DissectMalware · January 18, 2022 15:18
diff --git a/deobfuscator.py b/deobfuscator.py
 from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML
 import sys
 import re

 vbaparser = VBA_Parser(sys.argv[1])

 replace_regex = r"\s*([^=]+)\s*=\s*Replace\(\s*([^,]+)\s*,\s*\"([^,]*)\"\s*,\s*\"([^,]*)\"\s*\)"
 replace = re.compile(replace_regex, re.MULTILINE)

 regex_url = "http(s)?://[^,\"]+"
 url = re.compile(regex_url, re.MULTILINE)

 if vbaparser.detect_vba_macros():
    urls = []
    for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
            vba_code = vba_code.replace("_\r\n", "")
            match = replace.search(vba_code)
            if match:
                var_name = match.group(1)
                str_name = match.group(2)
                old_val = match.group(3)
                new_val = match.group(4)

            sentences =[]
            for sentence in vba_code.split("\r\n"):
                if str_name in sentence:
                    sentence = sentence.replace(old_val, new_val)
                sentences.append(sentence)
            deobfuscated_code = '\r\n'.join(sentences)

            print(deobfuscated_code)

            url_iter = url.finditer(deobfuscated_code)
            for url_match in url_iter:
                urls.append(url_match.group().rstrip('\\').rstrip('/'))

    print("\r\n[ORIGINAL URLS]")
    for url in urls:
        print(url)

    # defanged urls
    print("\r\n[DEFANGED URLS]")
    for url in urls:
        print(url.replace(".","[.").replace(":","[:"))
	from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML
	import sys
	import re

	vbaparser = VBA_Parser(sys.argv[1])

	replace_regex = r"\s([^=]+)\s=\sReplace\(\s([^,]+)\s,\s\"([^,])\"\s,\s\"([^,])\"\s*\)"
	replace = re.compile(replace_regex, re.MULTILINE)

	regex_url = "http(s)?://[^,\"]+"
	url = re.compile(regex_url, re.MULTILINE)

	if vbaparser.detect_vba_macros():
	urls = []
	for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
	vba_code = vba_code.replace("_\r\n", "")
	match = replace.search(vba_code)
	if match:
	var_name = match.group(1)
	str_name = match.group(2)
	old_val = match.group(3)
	new_val = match.group(4)

	sentences =[]
	for sentence in vba_code.split("\r\n"):
	if str_name in sentence:
	sentence = sentence.replace(old_val, new_val)
	sentences.append(sentence)
	deobfuscated_code = '\r\n'.join(sentences)

	print(deobfuscated_code)

	url_iter = url.finditer(deobfuscated_code)
	for url_match in url_iter:
	urls.append(url_match.group().rstrip('\\').rstrip('/'))

	print("\r\n[ORIGINAL URLS]")
	for url in urls:
	print(url)

	# defanged urls
	print("\r\n[DEFANGED URLS]")
	for url in urls:
	print(url.replace(".","[.").replace(":","[:"))