )
- if 20 - 20: OoooooooOO - Oo0Ooo % OoOoOO00 % I11i
- if 89 - 89: oO0o / OoooooooOO . iII111i
- logging . debug ( 'Looking for potential zlib-compressed blocks in MSO file' )
- for I1iiiiii in i1iIiIi1I . finditer ( data ) :
- oo0OOOOOO0 = I1iiiiii . start ( )
- try :
- logging . debug ( 'Attempting zlib decompression from MSO file offset 0x%X' % oo0OOOOOO0 )
- i11 = zlib . decompress ( data [ oo0OOOOOO0 : ] )
- return i11
- except :
- logging . exception ( 'zlib decompression failed' )
- raise RuntimeError ( 'Unable to decompress data from a MSO/ActiveMime file' )
- if 65 - 65: IiII + Oo0Ooo
- if 59 - 59: OoooooooOO + I11i . I1Ii111 - O0 % iIii1I11I1II1 / O0
- if 88 - 88: Oo0Ooo . O0 % OoooooooOO / OOooOOo
- if 89 - 89: II111iiii / oO0o
- if 14 - 14: OOooOOo . I1IiiI * ooOoO0o + II111iiii - ooOoO0o + OOooOOo
- IIIIIiII1 = set ( string . printable )
- if 45 - 45: I1IiiI / iII111i . iII111i
- def i1oO ( s ) :
- if 30 - 30: Oo0Ooo . OoO0O00
- if 57 - 57: I11i . Oo0Ooo + II111iiii
- return set ( s ) . issubset ( IIIIIiII1 )
- if 43 - 43: I1Ii111 % iII111i
- if 69 - 69: iII111i % OoO0O00
- if 86 - 86: oO0o / oO0o
- if 28 - 28: i11iIiiIii / o0oOOo0O0Ooo . iIii1I11I1II1 / II111iiii
- if 72 - 72: OoooooooOO / I1IiiI + Ii1I / OoOoOO00 * Ii1I
- if 34 - 34: O0 * O0 % OoooooooOO + iII111i * iIii1I11I1II1 % Ii1I
- if 25 - 25: I11i + OoOoOO00 . o0oOOo0O0Ooo % OoOoOO00 * OOooOOo
- if 32 - 32: i11iIiiIii - I1Ii111
- if 53 - 53: OoooooooOO - IiII
- def oOo ( decompressed_current , decompressed_chunk_start ) :
- i1i = decompressed_current - decompressed_chunk_start
- if 5 - 5: I1ii11iIi11i + O0 + O0 . I1Ii111 - ooOoO0o
- if 63 - 63: oO0o
- if 71 - 71: i1IIi . Ii1I * iII111i % OoooooooOO + OOooOOo
- if 36 - 36: IiII
- if 49 - 49: OOooOOo / OoooooooOO / I1IiiI
- if 74 - 74: I1Ii111 % I1ii11iIi11i
- if 7 - 7: II111iiii
- iI = int ( math . ceil ( math . log ( i1i , 2 ) ) )
- iI = max ( [ iI , 4 ] )
- i1oOOOOOOOoO = 0xFFFF >> iI
- I1IIiI = ~ i1oOOOOOOOoO
- O0oOOo0o = ( 0xFFFF >> iI ) + 3
- return i1oOOOOOOOoO , I1IIiI , iI , O0oOOo0o
- if 50 - 50: iII111i . I1ii11iIi11i . OoO0O00 * I11i + II111iiii % i11iIiiIii
- if 8 - 8: ooOoO0o * O0
- def OOoO ( compressed_container ) :
- if 18 - 18: iIii1I11I1II1 + Oo0Ooo - OOooOOo + OoooooooOO * OoooooooOO
- if 41 - 41: ooOoO0o . Oo0Ooo + I1IiiI
- if 100 - 100: Ii1I + OoO0O00
- if 73 - 73: i1IIi - I1Ii111 % ooOoO0o / OoO0O00
- if 40 - 40: I1ii11iIi11i * ooOoO0o - I1IiiI / IiII / i11iIiiIii
- if 83 - 83: I1ii11iIi11i / I1Ii111 - i11iIiiIii . iIii1I11I1II1 + Oo0Ooo
- if 59 - 59: O0 % Oo0Ooo
- if 92 - 92: Ii1I % iII111i / I1ii11iIi11i % I1ii11iIi11i * I1IiiI
- if 74 - 74: O0 . I1IiiI % OoO0O00 % IiII
- if 87 - 87: oO0o - i11iIiiIii
- if 78 - 78: i11iIiiIii / iIii1I11I1II1 - o0oOOo0O0Ooo
- if 23 - 23: I11i
- if 40 - 40: o0oOOo0O0Ooo - II111iiii / Oo0Ooo
- if 14 - 14: I1ii11iIi11i
- if 5 - 5: o0oOOo0O0Ooo . iIii1I11I1II1 % iIii1I11I1II1
- if 56 - 56: OoooooooOO - I11i - i1IIi
- if 8 - 8: I1Ii111 / OOooOOo . I1IiiI + I1ii11iIi11i / i11iIiiIii
- if 31 - 31: ooOoO0o - iIii1I11I1II1 + iII111i . Oo0Ooo / IiII % iIii1I11I1II1
- if 6 - 6: IiII * i11iIiiIii % iIii1I11I1II1 % i11iIiiIii + o0oOOo0O0Ooo / i1IIi
- if 53 - 53: I11i + iIii1I11I1II1
- if 70 - 70: I1ii11iIi11i
- if 67 - 67: OoooooooOO
- if 29 - 29: O0 - i11iIiiIii - II111iiii + OOooOOo * IiII
- if 2 - 2: i1IIi - ooOoO0o + I1IiiI . o0oOOo0O0Ooo * o0oOOo0O0Ooo / OoOoOO00
- if 93 - 93: i1IIi
- if 53 - 53: OoooooooOO + Oo0Ooo + oO0o
- I1I111iI = ''
- iIiI1IIiii11 = 0
- if 33 - 33: iIii1I11I1II1 / iII111i - I1IiiI * I11i
- o0o00oO0oo000 = ord ( compressed_container [ iIiI1IIiii11 ] )
- if o0o00oO0oo000 != 0x01 :
- raise ValueError ( 'invalid signature byte {0:02X}' . format ( o0o00oO0oo000 ) )
- if 89 - 89: OoO0O00 + IiII * I1Ii111
- iIiI1IIiii11 += 1
- if 28 - 28: OoooooooOO . oO0o % I1ii11iIi11i / i1IIi / OOooOOo
- if 36 - 36: o0oOOo0O0Ooo + I11i - IiII + iIii1I11I1II1 + OoooooooOO
- if 4 - 4: II111iiii . I11i + Ii1I * I1Ii111 . ooOoO0o
- while iIiI1IIiii11 < len ( compressed_container ) :
- if 87 - 87: OoOoOO00 / OoO0O00 / i11iIiiIii
- oO0OO = iIiI1IIiii11
- if 88 - 88: OoOoOO00 - i11iIiiIii % o0oOOo0O0Ooo * I11i + I1ii11iIi11i
- Oo = struct . unpack ( "<H" , compressed_container [ oO0OO : oO0OO + 2 ] ) [ 0 ]
- if 40 - 40: OoOoOO00 % OoO0O00
- if 62 - 62: o0oOOo0O0Ooo
- I1i111i = ( Oo & 0x0FFF ) + 3
- if 42 - 42: I1ii11iIi11i / i1IIi % OoOoOO00
- I11iiIIII1I1 = ( Oo >> 12 ) & 0x07
- if I11iiIIII1I1 != 0b011 :
- raise ValueError ( 'Invalid CompressedChunkSignature in VBA compressed stream' )
- if 38 - 38: I1Ii111 % OOooOOo - OoooooooOO
- oOo0OOoooO = ( Oo >> 15 ) & 0x01
- logging . debug ( "chunk size = {0}, compressed flag = {1}" . format ( I1i111i , oOo0OOoooO ) )
- if 26 - 26: o0oOOo0O0Ooo * IiII . i1IIi
- if 59 - 59: O0 + i1IIi - o0oOOo0O0Ooo
- if 62 - 62: i11iIiiIii % OOooOOo . IiII . OOooOOo
- if 84 - 84: i11iIiiIii * OoO0O00
- if 18 - 18: OOooOOo - Ii1I - OoOoOO00 / I1Ii111 - O0
- if 30 - 30: O0 + I1ii11iIi11i + II111iiii
- if oOo0OOoooO == 1 and I1i111i > 4098 :
- raise ValueError ( 'CompressedChunkSize > 4098 but CompressedChunkFlag == 1' )
- if oOo0OOoooO == 0 and I1i111i != 4098 :
- raise ValueError ( 'CompressedChunkSize != 4098 but CompressedChunkFlag == 0' )
- if 14 - 14: o0oOOo0O0Ooo / OOooOOo - iIii1I11I1II1 - oO0o % ooOoO0o
- if 49 - 49: ooOoO0o * oO0o / o0oOOo0O0Ooo / Oo0Ooo * iIii1I11I1II1
- if 57 - 57: OoOoOO00 - oO0o / ooOoO0o % i11iIiiIii
- if oO0OO + I1i111i > len ( compressed_container ) :
- logging . warning ( 'Chunk size is larger than remaining compressed data' )
- I11 = min ( [ len ( compressed_container ) , oO0OO + I1i111i ] )
- if 100 - 100: I1ii11iIi11i + i11iIiiIii - i1IIi
- iIiI1IIiii11 = oO0OO + 2
- if 29 - 29: o0oOOo0O0Ooo / i11iIiiIii / I1IiiI % oO0o % i11iIiiIii
- if oOo0OOoooO == 0 :
- if 18 - 18: OOooOOo + I1Ii111
- if 80 - 80: oO0o + o0oOOo0O0Ooo * Ii1I + OoO0O00
- if 75 - 75: I11i / o0oOOo0O0Ooo / OOooOOo / IiII % ooOoO0o + II111iiii
- I1I111iI += compressed_container [ iIiI1IIiii11 : iIiI1IIiii11 + 4096 ]
- iIiI1IIiii11 += 4096
- else :
- if 4 - 4: iII111i - Oo0Ooo - IiII - I11i % i11iIiiIii / OoO0O00
- if 50 - 50: ooOoO0o + i1IIi
- i11IiIIi11I = len ( I1I111iI )
- while iIiI1IIiii11 < I11 :
- if 78 - 78: IiII
- if 83 - 83: iIii1I11I1II1 % OoOoOO00 % o0oOOo0O0Ooo % I1Ii111 . I1ii11iIi11i % O0
- if 47 - 47: o0oOOo0O0Ooo
- if 66 - 66: I1IiiI - IiII
- iiIii = ord ( compressed_container [ iIiI1IIiii11 ] )
- iIiI1IIiii11 += 1
- for iIiIii1ii in xrange ( 0 , 8 ) :
- if 8 - 8: OoO0O00 + OoOoOO00 . iIii1I11I1II1 % O0
- if iIiI1IIiii11 >= I11 :
- break
- if 43 - 43: I1ii11iIi11i - iII111i
- if 70 - 70: iII111i / OOooOOo % ooOoO0o - Ii1I
- i1II11Iii1I = ( iiIii >> iIiIii1ii ) & 1
- if 92 - 92: OOooOOo % IiII % OoOoOO00
- if i1II11Iii1I == 0 :
- if 4 - 4: OoOoOO00 + Ii1I / oO0o
- I1I111iI += compressed_container [ iIiI1IIiii11 ]
- iIiI1IIiii11 += 1
- else :
- if 13 - 13: iII111i
- o0OOOOO0O = struct . unpack ( "<H" , compressed_container [ iIiI1IIiii11 : iIiI1IIiii11 + 2 ] ) [ 0 ]
- if 35 - 35: Ii1I - Ii1I + i1IIi - O0 - I1Ii111
- if 58 - 58: OoOoOO00 - iII111i - OoooooooOO
- i1oOOOOOOOoO , I1IIiI , iI , O0oOOo0o = oOo (
- len ( I1I111iI ) , i11IiIIi11I )
- o00ii111Iiii = ( o0OOOOO0O & i1oOOOOOOOoO ) + 3
- oo0oO0o0 = o0OOOOO0O & I1IIiI
- Iii1Ii = 16 - iI
- oOoOIIII = ( oo0oO0o0 >> Iii1Ii ) + 1
- if 30 - 30: O0 - iII111i % Oo0Ooo
- O0Oo = len ( I1I111iI ) - oOoOIIII
- for iIIiI11i in xrange ( O0Oo , O0Oo + o00ii111Iiii ) :
- I1I111iI += I1I111iI [ iIIiI11i ]
- iIiI1IIiii11 += 2
- return I1I111iI
- if 100 - 100: O0 . I11i . OoO0O00 + O0 * oO0o
- if 42 - 42: oO0o % OoooooooOO + o0oOOo0O0Ooo
- def ooOO0o ( ole , vba_root , project_path , dir_path ) :
- if 51 - 51: Oo0Ooo - I1ii11iIi11i * I11i
- ii1111Ii1i = ole . openstream ( project_path )
- if 48 - 48: O0 * Ii1I - O0 / Ii1I + OoOoOO00
- if 52 - 52: OoO0O00 % Ii1I * II111iiii
- if 4 - 4: I11i % O0 - OoooooooOO + ooOoO0o . oO0o % II111iiii
- if 9 - 9: II111iiii * II111iiii . i11iIiiIii * iIii1I11I1II1
- if 18 - 18: OoO0O00 . II111iiii % OoOoOO00 % Ii1I
- if 87 - 87: iIii1I11I1II1 . OoooooooOO * OoOoOO00
- if 100 - 100: OoO0O00 / i1IIi - I1IiiI % Ii1I - iIii1I11I1II1
- if 17 - 17: I11i / o0oOOo0O0Ooo % Oo0Ooo
- if 71 - 71: IiII . I1Ii111 . OoO0O00
- if 68 - 68: i11iIiiIii % oO0o * OoO0O00 * IiII * II111iiii + O0
- if 66 - 66: I11i % I1ii11iIi11i % OoooooooOO
- if 34 - 34: o0oOOo0O0Ooo / iII111i % O0 . OoO0O00 . i1IIi
- if 29 - 29: O0 . I1Ii111
- if 66 - 66: oO0o * iIii1I11I1II1 % iIii1I11I1II1 * IiII - ooOoO0o - IiII
- if 70 - 70: I1Ii111 + oO0o
- if 93 - 93: I1Ii111 + Ii1I
- if 33 - 33: O0
- if 78 - 78: O0 / II111iiii * OoO0O00
- if 50 - 50: OoooooooOO - iIii1I11I1II1 + i1IIi % I1Ii111 - iIii1I11I1II1 % O0
- if 58 - 58: IiII + iIii1I11I1II1
- if 65 - 65: II111iiii - I1Ii111 % o0oOOo0O0Ooo - OoOoOO00 * iII111i + Ii1I
- if 79 - 79: ooOoO0o . OoOoOO00 % I1Ii111 - Oo0Ooo
- if 69 - 69: ooOoO0o - o0oOOo0O0Ooo . ooOoO0o
- if 9 - 9: oO0o % i11iIiiIii / Oo0Ooo
- if 20 - 20: oO0o * O0 + I11i - OoooooooOO . I11i
- if 60 - 60: o0oOOo0O0Ooo . o0oOOo0O0Ooo / iII111i
- if 45 - 45: O0 . i11iIiiIii % iII111i . OoOoOO00 % IiII % iIii1I11I1II1
- if 58 - 58: iIii1I11I1II1 . OoOoOO00 - i11iIiiIii * iIii1I11I1II1 % i11iIiiIii / I1IiiI
- if 80 - 80: I1ii11iIi11i / iIii1I11I1II1 % OoOoOO00
- oO000o0Oo00 = { }
- if 77 - 77: iIii1I11I1II1 + OoO0O00 . I1ii11iIi11i % OoO0O00
- for o0O in ii1111Ii1i :
- o0O = o0O . strip ( )
- if '=' in o0O :
- if 78 - 78: OoOoOO00
- iI1 , I1iIII1IiiI = o0O . split ( '=' , 1 )
