readme, documentation and comment updates for v0.56 release

decalage2
1 parent a854e61e
Showing 12 changed files with 103 additions and 128 deletions
LICENSE.md
MANIFEST.in
README.md
oletools/README.html
oletools/README.rst
oletools/doc/Home.html
oletools/doc/Home.md
oletools/doc/License.html
oletools/doc/License.md
oletools/mraptor.py
oletools/oleobj.py
oletools/olevba.py
 This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files 
 published with their own license.
  
-The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec (http://www.decalage.info)
+The python-oletools package is copyright (c) 2012-2020 Philippe Lagadec (http://www.decalage.info)
  
 All rights reserved.
  
@@ -7,6 +7,7 @@ include oletools/README.html
 include oletools/LICENSE.txt
 include oletools/DocVarDump.vba
 recursive-include oletools/thirdparty *.*
+prune oletools/thirdparty/oledump/old
 recursive-include cheatsheet *.*
 global-exclude *.pyc
  
@@ -26,6 +26,28 @@ Note: python-oletools is not related to OLETools published by BeCubed Software.
 News
 ----
  
+- **2020-09-28 v0.56**:
+    - olevba/mraptor:
+        - added detection of trigger _OnConnecting
+    - olevba:
+        - updated plugin_biff to v0.0.17 to improve Excel 4/XLM macros parsing
+        - added simple analysis of Excel 4/XLM macros in XLSM files (PR #569)
+        - added detection of template injection (PR #569)
+        - added detection of many suspicious keywords (PR #591 and #569, see https://www.certego.net/en/news/advanced-vba-macros/)
+        - improved MHT detection (PR #532)
+        - added --no-xlm option to disable Excel 4/XLM macros parsing (PR #532)
+        - fixed bug when decompressing raw chunks in VBA (issue #575)
+        - fixed bug with email package due to monkeypatch for MHT parsing (issue #602, PR #604)
+        - fixed option --relaxed (issue #596, PR #595)
+        - enabled relaxed mode by default (issues #477, #593)
+        - fixed detect_vba_macros to always return VBA code as
+          unicode on Python 3 (issues  #455, #477, #587, #593)
+        - replaced option --pcode by --show-pcode and --no-pcode,
+          replaced optparse by argparse (PR #479)
+    - oleform: improved form parsing (PR #532)
+    - oleobj: "Ole10Native" is now case insensitive (issue #541)
+    - clsid: added PDF (issue #552), Microsoft Word Picture (issue #571)
+    - ppt_parser: fixed bug on Python 3 (issues #177, #607, PR #450)
 - **2019-12-03 v0.55**:
     - olevba:
         - added support for SLK files and XLM macro extraction from SLK
@@ -39,35 +61,6 @@ News
     - tests: 
         - test files can now be encrypted, to avoid antivirus alerts (PR #217, issue #215)
         - tests that trigger antivirus alerts have been temporarily disabled (issue #215)
-- **2019-05-22 v0.54.2**:
-    - bugfix release: fixed several issues related to encrypted documents
-      and XLM/XLF Excel 4 macros
-    - msoffcrypto-tool is now installed by default to handle encrypted documents
-    - olevba and msodde now handle documents encrypted with common passwords such
-      as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.
-- **2019-04-04 v0.54**:
-    - olevba, msodde: added support for encrypted MS Office files 
-    - olevba: added detection and extraction of XLM/XLF Excel 4 macros (thanks to plugin_biff from Didier Stevens' oledump)
-    - olevba, mraptor: added detection of VBA running Excel 4 macros
-    - olevba: detect and display special characters such as backspace
-    - olevba: colorized output showing suspicious keywords in the VBA code
-    - olevba, mraptor: full Python 3 compatibility, no separate olevba3/mraptor3 anymore
-    - olevba: improved handling of code pages and unicode
-    - olevba: fixed a false-positive in VBA macro detection
-    - rtfobj: improved OLE Package handling, improved Equation object detection
-    - oleobj: added detection of external links to objects in OpenXML
-    - replaced third party packages by PyPI dependencies
-- 2018-05-30 v0.53:
-    - olevba and mraptor can now parse Word/PowerPoint 2007+ pure XML files (aka Flat OPC format)
-    - improved support for VBA forms in olevba (oleform)
-    - rtfobj now displays the CLSID of OLE objects, which is the best way to identify them. Known-bad CLSIDs such as MS Equation Editor are highlighted in red.
-    - Updated rtfobj to handle obfuscated RTF samples.
-    - rtfobj now handles the "\\'" obfuscation trick seen in recent samples such as https://twitter.com/buffaloverflow/status/989798880295444480, by emulating the MS Word bug described in https://securelist.com/disappearing-bytes/84017/
-    - msodde: improved detection of DDE formulas in CSV files
-    - oledir now displays the tree of storage/streams, along with CLSIDs and their meaning.
-    - common.clsid contains the list of known CLSIDs, and their links to CVE vulnerabilities when relevant.
-    - oleid now detects encrypted OpenXML files
-    - fixed bugs in oleobj, rtfobj, oleid, olevba
  
