Vba2Graph

A tool for security researchers, who waste their time analyzing malicious Office macros.

Generates a VBA call graph, with potential malicious keywords highlighted.

Allows for quick analysis of malicious macros, and easy understanding of the execution flow.

Features

• Keyword highlighting
• VBA Properties support
• External function declaration support
• Tricky macros with “_Change” execution triggers
• Fancy colour schemes!

Pros

✓ Pretty fast

✓ Works well on most malicious macros observed in the wild

Cons

✗ Static (dynamically resolved calls would not be recognized)

Installation

Install oletools:

Install Python Requirements

Install Graphviz

Windows

Install Graphviz msi:

Add “dot.exe” to PATH env variable or just:

Mac

Ubuntu

Arch

Usage

usage: vba2graph.py [-h] [-o OUTPUT] [-c {0,1,2,3}] (-i INPUT | -f FILE)



optional arguments:

  -h, --help            show this help message and exit

  -o OUTPUT, --output OUTPUT

                        output folder (default: "output")

  -c {0,1,2,3}, --colors {0,1,2,3}

                        color scheme number [0, 1, 2, 3] (default: 0 - B&W)

  -i INPUT, --input INPUT

                        olevba generated file or .bas file

  -f FILE, --file FILE  Office file with macros

Only Python 2 is supported:

# Generate call graph directly from an Office file with macros [tnx @doomedraven]

python2 vba2graph.py -f malicious.doc -c 2    



# Generate vba code using olevba then pipe it to vba2graph

olevba malicious.doc | python2 vba2graph.py -c 1



# Generate call graph from VBA code

python2 vba2graph.py -i vba_code.bas -o output_folder

Output

You’ll get 4 folders in your output folder:

• png: the actual graph image you are looking for
• svg: same graph image, just in vector graphics
• dot: the dot file which was used to create the graph image
• bas: the VBA functions code that was recognized by the script (for debugging)

Batch Processing

Mac/Linux:

batch.sh script file is attached for running olevba and vba2graph on an input folder of malicious docs.

Deletes output dir. use with caution.

Example 1:

Trickbot downloader – utilizes object Resize event as an initial trigger, followed by TextBox_Change triggers.

Example 2:

Author: @MalwareCantFly

Source: https://github.com/MalwareCantFly/