Exchange.Windows.Applications.OfficeMacros.MacroRaptor - High false positive rate

[angry-bender]

Describe the issue
When using the artefact, the false positive rate is very high when compared to the source MacroRaptor tool.

To Reproduce

1. Add upload(file=FullPath) to line 47 of the artefact.

               ...
                    dict(Type=Type,StreamName=StreamName,ModuleName=ModuleName,Code=Code) as MacroCode,
                    upload(file=FullPath)
                FROM olevba(file=FullPath)
               ...

2. Create your hunt using the artefact. Download the collection which should contain any files which match.
3. Extract the collection to a Linux VM.
4. From the clients directory use the following command to consolidate all the files into one place mkdir files, find . -type f -exec cp {} files \;, rm *.csv, rm *.json.
5. Then use your own copy of MacroRaptor (To install use pip3 install oletools) .
6. Use the following command mraptor * -m -l critical to show the results. The output of this command will clear up to approximately 70% of macros as Macro OK

Expected behavior
The artefacts regex logic only identifies SUSPICIOUS macros

Screenshots
I currently don't have a dataset for testing, as this was found during an investigation. However, if requested I can try to get one together.

Version:

• Version 0.6.3

Additional context
I believe this may be due to the artefacts regex behavior. It could be worth comparting to the MacroRaptor source, and classifying macro's in a similar behavior to https://github.com/decalage2/oletools/wiki/mraptor

[mgreen27]

I can add another field.... we use the same regex but when I originally wrote this I thought it was best to just present results and a decision was moot. You can use notebook to exclude the results.

Macroraptor just marks as suspicious any found with Autoexec one of the other two entries: https://github.com/decalage2/oletools/blob/89e4dda01b53c12b75b9af0a04fc51582cb23b87/oletools/mraptor.py#L217-L218

Keep in mind macro parsing in general is fragile and I wouldnt put complete faith in any macro parsing tool.

[angry-bender]

I think having the suspicious field would be quite useful, particularly in the case where you have thousands of macro's to review it would help cut down the results significantly.

[mgreen27]

I agree - results are much user friendly now
https://docs.velociraptor.app/exchange/artifacts/pages/macroraptor/

Edit: Just updated again and tested in a live hunt. Significantly cut down Notebook filtering requirements with the new version.