- if 96 - 96: I1IiiI % i1IIi . o0oOOo0O0Ooo . O0
- if 37 - 37: i1IIi - OOooOOo % OoooooooOO / OOooOOo % ooOoO0o
- if 48 - 48: i11iIiiIii % oO0o
- if 29 - 29: iII111i + i11iIiiIii % I11i
- I1iIII1IiiI = I1iIII1IiiI . lower ( )
- if iI1 == 'Document' :
- if 93 - 93: OoOoOO00 % iIii1I11I1II1
- I1iIII1IiiI = I1iIII1IiiI . split ( '/' , 1 ) [ 0 ]
- oO000o0Oo00 [ I1iIII1IiiI ] = IiI1iIiIIIii
- elif iI1 == 'Module' :
- oO000o0Oo00 [ I1iIII1IiiI ] = OOOOOo
- elif iI1 == 'Class' :
- oO000o0Oo00 [ I1iIII1IiiI ] = IiI1iIiIIIii
- elif iI1 == 'BaseClass' :
- oO000o0Oo00 [ I1iIII1IiiI ] = oOoO
- if 90 - 90: I1IiiI - OOooOOo / Ii1I / O0 / I11i
- if 87 - 87: OoOoOO00 / IiII + iIii1I11I1II1
- oo0O0o = ole . openstream ( dir_path ) . read ( )
- if 13 - 13: iIii1I11I1II1 . OoOoOO00 * I1IiiI / oO0o * Ii1I
- def O00o ( name , expected , value ) :
- if expected != value :
- logging . error ( "invalid value for {0} expected {1:04X} got {2:04X}" . format ( name , expected , value ) )
- if 86 - 86: I1ii11iIi11i * II111iiii * I11i
- oO0Oo = cStringIO . StringIO ( OOoO ( oo0O0o ) )
- if 58 - 58: ooOoO0o
- if 5 - 5: i11iIiiIii % OoOoOO00 - Ii1I
- oOo0 = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'PROJECTSYSKIND_Id' , 0x0001 , oOo0 )
- oOoOo = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'PROJECTSYSKIND_Size' , 0x0004 , oOoOo )
- OoO00O0OOO = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- if OoO00O0OOO == 0x00 :
- logging . debug ( "16-bit Windows" )
- elif OoO00O0OOO == 0x01 :
- logging . debug ( "32-bit Windows" )
- elif OoO00O0OOO == 0x02 :
- logging . debug ( "Macintosh" )
- elif OoO00O0OOO == 0x03 :
- logging . debug ( "64-bit Windows" )
- else :
- logging . error ( "invalid PROJECTSYSKIND_SysKind {0:04X}" . format ( OoO00O0OOO ) )
- if 87 - 87: IiII
- if 34 - 34: OoO0O00
- I11i11i1 = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'PROJECTLCID_Id' , 0x0002 , I11i11i1 )
- OOO = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'PROJECTLCID_Size' , 0x0004 , OOO )
- ii1i1iiI = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'PROJECTLCID_Lcid' , 0x409 , ii1i1iiI )
- if 94 - 94: i1IIi * i1IIi % II111iiii + OOooOOo
- if 28 - 28: I1IiiI
- I11o0000o0Oo = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'PROJECTLCIDINVOKE_Id' , 0x0014 , I11o0000o0Oo )
- ooo0O0OOo0OoO = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'PROJECTLCIDINVOKE_Size' , 0x0004 , ooo0O0OOo0OoO )
- Ii1i1 = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'PROJECTLCIDINVOKE_LcidInvoke' , 0x409 , Ii1i1 )
- if 65 - 65: oO0o + I1ii11iIi11i / OOooOOo
- if 85 - 85: iIii1I11I1II1 / OoooooooOO % II111iiii
- IiIIi11i111 = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'PROJECTCODEPAGE_Id' , 0x0003 , IiIIi11i111 )
- oooo = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'PROJECTCODEPAGE_Size' , 0x0002 , oooo )
- iiiIIIii = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- if 93 - 93: iIii1I11I1II1 + I1IiiI + i11iIiiIii
- if 74 - 74: I11i / II111iiii + ooOoO0o * iIii1I11I1II1 - I1Ii111 - OoO0O00
- OoOoO0OooOOo = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'PROJECTNAME_Id' , 0x0004 , OoOoO0OooOOo )
- oOIIi = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- if oOIIi < 1 or oOIIi > 128 :
- logging . error ( "PROJECTNAME_SizeOfProjectName value not in range: {0}" . format ( oOIIi ) )
- I1Ii1IIiI11i1 = oO0Oo . read ( oOIIi )
- if 45 - 45: II111iiii % ooOoO0o % IiII + I1ii11iIi11i . i1IIi . OoOoOO00
- if 87 - 87: ooOoO0o . O0 % I1Ii111 + I1ii11iIi11i + Ii1I % iIii1I11I1II1
- ii11iIIi = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'PROJECTDOCSTRING_Id' , 0x0005 , ii11iIIi )
- i1II1II1iii1i = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- if oOIIi > 2000 :
- logging . error (
- "PROJECTDOCSTRING_SizeOfDocString value not in range: {0}" . format ( i1II1II1iii1i ) )
- O0OO0oOO = oO0Oo . read ( i1II1II1iii1i )
- oo = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'PROJECTDOCSTRING_Reserved' , 0x0040 , oo )
- ooOoO0O0 = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- if ooOoO0O0 % 2 != 0 :
- logging . error ( "PROJECTDOCSTRING_SizeOfDocStringUnicode is not even" )
- iI111i11iI1 = oO0Oo . read ( ooOoO0O0 )
- if 2 - 2: OoOoOO00 + I1Ii111 + OoooooooOO . i1IIi
- if 19 - 19: iII111i - o0oOOo0O0Ooo - Ii1I - OoOoOO00 . iII111i . I1Ii111
- i11I1I = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'PROJECTHELPFILEPATH_Id' , 0x0006 , i11I1I )
- oo0ooooo00o = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- if oo0ooooo00o > 260 :
- logging . error (
- "PROJECTHELPFILEPATH_SizeOfHelpFile1 value not in range: {0}" . format ( oo0ooooo00o ) )
- OoOo = oO0Oo . read ( oo0ooooo00o )
- i111i1iIi1 = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'PROJECTHELPFILEPATH_Reserved' , 0x003D , i111i1iIi1 )
- OoO0oO = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- if OoO0oO != oo0ooooo00o :
- logging . error ( "PROJECTHELPFILEPATH_SizeOfHelpFile1 does not equal PROJECTHELPFILEPATH_SizeOfHelpFile2" )
- Ii = oO0Oo . read ( OoO0oO )
- if Ii != OoOo :
- logging . error ( "PROJECTHELPFILEPATH_HelpFile1 does not equal PROJECTHELPFILEPATH_HelpFile2" )
- if 20 - 20: o0oOOo0O0Ooo * ooOoO0o
- if 10 - 10: I11i - Oo0Ooo
- ooOOooo0ooo00 = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'PROJECTHELPCONTEXT_Id' , 0x0007 , ooOOooo0ooo00 )
- oooOo = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'PROJECTHELPCONTEXT_Size' , 0x0004 , oooOo )
- oo0oo0O0 = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- if 18 - 18: iIii1I11I1II1 + OOooOOo + iIii1I11I1II1 . I1ii11iIi11i + I1Ii111 . ooOoO0o
- if 7 - 7: I1ii11iIi11i + iIii1I11I1II1 * I11i * I11i / II111iiii - Ii1I
- oOOOo0o = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'PROJECTLIBFLAGS_Id' , 0x0008 , oOOOo0o )
- iiiii11I1 = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'PROJECTLIBFLAGS_Size' , 0x0004 , iiiii11I1 )
- Ii1 = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'PROJECTLIBFLAGS_ProjectLibFlags' , 0x0000 , Ii1 )
- if 77 - 77: OOooOOo / II111iiii + IiII + ooOoO0o - i11iIiiIii
- if 44 - 44: I1IiiI + OoOoOO00 + I1ii11iIi11i . I1IiiI * OoOoOO00 % iIii1I11I1II1
- o0OO0OOO0O = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'PROJECTVERSION_Id' , 0x0009 , o0OO0OOO0O )
- Iii1I = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'PROJECTVERSION_Reserved' , 0x0004 , Iii1I )
- oOoOOOOoOO0o = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- ii = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- if 47 - 47: I1Ii111 - OOooOOo / ooOoO0o - Oo0Ooo + iII111i - iIii1I11I1II1
- if 68 - 68: Ii1I - oO0o + Oo0Ooo
- i11Iii1Ii1i1 = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'PROJECTCONSTANTS_Id' , 0x000C , i11Iii1Ii1i1 )
- i1iIi1IIiIII1 = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- if i1iIi1IIiIII1 > 1015 :
- logging . error (
- "PROJECTCONSTANTS_SizeOfConstants value not in range: {0}" . format ( i1iIi1IIiIII1 ) )
- i1Ii11I1II = oO0Oo . read ( i1iIi1IIiIII1 )
- oOOOoo0o = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'PROJECTCONSTANTS_Reserved' , 0x003C , oOOOoo0o )
- iiiI1IiIIii = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- if iiiI1IiIIii % 2 != 0 :
- logging . error ( "PROJECTCONSTANTS_SizeOfConstantsUnicode is not even" )
- IIIIiii = oO0Oo . read ( iiiI1IiIIii )
- if 26 - 26: OoooooooOO - ooOoO0o * i11iIiiIii + O0 * oO0o
- if 87 - 87: Oo0Ooo + O0 - I11i * iIii1I11I1II1 . I1Ii111 % o0oOOo0O0Ooo
- Oo0oo0oOO0oOo = None
- while True :
- Oo0oo0oOO0oOo = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- logging . debug ( "reference type = {0:04X}" . format ( Oo0oo0oOO0oOo ) )
- if Oo0oo0oOO0oOo == 0x000F :
- break
- if 18 - 18: II111iiii + OoOoOO00 - I1Ii111 + OoO0O00 / ooOoO0o % IiII
- if Oo0oo0oOO0oOo == 0x0016 :
- if 94 - 94: iII111i % ooOoO0o . oO0o
- O00oOo0O0o00O = Oo0oo0oOO0oOo
- ooo0oo00O00Oo = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- OOO000000OOO0 = oO0Oo . read ( ooo0oo00O00Oo )
- ooOoOOoooO000 = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'REFERENCE_Reserved' , 0x003E , ooOoOOoooO000 )
- OoO0o000oOo = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- Oo00OO00o0oO = oO0Oo . read ( OoO0o000oOo )
- continue
- if 43 - 43: Oo0Ooo . I1Ii111
- if Oo0oo0oOO0oOo == 0x0033 :
- if 12 - 12: I1Ii111 + OOooOOo + I11i . IiII / Ii1I
- i1I = Oo0oo0oOO0oOo
- oOOoooO0O0 = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- ii1 = oO0Oo . read ( oOOoooO0O0 )
- continue
- if 69 - 69: I11i % O0 / I1IiiI . I1Ii111 / ooOoO0o
- if Oo0oo0oOO0oOo == 0x002F :
- if 94 - 94: I11i - II111iiii . I1IiiI - Oo0Ooo + I1ii11iIi11i * I1ii11iIi11i
- I1iiIiiii1111 = Oo0oo0oOO0oOo
- I1ii1i11i = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- Oooooo0O00o = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- II11ii1 = oO0Oo . read ( Oooooo0O00o )
- ii1II1II = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'REFERENCECONTROL_Reserved1' , 0x0000 , ii1II1II )
- i11i11II11i = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'REFERENCECONTROL_Reserved2' , 0x0000 , i11i11II11i )
- if 9 - 9: OoOoOO00 - I1ii11iIi11i * ooOoO0o . ooOoO0o - I1IiiI
- OOooOooo0OOo0 = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- if OOooOooo0OOo0 == 0x0016 :
- oo0o0OoOO0o0 = Oo0oo0oOO0oOo
- III1III11II = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- iIi1iI = oO0Oo . read (
- III1III11II )
- OO0Oo = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'REFERENCECONTROL_NameRecordExtended_Reserved' , 0x003E ,
- OO0Oo )
