updated readme and doc for v0.54

decalage2
1 parent d03c8683
Showing 26 changed files with 258 additions and 120 deletions
oletools/README.html
oletools/README.rst
oletools/doc/Home.html
oletools/doc/Home.md
oletools/doc/Install.html
oletools/doc/Install.md
oletools/doc/License.html
oletools/doc/License.md
oletools/doc/mraptor.html
oletools/doc/mraptor.md
oletools/doc/olebrowse.html
oletools/doc/olebrowse.md
oletools/doc/oledir.html
oletools/doc/oledir.md
oletools/doc/oleid.html
oletools/doc/oleid.md
oletools/doc/olemap.html
oletools/doc/olemap.md
oletools/doc/olemeta.html
oletools/doc/olemeta.md
@@ -17,13 +17,27 @@
 </head>
 <body>
 <h1 id="python-oletools">python-oletools</h1>
-<p><a href="https://pypi.org/project/oletools/"><img src="https://img.shields.io/pypi/v/oletools.svg" alt="PyPI" /></a> <a href="https://travis-ci.org/decalage2/oletools"><img src="https://travis-ci.org/decalage2/oletools.svg?branch=master" alt="Build Status" /></a></p>
+<p><a href="https://pypi.org/project/oletools/"><img src="https://img.shields.io/pypi/v/oletools.svg" alt="PyPI" /></a> <a href="https://travis-ci.org/decalage2/oletools"><img src="https://travis-ci.org/decalage2/oletools.svg?branch=master" alt="Build Status" /></a> <a href="https://saythanks.io/to/decalage2"><img src="https://img.shields.io/badge/Say%20Thanks-!-1EAEDB.svg" alt="Say Thanks!" /></a></p>
 <p><a href="http://www.decalage.info/python/oletools">oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools" class="uri">http://www.decalage.info/python/oletools</a> for more info.</p>
 <p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://github.com/decalage2/oletools/wiki/Install">Download/Install</a> - <a href="https://github.com/decalage2/oletools/wiki">Documentation</a> - <a href="https://github.com/decalage2/oletools/issues">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the Author</a> - <a href="https://github.com/decalage2/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a> <a href="https://github.com/decalage2/oletools/blob/master/cheatsheet/oletools_cheatsheet.pdf">Cheatsheet</a></p>
 <p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p>
 <h2 id="news">News</h2>
 <ul>
-<li><strong>2018-05-30 v0.53</strong>:
+<li><strong>2019-04-04 v0.54</strong>:
+<ul>
+<li>olevba, msodde: added support for encrypted MS Office files</li>
+<li>olevba: added detection and extraction of XLM/XLF Excel 4 macros (thanks to plugin_biff from Didier Stevens' oledump)</li>
+<li>olevba, mraptor: added detection of VBA running Excel 4 macros</li>
+<li>olevba: detect and display special characters such as backspace</li>
+<li>olevba: colorized output showing suspicious keywords in the VBA code</li>
+<li>olevba, mraptor: full Python 3 compatibility, no separate olevba3/mraptor3 anymore</li>
+<li>olevba: improved handling of code pages and unicode</li>
+<li>olevba: fixed a false-positive in VBA macro detection</li>
+<li>rtfobj: improved OLE Package handling, improved Equation object detection</li>
+<li>oleobj: added detection of external links to objects in OpenXML</li>
+<li>replaced third party packages by PyPI dependencies</li>
+</ul></li>
+<li>2018-05-30 v0.53:
 <ul>
 <li>olevba and mraptor can now parse Word/PowerPoint 2007+ pure XML files (aka Flat OPC format)</li>
 <li>improved support for VBA forms in olevba (oleform)</li>
@@ -66,7 +80,7 @@
 <li><a href="https://github.com/decalage2/oletools/wiki/olemap">olemap</a>: to display a map of all the sectors in an OLE file.</li>
 </ul>
 <h2 id="projects-using-oletools">Projects using oletools:</h2>
-<p>oletools are used by a number of projects and online malware analysis services, including <a href="http://viper.li/">Viper</a>, <a href="https://remnux.org/">REMnux</a>, <a href="https://certsocietegenerale.github.io/fame/">FAME</a>, <a href="https://www.hybrid-analysis.com/">Hybrid-analysis.com</a>, <a href="https://www.document-analyzer.net/">Joe Sandbox</a>, <a href="https://sandbox.deepviz.com/">Deepviz</a>, <a href="https://github.com/lmco/laikaboss">Laika BOSS</a>, <a href="https://github.com/cuckoosandbox/cuckoo">Cuckoo Sandbox</a>, <a href="https://sandbox.anlyz.io/">Anlyz.io</a>, <a href="https://github.com/decalage2/ViperMonkey">ViperMonkey</a>, <a href="https://github.com/bontchev/pcodedmp">pcodedmp</a>, <a href="https://dridex.malwareconfig.com">dridex.malwareconfig.com</a>, <a href="https://github.com/countercept/snake">Snake</a>, <a href="https://github.com/cryps1s/DARKSURGEON">DARKSURGEON</a>, and probably <a href="https://www.virustotal.com">VirusTotal</a>. (Please <a href="(http://decalage.info/contact)">contact me</a> if you have or know a project using oletools)</p>
+<p>oletools are used by a number of projects and online malware analysis services, including <a href="http://viper.li/">Viper</a>, <a href="https://remnux.org/">REMnux</a>, <a href="https://github.com/fireeye/flare-vm">FLARE-VM</a>, <a href="https://certsocietegenerale.github.io/fame/">FAME</a>, <a href="https://www.hybrid-analysis.com/">Hybrid-analysis.com</a>, <a href="https://www.document-analyzer.net/">Joe Sandbox</a>, <a href="https://sandbox.deepviz.com/">Deepviz</a>, <a href="https://github.com/lmco/laikaboss">Laika BOSS</a>, <a href="https://github.com/cuckoosandbox/cuckoo">Cuckoo Sandbox</a>, <a href="https://sandbox.anlyz.io/">Anlyz.io</a>, <a href="https://github.com/decalage2/ViperMonkey">ViperMonkey</a>, <a href="https://github.com/bontchev/pcodedmp">pcodedmp</a>, <a href="https://dridex.malwareconfig.com">dridex.malwareconfig.com</a>, <a href="https://github.com/countercept/snake">Snake</a>, <a href="https://github.com/cryps1s/DARKSURGEON">DARKSURGEON</a>, <a href="https://github.com/ctxis/CAPE">CAPE</a>, <a href="https://www.cse-cst.gc.ca/en/assemblyline">AssemblyLine</a>, <a href="https://malshare.io">malshare.io</a>, <a href="https://www.adlice.com/download/mrf/">Malware Repository Framework (MRF)</a>, <a href="https://github.com/Tigzy/malware-repo">malware-repo</a>, <a href="https://github.com/MalwareCantFly/Vba2Graph">Vba2Graph</a>, <a href="https://github.com/target/strelka">Strelka</a>, <a href="https://stoq.punchcyber.com/">stoQ</a>, and probably <a href="https://www.virustotal.com">VirusTotal</a>. And quite a few <a href="https://github.com/search?q=oletools&amp;type=Repositories">other projects on GitHub</a>. (Please <a href="(http://decalage.info/contact)">contact me</a> if you have or know a project using oletools)</p>
 <h2 id="download-and-install">Download and Install:</h2>
 <p>The recommended way to download and install/update the <strong>latest stable release</strong> of oletools is to use <a href="https://pip.pypa.io/en/stable/installing/">pip</a>:</p>
 <ul>
@@ -89,7 +103,7 @@
 <p>The code is available in <a href="https://github.com/decalage2/oletools">a GitHub repository</a>. You may use it to submit enhancements using forks and pull requests.</p>
 <h2 id="license">License</h2>
 <p>This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files published with their own license.</p>
-<p>The python-oletools package is copyright (c) 2012-2018 Philippe Lagadec (http://www.decalage.info)</p>
+<p>The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec (http://www.decalage.info)</p>
 <p>All rights reserved.</p>
 <p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:</p>
 <ul>
 python-oletools
 ===============
  
