Commit 13a71c47548d16d98cbe9f4e7048fdc6f63d05e3
1 parent
6c64d5d1
olevba: fixed issue #5 in doc, --hex option renamed to --decode
Showing
2 changed files
with
7 additions
and
7 deletions
oletools/doc/olevba.html
| ... | ... | @@ -64,15 +64,15 @@ Options: |
| 64 | 64 | -i INPUT, --input=INPUT |
| 65 | 65 | input file containing VBA source code to be analyzed |
| 66 | 66 | (no parsing) |
| 67 | - --hex display all the hex-encoded strings with their decoded | |
| 68 | - content.</code></pre> | |
| 67 | + --decode display all the obfuscated strings with their decoded | |
| 68 | + content (Hex, Base64, StrReverse, Dridex). </code></pre> | |
| 69 | 69 | <h3 id="examples">Examples</h3> |
| 70 | 70 | <p>Scan a single file:</p> |
| 71 | 71 | <pre><code>olevba.py file.doc</code></pre> |
| 72 | 72 | <p>Scan a single file, stored in a Zip archive with password "infected":</p> |
| 73 | 73 | <pre><code>olevba.py malicious_file.xls.zip -z infected</code></pre> |
| 74 | 74 | <p>Scan a single file, showing all obfuscated strings decoded:</p> |
| 75 | -<pre><code>olevba.py file.doc --hex</code></pre> | |
| 75 | +<pre><code>olevba.py file.doc --decode</code></pre> | |
| 76 | 76 | <p>Scan VBA source code extracted into a text file:</p> |
| 77 | 77 | <pre><code>olevba.py -i source_code.vba</code></pre> |
| 78 | 78 | <p>Scan a collection of files stored in a folder:</p> | ... | ... |
oletools/doc/olevba.md
| ... | ... | @@ -76,9 +76,9 @@ and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, |
| 76 | 76 | -i INPUT, --input=INPUT |
| 77 | 77 | input file containing VBA source code to be analyzed |
| 78 | 78 | (no parsing) |
| 79 | - --hex display all the hex-encoded strings with their decoded | |
| 80 | - content. | |
| 81 | - | |
| 79 | + --decode display all the obfuscated strings with their decoded | |
| 80 | + content (Hex, Base64, StrReverse, Dridex). | |
| 81 | + | |
| 82 | 82 | ### Examples |
| 83 | 83 | |
| 84 | 84 | Scan a single file: |
| ... | ... | @@ -94,7 +94,7 @@ Scan a single file, stored in a Zip archive with password "infected": |
| 94 | 94 | Scan a single file, showing all obfuscated strings decoded: |
| 95 | 95 | |
| 96 | 96 | :::text |
| 97 | - olevba.py file.doc --hex | |
| 97 | + olevba.py file.doc --decode | |
| 98 | 98 | |
| 99 | 99 | Scan VBA source code extracted into a text file: |
| 100 | 100 | ... | ... |