- IIiiiiiIiIIi = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- iiIiiIi1 = oO0Oo . read (
- IIiiiiiIiIIi )
- I1Ii11i = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- else :
- I1Ii11i = OOooOooo0OOo0
- if 19 - 19: IiII - o0oOOo0O0Ooo . iIii1I11I1II1 . OoOoOO00 / OOooOOo
- O00o ( 'REFERENCECONTROL_Reserved3' , 0x0030 , I1Ii11i )
- OOO0O00Oo = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- ii1oOOO0ooOO = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- i11IiI1iiI11 = oO0Oo . read ( ii1oOOO0ooOO )
- OOoOOOO00 = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- IIii1III = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- ooooOoo0OO = oO0Oo . read ( 16 )
- Oo0 = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- continue
- if 96 - 96: I11i % Ii1I % oO0o * I11i / OOooOOo
- if Oo0oo0oOO0oOo == 0x000D :
- if 13 - 13: iIii1I11I1II1 - OoO0O00
- ooo0 = Oo0oo0oOO0oOo
- i1iiIIiiiII = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- Ii1I1 = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- OO0ooO0 = oO0Oo . read ( Ii1I1 )
- OoOooOO0oOOo0O = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'REFERENCEREGISTERED_Reserved1' , 0x0000 , OoOooOO0oOOo0O )
- I1II = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'REFERENCEREGISTERED_Reserved2' , 0x0000 , I1II )
- continue
- if 9 - 9: Oo0Ooo % OoooooooOO - Ii1I
- if Oo0oo0oOO0oOo == 0x000E :
- if 43 - 43: OoO0O00 % OoO0O00
- IIiii11ii1i = Oo0oo0oOO0oOo
- II1iI1IIi = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- Ii11iiI1 = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- oO0O = oO0Oo . read ( Ii11iiI1 )
- OOoooO00o0o = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- I1ii1Ii1 = oO0Oo . read ( OOoooO00o0o )
- OoO = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- oOiI111I1III = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- continue
- if 36 - 36: I11i % OOooOOo
- logging . error ( 'invalid or unknown check Id {0:04X}' . format ( Oo0oo0oOO0oOo ) )
- sys . exit ( 0 )
- if 72 - 72: I1IiiI / iII111i - O0 + I11i
- o0 = Oo0oo0oOO0oOo
- O00o ( 'PROJECTMODULES_Id' , 0x000F , o0 )
- iIIIIi = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'PROJECTMODULES_Size' , 0x0002 , iIIIIi )
- i1I11ii = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- o0ooO00O0O = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'PROJECTMODULES_ProjectCookieRecord_Id' , 0x0013 , o0ooO00O0O )
- iiiI1iI1 = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'PROJECTMODULES_ProjectCookieRecord_Size' , 0x0002 , iiiI1iI1 )
- I1oOoO0OOO00O = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- if 73 - 73: o0oOOo0O0Ooo % OoO0O00 + IiII + I1IiiI
- logging . debug ( "parsing {0} modules" . format ( i1I11ii ) )
- for OoOO00 in xrange ( 0 , i1I11ii ) :
- O0O00OoOoOOo = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'MODULENAME_Id' , 0x0019 , O0O00OoOoOOo )
- o0o0oo0 = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- II1IIi1iII1i = oO0Oo . read ( o0o0oo0 )
- if 26 - 26: O0
- iiiIi = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- if iiiIi == 0x0047 :
- ooiiI1ii = iiiIi
- O0OooOO = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- i1i1 = oO0Oo . read ( O0OooOO )
- iiiIi = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- if iiiIi == 0x001A :
- o0oOoOo0 = iiiIi
- III1IiI1i1i = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- o0OOOOOo0 = oO0Oo . read ( III1IiI1i1i )
- oooOoO = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'MODULESTREAMNAME_Reserved' , 0x0032 , oooOoO )
- O0Oo0 = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- iIIIi1IiI11I1 = oO0Oo . read ( O0Oo0 )
- iiiIi = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- if iiiIi == 0x001C :
- O0Ooo000 = iiiIi
- O00o ( 'MODULEDOCSTRING_Id' , 0x001C , O0Ooo000 )
- IIi11iI1Iii = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- IiIi1i = oO0Oo . read ( IIi11iI1Iii )
- i11ii = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- O00o ( 'MODULEDOCSTRING_Reserved' , 0x0048 , i11ii )
- oOOOOO0Ooooo = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- o0o000Oo = oO0Oo . read ( oOOOOO0Ooooo )
- iiiIi = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- if iiiIi == 0x0031 :
- oO0o0O0o0OO00 = iiiIi
- O00o ( 'MODULEOFFSET_Id' , 0x0031 , oO0o0O0o0OO00 )
- iIiiiIi = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'MODULEOFFSET_Size' , 0x0004 , iIiiiIi )
- OooooOo = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- iiiIi = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- if iiiIi == 0x001E :
- IIIiiiIiI = iiiIi
- O00o ( 'MODULEHELPCONTEXT_Id' , 0x001E , IIIiiiIiI )
- OO0OOoooo0o = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'MODULEHELPCONTEXT_Size' , 0x0004 , OO0OOoooo0o )
- IiIi1Ii = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- iiiIi = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- if iiiIi == 0x002C :
- iiIIiI11II1 = iiiIi
- O00o ( 'MODULECOOKIE_Id' , 0x002C , iiIIiI11II1 )
- oooOooOoO0Oo0 = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'MODULECOOKIE_Size' , 0x0002 , oooOooOoO0Oo0 )
- i11i11i = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- iiiIi = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- if iiiIi == 0x0021 or iiiIi == 0x0022 :
- iiI1iI = iiiIi
- Ooo00O0 = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- iiiIi = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- if iiiIi == 0x0025 :
- OoO0OOoO0 = iiiIi
- O00o ( 'MODULEREADONLY_Id' , 0x0025 , OoO0OOoO0 )
- iiI11i = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'MODULEREADONLY_Reserved' , 0x0000 , iiI11i )
- iiiIi = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- if iiiIi == 0x0028 :
- o0Oo = iiiIi
- O00o ( 'MODULEPRIVATE_Id' , 0x0028 , o0Oo )
- iiI1i = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'MODULEPRIVATE_Reserved' , 0x0000 , iiI1i )
- iiiIi = struct . unpack ( "<H" , oO0Oo . read ( 2 ) ) [ 0 ]
- if iiiIi == 0x002B :
- i11I = struct . unpack ( "<L" , oO0Oo . read ( 4 ) ) [ 0 ]
- O00o ( 'MODULE_Reserved' , 0x0000 , i11I )
- iiiIi = None
- if iiiIi != None :
- logging . warning ( 'unknown or invalid module section id {0:04X}' . format ( iiiIi ) )
- if 56 - 56: iII111i . I1Ii111
- logging . debug ( 'Project CodePage = %d' % iiiIIIii )
- I1i1ii = 'cp%d' % iiiIIIii
- logging . debug ( "ModuleName = {0}" . format ( II1IIi1iII1i ) )
- logging . debug ( "StreamName = {0}" . format ( repr ( o0OOOOOo0 ) ) )
- O0000oo00oOOO = o0OOOOOo0 . decode ( I1i1ii )
- logging . debug ( "StreamName.decode('%s') = %s" % ( I1i1ii , repr ( O0000oo00oOOO ) ) )
- logging . debug ( "StreamNameUnicode = {0}" . format ( repr ( iIIIi1IiI11I1 ) ) )
- logging . debug ( "TextOffset = {0}" . format ( OooooOo ) )
- if 98 - 98: oO0o . OoooooooOO
- Oo000 = vba_root + u'VBA/' + O0000oo00oOOO
- if 97 - 97: O0 / OOooOOo + o0oOOo0O0Ooo . oO0o % OoOoOO00 - OoOoOO00
- logging . debug ( 'opening VBA code stream %s' % repr ( Oo000 ) )
- i1IiI1Iiii = ole . openstream ( Oo000 ) . read ( )
- logging . debug ( "length of code_data = {0}" . format ( len ( i1IiI1Iiii ) ) )
- logging . debug ( "offset of code_data = {0}" . format ( OooooOo ) )
- i1IiI1Iiii = i1IiI1Iiii [ OooooOo : ]
- if len ( i1IiI1Iiii ) > 0 :
- i1IiI1Iiii = OOoO ( i1IiI1Iiii )
- if 87 - 87: IiII / I1Ii111 - Oo0Ooo
- oOO = oO000o0Oo00 . get ( II1IIi1iII1i . lower ( ) , 'bin' )
- oOOO0oOoo = '{0}.{1}' . format ( II1IIi1iII1i , oOO )
- if 65 - 65: iII111i . oO0o - Ii1I
- yield ( Oo000 , oOOO0oOoo , i1IiI1Iiii )
- if 93 - 93: O0
- if 4 - 4: I1IiiI / I1IiiI
- if 82 - 82: I11i / ooOoO0o * I11i % i11iIiiIii * II111iiii
- if 83 - 83: OoO0O00 + OOooOOo - o0oOOo0O0Ooo + iIii1I11I1II1 % Oo0Ooo
- if 23 - 23: o0oOOo0O0Ooo + Ii1I % OoOoOO00 % I1IiiI % OoooooooOO
- logging . debug ( 'extracted file {0}' . format ( oOOO0oOoo ) )
- else :
- logging . warning ( "module stream {0} has code data length 0" . format ( o0OOOOOo0 ) )
- return
- if 78 - 78: OoO0O00 / Oo0Ooo - iIii1I11I1II1 - i11iIiiIii * iII111i
- if 84 - 84: OOooOOo + Ii1I + o0oOOo0O0Ooo
- def i1i1iIII11i ( vba_code ) :
- if 40 - 40: iIii1I11I1II1 / OoOoOO00 - O0 * iIii1I11I1II1
- vba_code = vba_code . replace ( ' _\r\n' , ' ' )
- if 56 - 56: OOooOOo
- if 49 - 49: ooOoO0o . II111iiii
- if 24 - 24: O0 . OoooooooOO - OoO0O00 * OoooooooOO
- if 12 - 12: O0 + IiII * i1IIi . OoO0O00
- if 71 - 71: I1Ii111 - o0oOOo0O0Ooo - OOooOOo
- if 28 - 28: iIii1I11I1II1
- if 7 - 7: o0oOOo0O0Ooo % IiII * OoOoOO00
- vba_code = vba_code . replace ( ' _\r' , ' ' )
- vba_code = vba_code . replace ( ' _\n' , ' ' )
- return vba_code
- if 58 - 58: IiII / I11i + II111iiii % iII111i - OoooooooOO
- if 25 - 25: OoOoOO00 % OoooooooOO * Oo0Ooo - i1IIi * II111iiii * oO0o
- def I1iI1I1ii1 ( vba_code ) :
- iIIi1 = vba_code . splitlines ( )
- if 75 - 75: IiII % i11iIiiIii + iIii1I11I1II1
- if 92 - 92: OoOoOO00 % O0
- if 55 - 55: iIii1I11I1II1 * iII111i
- if 85 - 85: iIii1I11I1II1 . II111iiii
- if 54 - 54: Ii1I . OoooooooOO % Oo0Ooo
- if 22 - 22: OOooOOo
- if 22 - 22: iII111i * I11i - Oo0Ooo * O0 / i11iIiiIii
- if 78 - 78: Oo0Ooo * O0 / ooOoO0o + OoooooooOO + OOooOOo
- if 23 - 23: iII111i % OoooooooOO / iIii1I11I1II1 + I1ii11iIi11i / i1IIi / o0oOOo0O0Ooo
- if 94 - 94: i1IIi
- if 36 - 36: I1IiiI + Oo0Ooo
- oo0OOOOOO0 = 0
- for o0O in iIIi1 :
- if o0O . startswith ( "Attribute VB_" ) and not ':' in o0O :
- oo0OOOOOO0 += 1
- else :
- break
- if 46 - 46: iII111i
- ooIiI11i1I11111 = '\n' . join ( iIIi1 [ oo0OOOOOO0 : ] )
- return ooIiI11i1I11111
- if 34 - 34: I1IiiI * OoOoOO00 * oO0o + I1ii11iIi11i
- if 39 - 39: I1ii11iIi11i / i1IIi * IiII - I1IiiI