 See the [full changelog](https://github.com/decalage2/oletools/wiki/Changelog) for more information.
  
@@ -193,7 +186,7 @@ License
 This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files 
 published with their own license.
  
-The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec (http://www.decalage.info)
+The python-oletools package is copyright (c) 2012-2020 Philippe Lagadec (http://www.decalage.info)
  
 All rights reserved.
  
@@ -23,6 +23,32 @@
 <p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p>
 <h2 id="news">News</h2>
 <ul>
+<li><strong>2020-09-28 v0.56</strong>:
+<ul>
+<li>olevba/mraptor:
+<ul>
+<li>added detection of trigger _OnConnecting</li>
+</ul></li>
+<li>olevba:
+<ul>
+<li>updated plugin_biff to v0.0.17 to improve Excel 4/XLM macros parsing</li>
+<li>added simple analysis of Excel 4/XLM macros in XLSM files (PR #569)</li>
+<li>added detection of template injection (PR #569)</li>
+<li>added detection of many suspicious keywords (PR #591 and #569, see https://www.certego.net/en/news/advanced-vba-macros/)</li>
+<li>improved MHT detection (PR #532)</li>
+<li>added --no-xlm option to disable Excel 4/XLM macros parsing (PR #532)</li>
+<li>fixed bug when decompressing raw chunks in VBA (issue #575)</li>
+<li>fixed bug with email package due to monkeypatch for MHT parsing (issue #602, PR #604)</li>
+<li>fixed option --relaxed (issue #596, PR #595)</li>
+<li>enabled relaxed mode by default (issues #477, #593)</li>
+<li>fixed detect_vba_macros to always return VBA code as unicode on Python 3 (issues #455, #477, #587, #593)</li>
+<li>replaced option --pcode by --show-pcode and --no-pcode, replaced optparse by argparse (PR #479)</li>
+</ul></li>
+<li>oleform: improved form parsing (PR #532)</li>
+<li>oleobj: &quot;Ole10Native&quot; is now case insensitive (issue #541)</li>
+<li>clsid: added PDF (issue #552), Microsoft Word Picture (issue #571)</li>
+<li>ppt_parser: fixed bug on Python 3 (issues #177, #607, PR #450)</li>
+</ul></li>
 <li><strong>2019-12-03 v0.55</strong>:
 <ul>
 <li>olevba:
@@ -42,39 +68,6 @@
 <li>tests that trigger antivirus alerts have been temporarily disabled (issue #215)</li>
 </ul></li>
 </ul></li>
-<li><strong>2019-05-22 v0.54.2</strong>:
-<ul>
-<li>bugfix release: fixed several issues related to encrypted documents and XLM/XLF Excel 4 macros</li>
-<li>msoffcrypto-tool is now installed by default to handle encrypted documents</li>
-<li>olevba and msodde now handle documents encrypted with common passwords such as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.</li>
-</ul></li>
-<li><strong>2019-04-04 v0.54</strong>:
-<ul>
-<li>olevba, msodde: added support for encrypted MS Office files</li>
-<li>olevba: added detection and extraction of XLM/XLF Excel 4 macros (thanks to plugin_biff from Didier Stevens' oledump)</li>
-<li>olevba, mraptor: added detection of VBA running Excel 4 macros</li>
-<li>olevba: detect and display special characters such as backspace</li>
-<li>olevba: colorized output showing suspicious keywords in the VBA code</li>
-<li>olevba, mraptor: full Python 3 compatibility, no separate olevba3/mraptor3 anymore</li>
-<li>olevba: improved handling of code pages and unicode</li>
-<li>olevba: fixed a false-positive in VBA macro detection</li>
-<li>rtfobj: improved OLE Package handling, improved Equation object detection</li>
-<li>oleobj: added detection of external links to objects in OpenXML</li>
-<li>replaced third party packages by PyPI dependencies</li>
-</ul></li>
-<li>2018-05-30 v0.53:
-<ul>
-<li>olevba and mraptor can now parse Word/PowerPoint 2007+ pure XML files (aka Flat OPC format)</li>
