
oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.

Results 173 oletools issues

example (technique used by icedid): https://twitter.com/filescan_itsec/status/1575841289718874115 https://isc.sans.edu//forums/diary/Word+Maldoc+With+CustomXML+and+Renamed+VBAProjectbin/29056/

:+1: enhancement
olevba

When running oleobj on a PPT 97-2003 file (e.g. https://www.hybrid-analysis.com/sample/d1bceccf5d2b900a6b601c612346fdb3fa5bb0e2faeefcac3f9c29dc1d74838d/631b2c1d8501f5745e1ca88d), oleobj tries to parse it as an OpenXML file and triggers exceptions: `oleobj 0.60.1.dev5 - http://decalage.info/oletools THIS IS WORK...`

:bug: bug
oleobj

A few legitimate files are classified as suspicious by mraptor: - https://malwr.com/analysis/MmY1MzRmMzM3NDU3NDM0YmE1ZDk5NDUxYWMyODYxMmE/ => A huge macro creating files and other things. Apparently a legit IEEE document. But I don't think...

:bug: bug
major
mraptor

In Python 3.12+ this escaping is reported as a syntax error. Moving the dash to the end of the regex avoids the need for escaping it. `oletools/oleobj.py:537`: `/rpmbuild/BUILD/oletools-78b2d459a33df378a4f69ffc6c33313509cecfe4/oletools/oleobj.py:537: SyntaxWarning: invalid escape...`

In Python 3.12+ it reports a syntax error at `oletools/rtfobj.py:272`: `/rpmbuild/BUILD/oletools-78b2d459a33df378a4f69ffc6c33313509cecfe4/oletools/rtfobj.py:272: SyntaxWarning: invalid escape sequence '\d'` for `DECIMAL_GROUP = b'(\d{1,250})'`

The sample with hash 061e17f3b2fd4a4dce1bf4f8a31198273f1abc47c32456d06fd5997ea4363578 (available on MalwareBazaar) is not parsed correctly by ftguess and oleid: oleid prints a warning that some XML could not be parsed. Actually this is...

:bug: bug
oleid
ftguess

https://malapi.io/

:+1: enhancement
olevba
mraptor

Several recent samples use `LoadXML` and `transformNode` methods (on a `MSXML2.DomDocument` COM object) to apply an XSL stylesheet to XML data and obtain a malicious JavaScript which seems to be...

:+1: enhancement
olevba
mraptor

This is mostly useful when downloading malware samples that have filenames without extension, e.g. just a file hash. ftguess could guess the file type and add the corresponding file extension...

:+1: enhancement
ftguess

`--formats`: list all supported file formats, with their main characteristics. `--extensions`: list all known extensions, with the corresponding file formats.

:+1: enhancement
ftguess