-|PyPI| |Build Status|
+|PyPI| |Build Status| |Say Thanks!|
  
 `oletools <http://www.decalage.info/python/oletools>`__ is a package of
 python tools to analyze `Microsoft OLE2
@@ -29,7 +29,25 @@ Software.
 News
 ----
  
--  **2018-05-30 v0.53**:
+-  **2019-04-04 v0.54**:
+
+   -  olevba, msodde: added support for encrypted MS Office files
+   -  olevba: added detection and extraction of XLM/XLF Excel 4 macros
+      (thanks to plugin_biff from Didier Stevens' oledump)
+   -  olevba, mraptor: added detection of VBA running Excel 4 macros
+   -  olevba: detect and display special characters such as backspace
+   -  olevba: colorized output showing suspicious keywords in the VBA
+      code
+   -  olevba, mraptor: full Python 3 compatibility, no separate
+      olevba3/mraptor3 anymore
+   -  olevba: improved handling of code pages and unicode
+   -  olevba: fixed a false-positive in VBA macro detection
+   -  rtfobj: improved OLE Package handling, improved Equation object
+      detection
+   -  oleobj: added detection of external links to objects in OpenXML
+   -  replaced third party packages by PyPI dependencies
+
+-  2018-05-30 v0.53:
  
    -  olevba and mraptor can now parse Word/PowerPoint 2007+ pure XML
       files (aka Flat OPC format)
@@ -115,6 +133,7 @@ Projects using oletools:
 oletools are used by a number of projects and online malware analysis
 services, including `Viper <http://viper.li/>`__,
 `REMnux <https://remnux.org/>`__,
+`FLARE-VM <https://github.com/fireeye/flare-vm>`__,
 `FAME <https://certsocietegenerale.github.io/fame/>`__,
 `Hybrid-analysis.com <https://www.hybrid-analysis.com/>`__, `Joe
 Sandbox <https://www.document-analyzer.net/>`__,
@@ -126,10 +145,20 @@ Sandbox &lt;https://github.com/cuckoosandbox/cuckoo&gt;`__,
 `pcodedmp <https://github.com/bontchev/pcodedmp>`__,
 `dridex.malwareconfig.com <https://dridex.malwareconfig.com>`__,
 `Snake <https://github.com/countercept/snake>`__,
-`DARKSURGEON <https://github.com/cryps1s/DARKSURGEON>`__, and probably
-`VirusTotal <https://www.virustotal.com>`__. (Please `contact
-me <(http://decalage.info/contact)>`__ if you have or know a project
-using oletools)
+`DARKSURGEON <https://github.com/cryps1s/DARKSURGEON>`__,
+`CAPE <https://github.com/ctxis/CAPE>`__,
+`AssemblyLine <https://www.cse-cst.gc.ca/en/assemblyline>`__,
+`malshare.io <https://malshare.io>`__, `Malware Repository Framework
+(MRF) <https://www.adlice.com/download/mrf/>`__,
+`malware-repo <https://github.com/Tigzy/malware-repo>`__,
+`Vba2Graph <https://github.com/MalwareCantFly/Vba2Graph>`__,
+`Strelka <https://github.com/target/strelka>`__,
+`stoQ <https://stoq.punchcyber.com/>`__, and probably
+`VirusTotal <https://www.virustotal.com>`__. And quite a few `other
+projects on
+GitHub <https://github.com/search?q=oletools&type=Repositories>`__.
+(Please `contact me <(http://decalage.info/contact)>`__ if you have or
+know a project using oletools)
  
 Download and Install:
 ---------------------
@@ -186,7 +215,7 @@ This license applies to the python-oletools package, apart from the
 thirdparty folder which contains third-party files published with their
 own license.
  
-The python-oletools package is copyright (c) 2012-2018 Philippe Lagadec
+The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec
 (http://www.decalage.info)
  
 All rights reserved.
@@ -243,3 +272,5 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
    :target: https://pypi.org/project/oletools/
 .. |Build Status| image:: https://travis-ci.org/decalage2/oletools.svg?branch=master
    :target: https://travis-ci.org/decalage2/oletools
+.. |Say Thanks!| image:: https://img.shields.io/badge/Say%20Thanks-!-1EAEDB.svg
+   :target: https://saythanks.io/to/decalage2
@@ -16,7 +16,7 @@
   <![endif]-->
 </head>
 <body>
-<h1 id="python-oletools-v0.53-documentation">python-oletools v0.53 documentation</h1>
+<h1 id="python-oletools-v0.54-documentation">python-oletools v0.54 documentation</h1>
 <p>This is the home page of the documentation for python-oletools. The latest version can be found <a href="https://github.com/decalage2/oletools/wiki">online</a>, otherwise a copy is provided in the doc subfolder of the package.</p>
 <p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools" class="uri">http://www.decalage.info/python/oletools</a> for more info.</p>
 <p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://github.com/decalage2/oletools/wiki/Install">Download/Install</a> - <a href="https://github.com/decalage2/oletools/wiki">Documentation</a> - <a href="https://github.com/decalage2/oletools/issues">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the Author</a> - <a href="https://github.com/decalage2/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
-python-oletools v0.53 documentation
+python-oletools v0.54 documentation
 ===================================
  