-<li>improved support for VBA forms in olevba (oleform)</li>
-<li>rtfobj now displays the CLSID of OLE objects, which is the best way to identify them. Known-bad CLSIDs such as MS Equation Editor are highlighted in red.</li>
-<li>Updated rtfobj to handle obfuscated RTF samples.</li>
-<li>rtfobj now handles the &quot;\'&quot; obfuscation trick seen in recent samples such as https://twitter.com/buffaloverflow/status/989798880295444480, by emulating the MS Word bug described in https://securelist.com/disappearing-bytes/84017/</li>
-<li>msodde: improved detection of DDE formulas in CSV files</li>
-<li>oledir now displays the tree of storage/streams, along with CLSIDs and their meaning.</li>
-<li>common.clsid contains the list of known CLSIDs, and their links to CVE vulnerabilities when relevant.</li>
-<li>oleid now detects encrypted OpenXML files</li>
-<li>fixed bugs in oleobj, rtfobj, oleid, olevba</li>
-</ul></li>
 </ul>
 <p>See the <a href="https://github.com/decalage2/oletools/wiki/Changelog">full changelog</a> for more information.</p>
 <h2 id="tools">Tools:</h2>
@@ -97,7 +90,7 @@
 <li><a href="https://github.com/decalage2/oletools/wiki/olemap">olemap</a>: to display a map of all the sectors in an OLE file.</li>
 </ul>
 <h2 id="projects-using-oletools">Projects using oletools:</h2>
-<p>oletools are used by a number of projects and online malware analysis services, including <a href="https://github.com/IntegralDefense/ACE">ACE</a>, <a href="https://sandbox.anlyz.io/">Anlyz.io</a>, <a href="https://www.cse-cst.gc.ca/en/assemblyline">AssemblyLine</a>, <a href="https://github.com/ctxis/CAPE">CAPE</a>, <a href="https://github.com/cuckoosandbox/cuckoo">Cuckoo Sandbox</a>, <a href="https://github.com/cryps1s/DARKSURGEON">DARKSURGEON</a>, <a href="https://sandbox.deepviz.com/">Deepviz</a>, <a href="https://dridex.malwareconfig.com">dridex.malwareconfig.com</a>, <a href="https://certsocietegenerale.github.io/fame/">FAME</a>, <a href="https://github.com/fireeye/flare-vm">FLARE-VM</a>, <a href="https://www.hybrid-analysis.com/">Hybrid-analysis.com</a>, <a href="https://www.document-analyzer.net/">Joe Sandbox</a>, <a href="https://github.com/lmco/laikaboss">Laika BOSS</a>, <a href="https://github.com/sbidy/MacroMilter">MacroMilter</a>, <a href="https://mailcow.email/">mailcow</a>, <a href="https://malshare.io">malshare.io</a>, <a href="https://github.com/Tigzy/malware-repo">malware-repo</a>, <a href="https://www.adlice.com/download/mrf/">Malware Repository Framework (MRF)</a>, <a href="https://github.com/HeinleinSupport/olefy">olefy</a>, <a href="https://github.com/scVENUS/PeekabooAV">PeekabooAV</a>, <a href="https://github.com/bontchev/pcodedmp">pcodedmp</a>, <a href="https://github.com/CIRCL/PyCIRCLean">PyCIRCLean</a>, <a href="https://remnux.org/">REMnux</a>, <a href="https://github.com/countercept/snake">Snake</a>, <a href="https://app.sndbox.com">SNDBOX</a>, <a href="https://github.com/target/strelka">Strelka</a>, <a href="https://stoq.punchcyber.com/">stoQ</a>, <a href="https://github.com/TheHive-Project/Cortex-Analyzers">TheHive/Cortex</a>, <a href="https://tsurugi-linux.org/">TSUGURI Linux</a>, <a href="https://github.com/MalwareCantFly/Vba2Graph">Vba2Graph</a>, <a href="http://viper.li/">Viper</a>, <a href="https://github.com/decalage2/ViperMonkey">ViperMonkey</a>, <a href="https://yomi.yoroi.company">YOMI</a>, and probably <a href="https://www.virustotal.com">VirusTotal</a>. And quite a few <a href="https://github.com/search?q=oletools&amp;type=Repositories">other projects on GitHub</a>. (Please <a href="(http://decalage.info/contact)">contact me</a> if you have or know a project using oletools)</p>