- def OoOoooo0O ( vba_code , obfuscation = None ) :
- if 95 - 95: II111iiii / Ii1I - ooOoO0o - II111iiii - i11iIiiIii
- if 85 - 85: o0oOOo0O0Ooo / I1Ii111
- if 67 - 67: I11i % oO0o
- ii1iiIi = [ ]
- if 21 - 21: I1ii11iIi11i
- if 84 - 84: O0 / I1IiiI % i1IIi % i1IIi / OoO0O00 / oO0o
- if 28 - 28: ooOoO0o . OoooooooOO + o0oOOo0O0Ooo + Ii1I % iII111i
- if 80 - 80: Oo0Ooo
- if 86 - 86: I1ii11iIi11i * I11i . OoOoOO00 / Oo0Ooo + oO0o
- if 8 - 8: OoOoOO00
- if 16 - 16: o0oOOo0O0Ooo . I11i
- if 50 - 50: ooOoO0o * OoOoOO00 + I1ii11iIi11i - i11iIiiIii + Oo0Ooo * I1ii11iIi11i
- if 20 - 20: I1Ii111 / o0oOOo0O0Ooo % OoOoOO00
- O00oo0O00 = ''
- if obfuscation :
- O00oo0O00 = ' (obfuscation: %s)' % obfuscation
- for o0oO00o , OOO0OoO0oo0OO in i1iI . items ( ) :
- for i1iI1Ii11Ii1 in OOO0OoO0oo0OO :
- if 82 - 82: O0
- if 70 - 70: I11i - Oo0Ooo / OoooooooOO % OoooooooOO
- if re . search ( r'(?i)\b' + i1iI1Ii11Ii1 + r'\b' , vba_code ) :
- if 95 - 95: OoooooooOO % OoooooooOO . Ii1I
- ii1iiIi . append ( ( i1iI1Ii11Ii1 , o0oO00o + O00oo0O00 ) )
- return ii1iiIi
- if 26 - 26: oO0o + IiII - II111iiii . II111iiii + I1ii11iIi11i + OoOoOO00
- if 68 - 68: O0
- def o0oOoO00 ( vba_code , obfuscation = None ) :
- if 94 - 94: OoO0O00 + IiII + ooOoO0o
- if 82 - 82: Oo0Ooo - Oo0Ooo . iIii1I11I1II1 / OOooOOo + IiII % iIii1I11I1II1
- ii1iiIi = [ ]
- if 61 - 61: OOooOOo / Oo0Ooo % OOooOOo - OoO0O00 + ooOoO0o / ooOoO0o
- if 82 - 82: Oo0Ooo
- if 5 - 5: OoO0O00 / OoO0O00 - O0 - I1Ii111 + I1Ii111
- if 99 - 99: I11i * OoooooooOO / o0oOOo0O0Ooo . IiII - iIii1I11I1II1 - Ii1I
- if 31 - 31: IiII - OoO0O00 / OOooOOo . i1IIi / Ii1I
- if 66 - 66: OoO0O00
- if 72 - 72: I1Ii111
- if 91 - 91: II111iiii / IiII + iIii1I11I1II1 . I11i - O0
- O00oo0O00 = ''
- if obfuscation :
- O00oo0O00 = ' (obfuscation: %s)' % obfuscation
- for o0oO00o , OOO0OoO0oo0OO in oo000O0OoooO . items ( ) :
- for i1iI1Ii11Ii1 in OOO0OoO0oo0OO :
- if 70 - 70: Ii1I * oO0o - I11i + Oo0Ooo % I1ii11iIi11i - IiII
- if re . search ( r'(?i)\b' + i1iI1Ii11Ii1 + r'\b' , vba_code ) :
- if 81 - 81: O0 . O0
- ii1iiIi . append ( ( i1iI1Ii11Ii1 , o0oO00o + O00oo0O00 ) )
- return ii1iiIi
- if 75 - 75: iIii1I11I1II1 % IiII + I1ii11iIi11i * O0 . iII111i - ooOoO0o
- if 32 - 32: Ii1I % oO0o - i1IIi
- def Ii11III ( vba_code , obfuscation = None ) :
- ii1iiIi = [ ]
- if 15 - 15: I11i % I1IiiI - iIii1I11I1II1 * ooOoO0o
- if 71 - 71: OoOoOO00 % Oo0Ooo % ooOoO0o
- if 34 - 34: I11i / I11i % IiII . OoOoOO00 / Oo0Ooo
- if 99 - 99: ooOoO0o * I1IiiI - ooOoO0o % Ii1I
- if 40 - 40: OOooOOo / IiII / iIii1I11I1II1 + Ii1I
- if 59 - 59: I11i * OoooooooOO + OOooOOo . iIii1I11I1II1 / i1IIi
- if 75 - 75: I11i . OOooOOo - iIii1I11I1II1 * OoO0O00 * iII111i
- ooo0OO0OOooO0 = set ( )
- O00oo0O00 = ''
- if obfuscation :
- O00oo0O00 = ' (obfuscation: %s)' % obfuscation
- for O00O00 , oOooO0OoO in III11I1 :
- for I1iiiiii in oOooO0OoO . finditer ( vba_code ) :
- I1iIII1IiiI = I1iiiiii . group ( )
- if I1iIII1IiiI not in ooo0OO0OOooO0 :
- ii1iiIi . append ( ( O00O00 + O00oo0O00 , I1iIII1IiiI ) )
- ooo0OO0OOooO0 . add ( I1iIII1IiiI )
- return ii1iiIi
- if 58 - 58: Ii1I % OoooooooOO
- if 49 - 49: I1ii11iIi11i + O0 . Ii1I * OoooooooOO
- def oO0OOO00 ( vba_code ) :
- ii1iiIi = [ ]
- if 13 - 13: IiII * I1ii11iIi11i / I1ii11iIi11i / iIii1I11I1II1 % iIii1I11I1II1
- if 21 - 21: I1ii11iIi11i
- if 86 - 86: ooOoO0o
- if 51 - 51: OoO0O00 - i11iIiiIii * I1IiiI
- if 95 - 95: OOooOOo % I1ii11iIi11i + o0oOOo0O0Ooo % ooOoO0o
- if 36 - 36: O0 / i1IIi % II111iiii / iII111i
- ooo0OO0OOooO0 = set ( )
- for I1iiiiii in Oo0oooO0oO . finditer ( vba_code ) :
- I1iIII1IiiI = I1iiiiii . group ( )
- if I1iIII1IiiI not in ooo0OO0OOooO0 :
- OOoOi1IiiI = binascii . unhexlify ( I1iIII1IiiI )
- ii1iiIi . append ( ( I1iIII1IiiI , OOoOi1IiiI ) )
- ooo0OO0OOooO0 . add ( I1iIII1IiiI )
- return ii1iiIi
- if 70 - 70: I11i . OOooOOo * Oo0Ooo / OOooOOo
- if 83 - 83: OoooooooOO + OoO0O00 * oO0o . O0
- def iiIIIi1i ( vba_code ) :
- if 1 - 1: Oo0Ooo * I1Ii111 . OoooooooOO
- ii1iiIi = [ ]
- if 73 - 73: OoOoOO00 % o0oOOo0O0Ooo
- if 71 - 71: oO0o - OoooooooOO * Oo0Ooo * I11i + o0oOOo0O0Ooo * I1ii11iIi11i
- if 85 - 85: i11iIiiIii . OoooooooOO - iIii1I11I1II1
- if 38 - 38: I11i . I11i * oO0o / OoooooooOO % ooOoO0o
- if 80 - 80: OoO0O00 / IiII * I1IiiI % IiII
- if 95 - 95: O0 / I11i . I1Ii111
- ooo0OO0OOooO0 = set ( )
- for I1iiiiii in ooO . finditer ( vba_code ) :
- if 17 - 17: I11i
- I1iIII1IiiI = I1iiiiii . group ( ) . strip ( '"' )
- if 56 - 56: ooOoO0o * o0oOOo0O0Ooo + I11i
- if not i11i11111i1i . search ( I1iIII1IiiI ) :
- continue
- if 48 - 48: IiII * OoO0O00 % I1Ii111 - I11i
- if I1iIII1IiiI not in ooo0OO0OOooO0 and I1iIII1IiiI . lower ( ) not in I1Iii1 :
- try :
- OOoOi1IiiI = base64 . b64decode ( I1iIII1IiiI )
- ii1iiIi . append ( ( I1iIII1IiiI , OOoOi1IiiI ) )
- ooo0OO0OOooO0 . add ( I1iIII1IiiI )
- except :
- if 72 - 72: i1IIi % ooOoO0o % IiII % oO0o - oO0o
- pass
- return ii1iiIi
- if 97 - 97: o0oOOo0O0Ooo * O0 / o0oOOo0O0Ooo * OoO0O00 * Oo0Ooo
- if 38 - 38: I1Ii111
- def Iiiii1Iii1I ( vba_code ) :
- from thirdparty . DridexUrlDecoder . DridexUrlDecoder import DridexUrlDecode
- if 83 - 83: OoOoOO00
- if 62 - 62: oO0o + Oo0Ooo / i11iIiiIii
- if 90 - 90: iIii1I11I1II1 + OoOoOO00
- if 9 - 9: iIii1I11I1II1 . OoooooooOO + i1IIi - Oo0Ooo
- if 30 - 30: iII111i / OoO0O00 . iII111i
- if 17 - 17: Oo0Ooo + OoooooooOO * OoooooooOO
- if 5 - 5: I1Ii111 % OoooooooOO . OoOoOO00
- ii1iiIi = [ ]
- ooo0OO0OOooO0 = set ( )
- for I1iiiiii in II1Iiiiii . finditer ( vba_code ) :
- I1iIII1IiiI = I1iiiiii . group ( ) [ 1 : - 1 ]
- if 67 - 67: I1ii11iIi11i + Ii1I
- if not i11i11111i1i . search ( I1iIII1IiiI ) :
- continue
- if I1iIII1IiiI not in ooo0OO0OOooO0 :
- try :
- OOoOi1IiiI = DridexUrlDecode ( I1iIII1IiiI )
- ii1iiIi . append ( ( I1iIII1IiiI , OOoOi1IiiI ) )
- ooo0OO0OOooO0 . add ( I1iIII1IiiI )
- except :
- if 72 - 72: IiII % o0oOOo0O0Ooo
- pass
- return ii1iiIi
- if 93 - 93: iIii1I11I1II1 + i11iIiiIii . o0oOOo0O0Ooo . i1IIi % I1IiiI % ooOoO0o
- if 74 - 74: OoOoOO00 / i1IIi % OoooooooOO
- def o00o0o000Oo ( vba_code ) :
- if 100 - 100: i1IIi - i11iIiiIii . I1Ii111 * OoO0O00
- ii1iiIi = [ ]
- if 62 - 62: O0
- if 41 - 41: i1IIi - I1IiiI
- if 48 - 48: I1IiiI - II111iiii / OoO0O00 + I1IiiI
- if 5 - 5: O0
- if 75 - 75: I1Ii111 + iIii1I11I1II1
- if 19 - 19: I1IiiI + i11iIiiIii . IiII - I11i / Ii1I + o0oOOo0O0Ooo
- if 38 - 38: Oo0Ooo / iIii1I11I1II1 * iIii1I11I1II1 % I1ii11iIi11i
- ooo0OO0OOooO0 = set ( )
- if 92 - 92: I11i / O0 * I1IiiI - I11i
- if 99 - 99: i11iIiiIii % OoooooooOO
- if 56 - 56: IiII * I1Ii111
- vba_code = vba_code . expandtabs ( )
- for O00oO0O , oo0OOOOOO0 , IiiI111I11 in O000Oo0o . scanString ( vba_code ) :
- oO0Ooooo000 = vba_code [ oo0OOOOOO0 : IiiI111I11 ]
- OOoOi1IiiI = O00oO0O [ 0 ]
- if isinstance ( OOoOi1IiiI , I111i1II ) :
- if 46 - 46: I1IiiI - I11i / OoooooooOO - i1IIi . i11iIiiIii
- if 15 - 15: II111iiii * oO0o % iII111i / i11iIiiIii - oO0o + Oo0Ooo
- if 9 - 9: I11i - oO0o + O0 / iII111i % i1IIi
- if 97 - 97: o0oOOo0O0Ooo * ooOoO0o
- if 78 - 78: I11i . OOooOOo + oO0o * iII111i - i1IIi
- if 27 - 27: Ii1I % i1IIi . Oo0Ooo % I1Ii111
- if 10 - 10: IiII / OoooooooOO
- if 50 - 50: i11iIiiIii - OoooooooOO . oO0o + O0 . i1IIi
- if oO0Ooooo000 not in ooo0OO0OOooO0 and OOoOi1IiiI != oO0Ooooo000 :
- ii1iiIi . append ( ( oO0Ooooo000 , OOoOi1IiiI ) )
- ooo0OO0OOooO0 . add ( oO0Ooooo000 )
- if 91 - 91: o0oOOo0O0Ooo . iII111i % Oo0Ooo - iII111i . oO0o % i11iIiiIii
- if 25 - 25: iIii1I11I1II1
- return ii1iiIi
- if 63 - 63: ooOoO0o
- if 96 - 96: I11i
- class IIII ( object ) :
- if 17 - 17: O0 . OOooOOo
- if 63 - 63: iII111i
- if 11 - 11: iII111i - iIii1I11I1II1
- if 92 - 92: OoO0O00
- if 15 - 15: IiII / IiII + iIii1I11I1II1 % OoooooooOO
- def __init__ ( self , vba_code ) :
- if 12 - 12: ooOoO0o
- self . code = i1i1iIII11i ( vba_code )
- if 36 - 36: I1Ii111 . IiII * OoooooooOO - o0oOOo0O0Ooo
- if 60 - 60: OOooOOo . iII111i / iIii1I11I1II1 + OOooOOo * I1Ii111
- if 82 - 82: i11iIiiIii . iIii1I11I1II1 * I1IiiI - I11i + Ii1I
- if 48 - 48: I1ii11iIi11i
- if 96 - 96: ooOoO0o . OoooooooOO
- self . code_hex = ''
- self . code_hex_rev = ''
- self . code_rev_hex = ''
- self . code_base64 = ''
- self . code_dridex = ''
- self . code_vba = ''
- self . strReverse = None
- if 39 - 39: OOooOOo + OoO0O00
- self . results = None
- self . autoexec_keywords = None
- self . suspicious_keywords = None
- self . iocs = None
- self . hex_strings = None
- self . base64_strings = None
- self . dridex_strings = None
- self . vba_strings = None
- if 80 - 80: OOooOOo % OoO0O00 / OoOoOO00
- if 54 - 54: Oo0Ooo % OoO0O00 - OOooOOo - I11i
- def scan ( self , include_decoded_strings = False ) :
- if 71 - 71: ooOoO0o . i11iIiiIii
- self . hex_strings = oO0OOO00 ( self . code )
- if 56 - 56: O0 * iII111i + iII111i * iIii1I11I1II1 / ooOoO0o * I1Ii111
- if 25 - 25: iIii1I11I1II1 . I11i * i11iIiiIii + Oo0Ooo * I11i
- if 67 - 67: iII111i
- if 88 - 88: Oo0Ooo
- if 8 - 8: I1ii11iIi11i
- if 82 - 82: OoooooooOO
- if 75 - 75: II111iiii % I1IiiI + OOooOOo % OoooooooOO / IiII
- if 4 - 4: i11iIiiIii - OOooOOo % I1ii11iIi11i * I1Ii111 % o0oOOo0O0Ooo
- if 71 - 71: ooOoO0o . ooOoO0o - iIii1I11I1II1
- if 22 - 22: OoooooooOO / I1ii11iIi11i % iII111i * OoOoOO00
- self . strReverse = False
- if 'strreverse' in self . code . lower ( ) : self . strReverse = True
- if 32 - 32: OoooooooOO % oO0o % iIii1I11I1II1 / O0
- for oO0Ooooo000 , OOoOi1IiiI in self . hex_strings :
- self . code_hex += '\n' + OOoOi1IiiI
- if 61 - 61: II111iiii . O0 - Ii1I - I1ii11iIi11i / i11iIiiIii - II111iiii
