
olevba: add keywords for AMSI bypass

Open decalage2 opened this issue 4 years ago • 2 comments

See this sample: https://labs.inquest.net/dfi/sha256/9404cbeacd30e170fe03bfdeb54663cb1439ccf73309e172e11349aa64fdbd00

Potential keywords (can be obfuscated):

  • amsi
  • AmsiUacInitialize
  • "4C8BDC49895B08"
  • "4883EC384533DB"
  • "8B450C85" & "C0745A85DB"
  • "8B550C85D" & "27434837D"

decalage2 · Nov 29 '19 19:11
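A detection routine for the keyword list above, added here as an illustration and not part of olevba's own code: it folds VBA string concatenation (the `"..." & "..."` splits the issue shows) back together before matching, so a split hex fragment is still caught. The sample VBA lines and the helper names are constructed assumptions.

```python
import re

# Indicators proposed in the issue; the two split hex fragments are
# listed in their joined form because the scanner joins literals first.
AMSI_KEYWORDS = [
    "amsi",
    "AmsiUacInitialize",
    "4C8BDC49895B08",
    "4883EC384533DB",
    "8B450C85C0745A85DB",   # "8B450C85" & "C0745A85DB"
    "8B550C85D27434837D",   # "8B550C85D" & "27434837D"
]

# Two adjacent string literals joined with '&', optionally across a
# VBA line continuation ("_" followed by a newline).
_CONCAT_RE = re.compile(r'"([^"]*)"\s*&\s*(?:_\s*)?"([^"]*)"')


def join_string_concats(vba_source: str) -> str:
    """Repeatedly fold "a" & "b" into "ab" until no pair remains."""
    text, prev = vba_source, None
    while prev != text:
        prev = text
        text = _CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
    return text


def find_amsi_indicators(vba_source: str) -> list:
    """Return the keywords present (case-insensitive) after normalisation.

    Limitation: only literal concatenation is folded; Chr()/StrReverse
    style obfuscation would need further normalisation.
    """
    lowered = join_string_concats(vba_source).lower()
    return [kw for kw in AMSI_KEYWORDS if kw.lower() in lowered]


# Constructed sample: a hex fragment split across a line continuation.
SAMPLE_VBA = (
    'Dim p As String\r\n'
    'p = "8B450C85" & _\r\n'
    '    "C0745A85DB"\r\n'
    'Set o = CreateObject("Scripting.Dictionary")\r\n'
)

if __name__ == "__main__":
    print(find_amsi_indicators(SAMPLE_VBA))
```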

Another post: https://codewhitesec.blogspot.com/2019/07/heap-based-amsi-bypass-in-vba.html

decalage2 · Feb 27 '21 07:02

Also this one: https://depthsecurity.com/blog/obfuscating-malicious-macro-enabled-word-docs

decalage2 · Jan 31 '22 08:01