
oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.

Results: 173 oletools issues

See https://twitter.com/InQuest/status/1555145408342622209

:bug: bug
rtfobj

Currently, the repr() of the property bytes is returned in the metadata. This attempts to decode it with the Properties code page.

:+1: enhancement
oleid

Consider the following analysis for attached sample [sneaky.ole.zipped-for-github.zip](https://github.com/decalage2/oletools/files/9182249/sneaky.ole.zipped-for-github.zip):

```
$ file sneaky.ole
sneaky.ole: Composite Document File V2 Document, Cannot read section info
$ olevba -j sneaky.ole
[
  {
    "script_name": "olevba",...
```

Hi! **Is your feature request related to a problem? Please describe.** oletools does not detect the malicious macros in this sample: https://bazaar.abuse.ch/sample/907012a9e2eff4291cd1162a0f2ac726f93bad0ef57e326d5767489e89bc0b0a/ you first have to extract the embedded excel...

:+1: enhancement
question
olevba

This PR includes one bug fix and one enhancement addition. 1. The properties of type String are stored in OLE form stream with a padding of multiples of four bytes...

:bug: bug
:+1: enhancement
oleform

Use log_helper in oleobj and use it to create json-output. This PR includes the two commits of PR #769 to simplify testing and two other unrelated commits ("Fix occurrence of...

Python 3.8+ now produces a SyntaxWarning when identify checks are used with certain literals. This was documented in the 3.8 release notes here https://docs.python.org/3/whatsnew/3.8.html#porting-to-python-3-8 On import, the oletools package currently...

:bug: bug
Python 3.x
oleobj

olevba detects a suspicious macro with autoexec:

```
$ olevba Mail_56520.xls
olevba 0.60 on Python 3.6.8 - http://decalage.info/python/oletools
===============================================================================
FILE: Mail_56520.xls
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO xlm_macro.txt
in file: xlm_macro...
```

:+1: enhancement
mraptor

- report OLE2Link objects from rtfobj
- report LINK htmlfile from msodde

For example this could be used to detect Follina samples.

:+1: enhancement
rtfobj
oleobj
oleid

Analyses of the attacks using ms-msdt links show that there is a multitude of attack vectors based on links or general "external relations" in office documents. It is therefore prudent...

olevba
oleobj
msodde