How do I test whether rspamd works with the OLEtools

Carsten Rosenberg cr at ncxs.de
Thu Nov 28 11:08:03 CET 2019


Hello Frank,

thanks for the file. There really is a new variant of the AutoExec
in it. The current Git version of oletools already has that integrated:

+----------+----------------+---------------------------------------------+
|Type      |Keyword         |Description                                  |
+----------+----------------+---------------------------------------------+
|AutoExec  |Image1_Click    |Runs when the file is opened and ActiveX     |
|          |                |objects trigger events                       |
|AutoExec  |Image1_MouseMove|Runs when the file is opened and ActiveX     |
|          |                |objects trigger events                       |
|Suspicious|Open            |May open a file                              |
|Suspicious|Output          |May write to a file (if combined with Open)  |
|Suspicious|Print #         |May write to a file (if combined with Open)  |
|Suspicious|MkDir           |May create a directory                       |
|Suspicious|CreateObject    |May create an OLE object                     |
|Suspicious|CallByName      |May attempt to obfuscate malicious function  |
|          |                |calls                                        |
|Suspicious|Chr             |May attempt to obfuscate specific strings    |
|          |                |(use option --deobf to deobfuscate)          |
|Suspicious|VBA obfuscated  |VBA string expressions were detected, may be |
|          |Strings         |used to obfuscate strings (option --decode to|
|          |                |see all)                                     |
+----------+----------------+---------------------------------------------+

You can use the git version like this:

git clone --recurse-submodules https://github.com/decalage2/oletools.git /opt/oletools

and in /etc/olefy.conf:

OLEFY_OLEVBA_PATH=/opt/oletools/oletools/olevba.py

Best regards, Carsten

On 27.11.19 12:03, Frank Fiene wrote:
> Where should I put it for you?
> 
> Current virus patterns already detect the file as a virus.
> 
> 
> Kind regards!

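As an added example (not part of this mail, of oletools or of olefy): a small Python check that parses the olevba summary table quoted above, merging the wrapped continuation rows, and reports which expected AutoExec/Suspicious keywords are missing, a way to confirm that the Git version actually flags the new variant before pointing olefy at it. The table text is embedded as a constructed sample so it runs offline; the `expected` dict passed to `missing_keywords` is an assumption.

```python
from collections import defaultdict

# Constructed sample: the olevba summary table quoted in the mail (trimmed).
OLEVBA_TABLE = """\
+----------+----------------+---------------------------------------------+
|Type      |Keyword         |Description                                  |
+----------+----------------+---------------------------------------------+
|AutoExec  |Image1_Click    |Runs when the file is opened and ActiveX     |
|          |                |objects trigger events                       |
|AutoExec  |Image1_MouseMove|Runs when the file is opened and ActiveX     |
|          |                |objects trigger events                       |
|Suspicious|CreateObject    |May create an OLE object                     |
|Suspicious|VBA obfuscated  |VBA string expressions were detected, may be |
|          |Strings         |used to obfuscate strings (option --decode to|
|          |                |see all)                                     |
+----------+----------------+---------------------------------------------+
"""


def parse_olevba_table(text):
    """Return {type: [(keyword, description)]}; wrapped olevba rows are merged."""
    findings = defaultdict(list)
    current = None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # +---+ border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Type":
            continue  # header row or a line that is not a table row
        ftype, keyword, desc = cells[0], cells[1], " ".join(cells[2:]).strip()
        if ftype:
            current = [keyword, desc]
            findings[ftype].append(current)
        elif current is not None:  # blank Type: continuation of the previous row
            current[0] = (current[0] + " " + keyword).strip()
            current[1] = (current[1] + " " + desc).strip()
    return {t: [tuple(row) for row in rows] for t, rows in findings.items()}


def missing_keywords(text, expected):
    """Entries of expected ({type: [keyword, ...]}) absent from olevba's output."""
    found = parse_olevba_table(text)
    return [(t, k) for t, kws in expected.items()
            for k in kws if k not in {kw for kw, _ in found.get(t, [])}]
```

An empty result from `missing_keywords` means every keyword you rely on (here the new Image1_* AutoExec triggers) was reported by the oletools version under test.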

More information about the Postfixbuch-users mailing list