updated doc for oletools 0.44

Philippe Lagadec
1 parent e707b49e
Showing 24 changed files with 1321 additions and 1609 deletions
README.md
oletools/README.html
oletools/doc/Contribute.html
oletools/doc/Contribute.md
oletools/doc/Home.html
oletools/doc/Home.md
oletools/doc/Install.html
oletools/doc/Install.md
oletools/doc/License.html
oletools/doc/License.md
oletools/doc/olebrowse.html
oletools/doc/olebrowse.md
oletools/doc/oleid.html
oletools/doc/oleid.md
oletools/doc/olemeta.html
oletools/doc/olemeta.md
oletools/doc/oletimes.html
oletools/doc/oletimes.md
oletools/doc/olevba.html
oletools/doc/olevba.md
-python-oletools
-===============
-
-[python-oletools](http://www.decalage.info/python/oletools) is a package of python tools to analyze 
-[Microsoft OLE2 files](http://en.wikipedia.org/wiki/Compound_File_Binary_Format) 
-(also called Structured Storage, Compound File Binary Format or Compound Document File Format), 
-such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. 
-It is based on the [olefile](http://www.decalage.info/olefile) parser. 
-See [http://www.decalage.info/python/oletools](http://www.decalage.info/python/oletools) for more info.  
-
-**Quick links:** 
-[Home page](http://www.decalage.info/python/oletools) - 
-[Download/Install](https://bitbucket.org/decalage/oletools/wiki/Install) - 
-[Documentation](https://bitbucket.org/decalage/oletools/wiki) - 
-[Report Issues/Suggestions/Questions](https://bitbucket.org/decalage/oletools/issues?status=new&status=open) - 
-[Contact the Author](http://decalage.info/contact) - 
-[Repository](https://bitbucket.org/decalage/oletools) - 
-[Updates on Twitter](https://twitter.com/decalage2)
-
-Note: python-oletools is not related to OLETools published by BeCubed Software.
-
-News
-----
-
-- **2016-03-11 v0.44**: improved [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba)
-to extract and analyse strings from VBA Forms.
-- 2016-03-04 v0.43: added new tool MacroRaptor (mraptor) to detect malicious macros, bugfix
-and slight improvements in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba).
-- 2016-02-07 v0.42: added two new tools oledir and olemap, better handling of malformed
-files and several bugfixes in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba),
-improved display for [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta).
-- 2015-09-22 v0.41: added new --reveal option to [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba),
-to show the macro code with VBA strings deobfuscated.
-- 2015-09-17 v0.40: Improved macro deobfuscation in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba),
-to decode Hex and Base64 within VBA expressions. Display printable deobfuscated strings by 
-default. Improved the VBA_Parser API. Improved performance. 
-Fixed [issue #23](https://bitbucket.org/decalage/oletools/issue/23) with sys.stderr.
-- 2015-06-19 v0.12: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now deobfuscate VBA 
-expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &, using a VBA parser built with
-[pyparsing](http://pyparsing.wikispaces.com). New options to display only the analysis results or only the macros source code. 
-The analysis is now done on all the VBA modules at once.
-- 2015-05-29 v0.11: Improved parsing of MHTML and ActiveMime/MSO files in 
-[olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), added several suspicious keywords to VBA scanner
-(thanks to @ozhermit and Davy Douhine for the suggestions) 
-- 2015-05-06 v0.10: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word MHTML files
-with macros, aka "Single File Web Page" (.mht) - see [issue #10](https://bitbucket.org/decalage/oletools/issue/10) for more info
-- 2015-03-23 v0.09: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word 2003 XML files,
-added anti-sandboxing/VM detection
-- 2015-02-08 v0.08: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now decode strings 
-obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western
-codepages with olefile 0.42, improved API and display, several bugfixes.
-- 2015-01-05 v0.07: improved [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) to detect suspicious 
-keywords and IOCs in VBA macros, can now scan several files and open password-protected zip archives, added a Python API,
-upgraded OleFileIO_PL to olefile v0.41
-- 2014-08-28 v0.06: added [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), a new tool to extract VBA Macro 
-source code from MS Office documents (97-2003 and 2007+). Improved [documentation](https://bitbucket.org/decalage/oletools/wiki)
-- 2013-07-24 v0.05: added new tools [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta) and 
-[oletimes](https://bitbucket.org/decalage/oletools/wiki/oletimes)
-- 2013-04-18 v0.04: fixed bug in rtfobj, added documentation for [rtfobj](https://bitbucket.org/decalage/oletools/wiki/rtfobj)
-- 2012-11-09 v0.03: Improved [pyxswf](https://bitbucket.org/decalage/oletools/wiki/pyxswf) to extract Flash objects from RTF
-- 2012-10-29 v0.02: Added [oleid](https://bitbucket.org/decalage/oletools/wiki/oleid)
-- 2012-10-09 v0.01: Initial version of [olebrowse](https://bitbucket.org/decalage/oletools/wiki/olebrowse) and pyxswf
-- see changelog in source code for more info.
