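"""List URLs hidden in VBA macros that use a simple Replace()-based string obfuscation.

Usage: python <this script> <office-document>

For each macro module the script looks for the first statement of the form
``var = Replace(source, "old", "new")``, applies that substitution to every
line that mentions ``source``, prints the rewritten module, and finally
reports every http(s) URL it found, both as-is and in a defanged form that
is safe to paste into a ticket or report.
"""
from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML
import sys
import re

# Matches ``<var> = Replace(<source>, "<old>", "<new>")``.
# Groups: 1 = assigned variable, 2 = source expression, 3 = old text, 4 = new text.
replace_regex = r"\s*([^=]+)\s*=\s*Replace\(\s*([^,]+)\s*,\s*\"([^,]*)\"\s*,\s*\"([^,]*)\"\s*\)"
replace = re.compile(replace_regex, re.MULTILINE)
# A URL runs up to the next comma or double quote, the delimiters VBA string
# literals and argument lists use.
regex_url = "http(s)?://[^,\"]+"
url = re.compile(regex_url, re.MULTILINE)


def deobfuscate(vba_code):
    """Undo the first ``Replace(source, "old", "new")`` substitution in *vba_code*.

    Args:
        vba_code: text of one VBA module (CRLF line endings, as oletools yields it).

    Returns:
        A ``(code, matched)`` pair: the (possibly rewritten) module text and a
        bool telling whether a usable Replace() statement was found.
    """
    # Join VBA line continuations ("_" + CRLF) first so a Replace() call split
    # over several physical lines is still visible to the regex.
    vba_code = vba_code.replace("_\r\n", "")
    match = replace.search(vba_code)
    if not match:
        return vba_code, False
    # ``[^,]+`` is greedy and may swallow trailing spaces before the comma;
    # strip them or the "is this line about the source?" test below misses.
    source_name = match.group(2).strip()
    old_val = match.group(3)
    new_val = match.group(4)
    if not old_val:
        # str.replace("", x) inserts x between every character - nothing to undo.
        return vba_code, False
    rewritten = [
        line.replace(old_val, new_val) if source_name in line else line
        for line in vba_code.split("\r\n")
    ]
    return "\r\n".join(rewritten), True


def extract_urls(code):
    """Return the http(s) URLs in *code*, in order of first appearance, without duplicates."""
    found = [m.group().rstrip('\\').rstrip('/') for m in url.finditer(code)]
    return list(dict.fromkeys(found))


def defang(link):
    """Return *link* with ``.`` and ``:`` bracketed so it cannot be clicked by accident."""
    return link.replace(".", "[.]").replace(":", "[:]")


def main(argv):
    """Entry point: parse the document named in ``argv[1]`` and print findings.

    Returns a process exit code (2 on usage error, 0 otherwise).
    """
    if len(argv) < 2:
        print("usage: {} <office-document>".format(argv[0]), file=sys.stderr)
        return 2
    vbaparser = VBA_Parser(argv[1])
    try:
        if not vbaparser.detect_vba_macros():
            return 0
        urls = []
        for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
            code, matched = deobfuscate(vba_code)
            if matched:
                print(code)
            # Modules without a Replace() trick can still carry plain URLs, so
            # every module is scanned, not only the rewritten ones.
            urls.extend(extract_urls(code))
        urls = list(dict.fromkeys(urls))
        print("\r\n[ORIGINAL URLS]")
        for link in urls:
            print(link)
        # Defanged copies for reports: brackets keep the indicators non-clickable.
        print("\r\n[DEFANGED URLS]")
        for link in urls:
            print(defang(link))
        return 0
    finally:
        # Release the underlying file/zip handles oletools opened.
        vbaparser.close()


if __name__ == "__main__":
    sys.exit(main(sys.argv))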