mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 14:14:56 +03:00

Files

T

mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders

2026-03-10 21:02:12 +01:00

2.9 KiB

Raw Blame History

API Reference: Office Macro Malware Analysis Tools

olevba - VBA Macro Extraction (oletools)

CLI Syntax

olevba document.docm                   # Full analysis
olevba --decode --deobf document.docm  # Decode + deobfuscate
olevba --code document.docm            # Extract VBA source only
olevba --json document.docm            # JSON output
olevba --reveal document.docm          # Reveal hidden content

Output Sections

Section	Content
`AutoExec`	Auto-execution triggers (AutoOpen, Document_Open)
`Suspicious`	Dangerous functions (Shell, WScript, CreateObject)
`IOC`	Extracted indicators (URLs, IPs, file paths)
`Hex String`	Decoded hex-encoded strings

Python API

from oletools.olevba import VBA_Parser
vba = VBA_Parser("document.docm")
if vba.detect_vba_macros():
    for (fn, stream, vba_fn, code) in vba.extract_macros():
        print(code)
    for (kw_type, keyword, desc) in vba.analyze_macros():
        print(f"{kw_type}: {keyword}")
vba.close()

oleid - Document Capability Identification

CLI Syntax

oleid document.docm

Indicators

Indicator	Risk Values
`VBA Macros`	True/False
`XLM Macros`	True/False
`External Relationships`	True/False
`ObjectPool`	True/False
`Flash`	True/False

oledump.py - OLE Stream Analysis

CLI Syntax

oledump.py document.docm                    # List streams
oledump.py -s 8 -v document.docm           # Extract stream 8
oledump.py -p plugin_vba_dco document.docm  # VBA decompile
oledump.py -p plugin_msg.py document.msg    # MSG file parsing

Stream Markers

Marker	Meaning
`M`	Contains VBA macros
`m`	Contains macro attributes
`O`	Contains OLE objects

XLMDeobfuscator - Excel 4.0 Macros

CLI Syntax

xlmdeobfuscator -f document.xlsm
xlmdeobfuscator -f document.xlsm --output-format json

Dangerous XLM Functions

Function	Purpose
`EXEC()`	Execute shell command
`CALL()`	Call DLL function
`REGISTER()`	Register DLL function
`URLDownloadToFileA`	Download file from URL

VBA Auto-Execution Triggers

Trigger	Application
`Auto_Open` / `AutoOpen`	Word
`Document_Open`	Word
`Workbook_Open`	Excel
`Auto_Close`	Word
`AutoExec`	Word

VBA Suspicious Functions

Function	Risk
`Shell()`	Command execution
`WScript.Shell`	Windows scripting
`CreateObject()`	COM object instantiation
`URLDownloadToFile`	File download
`MSXML2.XMLHTTP`	HTTP requests
`ADODB.Stream`	Binary file writing
`CallByName`	Indirect method invocation
`Environ()`	Environment variable access

ViperMonkey - VBA Emulation

Syntax

vmonkey document.docm
vmonkey --iocs document.docm   # Extract IOCs only

2.9 KiB Raw Blame History

API Reference: Office Macro Malware Analysis Tools

olevba - VBA Macro Extraction (oletools)

CLI Syntax

Output Sections

Python API

oleid - Document Capability Identification

CLI Syntax

Indicators

oledump.py - OLE Stream Analysis

CLI Syntax

Stream Markers

XLMDeobfuscator - Excel 4.0 Macros

CLI Syntax

Dangerous XLM Functions

VBA Auto-Execution Triggers

VBA Suspicious Functions

ViperMonkey - VBA Emulation

Syntax

2.9 KiB

Raw Blame History