 This is the home page of the documentation for python-oletools. The latest version can be found 
@@ -16,28 +16,43 @@
   <![endif]-->
 </head>
 <body>
-<h1 id="how-to-download-and-install-python-oletools">How to Download and Install python-oletools</h1>
+<h1 id="how-to-download-and-install-oletools">How to Download and Install oletools</h1>
 <h2 id="pre-requisites">Pre-requisites</h2>
-<p>The recommended Python version to run oletools is <strong>Python 2.7</strong>. Python 2.6 is also supported, but as it is not tested as often as 2.7, some features might not work as expected.</p>
-<p>Since oletools v0.50, thanks to contributions by <span class="citation" data-cites="Sebdraven">[@Sebdraven]</span>(https://twitter.com/Sebdraven), most tools can also run with <strong>Python 3.x</strong>. As this is quite new, please <a href="(https://github.com/decalage2/oletools/issues)">report any issue</a> you may encounter.</p>
+<p>The recommended Python version to run oletools is the latest <strong>Python 3.x</strong> (3.7 for now). Python 2.7 is still supported, but as it will become end of life in 2020 (see https://pythonclock.org/), it is highly recommended to switch to Python 3 now.</p>
 <h2 id="recommended-way-to-downloadinstallupdate-oletools-pip">Recommended way to Download+Install/Update oletools: pip</h2>
 <p>Pip is included with Python since version 2.7.9 and 3.4. If it is not installed on your system, either upgrade Python or see https://pip.pypa.io/en/stable/installing/</p>
 <h3 id="linux-mac-osx-unix">Linux, Mac OSX, Unix</h3>
 <p>To download and install/update the latest release version of oletools, run the following command in a shell:</p>
 <pre class="text"><code>sudo -H pip install -U oletools</code></pre>
+<p>Replace <code>pip</code> by <code>pip3</code> or <code>pip2</code> to install on a specific Python version.</p>
+<p><strong>New in v0.54:</strong> To enable the decryption of encrypted documents, you also need to install the msoffcrypto-tool package:</p>
+<pre class="text"><code>sudo -H pip install -U msoffcrypto-tool</code></pre>
 <p><strong>Important</strong>: Since version 0.50, pip will automatically create convenient command-line scripts in /usr/local/bin to run all the oletools from any directory.</p>
 <h3 id="windows">Windows</h3>
 <p>To download and install/update the latest release version of oletools, run the following command in a cmd window:</p>
 <pre class="text"><code>pip install -U oletools</code></pre>
+<p>Replace <code>pip</code> by <code>pip3</code> or <code>pip2</code> to install on a specific Python version.</p>
+<p><strong>Note</strong>: with Python 3, you may need to open a cmd window with Administrator privileges in order to run pip and install for all users. If that is not possible, you may also install only for the current user by adding the <code>--user</code> option:</p>
+<pre class="text"><code>pip3 install -U --user oletools</code></pre>
+<p><strong>New in v0.54:</strong> To enable the decryption of encrypted documents, you also need to install the msoffcrypto-tool package:</p>
+<pre class="text"><code>pip install -U msoffcrypto-tool</code></pre>
 <p><strong>Important</strong>: Since version 0.50, pip will automatically create convenient command-line scripts to run all the oletools from any directory: olevba, mraptor, oleid, rtfobj, etc.</p>
 <h2 id="how-to-install-the-latest-development-version">How to install the latest development version</h2>
 <p>If you want to benefit from the latest improvements in the development version, you may also use pip:</p>
 <h3 id="linux-mac-osx-unix-1">Linux, Mac OSX, Unix</h3>
 <pre class="text"><code>sudo -H pip install -U https://github.com/decalage2/oletools/archive/master.zip</code></pre>
+<p>Replace <code>pip</code> by <code>pip3</code> or <code>pip2</code> to install on a specific Python version.</p>
+<p><strong>New in v0.54:</strong> To enable the decryption of encrypted documents, you also need to install the msoffcrypto-tool package:</p>
+<pre class="text"><code>sudo -H pip install -U msoffcrypto-tool</code></pre>
 <h3 id="windows-1">Windows</h3>
 <pre class="text"><code>pip install -U https://github.com/decalage2/oletools/archive/master.zip</code></pre>
+<p>Replace <code>pip</code> by <code>pip3</code> or <code>pip2</code> to install on a specific Python version.</p>
+<p><strong>Note</strong>: with Python 3, you may need to open a cmd window with Administrator privileges in order to run pip and install for all users. If that is not possible, you may also install only for the current user by adding the <code>--user</code> option:</p>
+<pre class="text"><code>pip3 install -U --user https://github.com/decalage2/oletools/archive/master.zip</code></pre>
+<p><strong>New in v0.54:</strong> To enable the decryption of encrypted documents, you also need to install the msoffcrypto-tool package:</p>
+<pre class="text"><code>pip install -U msoffcrypto-tool</code></pre>
 <h2 id="how-to-install-offline---computer-without-internet-access">How to install offline - Computer without Internet access</h2>
-<p>First, download the oletools archive on a computer with Internet access: * Latest stable version: from https://github.com/decalage2/oletools/releases * Development version: https://github.com/decalage2/oletools/archive/master.zip</p>
+<p>First, download the oletools archive on a computer with Internet access: * Latest stable version: from https://pypi.org/project/oletools/ or https://github.com/decalage2/oletools/releases * Development version: https://github.com/decalage2/oletools/archive/master.zip</p>
 <p>Copy the archive file to the target computer.</p>
 <p>On Linux, Mac OSX, Unix, run the following command using the filename of the archive that you downloaded:</p>
 <pre class="text"><code>sudo -H pip install -U oletools.zip</code></pre>
-How to Download and Install python-oletools
-===========================================
+How to Download and Install oletools
+====================================
  
 Pre-requisites
 --------------
  
-The recommended Python version to run oletools is **Python 2.7**.
-Python 2.6 is also supported, but as it is not tested as often as 2.7, some features
-might not work as expected.
-
-Since oletools v0.50, thanks to contributions by [@Sebdraven](https://twitter.com/Sebdraven),
-most tools can also run with **Python 3.x**. As this is quite new, please
-[report any issue]((https://github.com/decalage2/oletools/issues)) you may encounter.
-
-
+The recommended Python version to run oletools is the latest **Python 3.x** (3.7 for now). 
+Python 2.7 is still supported, but as it will become end of life in 2020 (see https://pythonclock.org/), it is highly
+recommended to switch to Python 3 now.
  
