oletools
olevba: add keywords for AMSI bypass
See this sample: https://labs.inquest.net/dfi/sha256/9404cbeacd30e170fe03bfdeb54663cb1439ccf73309e172e11349aa64fdbd00
Potential keywords (can be obfuscated):
- amsi
- AmsiUacInitialize
- "4C8BDC49895B08"
- "4883EC384533DB"
- "8B450C85" & "C0745A85DB"
- "8B550C85D" & "27434837D"
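As an added example (not olevba's own code, which keeps its keyword tables elsewhere), a small Python check that folds VBA literal string concatenation before matching the keywords listed above, so the hex patterns split with `&` still match; the sample VBA below is constructed for the demonstration:

```python
import re

# Keywords proposed in this issue. The hex strings are byte patterns that a
# heap-based AMSI bypass searches for in memory; the issue shows the last two
# split across two literals joined with "&", so they are stored here joined.
AMSI_KEYWORDS = [
    "amsi",
    "AmsiUacInitialize",
    "4C8BDC49895B08",
    "4883EC384533DB",
    "8B450C85C0745A85DB",   # "8B450C85" & "C0745A85DB"
    "8B550C85D27434837D",   # "8B550C85D" & "27434837D"
]

# Two adjacent VBA string literals joined by "&", optionally with a "_" line
# continuation after the "&". Escaped quotes ("") inside literals are not handled.
_CONCAT_RE = re.compile(r'"([^"]*)"\s*&\s*(?:_\s*)?"([^"]*)"')


def normalize_vba_strings(code: str) -> str:
    """Merge "8B45" & "0C85" into "8B450C85"; repeats so longer chains collapse."""
    prev = None
    while prev != code:
        prev = code
        code = _CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', code)
    return code


def find_amsi_keywords(vba_source: str) -> list:
    """Return the keywords (sorted) found case-insensitively after normalization."""
    normalized = normalize_vba_strings(vba_source).lower()
    return sorted(k for k in AMSI_KEYWORDS if k.lower() in normalized)


# Constructed sample: split literals and a line continuation, as a macro might do.
SAMPLE_VBA = '''
Dim p As String
p = "4C8BDC" & "49895B08"
Dim q As String
q = "8B450C85" & _
    "C0745A85DB"
Call Locate(p)
'''

if __name__ == "__main__":
    print(find_amsi_keywords(SAMPLE_VBA))
```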
Another post: https://codewhitesec.blogspot.com/2019/07/heap-based-amsi-bypass-in-vba.html
Also this one: https://depthsecurity.com/blog/obfuscating-malicious-macro-enabled-word-docs