oletools
mraptor: write and execute should lead to "suspicious"
Is your feature request related to a problem? Please describe.
Samples with autoexec and (write or execute) are currently flagged as suspicious. Threat actors are delivering malicious files without autoexec. They trigger the macro on pressing a button. Such samples have write and execute characteristics. See attached: sample.zip
Describe the solution you'd like
Besides

    if self.autoexec and (self.execute or self.write):
        self.suspicious = True

this could be added:

    if self.execute and self.write:
        self.suspicious = True
Describe alternatives you've considered
Looking at the attached sample, there is no alternative.
Additional context
Droppers like the attached sample are currently being delivered via email campaigns.
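To make the proposed change concrete, here is an added Python sketch (not code from the issue author and not mraptor's own implementation) that puts the current rule and the proposed rule side by side and runs both over a few constructed VBA snippets. The keyword regexes are a deliberately simplified stand-in for mraptor's AutoExec/Write/Execute patterns and are an assumption of this example; the VBA samples are constructed skeletons for the scanner to read, not working macros. The button-triggered write-and-execute case from the issue is the one where the two rules disagree.

```python
import re
from dataclasses import dataclass

# Simplified keyword patterns standing in for mraptor's three behaviour classes
# (AutoExec, Write, Execute). They are an assumption for this example, not
# mraptor's actual regexes, which are longer and more carefully tuned.
RE_AUTOEXEC = re.compile(
    r"\b(?:Auto(?:Open|Exec|Close|New|Exit)"
    r"|Document_(?:Open|Close|New)"
    r"|Workbook_(?:Open|Activate|BeforeClose))\b",
    re.IGNORECASE,
)
RE_WRITE = re.compile(
    r"\bOpen\b.+\bFor\s+(?:Output|Binary|Append)\b"
    r"|\b(?:FileCopy|CreateTextFile|SaveAs|SaveToFile|Kill)\b"
    r"|\bADODB\.Stream\b",
    re.IGNORECASE,
)
RE_EXECUTE = re.compile(
    r"\b(?:Shell|CreateObject|GetObject|ShellExecute)\b"
    r"|\.(?:Run|Exec)\b",
    re.IGNORECASE,
)


@dataclass
class Flags:
    autoexec: bool
    write: bool
    execute: bool

    def suspicious_current(self) -> bool:
        # The rule quoted in the issue: an automatic trigger plus a write or execute.
        return self.autoexec and (self.execute or self.write)

    def suspicious_proposed(self) -> bool:
        # The current rule plus the proposed addition: write and execute together
        # are enough, even when the macro has no automatic trigger.
        return self.suspicious_current() or (self.execute and self.write)


def scan_vba(code: str) -> Flags:
    """Classify a VBA source string into the three mraptor-style flags."""
    return Flags(
        autoexec=bool(RE_AUTOEXEC.search(code)),
        write=bool(RE_WRITE.search(code)),
        execute=bool(RE_EXECUTE.search(code)),
    )


# Constructed samples (skeletons for the scanner, not functional macros).
# 1. The case from the issue: fires from a form button, writes a file, runs it.
BUTTON_DROPPER = """
Private Sub CommandButton1_Click()
    Open "dropped.bin" For Binary Access Write As #1
    Close #1
    Set sh = CreateObject("WScript.Shell")
    sh.Run "dropped.bin"
End Sub
"""

# 2. Same behaviour, but with an automatic trigger (already caught today).
AUTOEXEC_DROPPER = "Sub Document_Open()\n    CommandButton1_Click\nEnd Sub\n" + BUTTON_DROPPER

# 3. Automatic trigger with neither write nor execute: benign under both rules.
BENIGN_AUTOEXEC = """
Sub Document_Open()
    MsgBox "Welcome"
End Sub
"""

# 4. Button that only saves the document: write without execute, benign under both.
BENIGN_BUTTON_SAVE = """
Private Sub CommandButton1_Click()
    ActiveDocument.SaveAs FileName:="report.docx"
End Sub
"""

SAMPLES = {
    "button dropper": BUTTON_DROPPER,
    "autoexec dropper": AUTOEXEC_DROPPER,
    "benign autoexec": BENIGN_AUTOEXEC,
    "benign button save": BENIGN_BUTTON_SAVE,
}


def compare_rules(samples: dict) -> dict:
    """Return {name: (current_verdict, proposed_verdict)} for each sample."""
    out = {}
    for name, code in samples.items():
        flags = scan_vba(code)
        out[name] = (flags.suspicious_current(), flags.suspicious_proposed())
    return out


if __name__ == "__main__":
    for name, (cur, prop) in compare_rules(SAMPLES).items():
        print(f"{name:20} current={cur!s:5} proposed={prop!s:5}")
```

Only the button dropper changes verdict between the two rules; the two benign samples stay clean under the proposed rule because they lack either the write or the execute half, which is the property that keeps the relaxed rule from flagging ordinary document-saving macros.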