- if self . strReverse :
- if 98 - 98: Ii1I - I1IiiI . i11iIiiIii * Oo0Ooo
- self . code_hex_rev += '\n' + OOoOi1IiiI [ : : - 1 ]
- if 29 - 29: Ii1I / ooOoO0o % I11i
- self . code_rev_hex += '\n' + binascii . unhexlify ( oO0Ooooo000 [ : : - 1 ] )
- if 10 - 10: iIii1I11I1II1 % OoooooooOO % I1ii11iIi11i
- if 39 - 39: II111iiii * OoOoOO00 . O0 * I11i
- if 89 - 89: Ii1I - ooOoO0o . I11i - I1Ii111 - I1IiiI
- self . base64_strings = iiIIIi1i ( self . code )
- for oO0Ooooo000 , OOoOi1IiiI in self . base64_strings :
- self . code_base64 += '\n' + OOoOi1IiiI
- if 79 - 79: IiII + IiII + Ii1I
- self . dridex_strings = Iiiii1Iii1I ( self . code )
- for oO0Ooooo000 , OOoOi1IiiI in self . dridex_strings :
- self . code_dridex += '\n' + OOoOi1IiiI
- if 39 - 39: O0 - OoooooooOO
- self . vba_strings = o00o0o000Oo ( self . code )
- for oO0Ooooo000 , OOoOi1IiiI in self . vba_strings :
- self . code_vba += '\n' + OOoOi1IiiI
- ii1iiIi = [ ]
- self . autoexec_keywords = [ ]
- self . suspicious_keywords = [ ]
- self . iocs = [ ]
- if 63 - 63: iIii1I11I1II1 % o0oOOo0O0Ooo * ooOoO0o
- for oo0 , iii1iI in (
- ( self . code , None ) ,
- ( self . code_hex , 'Hex' ) ,
- ( self . code_hex_rev , 'Hex+StrReverse' ) ,
- ( self . code_rev_hex , 'StrReverse+Hex' ) ,
- ( self . code_base64 , 'Base64' ) ,
- ( self . code_dridex , 'Dridex' ) ,
- ( self . code_vba , 'VBA expression' ) ,
- ) :
- self . autoexec_keywords += OoOoooo0O ( oo0 , iii1iI )
- self . suspicious_keywords += o0oOoO00 ( oo0 , iii1iI )
- self . iocs += Ii11III ( oo0 , iii1iI )
- if 26 - 26: iIii1I11I1II1 - I1ii11iIi11i . IiII . IiII + iIii1I11I1II1 * Oo0Ooo
- if 85 - 85: OOooOOo + II111iiii - OOooOOo * oO0o - i1IIi % iII111i
- if self . hex_strings :
- self . suspicious_keywords . append ( ( 'Hex Strings' ,
- 'Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)' ) )
- if self . base64_strings :
- self . suspicious_keywords . append ( ( 'Base64 Strings' ,
- 'Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)' ) )
- if self . dridex_strings :
- self . suspicious_keywords . append ( ( 'Dridex Strings' ,
- 'Dridex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)' ) )
- if self . vba_strings :
- self . suspicious_keywords . append ( ( 'VBA obfuscated Strings' ,
- 'VBA string expressions were detected, may be used to obfuscate strings (option --decode to see all)' ) )
- if 1 - 1: OoooooooOO / O0 + OoOoOO00 + OoOoOO00 . I1Ii111 - OoOoOO00
- I11iii1I1Iiii = set ( )
- for i1iI1Ii11Ii1 , o0oO00o in self . autoexec_keywords :
- if i1iI1Ii11Ii1 not in I11iii1I1Iiii :
- ii1iiIi . append ( ( 'AutoExec' , i1iI1Ii11Ii1 , o0oO00o ) )
- I11iii1I1Iiii . add ( i1iI1Ii11Ii1 )
- I11iii1I1Iiii = set ( )
- for i1iI1Ii11Ii1 , o0oO00o in self . suspicious_keywords :
- if i1iI1Ii11Ii1 not in I11iii1I1Iiii :
- ii1iiIi . append ( ( 'Suspicious' , i1iI1Ii11Ii1 , o0oO00o ) )
- I11iii1I1Iiii . add ( i1iI1Ii11Ii1 )
- I11iii1I1Iiii = set ( )
- for O00O00 , I1iIII1IiiI in self . iocs :
- if I1iIII1IiiI not in I11iii1I1Iiii :
- ii1iiIi . append ( ( 'IOC' , I1iIII1IiiI , O00O00 ) )
- I11iii1I1Iiii . add ( I1iIII1IiiI )
- if 47 - 47: i11iIiiIii / Oo0Ooo - Oo0Ooo * OoO0O00
- if 48 - 48: IiII
- for oO0Ooooo000 , OOoOi1IiiI in self . hex_strings :
- if include_decoded_strings or i1oO ( OOoOi1IiiI ) :
- ii1iiIi . append ( ( 'Hex String' , OOoOi1IiiI , oO0Ooooo000 ) )
- for oO0Ooooo000 , OOoOi1IiiI in self . base64_strings :
- if include_decoded_strings or i1oO ( OOoOi1IiiI ) :
- ii1iiIi . append ( ( 'Base64 String' , OOoOi1IiiI , oO0Ooooo000 ) )
- for oO0Ooooo000 , OOoOi1IiiI in self . dridex_strings :
- if include_decoded_strings or i1oO ( OOoOi1IiiI ) :
- ii1iiIi . append ( ( 'Dridex string' , OOoOi1IiiI , oO0Ooooo000 ) )
- for oO0Ooooo000 , OOoOi1IiiI in self . vba_strings :
- if include_decoded_strings or i1oO ( OOoOi1IiiI ) :
- ii1iiIi . append ( ( 'VBA string' , OOoOi1IiiI , oO0Ooooo000 ) )
- self . results = ii1iiIi
- return ii1iiIi
- if 96 - 96: oO0o / O0 . II111iiii + IiII % o0oOOo0O0Ooo
- def scan_summary ( self ) :
- if 67 - 67: O0 % I1Ii111
- if self . results is None :
- if 35 - 35: I1IiiI . OoOoOO00 + OoooooooOO % Oo0Ooo % OOooOOo
- if 39 - 39: Ii1I
- if 60 - 60: OOooOOo
- if 62 - 62: I1Ii111 * I11i
- if 74 - 74: OoOoOO00 . iIii1I11I1II1
- if 87 - 87: ooOoO0o
- if 41 - 41: OoOoOO00 . iIii1I11I1II1 % ooOoO0o + O0
- if 22 - 22: o0oOOo0O0Ooo + Oo0Ooo . ooOoO0o + I1ii11iIi11i * iII111i . i11iIiiIii
- self . scan ( )
- return ( len ( self . autoexec_keywords ) , len ( self . suspicious_keywords ) ,
- len ( self . iocs ) , len ( self . hex_strings ) , len ( self . base64_strings ) ,
- len ( self . dridex_strings ) , len ( self . vba_strings ) )
- if 90 - 90: OOooOOo * OoOoOO00 - Oo0Ooo + o0oOOo0O0Ooo
- if 53 - 53: OoooooooOO . OoooooooOO + o0oOOo0O0Ooo - iII111i + OOooOOo
- def i1111iIII ( vba_code , include_decoded_strings ) :
- return IIII ( vba_code ) . scan ( include_decoded_strings )
- if 50 - 50: O0 * I1ii11iIi11i + II111iiii . i1IIi + OoOoOO00
- if 39 - 39: iIii1I11I1II1 + ooOoO0o
- if 92 - 92: I11i % i11iIiiIii % Oo0Ooo
- if 23 - 23: II111iiii * iII111i
- if 80 - 80: I1Ii111 / i11iIiiIii + OoooooooOO
- if 38 - 38: I1ii11iIi11i % ooOoO0o + i1IIi * OoooooooOO * oO0o
- if 83 - 83: iIii1I11I1II1 - ooOoO0o - I1Ii111 / OoO0O00 - O0
- if 81 - 81: Ii1I - oO0o * I1ii11iIi11i / I1Ii111
- if 21 - 21: OoO0O00
- if 63 - 63: I11i . O0 * I11i + iIii1I11I1II1
- if 46 - 46: i1IIi + II111iiii * i1IIi - Ii1I
- if 79 - 79: II111iiii - oO0o * I1ii11iIi11i - OoOoOO00 . I1ii11iIi11i
- if 11 - 11: O0 * OoOoOO00
- if 37 - 37: OoOoOO00 + O0 . O0 * Oo0Ooo % I1Ii111 / iII111i
- if 18 - 18: OoooooooOO
- class O0oOo00oooO ( object ) :
- if 16 - 16: i1IIi . i1IIi / I1Ii111 % OoOoOO00 / I1IiiI * I1ii11iIi11i
- if 30 - 30: o0oOOo0O0Ooo + OoooooooOO + OOooOOo / II111iiii * Oo0Ooo
- if 59 - 59: Ii1I / OoOoOO00 * OoO0O00 * iII111i % oO0o
- if 61 - 61: Oo0Ooo - O0 - OoooooooOO
- if 4 - 4: II111iiii - oO0o % Oo0Ooo * i11iIiiIii
- if 18 - 18: Oo0Ooo % O0
- if 66 - 66: iIii1I11I1II1 % i11iIiiIii / I1IiiI
- if 47 - 47: I1ii11iIi11i * oO0o + iIii1I11I1II1 - oO0o / IiII
- if 86 - 86: IiII
- if 43 - 43: I1IiiI / iII111i / ooOoO0o + iIii1I11I1II1 + OoooooooOO
- if 33 - 33: II111iiii - IiII - ooOoO0o
- if 92 - 92: OoO0O00 * IiII
- def __init__ ( self , filename , data = None , container = None ) :
- if 92 - 92: oO0o
- if 7 - 7: iII111i
- if 73 - 73: OoO0O00 % I1ii11iIi11i
- if data is None :
- if 32 - 32: OOooOOo + iII111i + iIii1I11I1II1 * Oo0Ooo
- if 62 - 62: i11iIiiIii
- if 2 - 2: I1IiiI
- if 69 - 69: OoooooooOO / Oo0Ooo * I1Ii111
- if 99 - 99: II111iiii * iIii1I11I1II1 % O0 * oO0o / II111iiii % OoooooooOO
- if 14 - 14: IiII . IiII % ooOoO0o
- if 42 - 42: o0oOOo0O0Ooo . OOooOOo - ooOoO0o
- if 33 - 33: II111iiii / O0 / IiII - I11i - i1IIi
- if 8 - 8: i11iIiiIii . iII111i / iIii1I11I1II1 / I1ii11iIi11i / IiII - Ii1I
- if 32 - 32: o0oOOo0O0Ooo . i1IIi * Oo0Ooo
- if 98 - 98: Ii1I - II111iiii / I1IiiI . oO0o * IiII . I11i
- if 25 - 25: i11iIiiIii / OoOoOO00 - I1Ii111 / OoO0O00 . o0oOOo0O0Ooo . o0oOOo0O0Ooo
- if 6 - 6: oO0o . I11i
- iIIII1 = filename
- else :
- if 65 - 65: O0 / II111iiii . iIii1I11I1II1 . oO0o / Oo0Ooo % iIii1I11I1II1
- iIIII1 = cStringIO . StringIO ( data )
- if 74 - 74: i1IIi / I1IiiI % I1ii11iIi11i / O0 % I11i - OoOoOO00
- self . ole_file = None
- self . ole_subfiles = [ ]
- self . filename = filename
- self . container = container
- self . type = None
- self . vba_projects = None
- self . contains_macros = None
- self . vba_code_all_modules = None
- if 31 - 31: I1IiiI / OoooooooOO . iIii1I11I1II1 * OoOoOO00 . OoooooooOO + II111iiii
- self . modules = None
- if 8 - 8: I1ii11iIi11i * I1ii11iIi11i * i1IIi + iII111i . I1ii11iIi11i
- self . analysis_results = None
- if 100 - 100: OoooooooOO - O0 . I11i / I11i + II111iiii * OoOoOO00
- self . nb_macros = 0
- self . nb_autoexec = 0
- self . nb_suspicious = 0
- self . nb_iocs = 0
- self . nb_hexstrings = 0
- self . nb_base64strings = 0
- self . nb_dridexstrings = 0
- self . nb_vbastrings = 0
- if 37 - 37: Oo0Ooo
- if 72 - 72: IiII % I1ii11iIi11i * OOooOOo . i11iIiiIii % IiII * OOooOOo
- if 15 - 15: I11i / Oo0Ooo * I11i
- if 20 - 20: ooOoO0o - OOooOOo * OoO0O00 * o0oOOo0O0Ooo * OOooOOo / IiII
- if 40 - 40: I1IiiI * o0oOOo0O0Ooo . I1IiiI
- if 62 - 62: ooOoO0o + II111iiii % ooOoO0o
- if 50 - 50: OoooooooOO + oO0o * I1IiiI - Ii1I / i11iIiiIii
- if 5 - 5: O0 - I1IiiI
- if 44 - 44: II111iiii . II111iiii + OOooOOo * Ii1I
- if olefile . isOleFile ( iIIII1 ) :
- if 16 - 16: II111iiii
- logging . info ( 'Opening OLE file %s' % self . filename )
- if 100 - 100: O0 - i1IIi
- self . type = II
- if 48 - 48: oO0o % ooOoO0o + O0
- self . ole_file = olefile . OleFileIO ( iIIII1 , path_encoding = None )
- if 27 - 27: I1ii11iIi11i / OOooOOo
- elif zipfile . is_zipfile ( iIIII1 ) :
- if 33 - 33: OoooooooOO % I1ii11iIi11i . O0 / I1ii11iIi11i
- if 63 - 63: IiII + iIii1I11I1II1 + I1IiiI + I1Ii111
- if 72 - 72: OoO0O00 + i11iIiiIii + I1ii11iIi11i
- if 96 - 96: oO0o % i1IIi / o0oOOo0O0Ooo
- logging . info ( 'Opening ZIP/OpenXML file %s' % self . filename )
- self . type = o0Oo0oO0oOO00
- Ii1IIi11 = zipfile . ZipFile ( iIIII1 )
- if 47 - 47: O0
- if 83 - 83: O0 + OoOoOO00 / O0 / I11i
- if 68 - 68: i1IIi . I11i . i1IIi + IiII % I1IiiI
- for IIoO in Ii1IIi11 . namelist ( ) :
- iI1I = Ii1IIi11 . open ( IIoO ) . read ( len ( olefile . MAGIC ) )
- if iI1I == olefile . MAGIC :
- logging . debug ( 'Opening OLE file %s within zip' % IIoO )
- i111I1 = Ii1IIi11 . open ( IIoO ) . read ( )
- try :