+<p>oletools are used by a number of projects and online malware analysis services, including <a href="https://github.com/IntegralDefense/ACE">ACE</a>, <a href="https://sandbox.anlyz.io/">Anlyz.io</a>, <a href="https://www.cse-cst.gc.ca/en/assemblyline">AssemblyLine</a>, <a href="https://github.com/ctxis/CAPE">CAPE</a>, <a href="https://cincan.io">CinCan</a>, <a href="https://github.com/cuckoosandbox/cuckoo">Cuckoo Sandbox</a>, <a href="https://github.com/cryps1s/DARKSURGEON">DARKSURGEON</a>, <a href="https://sandbox.deepviz.com/">Deepviz</a>, <a href="https://diario.elevenpaths.com/">DIARIO</a>, <a href="https://dridex.malwareconfig.com">dridex.malwareconfig.com</a>, <a href="https://github.com/ninoseki/eml_analyzer">EML Analyzer</a>, <a href="https://certsocietegenerale.github.io/fame/">FAME</a>, <a href="https://github.com/fireeye/flare-vm">FLARE-VM</a>, <a href="https://www.hybrid-analysis.com/">Hybrid-analysis.com</a>, <a href="https://github.com/certego/IntelOwl">IntelOwl</a>, <a href="https://www.document-analyzer.net/">Joe Sandbox</a>, <a href="https://github.com/lmco/laikaboss">Laika BOSS</a>, <a href="https://github.com/sbidy/MacroMilter">MacroMilter</a>, <a href="https://mailcow.email/">mailcow</a>, <a href="https://malshare.io">malshare.io</a>, <a href="https://github.com/Tigzy/malware-repo">malware-repo</a>, <a href="https://www.adlice.com/download/mrf/">Malware Repository Framework (MRF)</a>, <a href="https://github.com/HeinleinSupport/olefy">olefy</a>, <a href="https://github.com/scVENUS/PeekabooAV">PeekabooAV</a>, <a href="https://github.com/bontchev/pcodedmp">pcodedmp</a>, <a href="https://github.com/CIRCL/PyCIRCLean">PyCIRCLean</a>, <a href="https://remnux.org/">REMnux</a>, <a href="https://github.com/countercept/snake">Snake</a>, <a href="https://app.sndbox.com">SNDBOX</a>, <a href="https://github.com/ldbo/SpuriousEmu">SpuriousEmu</a>, <a href="https://github.com/target/strelka">Strelka</a>, <a href="https://stoq.punchcyber.com/">stoQ</a>, <a href="https://github.com/TheHive-Project/Cortex-Analyzers">TheHive/Cortex</a>, <a href="https://tsurugi-linux.org/">TSUGURI Linux</a>, <a href="https://github.com/MalwareCantFly/Vba2Graph">Vba2Graph</a>, <a href="http://viper.li/">Viper</a>, <a href="https://github.com/decalage2/ViperMonkey">ViperMonkey</a>, <a href="https://yomi.yoroi.company">YOMI</a>, and probably <a href="https://www.virustotal.com">VirusTotal</a>. And quite a few <a href="https://github.com/search?q=oletools&amp;type=Repositories">other projects on GitHub</a>. (Please <a href="(http://decalage.info/contact)">contact me</a> if you have or know a project using oletools)</p>
 <h2 id="download-and-install">Download and Install:</h2>
 <p>The recommended way to download and install/update the <strong>latest stable release</strong> of oletools is to use <a href="https://pip.pypa.io/en/stable/installing/">pip</a>:</p>
 <ul>
@@ -120,7 +113,7 @@
 <p>The code is available in <a href="https://github.com/decalage2/oletools">a GitHub repository</a>. You may use it to submit enhancements using forks and pull requests.</p>
 <h2 id="license">License</h2>
 <p>This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files published with their own license.</p>
-<p>The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec (http://www.decalage.info)</p>
+<p>The python-oletools package is copyright (c) 2012-2020 Philippe Lagadec (http://www.decalage.info)</p>
 <p>All rights reserved.</p>
 <p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:</p>
 <ul>
@@ -29,6 +29,39 @@ Software.
 News
 ----
  
