oletools
oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
add an exefilter-like mode, to recognize file types in a stricter/safer way by matching file extension and content, and avoid issue with polyglots: 1. if the filename has an extension,...
for now, oleobj reports all hyperlinks the same way, and oleid reports them as high risk, even if those are legitimate hyperlinks in Excel or Word documents. It would at...
The sample reported in this article https://research.checkpoint.com/2024/maldocs-of-word-and-excel-vigor-of-the-ages/#enormous-oleobject contains several OLE objects in an XLSM file, one of which is 2GB large. That object seems to contain an equation editor exploit,...
When an OpenXML file with VBA macros contains a malformed OLE file (which triggers an exception when olefile attempts to parse it), the exception is not handled and olevba stops....
vbaData.xml contains useful info, for example macroName
This would be mostly useful for text-based formats, which cannot be easily identified. https://opensource.googleblog.com/2024/02/magika-ai-powered-fast-and-efficient-file-type-identification.html https://github.com/google/magika Compared to other solutions, which are mostly magic-based, magika should provide better results for text-based...
This PR addresses https://github.com/decalage2/oletools/issues/817 Regex demo: https://regex101.com/r/QUnpRh/2
This pull request is related to #859 and #723. I made some additional adjustments to the changes from #859. @christian-intra2net, it would be great if you could review it. The...
List from http://justsolve.archiveteam.org/wiki/Microsoft_Compound_File :
```
{00000000-0000-0000-0000-000000000000} Unspecified (could be Thumbs.db, SUO, PageMaker, Microsoft Access wizard template, Easy CD Creator 2 ...)
{00000257-0000-0000-0000-000000000000} Family Tree Maker FTW
{00020810-0000-0000-c000-000000000046} Excel 5-95 XLS
...
```
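The CLSID list above is only useful once you can read the root storage CLSID out of a compound file. The following is an added example, not oletools code: a small stdlib-only parser that locates the first directory entry of an OLE2/CFB file, checks that it is the root storage, decodes its CLSID (stored with Data1..Data3 little-endian) and looks it up in a dictionary seeded with the three entries quoted above. Because real Office files cannot be embedded here, the block also constructs a synthetic three-sector CFB v3 file (header, FAT, directory) with a chosen root CLSID; that builder, the `KNOWN_ROOT_CLSIDS` table and all function names are assumptions of this example. In oletools proper the same value is what olefile exposes on the root directory entry.

```python
import struct
import uuid

# Added example (not part of oletools): read the root storage CLSID of an
# OLE2/CFB file and map it to a file type from the justsolve list above.

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
ROOT_STORAGE = 5  # object type of the root directory entry

# Three entries copied from the list quoted above; keys are lowercase and
# brace-free so they match str(uuid.UUID(...)).
KNOWN_ROOT_CLSIDS = {
    "00000000-0000-0000-0000-000000000000": "Unspecified",
    "00000257-0000-0000-0000-000000000000": "Family Tree Maker FTW",
    "00020810-0000-0000-c000-000000000046": "Excel 5-95 XLS",
}


def root_clsid(data: bytes) -> str:
    """Return the root storage CLSID as a hyphenated lowercase string."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2/CFB file (bad magic)")
    sector_shift, = struct.unpack_from("<H", data, 30)
    if sector_shift not in (9, 12):  # 512-byte (v3) or 4096-byte (v4) sectors
        raise ValueError("unsupported sector shift %d" % sector_shift)
    first_dir_sector, = struct.unpack_from("<I", data, 48)
    sector_size = 1 << sector_shift
    # The header occupies the slot of "sector -1", so sector n starts at (n+1)*sector_size.
    offset = (first_dir_sector + 1) * sector_size
    entry = data[offset:offset + 128]
    if len(entry) < 128:
        raise ValueError("directory sector lies beyond end of file")
    if entry[66] != ROOT_STORAGE:
        raise ValueError("first directory entry is not the root storage")
    # CFB stores the GUID in Windows in-memory layout: Data1..Data3 little-endian.
    return str(uuid.UUID(bytes_le=bytes(entry[80:96])))


def identify_root_clsid(data: bytes) -> tuple:
    """Return (clsid, file type name) using the table above."""
    clsid = root_clsid(data)
    return clsid, KNOWN_ROOT_CLSIDS.get(clsid, "unknown CLSID")


def build_minimal_cfb(clsid: str) -> bytes:
    """Construct a synthetic CFB v3 file (header, FAT, directory) with the given root CLSID."""
    header = bytearray(512)
    header[0:8] = CFB_MAGIC
    # minor version, major version 3, byte order, sector shift 9 (512 B), mini sector shift 6
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)
    # directory sector count (must be 0 in v3), 1 FAT sector, directory at sector 1, txn signature
    struct.pack_into("<IIII", header, 40, 0, 1, 1, 0)
    # mini stream cutoff, no mini FAT, no DIFAT sectors
    struct.pack_into("<IIIII", header, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    # DIFAT: entry 0 points at the FAT in sector 0, the remaining 108 are free
    struct.pack_into("<I", header, 76, 0)
    for i in range(1, 109):
        struct.pack_into("<I", header, 76 + 4 * i, FREESECT)

    # sector 0: the FAT marks itself and terminates the one-sector directory chain
    fat = bytearray(struct.pack("<I", FREESECT) * 128)
    struct.pack_into("<II", fat, 0, FATSECT, ENDOFCHAIN)

    # sector 1: root directory entry followed by three unused entries
    root = bytearray(128)
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    root[0:len(name)] = name
    struct.pack_into("<HBB", root, 64, len(name), ROOT_STORAGE, 1)  # name length, type, colour
    struct.pack_into("<III", root, 68, NOSTREAM, NOSTREAM, NOSTREAM)  # no siblings, no children
    root[80:96] = uuid.UUID(clsid).bytes_le
    struct.pack_into("<IQ", root, 116, ENDOFCHAIN, 0)  # empty mini stream
    directory = bytes(root) + bytes(128 * 3)

    return bytes(header) + bytes(fat) + directory


if __name__ == "__main__":
    sample = build_minimal_cfb("00020810-0000-0000-c000-000000000046")
    print(identify_root_clsid(sample))
```

A content-based check of this kind is what a stricter identification mode would consult instead of trusting the file extension: a file named `.xls` whose root CLSID is not an Excel one, or whose first bytes are not the CFB magic at all, is the polyglot or mislabelled case worth flagging.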
This is a potential fix for https://github.com/decalage2/oletools/issues/490 . Based on the behavior of oledump and some VBA payload decoders that decode extended ASCII strings it looks like VBA code bytes...