oletools
oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
**Affected tool:** pip install oletools **Describe the bug** Cannot install oletools offline, because the installation process tries to load dependent files from the internet **File/Malware sample to reproduce the bug** **How...
Add CLSID 00000FE0-8804-4CA8-8868-36F59DEFD14D Also ZED containers always have a stream named "5haaaaqaIekzeecnWj31zxh0Nc", which could be checked in ftguess for better identification. Source: https://filext.com/file-extension/ZED - https://www.zedencrypt.com ZED containers are encrypted.
see https://www.zscaler.com/blogs/research/malicious-documents-leveraging-new-anti-vm-anti-sandbox-techniques/
The other day I was analyzing a file and olevba detected VBA stomping. Only after researching did I find out that olevba already has a tool included for showing the disassembled...
**Affected tool:** olevba **Describe the bug** olevba flags excel macro-enabled documents (.xls & .xlsm) as containing suspicious hex strings and suspicious keywords on any document scanned - using olevba 0.55.dev3...
For each CLSID, we could add a tag to show if it is suspicious (e.g. related to a CVE or a Package object). This would require changing the format...
**Affected tool:** oleid, oleobj, msodde **Describe the bug** Packaging a flat zipbomb inside an OOXML file will impact the `iter_xml` function used by `oleid`, `oleobj` and `msodde` slowing down the...
An OLE file without a root storage CLSID is not properly identified by ftguess, for example this sample: 167949ba90da85c8b56878d95be19c1a - https://app.any.run/tasks/b42b3dff-1ff9-49ac-96f6-df8e4d9927bd/# ``` ftguess.py khaosat_trieuchung.doc ftguess 0.60.2dev3 on Python 3.9.0 - http://decalage.info/python/oletools...
I run it with administrator rights. I got this: ``` C:\WINDOWS\system32>mraptor "C:\*" MacroRaptor 0.56.2 - http://decalage.info/python/oletools This is work in progress, please report issues at https://github.com/decalage2/oletools/issues ----------+-----+----+-------------------------------------------------------- Result |Flags|Type|File ----------+-----+----+--------------------------------------------------------...
This sample is detected as Generic Zip Archive instead of DOCX: f1cdd47f7a2502902d15adf3ac79c0f86348ba09f4a482ab9108ad98258edb55 source: https://twitter.com/Timele9527/status/1195272502135549953 https://app.any.run/tasks/fc3ac788-a109-4184-93a6-cb96021de0ac/