oletools
oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
This technique can be used to detect sandboxing: https://conference.hitb.org/hitbsecconf2018ams/materials/D2T1%20-%20Aviv%20Grafi%20&%20Amit%20Dori%20-%20Sandbox%20Evasion%20Using%20VBA%20Referencing.pdf The VBA code could also check if Protected View is disabled, probably by looking at the registry.
**Affected tool:** olevba version 0.6 (latest) **Describe the bug** OLEVBA failed to show and detect the macro inside the XLS file, while OleId does indicate it. ``` FILE: 062d8e8c3de4faeb07f686514dbb8f9d.xls Type: OLE...
I need to improve the parsing of XLM macros, probably something like this: - if format = OLE: - if XLMMacroDeobfuscator is installed, use it. - if not, or if...
**Affected tool:** olevba,oleid **Describe the bug** XLM4 exists in the file, but oletools do not detect it. **File/Malware sample to reproduce the bug** https://bazaar.abuse.ch/sample/306433cdeddadf922a7849ab12431fbdb1f1f7f23dc4de1c2e378dcf9a05ca8a/ **How To Reproduce the bug** Tested...
**Affected tool:** **olevba** **Describe the bug** A clear and concise description of what the bug is. **File/Malware sample to reproduce the bug** **password : infected [REJ-113925551-Feb-21.xlsb.zip](https://github.com/decalage2/oletools/files/8115583/REJ-113925551-Feb-21.xlsb.zip)** **How To Reproduce the...
**Affected tool:** olevba **Describe the bug** When an input file has on the order of ~100,000s of strings, `analyze_macros()` becomes very slow. Profiling reveals most of the time is spent...
Change addressing #749 When an input file has on the order of ~100,000s of strings, `analyze_macros()` becomes very slow. Let's change this behavior to instead store extracted strings in their...
At the moment `XLMMacroDeobfuscator` can't process files like `.slk` (it's not a supported file extension there). However, if `XLMMacroDeobfuscator` is installed, it is automatically used for xlm-analysis in the current code,...
I'm not sure if this is a bug, or I'm missing a new feature or a specific action I should make, so I'll open it as a bug. Affected tool:...