diff --git a/LICENSE.md b/LICENSE.md
index 896a57a..ea3fa44 100644
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,7 +1,7 @@
This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files
published with their own license.
-The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec (http://www.decalage.info)
+The python-oletools package is copyright (c) 2012-2020 Philippe Lagadec (http://www.decalage.info)
All rights reserved.
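Review bot: the copyright year line changed in this hunk is edited by hand again in README.md, README.html, README.rst, doc/License.html, doc/License.md and mraptor.py later in this same commit; the LICENSE.md change is correct on its own, but seven hand-maintained copies of one line will drift the next time only some of them are updated. Consider keeping the year in one place and generating or including the other copies from it.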
diff --git a/MANIFEST.in b/MANIFEST.in
index b08e1e6..5487ebe 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -7,6 +7,7 @@ include oletools/README.html
include oletools/LICENSE.txt
include oletools/DocVarDump.vba
recursive-include oletools/thirdparty *.*
+prune oletools/thirdparty/oledump/old
recursive-include cheatsheet *.*
global-exclude *.pyc
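Review bot: `prune oletools/thirdparty/oledump/old` only takes effect because it is placed after `recursive-include oletools/thirdparty *.*` (MANIFEST.in commands are applied in order), so the position is right; it is worth confirming that nothing under oletools/thirdparty/oledump imports from the pruned old/ directory, otherwise an installed package would behave differently from a git checkout.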
diff --git a/README.md b/README.md
index b764ef6..4466c53 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,28 @@ Note: python-oletools is not related to OLETools published by BeCubed Software.
News
----
+- **2020-09-28 v0.56**:
+ - olevba/mraptor:
+ - added detection of trigger _OnConnecting
+ - olevba:
+ - updated plugin_biff to v0.0.17 to improve Excel 4/XLM macros parsing
+ - added simple analysis of Excel 4/XLM macros in XLSM files (PR #569)
+ - added detection of template injection (PR #569)
+ - added detection of many suspicious keywords (PR #591 and #569, see https://www.certego.net/en/news/advanced-vba-macros/)
+ - improved MHT detection (PR #532)
+ - added --no-xlm option to disable Excel 4/XLM macros parsing (PR #532)
+ - fixed bug when decompressing raw chunks in VBA (issue #575)
+ - fixed bug with email package due to monkeypatch for MHT parsing (issue #602, PR #604)
+ - fixed option --relaxed (issue #596, PR #595)
+ - enabled relaxed mode by default (issues #477, #593)
+ - fixed detect_vba_macros to always return VBA code as
+ unicode on Python 3 (issues #455, #477, #587, #593)
+ - replaced option --pcode by --show-pcode and --no-pcode,
+ replaced optparse by argparse (PR #479)
+ - oleform: improved form parsing (PR #532)
+ - oleobj: "Ole10Native" is now case insensitive (issue #541)
+ - clsid: added PDF (issue #552), Microsoft Word Picture (issue #571)
+ - ppt_parser: fixed bug on Python 3 (issues #177, #607, PR #450)
- **2019-12-03 v0.55**:
- olevba:
- added support for SLK files and XLM macro extraction from SLK
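Review bot: two entries in the new v0.56 list are user-visible behaviour changes that the wording does not flag: `replaced option --pcode by --show-pcode and --no-pcode` breaks any script that still passes `--pcode`, and `enabled relaxed mode by default` changes the default parsing behaviour without saying how to get the previous strict behaviour back. Suggest marking the first as a breaking change and stating in the second which option, if any, turns relaxed mode off.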
@@ -39,35 +61,6 @@ News
- tests:
- test files can now be encrypted, to avoid antivirus alerts (PR #217, issue #215)
- tests that trigger antivirus alerts have been temporarily disabled (issue #215)
-- **2019-05-22 v0.54.2**:
- - bugfix release: fixed several issues related to encrypted documents
- and XLM/XLF Excel 4 macros
- - msoffcrypto-tool is now installed by default to handle encrypted documents
- - olevba and msodde now handle documents encrypted with common passwords such
- as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.
-- **2019-04-04 v0.54**:
- - olevba, msodde: added support for encrypted MS Office files
- - olevba: added detection and extraction of XLM/XLF Excel 4 macros (thanks to plugin_biff from Didier Stevens' oledump)
- - olevba, mraptor: added detection of VBA running Excel 4 macros
- - olevba: detect and display special characters such as backspace
- - olevba: colorized output showing suspicious keywords in the VBA code
- - olevba, mraptor: full Python 3 compatibility, no separate olevba3/mraptor3 anymore
- - olevba: improved handling of code pages and unicode
- - olevba: fixed a false-positive in VBA macro detection
- - rtfobj: improved OLE Package handling, improved Equation object detection
- - oleobj: added detection of external links to objects in OpenXML
- - replaced third party packages by PyPI dependencies
-- 2018-05-30 v0.53:
- - olevba and mraptor can now parse Word/PowerPoint 2007+ pure XML files (aka Flat OPC format)
- - improved support for VBA forms in olevba (oleform)
- - rtfobj now displays the CLSID of OLE objects, which is the best way to identify them. Known-bad CLSIDs such as MS Equation Editor are highlighted in red.
- - Updated rtfobj to handle obfuscated RTF samples.
- - rtfobj now handles the "\\'" obfuscation trick seen in recent samples such as https://twitter.com/buffaloverflow/status/989798880295444480, by emulating the MS Word bug described in https://securelist.com/disappearing-bytes/84017/
- - msodde: improved detection of DDE formulas in CSV files
- - oledir now displays the tree of storage/streams, along with CLSIDs and their meaning.
- - common.clsid contains the list of known CLSIDs, and their links to CVE vulnerabilities when relevant.
- - oleid now detects encrypted OpenXML files
- - fixed bugs in oleobj, rtfobj, oleid, olevba
See the [full changelog](https://github.com/decalage2/oletools/wiki/Changelog) for more information.
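Review bot: the removed v0.54.2 entry is the only text in this README that documents that msoffcrypto-tool is installed by default and that olevba and msodde try common passwords (123, 1234, 4321, 12345, 123456, VelvetSweatShop) automatically. Dropping old news is fine given the full changelog link that remains, but check that both facts are stated in the per-tool documentation first, since they matter to anyone triaging encrypted samples.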
@@ -193,7 +186,7 @@ License
This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files
published with their own license.
-The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec (http://www.decalage.info)
+The python-oletools package is copyright (c) 2012-2020 Philippe Lagadec (http://www.decalage.info)
All rights reserved.
diff --git a/oletools/README.html b/oletools/README.html
index cff9e81..cd4bde4 100644
--- a/oletools/README.html
+++ b/oletools/README.html
@@ -23,6 +23,32 @@
Note: python-oletools is not related to OLETools published by BeCubed Software.
News
+- 2020-09-28 v0.56:
+
+- olevba/mraptor:
+
+- added detection of trigger _OnConnecting
+
+- olevba:
+
+- updated plugin_biff to v0.0.17 to improve Excel 4/XLM macros parsing
+- added simple analysis of Excel 4/XLM macros in XLSM files (PR #569)
+- added detection of template injection (PR #569)
+- added detection of many suspicious keywords (PR #591 and #569, see https://www.certego.net/en/news/advanced-vba-macros/)
+- improved MHT detection (PR #532)
+- added --no-xlm option to disable Excel 4/XLM macros parsing (PR #532)
+- fixed bug when decompressing raw chunks in VBA (issue #575)
+- fixed bug with email package due to monkeypatch for MHT parsing (issue #602, PR #604)
+- fixed option --relaxed (issue #596, PR #595)
+- enabled relaxed mode by default (issues #477, #593)
+- fixed detect_vba_macros to always return VBA code as unicode on Python 3 (issues #455, #477, #587, #593)
+- replaced option --pcode by --show-pcode and --no-pcode, replaced optparse by argparse (PR #479)
+
+- oleform: improved form parsing (PR #532)
+- oleobj: "Ole10Native" is now case insensitive (issue #541)
+- clsid: added PDF (issue #552), Microsoft Word Picture (issue #571)
+- ppt_parser: fixed bug on Python 3 (issues #177, #607, PR #450)
+
- 2019-12-03 v0.55:
- olevba:
@@ -42,39 +68,6 @@
- tests that trigger antivirus alerts have been temporarily disabled (issue #215)
-2019-05-22 v0.54.2:
-
-- bugfix release: fixed several issues related to encrypted documents and XLM/XLF Excel 4 macros
-- msoffcrypto-tool is now installed by default to handle encrypted documents
-- olevba and msodde now handle documents encrypted with common passwords such as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.
-
-2019-04-04 v0.54:
-
-- olevba, msodde: added support for encrypted MS Office files
-- olevba: added detection and extraction of XLM/XLF Excel 4 macros (thanks to plugin_biff from Didier Stevens' oledump)
-- olevba, mraptor: added detection of VBA running Excel 4 macros
-- olevba: detect and display special characters such as backspace
-- olevba: colorized output showing suspicious keywords in the VBA code
-- olevba, mraptor: full Python 3 compatibility, no separate olevba3/mraptor3 anymore
-- olevba: improved handling of code pages and unicode
-- olevba: fixed a false-positive in VBA macro detection
-- rtfobj: improved OLE Package handling, improved Equation object detection
-- oleobj: added detection of external links to objects in OpenXML
-- replaced third party packages by PyPI dependencies
-
-2018-05-30 v0.53:
-
-- olevba and mraptor can now parse Word/PowerPoint 2007+ pure XML files (aka Flat OPC format)
-- improved support for VBA forms in olevba (oleform)
-- rtfobj now displays the CLSID of OLE objects, which is the best way to identify them. Known-bad CLSIDs such as MS Equation Editor are highlighted in red.
-- Updated rtfobj to handle obfuscated RTF samples.
-- rtfobj now handles the "\'" obfuscation trick seen in recent samples such as https://twitter.com/buffaloverflow/status/989798880295444480, by emulating the MS Word bug described in https://securelist.com/disappearing-bytes/84017/
-- msodde: improved detection of DDE formulas in CSV files
-- oledir now displays the tree of storage/streams, along with CLSIDs and their meaning.
-- common.clsid contains the list of known CLSIDs, and their links to CVE vulnerabilities when relevant.
-- oleid now detects encrypted OpenXML files
-- fixed bugs in oleobj, rtfobj, oleid, olevba
-
See the full changelog for more information.
@@ -97,7 +90,7 @@
olemap: to display a map of all the sectors in an OLE file.
-oletools are used by a number of projects and online malware analysis services, including ACE, Anlyz.io, AssemblyLine, CAPE, Cuckoo Sandbox, DARKSURGEON, Deepviz, dridex.malwareconfig.com, FAME, FLARE-VM, Hybrid-analysis.com, Joe Sandbox, Laika BOSS, MacroMilter, mailcow, malshare.io, malware-repo, Malware Repository Framework (MRF), olefy, PeekabooAV, pcodedmp, PyCIRCLean, REMnux, Snake, SNDBOX, Strelka, stoQ, TheHive/Cortex, TSUGURI Linux, Vba2Graph, Viper, ViperMonkey, YOMI, and probably VirusTotal. And quite a few other projects on GitHub. (Please contact me if you have or know a project using oletools)
+oletools are used by a number of projects and online malware analysis services, including ACE, Anlyz.io, AssemblyLine, CAPE, CinCan, Cuckoo Sandbox, DARKSURGEON, Deepviz, DIARIO, dridex.malwareconfig.com, EML Analyzer, FAME, FLARE-VM, Hybrid-analysis.com, IntelOwl, Joe Sandbox, Laika BOSS, MacroMilter, mailcow, malshare.io, malware-repo, Malware Repository Framework (MRF), olefy, PeekabooAV, pcodedmp, PyCIRCLean, REMnux, Snake, SNDBOX, SpuriousEmu, Strelka, stoQ, TheHive/Cortex, TSUGURI Linux, Vba2Graph, Viper, ViperMonkey, YOMI, and probably VirusTotal. And quite a few other projects on GitHub. (Please contact me if you have or know a project using oletools)
Download and Install:
The recommended way to download and install/update the latest stable release of oletools is to use pip:
@@ -120,7 +113,7 @@
The code is available in a GitHub repository. You may use it to submit enhancements using forks and pull requests.
License
This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files published with their own license.
-The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec (http://www.decalage.info)
+The python-oletools package is copyright (c) 2012-2020 Philippe Lagadec (http://www.decalage.info)
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
diff --git a/oletools/README.rst b/oletools/README.rst
index f962ea6..17969c6 100644
--- a/oletools/README.rst
+++ b/oletools/README.rst
@@ -29,6 +29,39 @@ Software.
News
----
+- **2020-09-28 v0.56**:
+
+ - olevba/mraptor:
+
+ - added detection of trigger \_OnConnecting
+
+ - olevba:
+
+ - updated plugin_biff to v0.0.17 to improve Excel 4/XLM macros
+ parsing
+ - added simple analysis of Excel 4/XLM macros in XLSM files (PR
+ #569)
+ - added detection of template injection (PR #569)
+ - added detection of many suspicious keywords (PR #591 and #569,
+ see https://www.certego.net/en/news/advanced-vba-macros/)
+ - improved MHT detection (PR #532)
+ - added --no-xlm option to disable Excel 4/XLM macros parsing (PR
+ #532)
+ - fixed bug when decompressing raw chunks in VBA (issue #575)
+ - fixed bug with email package due to monkeypatch for MHT parsing
+ (issue #602, PR #604)
+ - fixed option --relaxed (issue #596, PR #595)
+ - enabled relaxed mode by default (issues #477, #593)
+ - fixed detect_vba_macros to always return VBA code as unicode on
+ Python 3 (issues #455, #477, #587, #593)
+ - replaced option --pcode by --show-pcode and --no-pcode,
+ replaced optparse by argparse (PR #479)
+
+ - oleform: improved form parsing (PR #532)
+ - oleobj: "Ole10Native" is now case insensitive (issue #541)
+ - clsid: added PDF (issue #552), Microsoft Word Picture (issue #571)
+ - ppt_parser: fixed bug on Python 3 (issues #177, #607, PR #450)
+
- **2019-12-03 v0.55**:
- olevba:
@@ -50,56 +83,6 @@ News
- tests that trigger antivirus alerts have been temporarily
disabled (issue #215)
-- **2019-05-22 v0.54.2**:
-
- - bugfix release: fixed several issues related to encrypted
- documents and XLM/XLF Excel 4 macros
- - msoffcrypto-tool is now installed by default to handle encrypted
- documents
- - olevba and msodde now handle documents encrypted with common
- passwords such as 123, 1234, 4321, 12345, 123456, VelvetSweatShop
- automatically.
-
-- **2019-04-04 v0.54**:
-
- - olevba, msodde: added support for encrypted MS Office files
- - olevba: added detection and extraction of XLM/XLF Excel 4 macros
- (thanks to plugin_biff from Didier Stevens' oledump)
- - olevba, mraptor: added detection of VBA running Excel 4 macros
- - olevba: detect and display special characters such as backspace
- - olevba: colorized output showing suspicious keywords in the VBA
- code
- - olevba, mraptor: full Python 3 compatibility, no separate
- olevba3/mraptor3 anymore
- - olevba: improved handling of code pages and unicode
- - olevba: fixed a false-positive in VBA macro detection
- - rtfobj: improved OLE Package handling, improved Equation object
- detection
- - oleobj: added detection of external links to objects in OpenXML
- - replaced third party packages by PyPI dependencies
-
-- 2018-05-30 v0.53:
-
- - olevba and mraptor can now parse Word/PowerPoint 2007+ pure XML
- files (aka Flat OPC format)
- - improved support for VBA forms in olevba (oleform)
- - rtfobj now displays the CLSID of OLE objects, which is the best
- way to identify them. Known-bad CLSIDs such as MS Equation Editor
- are highlighted in red.
- - Updated rtfobj to handle obfuscated RTF samples.
- - rtfobj now handles the "\'" obfuscation trick seen in recent
- samples such as
- https://twitter.com/buffaloverflow/status/989798880295444480, by
- emulating the MS Word bug described in
- https://securelist.com/disappearing-bytes/84017/
- - msodde: improved detection of DDE formulas in CSV files
- - oledir now displays the tree of storage/streams, along with CLSIDs
- and their meaning.
- - common.clsid contains the list of known CLSIDs, and their links to
- CVE vulnerabilities when relevant.
- - oleid now detects encrypted OpenXML files
- - fixed bugs in oleobj, rtfobj, oleid, olevba
-
See the `full
changelog `__ for
more information.
@@ -154,14 +137,18 @@ oletools are used by a number of projects and online malware analysis
services, including `ACE `__,
`Anlyz.io `__,
`AssemblyLine `__,
-`CAPE `__, `Cuckoo
+`CAPE `__,
+`CinCan `__, `Cuckoo
Sandbox `__,
`DARKSURGEON `__,
`Deepviz `__,
-`dridex.malwareconfig.com `__,
+`DIARIO `__,
+`dridex.malwareconfig.com `__, `EML
+Analyzer `__,
`FAME `__,
`FLARE-VM `__,
-`Hybrid-analysis.com `__, `Joe
+`Hybrid-analysis.com `__,
+`IntelOwl `__, `Joe
Sandbox `__, `Laika
BOSS `__,
`MacroMilter `__,
@@ -176,6 +163,7 @@ Repository Framework (MRF) `__,
`REMnux `__,
`Snake `__,
`SNDBOX `__,
+`SpuriousEmu `__,
`Strelka `__,
`stoQ `__,
`TheHive/Cortex `__,
@@ -245,7 +233,7 @@ This license applies to the python-oletools package, apart from the
thirdparty folder which contains third-party files published with their
own license.
-The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec
+The python-oletools package is copyright (c) 2012-2020 Philippe Lagadec
(http://www.decalage.info)
All rights reserved.
diff --git a/oletools/doc/Home.html b/oletools/doc/Home.html
index 74e2bdc..e90c764 100644
--- a/oletools/doc/Home.html
+++ b/oletools/doc/Home.html
@@ -16,7 +16,7 @@
-
+
This is the home page of the documentation for python-oletools. The latest version can be found online, otherwise a copy is provided in the doc subfolder of the package.
python-oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.
Quick links: Home page - Download/Install - Documentation - Report Issues/Suggestions/Questions - Contact the Author - Repository - Updates on Twitter
diff --git a/oletools/doc/Home.md b/oletools/doc/Home.md
index 185db4f..f3bddd8 100644
--- a/oletools/doc/Home.md
+++ b/oletools/doc/Home.md
@@ -1,4 +1,4 @@
-python-oletools v0.55 documentation
+python-oletools v0.56 documentation
===================================
This is the home page of the documentation for python-oletools. The latest version can be found
diff --git a/oletools/doc/License.html b/oletools/doc/License.html
index 082b2de..ba2fc2c 100644
--- a/oletools/doc/License.html
+++ b/oletools/doc/License.html
@@ -18,7 +18,7 @@
This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files published with their own license.
-The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec (http://www.decalage.info)
+The python-oletools package is copyright (c) 2012-2020 Philippe Lagadec (http://www.decalage.info)
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
diff --git a/oletools/doc/License.md b/oletools/doc/License.md
index 9ffaa4b..8e8d274 100644
--- a/oletools/doc/License.md
+++ b/oletools/doc/License.md
@@ -4,7 +4,7 @@ License for python-oletools
This license applies to the [python-oletools](http://www.decalage.info/python/oletools) package, apart from the
thirdparty folder which contains third-party files published with their own license.
-The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info))
+The python-oletools package is copyright (c) 2012-2020 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info))
All rights reserved.
diff --git a/oletools/mraptor.py b/oletools/mraptor.py
index daf8728..f1fac32 100644
--- a/oletools/mraptor.py
+++ b/oletools/mraptor.py
@@ -23,7 +23,7 @@ http://www.decalage.info/python/oletools
# === LICENSE ==================================================================
-# MacroRaptor is copyright (c) 2016-2019 Philippe Lagadec (http://www.decalage.info)
+# MacroRaptor is copyright (c) 2016-2020 Philippe Lagadec (http://www.decalage.info)
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification,
@@ -62,7 +62,7 @@ http://www.decalage.info/python/oletools
# 2019-11-06 v0.55 PL: - added SetTimer
# 2020-04-20 v0.56 PL: - added keywords RUN and CALL for XLM macros (issue #562)
-__version__ = '0.56dev12'
+__version__ = '0.56'
#------------------------------------------------------------------------------
# TODO:
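Review bot: the history line `2020-04-20 v0.56 PL: - added keywords RUN and CALL for XLM macros (issue #562)` kept as context in this hunk has no counterpart in the v0.56 News entries added to README.md in this commit, which list only `added detection of trigger _OnConnecting` under olevba/mraptor; either add it there or this detection change ships undocumented.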
diff --git a/oletools/oleobj.py b/oletools/oleobj.py
index 8ed34f2..2171d64 100644
--- a/oletools/oleobj.py
+++ b/oletools/oleobj.py
@@ -88,7 +88,7 @@ from oletools.common.io_encoding import ensure_stdout_handles_unicode
# 2018-10-30 SA: - added detection of external links (PR #317)
# 2020-03-03 v0.56 PL: - fixed bug #541, "Ole10Native" is case-insensitive
-__version__ = '0.56dev2'
+__version__ = '0.56'
# -----------------------------------------------------------------------------
# TODO:
diff --git a/oletools/olevba.py b/oletools/olevba.py
index 424f58e..392bf30 100644
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -234,7 +234,7 @@ from __future__ import print_function
# 2020-09-28 PL: - added VBA_Parser.get_vba_code_all_modules (partial fix
# for issue #619)
-__version__ = '0.56dev12'
+__version__ = '0.56'
#------------------------------------------------------------------------------
# TODO:
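Review bot: the context line `2020-09-28 PL: - added VBA_Parser.get_vba_code_all_modules (partial fix for issue #619)` describes a new public method on VBA_Parser that the v0.56 News added to README.md in this commit does not mention; since it is dated the release day, confirm it is covered by tests before tagging and add it to the changelog alongside issue #619.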