- self . ole_subfiles . append ( O0oOo00oooO ( filename = IIoO , data = i111I1 ) )
- except :
- logging . debug ( '%s is not a valid OLE file' % IIoO )
- continue
- Ii1IIi11 . close ( )
- else :
- if 69 - 69: OoO0O00 - OoooooooOO - OOooOOo % I11i / OoOoOO00 - II111iiii
- if 67 - 67: OOooOOo + OOooOOo + OoO0O00 . i11iIiiIii + I1ii11iIi11i + i11iIiiIii
- if data is None :
- data = open ( filename , 'rb' ) . read ( )
- if 31 - 31: oO0o * I1Ii111 . OoOoOO00 * I11i
- I1II1I = data . lower ( )
- if 7 - 7: I11i + I11i + II111iiii % Ii1I
- if 31 - 31: oO0o * OoOoOO00 + OOooOOo
- if 'http://schemas.microsoft.com/office/word/2003/wordml' in data :
- logging . info ( 'Opening Word 2003 XML file %s' % self . filename )
- try :
- if 58 - 58: o0oOOo0O0Ooo % I1IiiI . I1IiiI * OoO0O00 - IiII . OoooooooOO
- if 10 - 10: I1Ii111
- I11i1i11IiIi1 = ET . fromstring ( data )
- if 8 - 8: iII111i - I1IiiI * Oo0Ooo % I1ii11iIi11i * OoooooooOO
- self . type = oo00OO0000oO
- if 26 - 26: i1IIi / iII111i . iII111i
- for I1i11IIIi in I11i1i11IiIi1 . getiterator ( I1iiii1I ) :
- if 19 - 19: oO0o * iII111i + OoOoOO00 - oO0o + I1ii11iIi11i
- if 14 - 14: OoO0O00
- if 38 - 38: O0
- ooOi1i1i11iI11II = I1i11IIIi . get ( OOo0 , 'noname.mso' )
- if 6 - 6: OoOoOO00 . II111iiii * I1IiiI . I1IiiI / Ii1I
- I1I1ii1111 = binascii . a2b_base64 ( I1i11IIIi . text )
- if OOoo0oo ( I1I1ii1111 ) :
- if 4 - 4: I1ii11iIi11i * O0 - I1Ii111 - i11iIiiIii / o0oOOo0O0Ooo . OOooOOo
- if 44 - 44: ooOoO0o * i11iIiiIii
- i111I1 = OO0O0ooOOO00 ( I1I1ii1111 )
- try :
- self . ole_subfiles . append ( O0oOo00oooO ( filename = ooOi1i1i11iI11II , data = i111I1 ) )
- except :
- logging . error ( '%s does not contain a valid OLE file' % ooOi1i1i11iI11II )
- else :
- logging . error ( '%s is not a valid MSO file' % ooOi1i1i11iI11II )
- except :
- if 6 - 6: o0oOOo0O0Ooo % OOooOOo * I1ii11iIi11i % Ii1I . OOooOOo
- logging . exception ( 'Failed XML parsing for file %r' % self . filename )
- pass
- if 43 - 43: OoO0O00 . ooOoO0o * Oo0Ooo
- if 20 - 20: i1IIi . i1IIi - I11i
- if 89 - 89: ooOoO0o - I11i . O0 % OoooooooOO . i11iIiiIii
- if 35 - 35: II111iiii / OoOoOO00 - O0 . II111iiii
- if 55 - 55: Oo0Ooo % i1IIi * I11i
- if 95 - 95: OOooOOo / II111iiii - o0oOOo0O0Ooo % I1Ii111 . I11i
- if self . type is None and 'mime' in I1II1I and 'version' in I1II1I and 'multipart' in I1II1I :
- logging . info ( 'Opening MHTML file %s' % self . filename )
- try :
- if 63 - 63: iIii1I11I1II1 / ooOoO0o
- if 24 - 24: Oo0Ooo / iIii1I11I1II1 % OOooOOo * OoOoOO00 - iIii1I11I1II1
- iI1ii = data . lstrip ( '\r\n\t ' )
- oOoooOooOOoO = email . message_from_string ( iI1ii )
- self . type = I1II1
- if 90 - 90: iII111i * Ii1I - iII111i + OoO0O00 + I11i % O0
- for i111IIIIiI in oOoooOooOOoO . walk ( ) :
- Oo0oOOO = i111IIIIiI . get_content_type ( )
- ooOi1i1i11iI11II = i111IIIIiI . get_filename ( None )
- if 62 - 62: Ii1I - oO0o % iIii1I11I1II1
- logging . debug ( 'MHTML part: filename=%r, content-type=%r' % ( ooOi1i1i11iI11II , Oo0oOOO ) )
- ooOOO = i111IIIIiI . get_payload ( decode = True )
- if 97 - 97: i1IIi * I1Ii111 . II111iiii
- if 62 - 62: OoooooooOO . Ii1I
- if 28 - 28: oO0o . oO0o . iIii1I11I1II1 . OOooOOo . I1ii11iIi11i * i11iIiiIii
- if 72 - 72: I11i
- if 26 - 26: IiII % Oo0Ooo
- if isinstance ( ooOOO , str ) and OOoo0oo ( ooOOO ) :
- logging . debug ( 'Found ActiveMime header, decompressing MSO container' )
- try :
- i111I1 = OO0O0ooOOO00 ( ooOOO )
- try :
- if 72 - 72: O0 + o0oOOo0O0Ooo + I1IiiI / Oo0Ooo
- if 83 - 83: IiII - I1IiiI . Ii1I
- self . ole_subfiles . append ( O0oOo00oooO ( filename = ooOi1i1i11iI11II , data = i111I1 ) )
- except :
- logging . debug ( '%s does not contain a valid OLE file' % ooOi1i1i11iI11II )
- except :
- logging . exception ( 'Failed decompressing an MSO container in %r - %s'
- % ( ooOi1i1i11iI11II , o00oo0 ) )
- if 34 - 34: OoOoOO00 - oO0o * OoooooooOO
- except :
- logging . exception ( 'Failed MIME parsing for file %r - %s'
- % ( self . filename , o00oo0 ) )
- pass
- if 5 - 5: i11iIiiIii * iII111i - Ii1I - I1ii11iIi11i - i1IIi + iII111i
- if 4 - 4: ooOoO0o + O0 . i1IIi * I1ii11iIi11i - o0oOOo0O0Ooo
- if 42 - 42: o0oOOo0O0Ooo * OoOoOO00 . OoO0O00 - iII111i / II111iiii
- if 25 - 25: Oo0Ooo % OoOoOO00
- if self . type is None :
- o00O = '%s is not a supported file type, cannot extract VBA Macros.' % self . filename
- logging . error ( o00O )
- raise TypeError ( o00O )
- if 36 - 36: OOooOOo * OoO0O00 - I1ii11iIi11i + iII111i
- def find_vba_projects ( self ) :
- if 13 - 13: OoO0O00 % iIii1I11I1II1 - II111iiii / I1IiiI
- if self . ole_file is None :
- if 9 - 9: I1ii11iIi11i * Ii1I - IiII
- if 88 - 88: iIii1I11I1II1
- if 27 - 27: I11i * i11iIiiIii . OOooOOo + ooOoO0o
- if 14 - 14: I1Ii111 * OoO0O00 + I11i - IiII . I1ii11iIi11i * oO0o
- if 100 - 100: I11i
- if 36 - 36: OoO0O00 + II111iiii * OoOoOO00
- if 14 - 14: I1Ii111 % I1Ii111
- if 9 - 9: Oo0Ooo - Oo0Ooo - o0oOOo0O0Ooo + I1Ii111 - II111iiii . I1IiiI
- if 57 - 57: iII111i - I1IiiI + OoooooooOO / iII111i . ooOoO0o % i1IIi
- if 52 - 52: O0 - iIii1I11I1II1 / OoO0O00 / IiII
- if 29 - 29: Ii1I * OOooOOo * i1IIi . Ii1I * I1Ii111 . ooOoO0o
- if 54 - 54: iII111i . i1IIi . I1ii11iIi11i * o0oOOo0O0Ooo % iII111i
- if 30 - 30: I11i
- if 85 - 85: II111iiii + ooOoO0o * I11i
- if 12 - 12: Ii1I . I1IiiI % o0oOOo0O0Ooo
- if 28 - 28: Ii1I - I1IiiI % OoO0O00 * I1Ii111
- if 80 - 80: OOooOOo * IiII
- return None
- if 4 - 4: iIii1I11I1II1 . I1Ii111 + II111iiii % OoooooooOO
- if 82 - 82: OoooooooOO / ooOoO0o * I11i * O0 . I1ii11iIi11i
- if self . vba_projects is not None :
- return self . vba_projects
- if 21 - 21: II111iiii + Oo0Ooo
- if 59 - 59: OOooOOo + I1IiiI / II111iiii / OoOoOO00
- if 80 - 80: OoOoOO00 + iIii1I11I1II1 . IiII
- if 76 - 76: I1IiiI * OOooOOo
- if 12 - 12: iIii1I11I1II1 / I11i % Ii1I
- if 49 - 49: OoO0O00 + II111iiii / IiII - O0 % Ii1I
- if 27 - 27: OoO0O00 + Oo0Ooo
- if 92 - 92: I1IiiI % iII111i
- if 31 - 31: OoooooooOO - oO0o / I1Ii111
- if 62 - 62: i11iIiiIii - I11i
- if 81 - 81: I11i
- if 92 - 92: OOooOOo - Oo0Ooo - OoooooooOO / IiII - i1IIi
- if 81 - 81: i1IIi / I1Ii111 % i11iIiiIii . iIii1I11I1II1 * OoOoOO00 + OoooooooOO
- if 31 - 31: i1IIi % II111iiii
- if 13 - 13: iIii1I11I1II1 - II111iiii % O0 . Ii1I % OoO0O00
- if 2 - 2: OoooooooOO - Ii1I % oO0o / I1IiiI / o0oOOo0O0Ooo
- self . vba_projects = [ ]
- if 3 - 3: II111iiii / OOooOOo
- i1IIiiIIIIi = self . ole_file
- for IiIIIi in i1IIiiIIIIi . listdir ( streams = False , storages = True ) :
- if 81 - 81: OoooooooOO . OoOoOO00 * iIii1I11I1II1 / OoOoOO00 - I1ii11iIi11i % i1IIi
- if IiIIIi [ - 1 ] . upper ( ) == 'VBA' :
- logging . debug ( 'Found VBA storage: %s' % ( '/' . join ( IiIIIi ) ) )
- oOooO = '/' . join ( IiIIIi [ : - 1 ] )
- if 41 - 41: OOooOOo
- if 76 - 76: I1IiiI - I1IiiI - o0oOOo0O0Ooo % ooOoO0o * O0
- if oOooO != '' :
- oOooO += '/'
- logging . debug ( 'Checking vba_root="%s"' % oOooO )
- if 11 - 11: Ii1I + I11i . OoO0O00 . i11iIiiIii * OoO0O00
- def I1IIiIi ( ole , vba_root , stream_path ) :
- OOOOoOoO = vba_root + stream_path
- if ole . exists ( OOOOoOoO ) and ole . get_type ( OOOOoOoO ) == olefile . STGTY_STREAM :
- logging . debug ( 'Found %s stream: %s' % ( stream_path , OOOOoOoO ) )
- return OOOOoOoO
- else :
- logging . debug ( 'Missing %s stream, this is not a valid VBA project structure' % stream_path )
- return False
- if 72 - 72: OoOoOO00 / I1Ii111 * IiII % iIii1I11I1II1
- if 53 - 53: OoO0O00 . O0 . I1IiiI * OOooOOo / o0oOOo0O0Ooo
- iiIIiI1 = I1IIiIi ( i1IIiiIIIIi , oOooO , 'PROJECT' )
- if not iiIIiI1 : continue
- if 28 - 28: I1ii11iIi11i * oO0o / II111iiii + OOooOOo - O0
- Iii1IoOo000Oo00o = I1IIiIi ( i1IIiiIIIIi , oOooO , 'VBA/_VBA_PROJECT' )
- if not Iii1IoOo000Oo00o : continue
- if 81 - 81: OoooooooOO
- ooOOOoOoOOOO = I1IIiIi ( i1IIiiIIIIi , oOooO , 'VBA/dir' )
- if not ooOOOoOoOOOO : continue
- if 32 - 32: IiII - ooOoO0o * iII111i * I11i
- logging . debug ( 'VBA root storage: "%s"' % oOooO )
- if 84 - 84: Ii1I + I1ii11iIi11i % I1IiiI + i11iIiiIii
- self . vba_projects . append ( ( oOooO , iiIIiI1 , ooOOOoOoOOOO ) )
- return self . vba_projects
- if 37 - 37: I11i % I1ii11iIi11i / ooOoO0o
- def detect_vba_macros ( self ) :
- if 94 - 94: I11i / OoO0O00 . o0oOOo0O0Ooo
- if 1 - 1: Oo0Ooo . II111iiii
- if 93 - 93: II111iiii . i11iIiiIii + II111iiii % oO0o
- if self . contains_macros is not None :
- if 98 - 98: I1Ii111 * oO0o * OoOoOO00 + Ii1I * iII111i
- if 4 - 4: IiII
- if 16 - 16: iIii1I11I1II1 * iII111i + oO0o . O0 . o0oOOo0O0Ooo
- if 99 - 99: i11iIiiIii - iII111i
- if 85 - 85: I1Ii111 % I1ii11iIi11i
- if 95 - 95: OoO0O00 * OOooOOo * iII111i . o0oOOo0O0Ooo
- if 73 - 73: OoO0O00
- if 28 - 28: OoooooooOO - I11i
- if 84 - 84: II111iiii
- if 36 - 36: OOooOOo - OoOoOO00 - iIii1I11I1II1
- if 10 - 10: I1ii11iIi11i / Ii1I * i1IIi % O0 + I11i
- if 25 - 25: I1Ii111 - Ii1I / O0 . OoooooooOO % I1IiiI . i1IIi
- if 19 - 19: II111iiii / II111iiii % I1ii11iIi11i + oO0o + oO0o + iII111i
- if 4 - 4: o0oOOo0O0Ooo + I11i / iII111i + i1IIi % o0oOOo0O0Ooo % iII111i
- if 80 - 80: Ii1I
- return self . contains_macros
- if 26 - 26: iIii1I11I1II1 . OoooooooOO - iIii1I11I1II1
- if self . ole_file is None :
- for oOo0O0 in self . ole_subfiles :
- if oOo0O0 . detect_vba_macros ( ) :
- self . contains_macros = True
- return True
- if 1 - 1: oO0o + I1Ii111 . I1IiiI
- self . contains_macros = False
- return False
- if 47 - 47: iII111i . OoOoOO00
- o0oOO0 = self . find_vba_projects ( )
- if len ( o0oOO0 ) == 0 :
- self . contains_macros = False
- else :
- self . contains_macros = True
- return self . contains_macros
