oletools
oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
**Is your feature request related to a problem? Please describe.** Samples with autoexec and (write or execute) are currently flagged as suspicious. Threat actors are delivering malicious files without autoexec....
**Affected tool:** general oletools **Describe the bug** When trying to install, pip cannot find Pyparsing in version below 3.0 (tried to install manually and upgrade pip, nothing works) and thus...
Found RTF file with such objdata obfuscation method: `{\*\objdata 0105000002000000 09000{\*\Comment: NYnvC2fji...eSs9iMZ}0004f{\*\Comment: W9PwfYW96HEpr` etc. I had to change this: `if cword in DESTINATION_CONTROL_WORDS:` to: `if cword.lower() in DESTINATION_CONTROL_WORDS:` I'm not...
VSDM and VSDX have a relationship type different from other Office formats: `http://schemas.microsoft.com/visio/2010/relationships/document`

```
ftguess.py nomacro.vsdx -l debug
ftguess 0.60.1.dev8 on Python 3.9.0 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS...
```
**Affected tool:** olevba **Describe the bug** With Olevba 0.56, I could watch and analyze the macros of vsdm files. On latest (0.60), it is impossible because of an Error: `ERROR...
**Affected tool:** olevba, mraptor, rtfobj, oleid, etc **Describe the bug** Failed to analyze OOXML XLSX files due to undetected file format. **File/Malware sample to reproduce the bug** [Please attach the...
**Affected tool:** olevba, oleid, etc **Describe the bug** A clear and concise description of what the bug is. OLEVBA/OLEID do not detect XLM macro. **File/Malware sample to reproduce the bug**...
**Affected tool:** olevba, mraptor, oleid **Describe the bug** Oletools do not detect the existence of the macro inside these xls. **File/Malware sample to reproduce the bug** Link: https://labs.inquest.net/dfi/sha256/c3d288a9284810a199d41d9bed7d3bfe3daf478b2a5bbd7a96f20876997c429a **How To...
See https://www.x33fcon.com/archive/2018/slides/x33fcon18_SandboxEvasionUsingVBAReferencing_ADori_AGrafi.pdf
Assume a module contains following (pseudo) code:

```
#If myarg = 1 Then
Call AnyProc
#End If
```

I need to know the value of myarg to see if AnyProc...