DissectMalware / deobfuscator.py
Last active January 18, 2022 15:18
VBA deobfuscation - Emotet XLSM
from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML
import sys
import re
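# The Office file to analyse is the first command-line argument; without a guard a
# missing argument surfaces as an IndexError traceback instead of a usage message.
if len(sys.argv) < 2:
    sys.exit(f"usage: {sys.argv[0]} <office-document>")

# Extract the VBA project from the document (the imported TYPE_* constants are the
# container formats oletools distinguishes). The rest of the script is not shown here.
vbaparser = VBA_Parser(sys.argv[1])

# Matches a VBA assignment of the form `name = Replace(expr, "old", "new")` and
# captures: (1) the assigned name, (2) the source expression, (3) the text to find,
# (4) the replacement text. Compiled once because it is applied to whole modules.
replace_regex = r"\s*([^=]+)\s*=\s*Replace\(\s*([^,]+)\s*,\s*\"([^,]*)\"\s*,\s*\"([^,]*)\"\s*\)"
replace = re.compile(replace_regex, re.MULTILINE)

# Loose URL pattern: an http(s) scheme followed by everything up to the next comma or
# double quote. Deliberately permissive, so matches are candidates to be verified, not
# validated URLs.
regex_url = r'http(s)?://[^,"]+'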
import re
import argparse
def deobfuscate(input_str):
regex_str = r"[\(\{]\s*\"(?P<format>[^\)]*?)\"\s*\-f\s*(?P<params>.*?)[\)\}]"
regex = re.compile(regex_str, re.MULTILINE | re.IGNORECASE)
for match in reversed(list(regex.finditer(input_str))):
format_str = match.group('format')
DissectMalware / urls.py
Last active December 11, 2021 18:08
Obtain url redirects with python
import requests
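def get_redirect_urls(url, timeout=30):
    """Return the chain of URLs visited while following redirects from *url*.

    The result lists the URL of every intermediate response recorded in
    ``resp.history`` (in order), followed by the URL of the final response.
    Every hop is fetched live, so the requesting host contacts each server
    in the chain.

    Args:
        url: The starting URL to request.
        timeout: Seconds to wait for the connection and for each read.
            The original call passed no timeout, which lets a stalled server
            block the caller indefinitely.

    Returns:
        list[str]: intermediate redirect URLs followed by the final URL.
        When no redirect happened the list holds only the final URL.

    Raises:
        requests.RequestException: on connection errors or timeout.
    """
    resp = requests.get(url, timeout=timeout)
    # history is empty for a direct (non-redirected) response, so the
    # comprehension contributes nothing and only resp.url remains.
    return [hop.url for hop in resp.history] + [resp.url]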
DissectMalware / hybridanalysis.ps1
Last active April 28, 2023 12:42
Take a look at recent malware instances on Hybrid-Analysis
# get the SHA256 hashes of recent malware instances published by Hybrid-Analysis
# Fetch the public JSON feed, keep the rows whose vt_detect is below 10, and list
# them sorted by type and then threatscore, highest first.
$feedUri = 'https://www.hybrid-analysis.com/feed?json'
$requestHeaders = @{
    'User-Agent' = 'Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0'
}

$feed = Invoke-WebRequest -Uri $feedUri -Headers $requestHeaders | ConvertFrom-Json

$feed.Data |
    Select-Object -Property sha256, threatscore, vt_detect, type |
    Where-Object { $_.vt_detect -lt 10 } |
    Sort-Object -Property type, threatscore -Descending