+-  **2020-09-28 v0.56**:
+
+   -  olevba/mraptor:
+
+      -  added detection of trigger \_OnConnecting
+
+   -  olevba:
+
+      -  updated plugin_biff to v0.0.17 to improve Excel 4/XLM macros
+         parsing
+      -  added simple analysis of Excel 4/XLM macros in XLSM files (PR
+         #569)
+      -  added detection of template injection (PR #569)
+      -  added detection of many suspicious keywords (PR #591 and #569,
+         see https://www.certego.net/en/news/advanced-vba-macros/)
+      -  improved MHT detection (PR #532)
+      -  added --no-xlm option to disable Excel 4/XLM macros parsing (PR
+         #532)
+      -  fixed bug when decompressing raw chunks in VBA (issue #575)
+      -  fixed bug with email package due to monkeypatch for MHT parsing
+         (issue #602, PR #604)
+      -  fixed option --relaxed (issue #596, PR #595)
+      -  enabled relaxed mode by default (issues #477, #593)
+      -  fixed detect_vba_macros to always return VBA code as unicode on
+         Python 3 (issues #455, #477, #587, #593)
+      -  replaced option --pcode by --show-pcode and --no-pcode,
+         replaced optparse by argparse (PR #479)
+
+   -  oleform: improved form parsing (PR #532)
+   -  oleobj: "Ole10Native" is now case insensitive (issue #541)
+   -  clsid: added PDF (issue #552), Microsoft Word Picture (issue #571)
+   -  ppt_parser: fixed bug on Python 3 (issues #177, #607, PR #450)
+
 -  **2019-12-03 v0.55**:
  