 Recommended way to Download+Install/Update oletools: pip
 --------------------------------------------------------
@@ -29,6 +23,14 @@ run the following command in a shell:
 sudo -H pip install -U oletools
 ```
  
+Replace `pip` by `pip3` or `pip2` to install on a specific Python version.
+
+**New in v0.54:** To enable the decryption of encrypted documents, you also need to install the msoffcrypto-tool package:
+```text
+sudo -H pip install -U msoffcrypto-tool
+```
+
+
 **Important**: Since version 0.50, pip will automatically create convenient command-line scripts
 in /usr/local/bin to run all the oletools from any directory.
  
@@ -41,6 +43,21 @@ run the following command in a cmd window:
 pip install -U oletools
 ```
  
+Replace `pip` by `pip3` or `pip2` to install on a specific Python version.
+
+**Note**: with Python 3, you may need to open a cmd window with Administrator privileges in order to run pip 
+and install for all users. If that is not possible, you may also install only for the current user 
+by adding the `--user` option:
+
+```text
+pip3 install -U --user oletools
+```
+
+**New in v0.54:** To enable the decryption of encrypted documents, you also need to install the msoffcrypto-tool package:
+```text
+pip install -U msoffcrypto-tool
+```
+
 **Important**: Since version 0.50, pip will automatically create convenient command-line scripts
 to run all the oletools from any directory: olevba, mraptor, oleid, rtfobj, etc.
  
@@ -57,17 +74,40 @@ you may also use pip:
 sudo -H pip install -U https://github.com/decalage2/oletools/archive/master.zip
 ```
  
+Replace `pip` by `pip3` or `pip2` to install on a specific Python version.
+
+**New in v0.54:** To enable the decryption of encrypted documents, you also need to install the msoffcrypto-tool package:
+```text
+sudo -H pip install -U msoffcrypto-tool
+```
+
 ### Windows
  
 ```text
 pip install -U https://github.com/decalage2/oletools/archive/master.zip
 ```
  
+Replace `pip` by `pip3` or `pip2` to install on a specific Python version.
+
+**Note**: with Python 3, you may need to open a cmd window with Administrator privileges in order to run pip 
+and install for all users. If that is not possible, you may also install only for the current user 
+by adding the `--user` option:
+
+```text
+pip3 install -U --user https://github.com/decalage2/oletools/archive/master.zip
+```
+
+**New in v0.54:** To enable the decryption of encrypted documents, you also need to install the msoffcrypto-tool package:
+```text
+pip install -U msoffcrypto-tool
+```
+
+
 How to install offline - Computer without Internet access
 ---------------------------------------------------------
  
 First, download the oletools archive on a computer with Internet access:
-* Latest stable version: from https://github.com/decalage2/oletools/releases
+* Latest stable version: from https://pypi.org/project/oletools/ or https://github.com/decalage2/oletools/releases
 * Development version: https://github.com/decalage2/oletools/archive/master.zip
  
 Copy the archive file to the target computer.
@@ -18,7 +18,7 @@
 <body>
 <h1 id="license-for-python-oletools">License for python-oletools</h1>
 <p>This license applies to the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package, apart from the thirdparty folder which contains third-party files published with their own license.</p>
-<p>The python-oletools package is copyright (c) 2012-2018 Philippe Lagadec (<a href="http://www.decalage.info" class="uri">http://www.decalage.info</a>)</p>
+<p>The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec (<a href="http://www.decalage.info" class="uri">http://www.decalage.info</a>)</p>
 <p>All rights reserved.</p>
 <p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:</p>
 <ul>
@@ -4,7 +4,7 @@ License for python-oletools
 This license applies to the [python-oletools](http://www.decalage.info/python/oletools) package, apart from the 
 thirdparty folder which contains third-party files published with their own license.
  
-The python-oletools package is copyright (c) 2012-2018 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info))
+The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info))
  
 All rights reserved.
  
@@ -24,7 +24,7 @@
 <p>mraptor can be used either as a command-line tool, or as a python module from your own applications.</p>
 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
 <h2 id="usage">Usage</h2>
-<pre class="text"><code>Usage: mraptor.py [options] &lt;filename&gt; [filename2 ...]
+<pre class="text"><code>Usage: mraptor [options] &lt;filename&gt; [filename2 ...]
  
 Options:
   -h, --help            show this help message and exit
@@ -49,15 +49,15 @@ An exit code is returned based on the analysis result:
  - 20: SUSPICIOUS</code></pre>
 <h3 id="examples">Examples</h3>
 <p>Scan a single file:</p>
-<pre class="text"><code>mraptor.py file.doc</code></pre>
+<pre class="text"><code>mraptor file.doc</code></pre>
 <p>Scan a single file, stored in a Zip archive with password “infected”:</p>
-<pre class="text"><code>mraptor.py malicious_file.xls.zip -z infected</code></pre>
+<pre class="text"><code>mraptor malicious_file.xls.zip -z infected</code></pre>
 <p>Scan a collection of files stored in a folder:</p>
-<pre class="text"><code>mraptor.py &quot;MalwareZoo/VBA/*&quot;</code></pre>
+<pre class="text"><code>mraptor &quot;MalwareZoo/VBA/*&quot;</code></pre>
 <p><strong>Important</strong>: on Linux/MacOSX, always add double quotes around a file name when you use wildcards such as <code>*</code> and <code>?</code>. Otherwise, the shell may replace the argument with the actual list of files matching the wildcards before starting the script.</p>
 <p><img src="mraptor1.png" /></p>
 <h2 id="python-3-support---mraptor3">Python 3 support - mraptor3</h2>
-<p>As of v0.50, mraptor has been ported to Python 3 thanks to <span class="citation" data-cites="sebdraven">@sebdraven</span>. However, the differences between Python 2 and 3 are significant and for now there is a separate version of mraptor named mraptor3 to be used with Python 3.</p>
+<p>Since v0.54, mraptor is fully compatible with both Python 2 and 3. There is no need to use mraptor3 anymore, however it is still present for backward compatibility.</p>
 <hr />
 <h2 id="how-to-use-mraptor-in-python-applications">How to use mraptor in Python applications</h2>
 <p>TODO</p>
@@ -24,7 +24,7 @@ It is part of the [python-oletools](http://www.decalage.info/python/oletools) pa
 ## Usage
  
 ```text
-Usage: mraptor.py [options] <filename> [filename2 ...]
+Usage: mraptor [options] <filename> [filename2 ...]
  