- if 31 - 31: Ii1I * o0oOOo0O0Ooo * Ii1I + OoO0O00 * o0oOOo0O0Ooo . I1Ii111
- def extract_macros ( self ) :
- if self . ole_file is None :
- if 89 - 89: OoooooooOO * Ii1I * I1IiiI . ooOoO0o * Ii1I / iII111i
- if 46 - 46: i11iIiiIii
- if 15 - 15: O0 / i1IIi / i1IIi . iII111i % OoOoOO00 + I1IiiI
- if 48 - 48: I1Ii111 % iII111i % Ii1I % iIii1I11I1II1 . Ii1I
- if 14 - 14: iII111i * OoO0O00 % O0 + I11i + I1ii11iIi11i
- if 23 - 23: Oo0Ooo % iII111i + Ii1I - I1Ii111
- if 65 - 65: OoooooooOO
- if 22 - 22: OOooOOo + II111iiii + Oo0Ooo
- for oOo0O0 in self . ole_subfiles :
- for ii1iiIi in oOo0O0 . extract_macros ( ) :
- yield ii1iiIi
- else :
- self . find_vba_projects ( )
- for oOooO , iiIIiI1 , ooOOOoOoOOOO in self . vba_projects :
- if 83 - 83: ooOoO0o
- for i1Ii1i11ii , oO0O0oo , OOOOOOO00OO in ooOO0o ( self . ole_file , oOooO , iiIIiI1 ,
- ooOOOoOoOOOO ) :
- yield ( self . filename , i1Ii1i11ii , oO0O0oo , OOOOOOO00OO )
- if 68 - 68: I1IiiI
- if 94 - 94: iII111i / OoOoOO00 % II111iiii . iIii1I11I1II1
- def extract_all_macros ( self ) :
- if self . modules is None :
- if 49 - 49: OOooOOo * I1IiiI / II111iiii
- if 82 - 82: Oo0Ooo / I1IiiI . I1ii11iIi11i - Oo0Ooo
- if 4 - 4: O0 / I11i . OoO0O00 - ooOoO0o / OOooOOo
- if 25 - 25: I11i * OoOoOO00 - Oo0Ooo . ooOoO0o . oO0o
- if 89 - 89: O0 * I11i * OoO0O00
- if 3 - 3: OOooOOo / iII111i * iIii1I11I1II1 + II111iiii / o0oOOo0O0Ooo / IiII
- self . modules = [ ]
- for ( II1I11 , i1Ii1i11ii , oO0O0oo , OOOOOOO00OO ) in self . extract_macros ( ) :
- self . modules . append ( ( II1I11 , i1Ii1i11ii , oO0O0oo , OOOOOOO00OO ) )
- self . nb_macros = len ( self . modules )
- return self . modules
- if 28 - 28: I1Ii111 - II111iiii % i11iIiiIii + iIii1I11I1II1 + II111iiii
- if 60 - 60: i1IIi / I1IiiI . II111iiii . iII111i % oO0o - I1IiiI
- if 39 - 39: I1IiiI . OoO0O00 + I11i + OOooOOo / II111iiii % i11iIiiIii
- def analyze_macros ( self , show_decoded_strings = False ) :
- if self . detect_vba_macros ( ) :
- if 86 - 86: I1ii11iIi11i - i1IIi + Oo0Ooo * I1IiiI / i11iIiiIii % oO0o
- if 17 - 17: ooOoO0o + ooOoO0o . I1ii11iIi11i
- if 50 - 50: iIii1I11I1II1 * oO0o
- if 85 - 85: i1IIi
- if 100 - 100: OoooooooOO / I11i % OoO0O00 + Ii1I
- if self . analysis_results is not None :
- return self . analysis_results
- if 42 - 42: Oo0Ooo / IiII . Ii1I * I1IiiI
- if self . vba_code_all_modules is None :
- self . vba_code_all_modules = ''
- for ( II1I11 , i1Ii1i11ii , oO0O0oo , OOOOOOO00OO ) in self . extract_all_macros ( ) :
- if 54 - 54: OoOoOO00 * iII111i + OoO0O00
- self . vba_code_all_modules += OOOOOOO00OO + '\n'
- if 93 - 93: o0oOOo0O0Ooo / I1IiiI
- iII1IIIiI1I1 = IIII ( self . vba_code_all_modules )
- self . analysis_results = iII1IIIiI1I1 . scan ( show_decoded_strings )
- oOOo , III11iI1i11i , IIiI , OOoOo0oO0oo00 , OO , I1I , o0oO00O = iII1IIIiI1I1 . scan_summary ( )
- self . nb_autoexec += oOOo
- self . nb_suspicious += III11iI1i11i
- self . nb_iocs += IIiI
- self . nb_hexstrings += OOoOo0oO0oo00
- self . nb_base64strings += OO
- self . nb_dridexstrings += I1I
- self . nb_vbastrings += o0oO00O
- if 72 - 72: OoO0O00 - iIii1I11I1II1 . iII111i / Ii1I
- return self . analysis_results
- if 12 - 12: I1IiiI + I1Ii111
- if 80 - 80: oO0o . O0
- if 90 - 90: II111iiii / OoO0O00 / Ii1I
- if 70 - 70: Ii1I - II111iiii . Oo0Ooo / Oo0Ooo
- if 30 - 30: oO0o . OoO0O00 + I11i / iIii1I11I1II1 % Oo0Ooo / oO0o
- def close ( self ) :
- if self . ole_file is None :
- if 3 - 3: I1ii11iIi11i / II111iiii
- if 73 - 73: OoO0O00 * OoooooooOO - OoooooooOO + I1IiiI * Oo0Ooo
- if 87 - 87: o0oOOo0O0Ooo / IiII / i11iIiiIii
- if 95 - 95: i1IIi / Ii1I / Ii1I
- for oOo0O0 in self . ole_subfiles :
- oOo0O0 . close ( )
- else :
- self . ole_file . close ( )
- if 65 - 65: I1Ii111 + iII111i * iII111i
- if 79 - 79: i1IIi / Oo0Ooo - I1IiiI . O0
- if 56 - 56: IiII % O0 * i1IIi - II111iiii
- class Oo0OoOOoo ( O0oOo00oooO ) :
- if 84 - 84: I1Ii111
- if 53 - 53: i1IIi
- if 59 - 59: o0oOOo0O0Ooo + I1IiiI % OoooooooOO - iIii1I11I1II1
- if 9 - 9: i1IIi - OoOoOO00
- if 57 - 57: iIii1I11I1II1 * Ii1I * iII111i / oO0o
- def __init__ ( self , filename , data = None , container = None ) :
- try :
- if 46 - 46: Ii1I
- if 61 - 61: o0oOOo0O0Ooo / ooOoO0o - II111iiii
- if 87 - 87: I1ii11iIi11i / I1IiiI
- if 45 - 45: OoOoOO00 * ooOoO0o / OoooooooOO + OoO0O00 . I1Ii111 / OoO0O00
- if 64 - 64: Ii1I / i1IIi % I1IiiI - o0oOOo0O0Ooo
- if 11 - 11: I1ii11iIi11i - OoooooooOO
- if 16 - 16: IiII % OoooooooOO - ooOoO0o * Ii1I - Ii1I
- if 27 - 27: IiII + iIii1I11I1II1 / Oo0Ooo + OoO0O00 % Oo0Ooo + OoO0O00
- if 77 - 77: Oo0Ooo * ooOoO0o % Ii1I
- if 2 - 2: I11i / Oo0Ooo / Ii1I / I1ii11iIi11i / OoooooooOO
- if 22 - 22: iIii1I11I1II1 * I1IiiI / I11i + OoOoOO00
- if 98 - 98: OOooOOo
- if 69 - 69: II111iiii + Oo0Ooo - oO0o . Oo0Ooo / iIii1I11I1II1 * iIii1I11I1II1
- if 75 - 75: OoO0O00 % OoooooooOO
- O0oOo00oooO . __init__ ( self , filename , data = data , container = container )
- except TypeError :
- if 16 - 16: O0 / i1IIi
- pass
- if 58 - 58: o0oOOo0O0Ooo / i11iIiiIii / O0 % I11i % I1IiiI
- if 86 - 86: IiII + OoOoOO00 / I1IiiI + I11i % I11i / i11iIiiIii
- def print_analysis ( self , show_decoded_strings = False ) :
- if 12 - 12: OoOoOO00 + o0oOOo0O0Ooo . I1Ii111
- if sys . stdout . isatty ( ) :
- if 52 - 52: OoO0O00
- if 4 - 4: Ii1I % I1ii11iIi11i + I11i - I1ii11iIi11i
- if 98 - 98: Ii1I - O0 * oO0o * Ii1I * Ii1I
- if 44 - 44: IiII + I11i
- if 66 - 66: oO0o
- if 34 - 34: iII111i % i11iIiiIii + i11iIiiIii - iII111i
- if 2 - 2: II111iiii + i1IIi
- print 'Analysis...\r' ,
- sys . stdout . flush ( )
- ii1iiIi = self . analyze_macros ( show_decoded_strings )
- if ii1iiIi :
- iII1111III1I = prettytable . PrettyTable ( ( 'Type' , 'Keyword' , 'Description' ) )
- iII1111III1I . align = 'l'
- iII1111III1I . max_width [ 'Type' ] = 10
- iII1111III1I . max_width [ 'Keyword' ] = 20
- iII1111III1I . max_width [ 'Description' ] = 39
- for oO0OO00 , i1iI1Ii11Ii1 , o0oO00o in ii1iiIi :
- if 16 - 16: OoooooooOO / oO0o . Ii1I * ooOoO0o - I1IiiI
- if not i1oO ( i1iI1Ii11Ii1 ) :
- i1iI1Ii11Ii1 = repr ( i1iI1Ii11Ii1 )
- if not i1oO ( o0oO00o ) :
- o0oO00o = repr ( o0oO00o )
- iII1111III1I . add_row ( ( oO0OO00 , i1iI1Ii11Ii1 , o0oO00o ) )
- print iII1111III1I
- else :
- print 'No suspicious keyword or IOC found.'
- if 32 - 32: I1IiiI / OoO0O00
- if 28 - 28: Oo0Ooo / IiII . iII111i + OoO0O00 + I11i % Oo0Ooo
- def reveal ( self ) :
- if 45 - 45: Oo0Ooo / O0 % OoooooooOO
- print 'MACRO SOURCE CODE WITH DEOBFUSCATED VBA STRINGS (EXPERIMENTAL):\n'
- if 92 - 92: Ii1I . OoOoOO00 . I11i - OoooooooOO / ooOoO0o
- ooOo0 = self . analyze_macros ( show_decoded_strings = False )
- if 41 - 41: I1Ii111 + OoO0O00 * I1IiiI * O0 * Oo0Ooo - OoOoOO00
- if 96 - 96: I1IiiI - iIii1I11I1II1
- ooOo0 = sorted ( ooOo0 , key = lambda Ii1o0OOOoo0000 : len ( Ii1o0OOOoo0000 [ 2 ] ) , reverse = True )
- if 19 - 19: OoooooooOO . I1IiiI + I1Ii111 - I1IiiI / I1IiiI % IiII
- IiIIIii1i1iI = self . vba_code_all_modules
- for oO0OO00 , OOoOi1IiiI , oO0Ooooo000 in ooOo0 :
- if oO0OO00 == 'VBA string' :
- if 99 - 99: iIii1I11I1II1 - oO0o - OoOoOO00 / iIii1I11I1II1 * Oo0Ooo - oO0o
- if 72 - 72: IiII % i1IIi / iIii1I11I1II1
- if 95 - 95: O0 . OoO0O00
- OOoOi1IiiI = OOoOi1IiiI . replace ( '"' , '""' )
- IiIIIii1i1iI = IiIIIii1i1iI . replace ( oO0Ooooo000 , '"%s"' % OOoOi1IiiI )
- print ''
- print IiIIIii1i1iI
- if 89 - 89: i1IIi
- if 19 - 19: ooOoO0o / o0oOOo0O0Ooo % IiII - Ii1I
- if 14 - 14: I1ii11iIi11i - i11iIiiIii * I1Ii111
- def process_file ( self , show_decoded_strings = False ,
- display_code = True , global_analysis = True , hide_attributes = True ,
- vba_code_only = False , show_deobfuscated_code = False ) :
- if 39 - 39: OoooooooOO
- if 19 - 19: i11iIiiIii
- if vba_code_only and not display_code :
- if 80 - 80: I1IiiI
- if 58 - 58: oO0o + I1ii11iIi11i % OoOoOO00
- if 22 - 22: iIii1I11I1II1 - Ii1I / I1IiiI * IiII
- if 26 - 26: o0oOOo0O0Ooo + OOooOOo - o0oOOo0O0Ooo + Oo0Ooo . oO0o
- if 97 - 97: i1IIi
- if 46 - 46: I1ii11iIi11i
- if 30 - 30: OoO0O00 / O0 * o0oOOo0O0Ooo * I1Ii111 + OoooooooOO * iII111i
- if 23 - 23: I11i
- if 36 - 36: IiII . iII111i - i1IIi + I1Ii111
- if 54 - 54: OoooooooOO . oO0o - iII111i
- if 76 - 76: I1Ii111
- display_code = True
- if self . container :
- O00o0 = '%s in %s' % ( self . filename , self . container )
- else :
- O00o0 = self . filename
- print '=' * 79
- print 'FILE:' , O00o0
- try :
- if 98 - 98: iIii1I11I1II1 + i11iIiiIii * I1ii11iIi11i / I1Ii111 / ooOoO0o - O0
- print 'Type:' , self . type
- if self . detect_vba_macros ( ) :
- if 42 - 42: iII111i
- for ( II1I11 , i1Ii1i11ii , oO0O0oo , OOOOOOO00OO ) in self . extract_all_macros ( ) :
- if hide_attributes :
- if 77 - 77: i1IIi * oO0o % OoooooooOO + O0 * ooOoO0o
- I11i1iiiiIIIi = I1iI1I1ii1 ( OOOOOOO00OO )
- else :
- I11i1iiiiIIIi = OOOOOOO00OO
- print '-' * 79
- print 'VBA MACRO %s ' % oO0O0oo
- print 'in file: %s - OLE stream: %s' % ( II1I11 , repr ( i1Ii1i11ii ) )
- if display_code :
- print '- ' * 39
- if 13 - 13: O0 + I1Ii111 * II111iiii + Oo0Ooo * IiII
- if I11i1iiiiIIIi . strip ( ) == '' :
- print '(empty macro)'
- else :
- print I11i1iiiiIIIi
- if not global_analysis and not vba_code_only :
- if 12 - 12: IiII - Ii1I % Ii1I
- raise NotImplementedError
- print '- ' * 39
- print 'ANALYSIS:'
- if 23 - 23: ooOoO0o
- self . print_analysis ( show_decoded_strings )
- if global_analysis and not vba_code_only :
- if 61 - 61: IiII + iII111i - OoO0O00 * oO0o
- self . print_analysis ( show_decoded_strings )
- if show_deobfuscated_code :
- self . reveal ( )
- else :
- print 'No VBA macros found.'
