Malwrologist DissectMalware

## deobfuscator.py
from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML
import sys
import re

vbaparser = VBA_Parser(sys.argv[1])

replace_regex = r"\s*([^=]+)\s*=\s*Replace\(\s*([^,]+)\s*,\s*\"([^,]*)\"\s*,\s*\"([^,]*)\"\s*\)"
replace = re.compile(replace_regex, re.MULTILINE)

regex_url = "http(s)?://[^,\"]+"

## deobfuscate_string_format.py
import re
import argparse


def deobfuscate(input_str):
    regex_str = r"[\(\{]\s*\"(?P<format>[^\)]*?)\"\s*\-f\s*(?P<params>.*?)[\)\}]"
    regex = re.compile(regex_str, re.MULTILINE | re.IGNORECASE)
    for match in reversed(list(regex.finditer(input_str))):

        format_str = match.group('format')

## urls.py
import requests

def get_redirect_urls(url):
	result = []
	resp = requests.get(url)
	for i in resp.history:
		result.append(i.url)
	result.append(resp.url)
	return result


## hybridanalysis.ps1
# get the SHA256 hashes of recent malware instances published by Hybrid-Analysis
Invoke-WebRequest 'https://www.hybrid-analysis.com/feed?json' -Headers @{"User-Agent"="Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0"} | ConvertFrom-Json | Select-Object -Expand Data | select sha256, threatscore, vt_detect, type | Where-Object{$_.vt_detect -lt 10} | Sort-Object type,threatscore -desc
	from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML
	import sys
	import re

	vbaparser = VBA_Parser(sys.argv[1])

	replace_regex = r"\s([^=]+)\s=\sReplace\(\s([^,]+)\s,\s\"([^,])\"\s,\s\"([^,])\"\s*\)"
	replace = re.compile(replace_regex, re.MULTILINE)

	regex_url = "http(s)?://[^,\"]+"
	import re
	import argparse


	def deobfuscate(input_str):
	regex_str = r"[\(\{]\s\"(?P<format>[^\)]?)\"\s\-f\s(?P<params>.*?)[\)\}]"
	regex = re.compile(regex_str, re.MULTILINE \| re.IGNORECASE)
	for match in reversed(list(regex.finditer(input_str))):

	format_str = match.group('format')
	import requests

	def get_redirect_urls(url):
	result = []
	resp = requests.get(url)
	for i in resp.history:
	result.append(i.url)
	result.append(resp.url)
	return result
	# get the SHA256 hashes of recent malware instances published by Hybrid-Analysis
	Invoke-WebRequest 'https://www.hybrid-analysis.com/feed?json' -Headers @{"User-Agent"="Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0"} \| ConvertFrom-Json \| Select-Object -Expand Data \| select sha256, threatscore, vt_detect, type \| Where-Object{$_.vt_detect -lt 10} \| Sort-Object type,threatscore -desc