    -  olevba:
@@ -50,56 +83,6 @@ News
       -  tests that trigger antivirus alerts have been temporarily
          disabled (issue #215)
  
--  **2019-05-22 v0.54.2**:
-
-   -  bugfix release: fixed several issues related to encrypted
-      documents and XLM/XLF Excel 4 macros
-   -  msoffcrypto-tool is now installed by default to handle encrypted
-      documents
-   -  olevba and msodde now handle documents encrypted with common
-      passwords such as 123, 1234, 4321, 12345, 123456, VelvetSweatShop
-      automatically.
-
--  **2019-04-04 v0.54**:
-
-   -  olevba, msodde: added support for encrypted MS Office files
-   -  olevba: added detection and extraction of XLM/XLF Excel 4 macros
-      (thanks to plugin_biff from Didier Stevens' oledump)
-   -  olevba, mraptor: added detection of VBA running Excel 4 macros
-   -  olevba: detect and display special characters such as backspace
-   -  olevba: colorized output showing suspicious keywords in the VBA
-      code
-   -  olevba, mraptor: full Python 3 compatibility, no separate
-      olevba3/mraptor3 anymore
-   -  olevba: improved handling of code pages and unicode
-   -  olevba: fixed a false-positive in VBA macro detection
-   -  rtfobj: improved OLE Package handling, improved Equation object
-      detection
-   -  oleobj: added detection of external links to objects in OpenXML
-   -  replaced third party packages by PyPI dependencies
-
--  2018-05-30 v0.53:
-
-   -  olevba and mraptor can now parse Word/PowerPoint 2007+ pure XML
-      files (aka Flat OPC format)
-   -  improved support for VBA forms in olevba (oleform)
-   -  rtfobj now displays the CLSID of OLE objects, which is the best
-      way to identify them. Known-bad CLSIDs such as MS Equation Editor
-      are highlighted in red.
-   -  Updated rtfobj to handle obfuscated RTF samples.
-   -  rtfobj now handles the "\'" obfuscation trick seen in recent
-      samples such as
-      https://twitter.com/buffaloverflow/status/989798880295444480, by
-      emulating the MS Word bug described in
-      https://securelist.com/disappearing-bytes/84017/
-   -  msodde: improved detection of DDE formulas in CSV files
-   -  oledir now displays the tree of storage/streams, along with CLSIDs
-      and their meaning.
-   -  common.clsid contains the list of known CLSIDs, and their links to
-      CVE vulnerabilities when relevant.
-   -  oleid now detects encrypted OpenXML files
-   -  fixed bugs in oleobj, rtfobj, oleid, olevba
-
 See the `full
 changelog <https://github.com/decalage2/oletools/wiki/Changelog>`__ for
 more information.
@@ -154,14 +137,18 @@ oletools are used by a number of projects and online malware analysis
 services, including `ACE <https://github.com/IntegralDefense/ACE>`__,
 `Anlyz.io <https://sandbox.anlyz.io/>`__,
 `AssemblyLine <https://www.cse-cst.gc.ca/en/assemblyline>`__,
-`CAPE <https://github.com/ctxis/CAPE>`__, `Cuckoo
+`CAPE <https://github.com/ctxis/CAPE>`__,
+`CinCan <https://cincan.io>`__, `Cuckoo
 Sandbox <https://github.com/cuckoosandbox/cuckoo>`__,
 `DARKSURGEON <https://github.com/cryps1s/DARKSURGEON>`__,
 `Deepviz <https://sandbox.deepviz.com/>`__,
-`dridex.malwareconfig.com <https://dridex.malwareconfig.com>`__,
+`DIARIO <https://diario.elevenpaths.com/>`__,
+`dridex.malwareconfig.com <https://dridex.malwareconfig.com>`__, `EML
+Analyzer <https://github.com/ninoseki/eml_analyzer>`__,
 `FAME <https://certsocietegenerale.github.io/fame/>`__,
 `FLARE-VM <https://github.com/fireeye/flare-vm>`__,
-`Hybrid-analysis.com <https://www.hybrid-analysis.com/>`__, `Joe
+`Hybrid-analysis.com <https://www.hybrid-analysis.com/>`__,
+`IntelOwl <https://github.com/certego/IntelOwl>`__, `Joe
 Sandbox <https://www.document-analyzer.net/>`__, `Laika
 BOSS <https://github.com/lmco/laikaboss>`__,
 `MacroMilter <https://github.com/sbidy/MacroMilter>`__,
@@ -176,6 +163,7 @@ Repository Framework (MRF) &lt;https://www.adlice.com/download/mrf/&gt;`__,
 `REMnux <https://remnux.org/>`__,
 `Snake <https://github.com/countercept/snake>`__,
 `SNDBOX <https://app.sndbox.com>`__,
+`SpuriousEmu <https://github.com/ldbo/SpuriousEmu>`__,
 `Strelka <https://github.com/target/strelka>`__,
 `stoQ <https://stoq.punchcyber.com/>`__,
 `TheHive/Cortex <https://github.com/TheHive-Project/Cortex-Analyzers>`__,
@@ -245,7 +233,7 @@ This license applies to the python-oletools package, apart from the
 thirdparty folder which contains third-party files published with their
 own license.
  
