oletimes.html
4.07 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="" xml:lang="">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>Untitled</title>
<style type="text/css">
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
span.underline{text-decoration: underline;}
div.column{display: inline-block; vertical-align: top; width: 50%;}
</style>
<!--[if lt IE 9]>
<script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script>
<![endif]-->
</head>
<body>
<h1 id="oletimes">oletimes</h1>
<p>oletimes is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract creation and modification times of all streams and storages in the OLE file.</p>
<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
<h2 id="usage">Usage</h2>
<pre class="text"><code>oletimes <file></code></pre>
<h3 id="example">Example</h3>
<p>Checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
<pre class="text"><code>>oletimes DIAN_caso-5415.doc
+----------------------------+---------------------+---------------------+
| Stream/Storage name | Modification Time | Creation Time |
+----------------------------+---------------------+---------------------+
| Root | 2014-05-14 12:45:24 | None |
| '\x01CompObj' | None | None |
| '\x05DocumentSummaryInform | None | None |
| ation' | | |
| '\x05SummaryInformation' | None | None |
| '1Table' | None | None |
| 'Data' | None | None |
| 'Macros' | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 |
| 'Macros/PROJECT' | None | None |
| 'Macros/PROJECTwm' | None | None |
| 'Macros/VBA' | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 |
| 'Macros/VBA/ThisDocument' | None | None |
| 'Macros/VBA/_VBA_PROJECT' | None | None |
| 'Macros/VBA/__SRP_0' | None | None |
| 'Macros/VBA/__SRP_1' | None | None |
| 'Macros/VBA/__SRP_2' | None | None |
| 'Macros/VBA/__SRP_3' | None | None |
| 'Macros/VBA/dir' | None | None |
| 'WordDocument' | None | None |
+----------------------------+---------------------+---------------------+</code></pre>
<h2 id="how-to-use-oletimes-in-python-applications">How to use oletimes in Python applications</h2>
<p>TODO</p>
<hr />
<h2 id="python-oletools-documentation">python-oletools documentation</h2>
<ul>
<li><a href="Home.html">Home</a></li>
<li><a href="License.html">License</a></li>
<li><a href="Install.html">Install</a></li>
<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
<li>Tools:
<ul>
<li><a href="mraptor.html">mraptor</a></li>
<li><a href="msodde.html">msodde</a></li>
<li><a href="olebrowse.html">olebrowse</a></li>
<li><a href="oledir.html">oledir</a></li>
<li><a href="oleid.html">oleid</a></li>
<li><a href="olemap.html">olemap</a></li>
<li><a href="olemeta.html">olemeta</a></li>
<li><a href="oleobj.html">oleobj</a></li>
<li><a href="oletimes.html">oletimes</a></li>
<li><a href="olevba.html">olevba</a></li>
<li><a href="pyxswf.html">pyxswf</a></li>
<li><a href="rtfobj.html">rtfobj</a></li>
</ul></li>
</ul>
</body>
</html>