 Options:
   -h, --help            show this help message and exit
@@ -54,19 +54,19 @@ An exit code is returned based on the analysis result:
 Scan a single file:
  
 ```text
-mraptor.py file.doc
+mraptor file.doc
 ```
  
 Scan a single file, stored in a Zip archive with password "infected":
  
 ```text
-mraptor.py malicious_file.xls.zip -z infected
+mraptor malicious_file.xls.zip -z infected
 ```
  
 Scan a collection of files stored in a folder:
  
 ```text
-mraptor.py "MalwareZoo/VBA/*"
+mraptor "MalwareZoo/VBA/*"
 ```
  
 **Important**: on Linux/MacOSX, always add double quotes around a file name when you use
@@ -77,10 +77,8 @@ list of files matching the wildcards before starting the script.
  
 ## Python 3 support - mraptor3
  
-As of v0.50, mraptor has been ported to Python 3 thanks to @sebdraven.
-However, the differences between Python 2 and 3 are significant and for now
-there is a separate version of mraptor named mraptor3 to be used with
-Python 3.
+Since v0.54, mraptor is fully compatible with both Python 2 and 3.
+There is no need to use mraptor3 anymore, however it is still present for backward compatibility.
  
  
 --------------------------------------------------------------------------
@@ -26,7 +26,7 @@
 <p>And for Python 3:</p>
 <pre><code>sudo apt-get install python3-tk</code></pre>
 <h2 id="usage">Usage</h2>
-<pre><code>olebrowse.py [file]</code></pre>
+<pre><code>olebrowse [file]</code></pre>
 <p>If you provide a file it will be opened, else a dialog will allow you to browse folders to open a file. Then if it is a valid OLE file, the list of data streams will be displayed. You can select a stream, and then either view its content in a builtin hexadecimal viewer, or save it to a file for further analysis.</p>
 <h2 id="screenshots">Screenshots</h2>
 <p>Main menu, showing all streams in the OLE file:</p>
@@ -30,9 +30,9 @@ sudo apt-get install python3-tk
  
 Usage
 -----
-
-	olebrowse.py [file]
-
+```
+olebrowse [file]
+```
 If you provide a file it will be opened, else a dialog will allow you to browse
 folders to open a file. Then if it is a valid OLE file, the list of data streams
 will be displayed. You can select a stream, and then either view its content
@@ -21,10 +21,21 @@
 <p>It can be used either as a command-line tool, or as a python module from your own applications.</p>
 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
 <h2 id="usage">Usage</h2>
-<pre class="text"><code>Usage: oledir.py &lt;filename&gt;</code></pre>
+<pre class="text"><code>Usage: oledir [options] &lt;filename&gt; [filename2 ...]
+
+Options:
+  -h, --help            show this help message and exit
+  -r                    find files recursively in subdirectories.
+  -z ZIP_PASSWORD, --zip=ZIP_PASSWORD
+                        if the file is a zip archive, open all files from it,
+                        using the provided password (requires Python 2.6+)
+  -f ZIP_FNAME, --zipfname=ZIP_FNAME
+                        if the file is a zip archive, file(s) to be opened
+                        within the zip. Wildcards * and ? are supported.
+                        (default:*)</code></pre>
 <h3 id="examples">Examples</h3>
 <p>Scan a single file:</p>
-<pre class="text"><code>oledir.py file.doc</code></pre>
+<pre class="text"><code>oledir file.doc</code></pre>
 <p><img src="oledir.png" /></p>
 <hr />
 <h2 id="how-to-use-oledir-in-python-applications">How to use oledir in Python applications</h2>
@@ -11,7 +11,18 @@ It is part of the [python-oletools](http://www.decalage.info/python/oletools) pa
 ## Usage
  
 ```text
-Usage: oledir.py <filename>
+Usage: oledir [options] <filename> [filename2 ...]
+
+Options:
+  -h, --help            show this help message and exit
+  -r                    find files recursively in subdirectories.
+  -z ZIP_PASSWORD, --zip=ZIP_PASSWORD
+                        if the file is a zip archive, open all files from it,
+                        using the provided password (requires Python 2.6+)
+  -f ZIP_FNAME, --zipfname=ZIP_FNAME
+                        if the file is a zip archive, file(s) to be opened
+                        within the zip. Wildcards * and ? are supported.
+                        (default:*)
 ```
  
 ### Examples
@@ -19,7 +30,7 @@ Usage: oledir.py &lt;filename&gt;
 Scan a single file:
  
 ```text
-oledir.py file.doc
+oledir file.doc
 ```
  
 ![](oledir.png)
@@ -107,10 +107,10 @@ code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warni
 <li>CSV output</li>
 </ul>
 <h2 id="usage">Usage</h2>
-<pre class="text"><code>oleid.py &lt;file&gt;</code></pre>
+<pre class="text"><code>oleid &lt;file&gt;</code></pre>
 <h3 id="example">Example</h3>
 <p>Analyzing a Word document containing a Flash object and VBA macros:</p>
-<pre class="text"><code>C:\oletools&gt;oleid.py word_flash_vba.doc
+<pre class="text"><code>C:\oletools&gt;oleid word_flash_vba.doc
  
 Filename: word_flash_vba.doc
 +-------------------------------+-----------------------+
@@ -32,7 +32,7 @@ Planned improvements:
 ## Usage
  
 ```text
-oleid.py <file>
+oleid <file>
 ```
  
 ### Example 
@@ -40,7 +40,7 @@ oleid.py &lt;file&gt;
 Analyzing a Word document containing a Flash object and VBA macros:
  
