
@DissectMalware
Last active January 18, 2022 15:18

Revisions

  1. DissectMalware revised this gist Nov 17, 2021. 1 changed file with 20 additions and 1 deletion.
    21 changes: 20 additions & 1 deletion deobfuscator.py
    @@ -6,7 +6,12 @@

    replace_regex = r"\s*([^=]+)\s*=\s*Replace\(\s*([^,]+)\s*,\s*\"([^,]*)\"\s*,\s*\"([^,]*)\"\s*\)"
    replace = re.compile(replace_regex, re.MULTILINE)

    regex_url = "http(s)?://[^,\"]+"
    url = re.compile(regex_url, re.MULTILINE)

    if vbaparser.detect_vba_macros():
    urls = []
    for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
    vba_code = vba_code.replace("_\r\n", "")
    match = replace.search(vba_code)
    @@ -21,5 +26,19 @@
    if str_name in sentence:
    sentence = sentence.replace(old_val, new_val)
    sentences.append(sentence)
    print('\r\n'.join(sentences))
    deobfuscated_code = '\r\n'.join(sentences)

    print(deobfuscated_code)

    url_iter = url.finditer(deobfuscated_code)
    for url_match in url_iter:
    urls.append(url_match.group().rstrip('\\').rstrip('/'))

    print("\r\n[ORIGINAL URLS]")
    for url in urls:
    print(url)

    # defanged urls
    print("\r\n[DEFANGED URLS]")
    for url in urls:
    print(url.replace(".","[.").replace(":","[:"))
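Review bot: The new loops `for url in urls:` rebind the name `url`, which the first hunk of this revision compiled as the URL regex (`url = re.compile(regex_url, re.MULTILINE)`), so once a URL has been printed the next macro stream reaching `url.finditer(deobfuscated_code)` calls `.finditer` on a `str` and raises AttributeError; rename the loop variable in both print loops, e.g. `for found in urls: print(found)`. Indentation is lost in this rendering, so whether the two print loops sit inside the per-module `extract_macros()` loop or after it is inferred, but the shadowing breaks any later use of the regex either way. The defang step `url.replace(".","[.").replace(":","[:")` inserts an opening bracket with no closing one, giving `http[://example[.com`-style output; the form analysts and tooling expect is `url.replace(".", "[.]").replace("http", "hxxp")`. The enclosing `for (filename, stream_path, vba_filename, vba_code)` loop starts in the previous hunk, outside this one.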
  2. DissectMalware created this gist Nov 16, 2021.
    25 changes: 25 additions & 0 deletions deobfuscator.py
    @@ -0,0 +1,25 @@
    from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML
    import sys
    import re

    vbaparser = VBA_Parser(sys.argv[1])

    replace_regex = r"\s*([^=]+)\s*=\s*Replace\(\s*([^,]+)\s*,\s*\"([^,]*)\"\s*,\s*\"([^,]*)\"\s*\)"
    replace = re.compile(replace_regex, re.MULTILINE)
    if vbaparser.detect_vba_macros():
    for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
    vba_code = vba_code.replace("_\r\n", "")
    match = replace.search(vba_code)
    if match:
    var_name = match.group(1)
    str_name = match.group(2)
    old_val = match.group(3)
    new_val = match.group(4)

    sentences =[]
    for sentence in vba_code.split("\r\n"):
    if str_name in sentence:
    sentence = sentence.replace(old_val, new_val)
    sentences.append(sentence)
    print('\r\n'.join(sentences))