A tool for security researchers who waste their time analyzing malicious Office macros.
Generates a VBA call graph, with potentially malicious keywords highlighted.
Allows for quick analysis of malicious macros, and easy understanding of the execution flow.
- Keyword highlighting
- VBA Properties support
- External function declaration support
- Tricky macros with “_Change” execution triggers
- Fancy colour schemes!
✓ Pretty fast
✓ Works well on most malicious macros observed in the wild
✗ Static (dynamically resolved calls would not be recognized)
Install Python Requirements
pip2 install -r requirements.txt
Install Graphviz msi:
Add “dot.exe” to PATH env variable or just:
set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin
On macOS (Homebrew):
brew install graphviz
On Debian/Ubuntu:
sudo apt-get install graphviz
On Arch Linux:
sudo pacman -S graphviz
Only Python 2 is supported:
You’ll get 4 folders in your output folder:
- png: the actual graph image you are looking for
- svg: same graph image, just in vector graphics
- dot: the dot file which was used to create the graph image
- bas: the VBA functions code that was recognized by the script (for debugging)
The attached batch.sh script runs olevba and vba2graph on an input folder of malicious docs.
It deletes the output dir, so use it with caution.
Trickbot downloader – utilizes object Resize event as an initial trigger, followed by TextBox_Change triggers.
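
How an event-triggered chain like the one above appears in a static call graph, as an added Python 3 example that is not vba2graph's own code. The keyword list, trigger pattern and sample macro are assumptions constructed for illustration.

```python
import re

# Assumed, illustrative lists; vba2graph ships its own keyword and trigger handling.
SUSPICIOUS = ("Shell", "CreateObject", "Environ", "URLDownloadToFile")
TRIGGERS = re.compile(r"^(Auto_?Open|Document_Open|Workbook_Open|\w+_(Change|Resize|Click))$", re.I)
PROC = re.compile(r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)"
                  r".*?^\s*End\s+(?:Sub|Function)", re.I | re.M | re.S)

# Constructed, inert sample: a Resize handler whose text assignment fires a _Change handler.
SAMPLE = '''
Private Sub UserForm_Resize()
    TextBox1.Text = "go"
End Sub
Private Sub TextBox1_Change()
    Launch Decode("zzz")
End Sub
Function Decode(s)
    Decode = StrReverse(s)
End Function
Sub Launch(cmd)
    Set sh = CreateObject("WScript.Shell")
End Sub
'''

def analyze(source):
    """Return (edges, entry_points, flagged_keywords) for VBA source text."""
    procs = {m.group(1): m.group(0) for m in PROC.finditer(source)}
    edges, flagged = set(), {}
    for name, text in procs.items():
        # Call edges: drop the header line, string literals and comments first.
        body = re.sub(r'"[^"]*"', '""', text.split("\n", 1)[1])
        body = re.sub(r"'.*", "", body)
        for callee in procs:
            if callee != name and re.search(r"(?<![\w.])%s\b" % re.escape(callee), body, re.I):
                edges.add((name, callee))
        # Keywords: scan the raw text so names inside strings ("WScript.Shell") count.
        hits = [k for k in SUSPICIOUS if re.search(r"\b%s\b" % k, text, re.I)]
        if hits: flagged[name] = hits
    return edges, sorted(n for n in procs if TRIGGERS.match(n)), flagged

def to_dot(edges, entries, flagged):
    """Render the graph as Graphviz DOT: boxed entry points, red flagged nodes."""
    out = ['  "%s" [shape=box];' % n for n in entries]
    out += ['  "%s" [color=red, label="%s\\n%s"];' % (n, n, ", ".join(h)) for n, h in sorted(flagged.items())]
    out += ['  "%s" -> "%s";' % e for e in sorted(edges)]
    return "digraph vba {\n" + "\n".join(out) + "\n}"

if __name__ == "__main__":
    print(to_dot(*analyze(SAMPLE)))
```

No edge connects UserForm_Resize to TextBox1_Change, because the second handler fires from a property assignment rather than a call, which is why event handlers have to be treated as entry points in their own right. Calls made by name at run time (for example through Application.Run or CallByName) are likewise invisible to this kind of static pass.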