 ```text
-C:\oletools>oleid.py word_flash_vba.doc
+C:\oletools>oleid word_flash_vba.doc
  
 Filename: word_flash_vba.doc
 +-------------------------------+-----------------------+
@@ -21,10 +21,10 @@
 <p>It can be used either as a command-line tool, or as a python module from your own applications.</p>
 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
 <h2 id="usage">Usage</h2>
-<pre class="text"><code>Usage: olemap.py &lt;filename&gt;</code></pre>
+<pre class="text"><code>Usage: olemap &lt;filename&gt;</code></pre>
 <h3 id="examples">Examples</h3>
 <p>Scan a single file:</p>
-<pre class="text"><code>olemap.py file.doc</code></pre>
+<pre class="text"><code>olemap file.doc</code></pre>
 <p><img src="olemap1.png" /></p>
 <p><img src="olemap2.png" /></p>
 <hr />
@@ -10,7 +10,7 @@ It is part of the [python-oletools](http://www.decalage.info/python/oletools) pa
 ## Usage
  
 ```text
-Usage: olemap.py <filename>
+Usage: olemap <filename>
 ```
  
 ### Examples
@@ -18,7 +18,7 @@ Usage: olemap.py &lt;filename&gt;
 Scan a single file:
  
 ```text
-olemap.py file.doc
+olemap file.doc
 ```
  
 ![](olemap1.png)
@@ -20,7 +20,7 @@
 <p>olemeta is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract all standard properties present in the OLE file.</p>
 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
 <h2 id="usage">Usage</h2>
-<pre class="text"><code>olemeta.py &lt;file&gt;</code></pre>
+<pre class="text"><code>olemeta &lt;file&gt;</code></pre>
 <h3 id="example">Example</h3>
 <p><img src="olemeta1.png" /></p>
 <h2 id="how-to-use-olemeta-in-python-applications">How to use olemeta in Python applications</h2>
@@ -9,7 +9,7 @@ It is part of the [python-oletools](http://www.decalage.info/python/oletools) pa
 ## Usage
  
 ```text
-olemeta.py <file>
+olemeta <file>
 ```
  
 ### Example
@@ -20,10 +20,10 @@
 <p>oletimes is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract creation and modification times of all streams and storages in the OLE file.</p>
 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
 <h2 id="usage">Usage</h2>
-<pre class="text"><code>oletimes.py &lt;file&gt;</code></pre>
+<pre class="text"><code>oletimes &lt;file&gt;</code></pre>
 <h3 id="example">Example</h3>
 <p>Checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
-<pre class="text"><code>&gt;oletimes.py DIAN_caso-5415.doc
+<pre class="text"><code>&gt;oletimes DIAN_caso-5415.doc
  
 +----------------------------+---------------------+---------------------+
 | Stream/Storage name        | Modification Time   | Creation Time       |
@@ -10,7 +10,7 @@ It is part of the [python-oletools](http://www.decalage.info/python/oletools) pa
 ## Usage
  
 ```text
-oletimes.py <file>
+oletimes <file>
 ```
  
 ### Example
@@ -18,7 +18,7 @@ oletimes.py &lt;file&gt;
 Checking the malware sample [DIAN_caso-5415.doc](https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/):
  
 ```text
->oletimes.py DIAN_caso-5415.doc
+>oletimes DIAN_caso-5415.doc
  