- except :
- if 87 - 87: II111iiii % II111iiii
- if 51 - 51: ooOoO0o * iIii1I11I1II1 . iII111i
- if 25 - 25: OOooOOo - Ii1I . I11i
- if 57 - 57: o0oOOo0O0Ooo + Oo0Ooo * I1ii11iIi11i - ooOoO0o % iIii1I11I1II1 - Ii1I
- traceback . print_exc ( )
- print ''
- if 37 - 37: OoO0O00 * I11i + Ii1I + I1ii11iIi11i * o0oOOo0O0Ooo
- if 95 - 95: Ii1I - i11iIiiIii % i11iIiiIii - O0 * I1Ii111
- def process_file_triage ( self ) :
- if 81 - 81: II111iiii * I1IiiI % i1IIi * i11iIiiIii + OoOoOO00
- oo0OoOO000O = ''
- if 62 - 62: i1IIi * iIii1I11I1II1 % oO0o % OoOoOO00 / OoooooooOO
- if 39 - 39: Oo0Ooo % iII111i
- if 90 - 90: I1IiiI * I1ii11iIi11i . I11i * Ii1I - o0oOOo0O0Ooo
- try :
- if self . type is not None :
- if 40 - 40: O0 / IiII - II111iiii + o0oOOo0O0Ooo % Oo0Ooo
- if self . detect_vba_macros ( ) :
- if 93 - 93: ooOoO0o
- if sys . stdout . isatty ( ) :
- print 'Analysis...\r' ,
- sys . stdout . flush ( )
- self . analyze_macros ( )
- OOo0O = ooo [ self . type ]
- IiI11iiIii = oOOo = III11iI1i11i = IIiI = OOoOo0oO0oo00 = i1IIII1II = I1I = O000oO00oO = '-'
- if self . nb_macros : IiI11iiIii = 'M'
- if self . nb_autoexec : oOOo = 'A'
- if self . nb_suspicious : III11iI1i11i = 'S'
- if self . nb_iocs : IIiI = 'I'
- if self . nb_hexstrings : OOoOo0oO0oo00 = 'H'
- if self . nb_base64strings : i1IIII1II = 'B'
- if self . nb_dridexstrings : I1I = 'D'
- if self . nb_vbastrings : O000oO00oO = 'V'
- OOo0O += '%s%s%s%s%s%s%s%s' % ( IiI11iiIii , oOOo , III11iI1i11i , IIiI , OOoOo0oO0oo00 ,
- i1IIII1II , I1I , O000oO00oO )
- if 96 - 96: IiII
- if 99 - 99: iIii1I11I1II1 - ooOoO0o
- if 79 - 79: I1IiiI + oO0o % I11i % oO0o
- if 56 - 56: I1ii11iIi11i + oO0o . OoO0O00 + OoooooooOO * I1ii11iIi11i - O0
- if 35 - 35: OOooOOo . I11i . I1Ii111 - I11i % I11i + I1Ii111
- if 99 - 99: o0oOOo0O0Ooo + OOooOOo
- if 34 - 34: I1Ii111 * o0oOOo0O0Ooo . I1IiiI % i11iIiiIii
- if 61 - 61: iIii1I11I1II1 + oO0o * I11i - i1IIi % oO0o
- if 76 - 76: oO0o / OoOoOO00
- else :
- if 12 - 12: I1Ii111
- if 58 - 58: OoO0O00 + iIii1I11I1II1 % O0 + I11i + OoOoOO00 * OoooooooOO
- OOo0O = '?'
- oo0OoOO000O = 'File format not supported'
- except :
- if 41 - 41: oO0o * I1IiiI
- if 76 - 76: oO0o . O0 * OoooooooOO + ooOoO0o
- if 53 - 53: Oo0Ooo
- if 3 - 3: IiII - OoooooooOO * OoooooooOO - I1IiiI / I1Ii111 * I1ii11iIi11i
- OOo0O = '!ERROR'
- oo0OoOO000O = sys . exc_value
- o0O = '%-12s %s' % ( OOo0O , self . filename )
- if oo0OoOO000O :
- o0O += ' - %s' % oo0OoOO000O
- print o0O
- if 58 - 58: IiII % iIii1I11I1II1 / i11iIiiIii % o0oOOo0O0Ooo . I1Ii111 * iII111i
- if 32 - 32: OoooooooOO + o0oOOo0O0Ooo
- if 91 - 91: ooOoO0o - I1Ii111 * I1Ii111
- if 55 - 55: iIii1I11I1II1 + I1IiiI - Oo0Ooo
- if 24 - 24: OoO0O00 / I1Ii111 + iII111i * I11i * iII111i
- if 10 - 10: I1IiiI - I1ii11iIi11i - Oo0Ooo - o0oOOo0O0Ooo
- if 21 - 21: OoooooooOO + I1Ii111
- if 43 - 43: i11iIiiIii . I1ii11iIi11i . oO0o
- if 31 - 31: Ii1I % o0oOOo0O0Ooo % I1Ii111 . I1ii11iIi11i / o0oOOo0O0Ooo * oO0o
- if 74 - 74: I1IiiI . ooOoO0o / iII111i . IiII
- if 74 - 74: Oo0Ooo / I1Ii111 % I1Ii111 . IiII
- if 72 - 72: i1IIi
- if 21 - 21: I1Ii111 . OOooOOo / i11iIiiIii * i1IIi
- if 82 - 82: ooOoO0o * Oo0Ooo % i11iIiiIii * i1IIi . OOooOOo
- if 89 - 89: IiII - i1IIi - IiII
- if 74 - 74: OoO0O00 % OoO0O00
- if 28 - 28: OoOoOO00 % oO0o - OOooOOo + OOooOOo + oO0o / iIii1I11I1II1
- def oo0o ( ) :
- OOoOoo = 'usage: %prog [options] <filename> [filename2 ...]'
- if 83 - 83: I1ii11iIi11i * iIii1I11I1II1 + OoOoOO00 * i1IIi . OoooooooOO % Ii1I
- if 81 - 81: OoO0O00 - iIii1I11I1II1
- if 60 - 60: I1Ii111
- ooO0 = optparse . OptionParser ( usage = OOoOoo )
- if 35 - 35: Oo0Ooo * oO0o / OoooooooOO + O0 / OoooooooOO / OOooOOo
- if 44 - 44: i1IIi . I1ii11iIi11i - ooOoO0o . OOooOOo . o0oOOo0O0Ooo + oO0o
- if 17 - 17: iIii1I11I1II1 + i1IIi . I1ii11iIi11i + Ii1I % i1IIi . oO0o
- if 57 - 57: oO0o
- ooO0 . add_option ( "-r" , action = "store_true" , dest = "recursive" ,
- help = 'find files recursively in subdirectories.' )
- ooO0 . add_option ( "-z" , "--zip" , dest = 'zip_password' , type = 'str' , default = None ,
- help = 'if the file is a zip archive, open all files from it, using the provided password (requires Python 2.6+)' )
- ooO0 . add_option ( "-f" , "--zipfname" , dest = 'zip_fname' , type = 'str' , default = '*' ,
- help = 'if the file is a zip archive, file(s) to be opened within the zip. Wildcards * and ? are supported. (default:*)' )
- ooO0 . add_option ( "-t" , '--triage' , action = "store_true" , dest = "triage_mode" ,
- help = 'triage mode, display results as a summary table (default for multiple files)' )
- ooO0 . add_option ( "-d" , '--detailed' , action = "store_true" , dest = "detailed_mode" ,
- help = 'detailed mode, display full results (default for single file)' )
- ooO0 . add_option ( "-a" , '--analysis' , action = "store_false" , dest = "display_code" , default = True ,
- help = 'display only analysis results, not the macro source code' )
- ooO0 . add_option ( "-c" , '--code' , action = "store_true" , dest = "vba_code_only" , default = False ,
- help = 'display only VBA source code, do not analyze it' )
- ooO0 . add_option ( "-i" , "--input" , dest = 'input' , type = 'str' , default = None ,
- help = 'input file containing VBA source code to be analyzed (no parsing)' )
- ooO0 . add_option ( "--decode" , action = "store_true" , dest = "show_decoded_strings" ,
- help = 'display all the obfuscated strings with their decoded content (Hex, Base64, StrReverse, Dridex, VBA).' )
- ooO0 . add_option ( "--attr" , action = "store_false" , dest = "hide_attributes" , default = True ,
- help = 'display the attribute lines at the beginning of VBA source code' )
- ooO0 . add_option ( "--reveal" , action = "store_true" , dest = "show_deobfuscated_code" ,
- help = 'display the macro source code after replacing all the obfuscated strings by their decoded content.' )
- if 92 - 92: II111iiii - OoO0O00 - OOooOOo % I1IiiI - OoOoOO00 * I1Ii111
- if 16 - 16: iIii1I11I1II1 + OoooooooOO - ooOoO0o * IiII
- if 37 - 37: iII111i
- if 15 - 15: o0oOOo0O0Ooo % OoO0O00 / iII111i
- if 36 - 36: OoO0O00 + OoO0O00 % Oo0Ooo + Oo0Ooo / i1IIi % i1IIi
- if 20 - 20: OOooOOo * oO0o
- if 91 - 91: OoO0O00 % i1IIi - iIii1I11I1II1 . OOooOOo
- ( IIiiIiIIiI1 , I1IiI ) = ooO0 . parse_args ( )
- if 79 - 79: OoOoOO00 + IiII
- if 14 - 14: I1Ii111 / I11i - OOooOOo * O0 % IiII . O0
- if len ( I1IiI ) == 0 and not IIiiIiIIiI1 . input :
- print __doc__
- ooO0 . print_help ( )
- sys . exit ( )
- if 86 - 86: i1IIi * OoooooooOO
- if 22 - 22: I1Ii111 + iII111i - I11i + iIii1I11I1II1 / I1Ii111 - OoooooooOO
- print 'olevba %s - http://decalage.info/python/oletools' % __version__
- if 42 - 42: OoooooooOO - OoOoOO00 - OOooOOo * I1Ii111
- if 98 - 98: OoO0O00 . iIii1I11I1II1 % Oo0Ooo + OoooooooOO
- logging . basicConfig ( format = '%(levelname)s: %(message)s' , level = logging . WARNING )
- if 2 - 2: I1Ii111 % OoooooooOO - ooOoO0o * I1ii11iIi11i * IiII
- logging . disable ( logging . CRITICAL )
- if 99 - 99: iIii1I11I1II1 . Oo0Ooo / ooOoO0o . OOooOOo % I1IiiI * I11i
- if IIiiIiIIiI1 . input :
- if 95 - 95: oO0o
- raise NotImplementedError
- if 80 - 80: IiII
- print 'Analysis of VBA source code from %s:' % IIiiIiIIiI1 . input
- OOOOOOO00OO = open ( IIiiIiIIiI1 . input ) . read ( )
- print_analysis ( OOOOOOO00OO , show_decoded_strings = IIiiIiIIiI1 . show_decoded_strings )
- sys . exit ( )
- if 42 - 42: OoooooooOO * II111iiii
- if 53 - 53: I1Ii111 + i1IIi . OoO0O00 / i11iIiiIii + Ii1I % OoOoOO00
- if 9 - 9: ooOoO0o . I11i - Oo0Ooo . I1Ii111
- if 39 - 39: OOooOOo
- if 70 - 70: IiII % OoO0O00 % I1IiiI
- if 95 - 95: OoOoOO00 - I1Ii111 / O0 * I1IiiI - o0oOOo0O0Ooo
- if not IIiiIiIIiI1 . detailed_mode or IIiiIiIIiI1 . triage_mode :
- print '%-12s %-65s' % ( 'Flags' , 'Filename' )
- print '%-12s %-65s' % ( '-' * 11 , '-' * 65 )
- if 12 - 12: iIii1I11I1II1 % Oo0Ooo . iII111i . IiII % i11iIiiIii
- IIiI1I11ii1i = None
- o0o = 0
- ooIi1Iii1 = oOOO0oOoo = ooooI11iii1iIIIIi = None
- III1i1iiI1 = None
- for ooIi1Iii1 , oOOO0oOoo , ooooI11iii1iIIIIi in xglob . iter_files ( I1IiI , recursive = IIiiIiIIiI1 . recursive ,
- zip_password = IIiiIiIIiI1 . zip_password , zip_fname = IIiiIiIIiI1 . zip_fname ) :
- if 62 - 62: Ii1I . i11iIiiIii % O0 % I1Ii111 - Oo0Ooo
- if ooIi1Iii1 and oOOO0oOoo . endswith ( '/' ) :
- continue
- if 69 - 69: II111iiii . OoOoOO00 * OoOoOO00 % Ii1I + I1IiiI
- III1i1iiI1 = Oo0OoOOoo ( oOOO0oOoo , data = ooooI11iii1iIIIIi , container = ooIi1Iii1 )
- if IIiiIiIIiI1 . detailed_mode and not IIiiIiIIiI1 . triage_mode :
- if 100 - 100: i11iIiiIii - Oo0Ooo
- III1i1iiI1 . process_file ( show_decoded_strings = IIiiIiIIiI1 . show_decoded_strings ,
- display_code = IIiiIiIIiI1 . display_code , global_analysis = True ,
- hide_attributes = IIiiIiIIiI1 . hide_attributes , vba_code_only = IIiiIiIIiI1 . vba_code_only ,
- show_deobfuscated_code = IIiiIiIIiI1 . show_deobfuscated_code )
- else :
- if 47 - 47: iII111i * OoOoOO00 * IiII
- if ooIi1Iii1 != IIiI1I11ii1i :
- if ooIi1Iii1 is not None :
- print '\nFiles in %s:' % ooIi1Iii1
- IIiI1I11ii1i = ooIi1Iii1
- if 46 - 46: Ii1I
- III1i1iiI1 . process_file_triage ( )
- o0o += 1
- if not IIiiIiIIiI1 . detailed_mode or IIiiIiIIiI1 . triage_mode :
- print '\n(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, ' 'A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, ' 'B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)\n'
- if 42 - 42: iIii1I11I1II1
- if 32 - 32: Oo0Ooo - Ii1I . OoooooooOO - OoooooooOO - Oo0Ooo . iIii1I11I1II1
- if 34 - 34: Oo0Ooo
- if o0o == 1 and not IIiiIiIIiI1 . triage_mode and not IIiiIiIIiI1 . detailed_mode :
- if 31 - 31: i1IIi - I11i + I1Ii111 + ooOoO0o . ooOoO0o . O0
- III1i1iiI1 . process_file ( show_decoded_strings = IIiiIiIIiI1 . show_decoded_strings ,
- display_code = IIiiIiIIiI1 . display_code , global_analysis = True ,
- hide_attributes = IIiiIiIIiI1 . hide_attributes , vba_code_only = IIiiIiIIiI1 . vba_code_only ,
- show_deobfuscated_code = IIiiIiIIiI1 . show_deobfuscated_code )
- if 33 - 33: i1IIi / iII111i * OoO0O00
- if 2 - 2: oO0o . OOooOOo
- if __name__ == '__main__' :
- oo0o ( )
- if 43 - 43: iIii1I11I1II1
- if 29 - 29: IiII % ooOoO0o + OoO0O00 . i1IIi + I1IiiI
- # dd678faae9ac167bc83abf78e5cb2f3f0688d3a3
Add Comment
Please, Sign In to add comment