Commit 13a71c47548d16d98cbe9f4e7048fdc6f63d05e3
1 parent
6c64d5d1
olevba: fixed issue #5 in doc, --hex option renamed to --decode
Showing
2 changed files
with
7 additions
and
7 deletions
oletools/doc/olevba.html
| @@ -64,15 +64,15 @@ Options: | @@ -64,15 +64,15 @@ Options: | ||
| 64 | -i INPUT, --input=INPUT | 64 | -i INPUT, --input=INPUT |
| 65 | input file containing VBA source code to be analyzed | 65 | input file containing VBA source code to be analyzed |
| 66 | (no parsing) | 66 | (no parsing) |
| 67 | - --hex display all the hex-encoded strings with their decoded | ||
| 68 | - content.</code></pre> | 67 | + --decode display all the obfuscated strings with their decoded |
| 68 | + content (Hex, Base64, StrReverse, Dridex). </code></pre> | ||
| 69 | <h3 id="examples">Examples</h3> | 69 | <h3 id="examples">Examples</h3> |
| 70 | <p>Scan a single file:</p> | 70 | <p>Scan a single file:</p> |
| 71 | <pre><code>olevba.py file.doc</code></pre> | 71 | <pre><code>olevba.py file.doc</code></pre> |
| 72 | <p>Scan a single file, stored in a Zip archive with password "infected":</p> | 72 | <p>Scan a single file, stored in a Zip archive with password "infected":</p> |
| 73 | <pre><code>olevba.py malicious_file.xls.zip -z infected</code></pre> | 73 | <pre><code>olevba.py malicious_file.xls.zip -z infected</code></pre> |
| 74 | <p>Scan a single file, showing all obfuscated strings decoded:</p> | 74 | <p>Scan a single file, showing all obfuscated strings decoded:</p> |
| 75 | -<pre><code>olevba.py file.doc --hex</code></pre> | 75 | +<pre><code>olevba.py file.doc --decode</code></pre> |
| 76 | <p>Scan VBA source code extracted into a text file:</p> | 76 | <p>Scan VBA source code extracted into a text file:</p> |
| 77 | <pre><code>olevba.py -i source_code.vba</code></pre> | 77 | <pre><code>olevba.py -i source_code.vba</code></pre> |
| 78 | <p>Scan a collection of files stored in a folder:</p> | 78 | <p>Scan a collection of files stored in a folder:</p> |
oletools/doc/olevba.md
| @@ -76,9 +76,9 @@ and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, | @@ -76,9 +76,9 @@ and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, | ||
| 76 | -i INPUT, --input=INPUT | 76 | -i INPUT, --input=INPUT |
| 77 | input file containing VBA source code to be analyzed | 77 | input file containing VBA source code to be analyzed |
| 78 | (no parsing) | 78 | (no parsing) |
| 79 | - --hex display all the hex-encoded strings with their decoded | ||
| 80 | - content. | ||
| 81 | - | 79 | + --decode display all the obfuscated strings with their decoded |
| 80 | + content (Hex, Base64, StrReverse, Dridex). | ||
| 81 | + | ||
| 82 | ### Examples | 82 | ### Examples |
| 83 | 83 | ||
| 84 | Scan a single file: | 84 | Scan a single file: |
| @@ -94,7 +94,7 @@ Scan a single file, stored in a Zip archive with password "infected": | @@ -94,7 +94,7 @@ Scan a single file, stored in a Zip archive with password "infected": | ||
| 94 | Scan a single file, showing all obfuscated strings decoded: | 94 | Scan a single file, showing all obfuscated strings decoded: |
| 95 | 95 | ||
| 96 | :::text | 96 | :::text |
| 97 | - olevba.py file.doc --hex | 97 | + olevba.py file.doc --decode |
| 98 | 98 | ||
| 99 | Scan VBA source code extracted into a text file: | 99 | Scan VBA source code extracted into a text file: |
| 100 | 100 |