 +----------------------------+---------------------+---------------------+
 | Stream/Storage name        | Modification Time   | Creation Time       |
@@ -127,56 +127,65 @@ code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warni
 <li>olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc).</li>
 </ol>
 <h2 id="usage">Usage</h2>
-<pre class="text"><code>Usage: olevba.py [options] &lt;filename&gt; [filename2 ...]
-    
+<pre class="text"><code>Usage: olevba [options] &lt;filename&gt; [filename2 ...]
+
 Options:
   -h, --help            show this help message and exit
   -r                    find files recursively in subdirectories.
   -z ZIP_PASSWORD, --zip=ZIP_PASSWORD
                         if the file is a zip archive, open all files from it,
-                        using the provided password (requires Python 2.6+)
+                        using the provided password.
+  -p PASSWORD, --password=PASSWORD
+                        if encrypted office files are encountered, try
+                        decryption with this password. May be repeated.
   -f ZIP_FNAME, --zipfname=ZIP_FNAME
                         if the file is a zip archive, file(s) to be opened
                         within the zip. Wildcards * and ? are supported.
                         (default:*)
-  -t, --triage          triage mode, display results as a summary table
-                        (default for multiple files)
-  -d, --detailed        detailed mode, display full results (default for
-                        single file)
   -a, --analysis        display only analysis results, not the macro source
                         code
   -c, --code            display only VBA source code, do not analyze it
-  -i INPUT, --input=INPUT
-                        input file containing VBA source code to be analyzed
-                        (no parsing)
   --decode              display all the obfuscated strings with their decoded
                         content (Hex, Base64, StrReverse, Dridex, VBA).
   --attr                display the attribute lines at the beginning of VBA
                         source code
   --reveal              display the macro source code after replacing all the
-                        obfuscated strings by their decoded content.</code></pre>
+                        obfuscated strings by their decoded content.
+  -l LOGLEVEL, --loglevel=LOGLEVEL
+                        logging level debug/info/warning/error/critical
+                        (default=warning)
+  --deobf               Attempt to deobfuscate VBA expressions (slow)
+  --relaxed             Do not raise errors if opening of substream fails
+
+  Output mode (mutually exclusive):
+    -t, --triage        triage mode, display results as a summary table
+                        (default for multiple files)
+    -d, --detailed      detailed mode, display full results (default for
+                        single file)
+    -j, --json          json mode, detailed in json format (never default)</code></pre>
+<p><strong>New in v0.54:</strong> the -p option can now be used to decrypt encrypted documents using the provided password(s).</p>
 <h3 id="examples">Examples</h3>
 <p>Scan a single file:</p>
-<pre class="text"><code>olevba.py file.doc</code></pre>
+<pre class="text"><code>olevba file.doc</code></pre>
 <p>Scan a single file, stored in a Zip archive with password “infected”:</p>
-<pre class="text"><code>olevba.py malicious_file.xls.zip -z infected</code></pre>
+<pre class="text"><code>olevba malicious_file.xls.zip -z infected</code></pre>
 <p>Scan a single file, showing all obfuscated strings decoded:</p>
-<pre class="text"><code>olevba.py file.doc --decode</code></pre>
+<pre class="text"><code>olevba file.doc --decode</code></pre>
 <p>Scan a single file, showing the macro source code with VBA strings deobfuscated:</p>
-<pre class="text"><code>olevba.py file.doc --reveal</code></pre>
+<pre class="text"><code>olevba file.doc --reveal</code></pre>
 <p>Scan VBA source code extracted into a text file:</p>
-<pre class="text"><code>olevba.py source_code.vba</code></pre>
+<pre class="text"><code>olevba source_code.vba</code></pre>
 <p>Scan a collection of files stored in a folder:</p>
-<pre class="text"><code>olevba.py &quot;MalwareZoo/VBA/*&quot;</code></pre>
+<pre class="text"><code>olevba &quot;MalwareZoo/VBA/*&quot;</code></pre>
 <p>NOTE: On Linux, MacOSX and other Unix variants, it is required to add double quotes around wildcards. Otherwise, they will be expanded by the shell instead of olevba.</p>
 <p>Scan all .doc and .xls files, recursively in all subfolders:</p>
-<pre class="text"><code>olevba.py &quot;MalwareZoo/VBA/*.doc&quot; &quot;MalwareZoo/VBA/*.xls&quot; -r</code></pre>
+<pre class="text"><code>olevba &quot;MalwareZoo/VBA/*.doc&quot; &quot;MalwareZoo/VBA/*.xls&quot; -r</code></pre>
 <p>Scan all .doc files within all .zip files with password, recursively:</p>
-<pre class="text"><code>olevba.py &quot;MalwareZoo/VBA/*.zip&quot; -r -z infected -f &quot;*.doc&quot;</code></pre>
+<pre class="text"><code>olevba &quot;MalwareZoo/VBA/*.zip&quot; -r -z infected -f &quot;*.doc&quot;</code></pre>
 <h3 id="detailed-analysis-mode-default-for-single-file">Detailed analysis mode (default for single file)</h3>
 <p>When a single file is scanned, or when using the option -d, all details of the analysis are displayed.</p>
 <p>For example, checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
-<pre class="text"><code>&gt;olevba.py c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip -z infected
+<pre class="text"><code>&gt;olevba c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip -z infected
 ===============================================================================
 FILE: DIAN_caso-5415.doc.malware in c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip
 Type: OLE
@@ -246,7 +255,7 @@ ANALYSIS:
 <li><strong>V</strong>: VBA string expressions (potential obfuscation)</li>
 </ul>
 <p>Here is an example:</p>
-<pre class="text"><code>c:\&gt;olevba.py \MalwareZoo\VBA\samples\*
+<pre class="text"><code>c:\&gt;olevba \MalwareZoo\VBA\samples\*
 Flags       Filename
 ----------- -----------------------------------------------------------------
 OLE:MASI--- \MalwareZoo\VBA\samples\DIAN_caso-5415.doc.malware
@@ -266,7 +275,7 @@ OpX:MASI--- \MalwareZoo\VBA\samples\RottenKitten.xlsb.malware
 OLE:MASI-B- \MalwareZoo\VBA\samples\ROVNIX.doc.malware
 OLE:MA----- \MalwareZoo\VBA\samples\Word within Word macro auto.doc</code></pre>
 <h2 id="python-3-support---olevba3">Python 3 support - olevba3</h2>
-<p>As of v0.50, olevba has been ported to Python 3 thanks to <span class="citation" data-cites="sebdraven">@sebdraven</span>. However, the differences between Python 2 and 3 are significant and for now there is a separate version of olevba named olevba3 to be used with Python 3.</p>
+<p>Since v0.54, olevba is fully compatible with both Python 2 and 3. There is no need to use olevba3 anymore, however it is still present for backward compatibility.</p>
 <hr />
 <h2 id="how-to-use-olevba-in-python-applications">How to use olevba in Python applications</h2>
 <p>olevba may be used to open a MS Office file, detect if it contains VBA macros, extract and analyze the VBA source code from your own python applications.</p>
@@ -67,85 +67,95 @@ and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, 
 ## Usage
  
 ```text
-Usage: olevba.py [options] <filename> [filename2 ...]
-    
+Usage: olevba [options] <filename> [filename2 ...]
+
 Options:
   -h, --help            show this help message and exit
   -r                    find files recursively in subdirectories.
   -z ZIP_PASSWORD, --zip=ZIP_PASSWORD
                         if the file is a zip archive, open all files from it,
-                        using the provided password (requires Python 2.6+)
+                        using the provided password.
+  -p PASSWORD, --password=PASSWORD
+                        if encrypted office files are encountered, try
+                        decryption with this password. May be repeated.
   -f ZIP_FNAME, --zipfname=ZIP_FNAME
                         if the file is a zip archive, file(s) to be opened
                         within the zip. Wildcards * and ? are supported.
                         (default:*)
-  -t, --triage          triage mode, display results as a summary table
-                        (default for multiple files)
-  -d, --detailed        detailed mode, display full results (default for
-                        single file)
   -a, --analysis        display only analysis results, not the macro source
                         code
   -c, --code            display only VBA source code, do not analyze it
-  -i INPUT, --input=INPUT
-                        input file containing VBA source code to be analyzed
-                        (no parsing)
   --decode              display all the obfuscated strings with their decoded
                         content (Hex, Base64, StrReverse, Dridex, VBA).
   --attr                display the attribute lines at the beginning of VBA
                         source code
   --reveal              display the macro source code after replacing all the
                         obfuscated strings by their decoded content.
+  -l LOGLEVEL, --loglevel=LOGLEVEL
+                        logging level debug/info/warning/error/critical
+                        (default=warning)
+  --deobf               Attempt to deobfuscate VBA expressions (slow)
+  --relaxed             Do not raise errors if opening of substream fails
+
+  Output mode (mutually exclusive):
+    -t, --triage        triage mode, display results as a summary table
+                        (default for multiple files)
+    -d, --detailed      detailed mode, display full results (default for
+                        single file)
+    -j, --json          json mode, detailed in json format (never default)
 ```
  
+**New in v0.54:** the -p option can now be used to decrypt encrypted documents using the provided password(s).
+
 ### Examples
  
 Scan a single file:
  
 ```text
-olevba.py file.doc
+olevba file.doc
 ```
  
 Scan a single file, stored in a Zip archive with password "infected":
  
 ```text
-olevba.py malicious_file.xls.zip -z infected
+olevba malicious_file.xls.zip -z infected
 ```
  
 Scan a single file, showing all obfuscated strings decoded:
  
 ```text
-olevba.py file.doc --decode
+olevba file.doc --decode
 ```
  
 Scan a single file, showing the macro source code with VBA strings deobfuscated:
  
 ```text
-olevba.py file.doc --reveal
+olevba file.doc --reveal
 ```
  
 Scan VBA source code extracted into a text file:
  
 ```text
-olevba.py source_code.vba
+olevba source_code.vba
 ```
  
 Scan a collection of files stored in a folder:
  
 ```text
-olevba.py "MalwareZoo/VBA/*"
+olevba "MalwareZoo/VBA/*"
 ```
 NOTE: On Linux, MacOSX and other Unix variants, it is required to add double quotes around wildcards. Otherwise, they will be expanded by the shell instead of olevba.
  