-The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec
+The python-oletools package is copyright (c) 2012-2020 Philippe Lagadec
 (http://www.decalage.info)
  
 All rights reserved.
@@ -16,7 +16,7 @@
   <![endif]-->
 </head>
 <body>
-<h1 id="python-oletools-v0.55-documentation">python-oletools v0.55 documentation</h1>
+<h1 id="python-oletools-v0.56-documentation">python-oletools v0.56 documentation</h1>
 <p>This is the home page of the documentation for python-oletools. The latest version can be found <a href="https://github.com/decalage2/oletools/wiki">online</a>, otherwise a copy is provided in the doc subfolder of the package.</p>
 <p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools" class="uri">http://www.decalage.info/python/oletools</a> for more info.</p>
 <p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://github.com/decalage2/oletools/wiki/Install">Download/Install</a> - <a href="https://github.com/decalage2/oletools/wiki">Documentation</a> - <a href="https://github.com/decalage2/oletools/issues">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the Author</a> - <a href="https://github.com/decalage2/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
-python-oletools v0.55 documentation
+python-oletools v0.56 documentation
 ===================================
  
 This is the home page of the documentation for python-oletools. The latest version can be found 
@@ -18,7 +18,7 @@
 <body>
 <h1 id="license-for-python-oletools">License for python-oletools</h1>
 <p>This license applies to the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package, apart from the thirdparty folder which contains third-party files published with their own license.</p>
-<p>The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec (<a href="http://www.decalage.info" class="uri">http://www.decalage.info</a>)</p>
+<p>The python-oletools package is copyright (c) 2012-2020 Philippe Lagadec (<a href="http://www.decalage.info" class="uri">http://www.decalage.info</a>)</p>
 <p>All rights reserved.</p>
 <p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:</p>
 <ul>
@@ -4,7 +4,7 @@ License for python-oletools
 This license applies to the [python-oletools](http://www.decalage.info/python/oletools) package, apart from the 
 thirdparty folder which contains third-party files published with their own license.
  
-The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info))
+The python-oletools package is copyright (c) 2012-2020 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info))
  
 All rights reserved.
  
@@ -23,7 +23,7 @@ http://www.decalage.info/python/oletools
  
 # === LICENSE ==================================================================
  
-# MacroRaptor is copyright (c) 2016-2019 Philippe Lagadec (http://www.decalage.info)
+# MacroRaptor is copyright (c) 2016-2020 Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -62,7 +62,7 @@ http://www.decalage.info/python/oletools
 # 2019-11-06 v0.55 PL: - added SetTimer
 # 2020-04-20 v0.56 PL: - added keywords RUN and CALL for XLM macros (issue #562)
  
-__version__ = '0.56dev12'
+__version__ = '0.56'
  
 #------------------------------------------------------------------------------
 # TODO:
@@ -88,7 +88,7 @@ from oletools.common.io_encoding import ensure_stdout_handles_unicode
 # 2018-10-30       SA: - added detection of external links (PR #317)
 # 2020-03-03 v0.56 PL: - fixed bug #541, "Ole10Native" is case-insensitive
  
-__version__ = '0.56dev2'
+__version__ = '0.56'
  
 # -----------------------------------------------------------------------------
 # TODO:
@@ -234,7 +234,7 @@ from __future__ import print_function
 # 2020-09-28       PL: - added VBA_Parser.get_vba_code_all_modules (partial fix
 #                        for issue #619)
  
-__version__ = '0.56dev12'
+__version__ = '0.56'
  
 #------------------------------------------------------------------------------
 # TODO: