oletools
oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
**Affected tool:** olevba **Describe the bug** xlsb file with macro is not detected **File/Malware sample to reproduce the bug** https://app.any.run/tasks/27c6c716-0af3-40b7-b458-06108fe4bfbe 6f1d133d9753818c8c455e1dbf27755e fv_8.xlsb **How To Reproduce the bug** olevba3 -l debug...
Hello @decalage2, Recently, while analyzing a PowerPoint document containing VBA, I found that some errors were output in the olevba result. The error was better revealed by activating the...
https://github.com/S3cur3Th1sSh1t/OffensiveVBA
**Is your feature request related to a problem? Please describe.** The attached sample uses ScriptControl to execute code that downloads and installs malware. ScriptControl allows executing scripts in different...
see https://gist.github.com/mint177/8338f33783e77702eec497d94c021e6d or https://gist.github.com/decalage2/e9569a25934ebcd509a1f0265487cb0b
See a number of examples in these posts: https://www.whiteoaksecurity.com/blog/2020-3-11-alternative-execution-a-macro-saga-part-1/ https://www.whiteoaksecurity.com/blog/2020-3-17-alternative-execution-a-macro-saga-part-2/ https://www.whiteoaksecurity.com/blog/2020-3-26-alternative-execution-a-macro-saga-part-3/ https://www.whiteoaksecurity.com/blog/2020-7-13-alternative-execution-a-macro-saga-part-4/ https://www.whiteoaksecurity.com/blog/2020-8-3-alternative-execution-a-macro-saga-part-5/ https://www.whiteoaksecurity.com/blog/alternative-execution-a-macro-saga-part-6/ https://www.whiteoaksecurity.com/blog/alternative-execution-a-macro-saga-part-7/
**Affected tool:** tested with mraptor **Describe the bug** This sample is detected as "Macro OK" by mraptor. **File/Malware sample to reproduce the bug** [zample.zip](https://github.com/decalage2/oletools/files/4504824/zample.zip) Also: https://www.hybrid-analysis.com/sample/2bde927f70e5eab71bcc40c35edda033547150c5a2b055080abbc668d23955a4 https://www.virustotal.com/gui/file/2bde927f70e5eab71bcc40c35edda033547150c5a2b055080abbc668d23955a4/detection **How To Reproduce...
Add the following keywords: RtlCopyMemory, QueueUserAPC, NtTestAlert References: - https://fortynorthsecurity.com/blog/excelntdonut/ - https://www.cybereason.com/blog/excel4.0-macros-now-with-twice-the-bits
**Affected tool:** olevba **Describe the bug** Crash when analysing malicious file [excel_4_malware.zip](https://github.com/decalage2/oletools/files/4525035/excel_4_malware.zip) pw: ZSinfected **Console output / Screenshots** `Type: OLE ERROR Error when running oledump.plugin_biff, please report to https://github.com/decalage2/oletools/issues`...
**Is your feature request related to a problem? Please describe.** The most recent version of olevba looks like it includes most of the XLM macro information needed to analyze/emulate...