 Scan all .doc and .xls files, recursively in all subfolders:
  
 ```text
-olevba.py "MalwareZoo/VBA/*.doc" "MalwareZoo/VBA/*.xls" -r
+olevba "MalwareZoo/VBA/*.doc" "MalwareZoo/VBA/*.xls" -r
 ```
  
 Scan all .doc files within all .zip files with password, recursively:
  
 ```text
-olevba.py "MalwareZoo/VBA/*.zip" -r -z infected -f "*.doc"
+olevba "MalwareZoo/VBA/*.zip" -r -z infected -f "*.doc"
 ```
  
  
@@ -156,7 +166,7 @@ When a single file is scanned, or when using the option -d, all details of the a
 For example, checking the malware sample [DIAN_caso-5415.doc](https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/):
  
 ```text
->olevba.py c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip -z infected
+>olevba c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip -z infected
 ===============================================================================
 FILE: DIAN_caso-5415.doc.malware in c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip
 Type: OLE
@@ -233,7 +243,7 @@ The following flags show the results of the analysis:
 Here is an example:
  
 ```text
-c:\>olevba.py \MalwareZoo\VBA\samples\*
+c:\>olevba \MalwareZoo\VBA\samples\*
 Flags       Filename
 ----------- -----------------------------------------------------------------
 OLE:MASI--- \MalwareZoo\VBA\samples\DIAN_caso-5415.doc.malware
@@ -256,10 +266,9 @@ OLE:MA----- \MalwareZoo\VBA\samples\Word within Word macro auto.doc
  
 ## Python 3 support - olevba3
  
-As of v0.50, olevba has been ported to Python 3 thanks to @sebdraven.
-However, the differences between Python 2 and 3 are significant and for now
-there is a separate version of olevba named olevba3 to be used with
-Python 3.
+Since v0.54, olevba is fully compatible with both Python 2 and 3.
+There is no need to use olevba3 anymore, however it is still present for backward compatibility.
+
  
 --------------------------------------------------------------------------
  
@@ -24,7 +24,7 @@
 <p>It can also extract Flash objects from RTF documents, by parsing embedded objects encoded in hexadecimal format (-f option).</p>
 <p>For this, simply add the -o option to work on OLE streams rather than raw files, or the -f option to work on RTF files.</p>
 <h2 id="usage">Usage</h2>
-<pre class="text"><code>Usage: pyxswf.py [options] &lt;file.bad&gt;
+<pre class="text"><code>Usage: pyxswf [options] &lt;file.bad&gt;
  
 Options:
   -o, --ole             Parse an OLE file (e.g. Word, Excel) to look for SWF
@@ -46,18 +46,18 @@ Options:
                         contain SWFs. Must provide path in quotes
   -c, --compress        Compresses the SWF using Zlib</code></pre>
 <h3 id="example-1---detecting-and-extracting-a-swf-file-from-a-word-document-on-windows">Example 1 - detecting and extracting a SWF file from a Word document on Windows:</h3>
-<pre class="text"><code>C:\oletools&gt;pyxswf.py -o word_flash.doc
+<pre class="text"><code>C:\oletools&gt;pyxswf -o word_flash.doc
 OLE stream: &#39;Contents&#39;
 [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
         [ADDR] SWF 1 at 0x8  - FWS Header
  
-C:\oletools&gt;pyxswf.py -xo word_flash.doc
+C:\oletools&gt;pyxswf -xo word_flash.doc
 OLE stream: &#39;Contents&#39;
 [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
         [ADDR] SWF 1 at 0x8  - FWS Header
                 [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf</code></pre>
 <h3 id="example-2---detecting-and-extracting-a-swf-file-from-a-rtf-document-on-windows">Example 2 - detecting and extracting a SWF file from a RTF document on Windows:</h3>
-<pre class="text"><code>C:\oletools&gt;pyxswf.py -xf &quot;rtf_flash.rtf&quot;
+<pre class="text"><code>C:\oletools&gt;pyxswf -xf &quot;rtf_flash.rtf&quot;
 RTF embedded object size 1498557 at index 000036DD
 [SUMMARY] 1 SWF(s) in MD5:46a110548007e04f4043785ac4184558:RTF_embedded_object_0
 00036DD
@@ -21,7 +21,7 @@ For this, simply add the -o option to work on OLE streams rather than raw files,
 ## Usage
  
 ```text
-Usage: pyxswf.py [options] <file.bad>
+Usage: pyxswf [options] <file.bad>
  
 Options:
   -o, --ole             Parse an OLE file (e.g. Word, Excel) to look for SWF
@@ -47,12 +47,12 @@ Options:
 ### Example 1 - detecting and extracting a SWF file from a Word document on Windows:
  
 ```text
-C:\oletools>pyxswf.py -o word_flash.doc
+C:\oletools>pyxswf -o word_flash.doc
 OLE stream: 'Contents'
 [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
         [ADDR] SWF 1 at 0x8  - FWS Header
  
-C:\oletools>pyxswf.py -xo word_flash.doc
+C:\oletools>pyxswf -xo word_flash.doc
 OLE stream: 'Contents'
 [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
         [ADDR] SWF 1 at 0x8  - FWS Header
@@ -62,7 +62,7 @@ OLE stream: &#39;Contents&#39;
 ### Example 2 - detecting and extracting a SWF file from a RTF document on Windows:
  
 ```text
-C:\oletools>pyxswf.py -xf "rtf_flash.rtf"
+C:\oletools>pyxswf -xf "rtf_flash.rtf"
 RTF embedded object size 1498557 at index 000036DD
 [SUMMARY] 1 SWF(s) in MD5:46a110548007e04f4043785ac4184558:RTF_embedded_object_0
 00036DD