-
-
-Tools in python-oletools:
--------------------------
-
-- [olebrowse](https://bitbucket.org/decalage/oletools/wiki/olebrowse): A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to
-  view and extract individual data streams.
-- [oleid](https://bitbucket.org/decalage/oletools/wiki/oleid): to analyze OLE files to detect specific characteristics usually found in malicious files.
-- [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta): to extract all standard properties (metadata) from OLE files.
-- [oletimes](https://bitbucket.org/decalage/oletools/wiki/oletimes): to extract creation and modification timestamps of all streams and storages.
-- [oledir](https://bitbucket.org/decalage/oletools/wiki/oledir): to display all the directory entries of an OLE file, including free and orphaned entries.
-- [olemap](https://bitbucket.org/decalage/oletools/wiki/olemap): to display a map of all the sectors in an OLE file.
-- [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba): to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).
-- [MacroRaptor](https://bitbucket.org/decalage/oletools/wiki/mraptor): to detect malicious VBA Macros
-- [pyxswf](https://bitbucket.org/decalage/oletools/wiki/pyxswf): to detect, extract and analyze Flash objects (SWF) that may
-  be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF,
-  which is especially useful for malware analysis.
-- [oleobj](https://bitbucket.org/decalage/oletools/wiki/oleobj): to extract embedded objects from OLE files.
-- [rtfobj](https://bitbucket.org/decalage/oletools/wiki/rtfobj): to extract embedded objects from RTF files.
-- and a few others (coming soon)
-
-Download and Install:
----------------------
-
-To use python-oletools from the command line as analysis tools, you may simply 
-[download the zip archive](https://bitbucket.org/decalage/oletools/downloads) 
-and extract the files in the directory of your choice.
-
-To get the latest development version, click on "Download repository" on the 
-[downloads page](https://bitbucket.org/decalage/oletools/downloads), or use mercurial to clone the repository.
-
-If you plan to use python-oletools with other Python applications or your own scripts, then the simplest solution is to 
-use "**pip install oletools**" or "**easy_install oletools**" to download and install in one go. Otherwise you may 
-download/extract the zip archive and run "**setup.py install**". 
-
-**Important: to update oletools** if it is already installed, you must run **"pip install -U oletools"**, otherwise pip
-will not update it.
-
-Documentation:
---------------
-
-The latest version of the documentation can be found [online](https://bitbucket.org/decalage/oletools/wiki), otherwise 
-a copy is provided in the doc subfolder of the package.
-
-
-How to Suggest Improvements, Report Issues or Contribute:
----------------------------------------------------------
-
-This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug 
-report is welcome.
-
-To suggest improvements, report a bug or any issue, please use the 
-[issue reporting page](https://bitbucket.org/decalage/olefileio_pl/issues?status=new&status=open), providing all the 
-information and files to reproduce the problem. 
-
-You may also [contact the author](http://decalage.info/contact) directly to provide feedback.
-
-The code is available in [a Mercurial repository on Bitbucket](https://bitbucket.org/decalage/oletools). You may use it 
-to submit enhancements using forks and pull requests.
-
-License
--------
-
-This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files 
-published with their own license.
-
-The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec (http://www.decalage.info)
-
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
- * Redistributions of source code must retain the above copyright notice, this
-   list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above copyright notice,
-   this list of conditions and the following disclaimer in the documentation
-   and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-
-----------
-
-olevba contains modified source code from the officeparser project, published
-under the following MIT License (MIT):
-
-officeparser is copyright (c) 2014 John William Davison
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+python-oletools
+===============
+
+[python-oletools](http://www.decalage.info/python/oletools) is a package of python tools to analyze 
+[Microsoft OLE2 files](http://en.wikipedia.org/wiki/Compound_File_Binary_Format) 
+(also called Structured Storage, Compound File Binary Format or Compound Document File Format), 
+such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. 
+It is based on the [olefile](http://www.decalage.info/olefile) parser. 
+See [http://www.decalage.info/python/oletools](http://www.decalage.info/python/oletools) for more info.  
+
+**Quick links:** 
+[Home page](http://www.decalage.info/python/oletools) - 
+[Download/Install](https://bitbucket.org/decalage/oletools/wiki/Install) - 
+[Documentation](https://bitbucket.org/decalage/oletools/wiki) - 
+[Report Issues/Suggestions/Questions](https://bitbucket.org/decalage/oletools/issues?status=new&status=open) - 
+[Contact the Author](http://decalage.info/contact) - 
+[Repository](https://bitbucket.org/decalage/oletools) - 
+[Updates on Twitter](https://twitter.com/decalage2)
+
+Note: python-oletools is not related to OLETools published by BeCubed Software.
+
+News
+----
+
+- **2016-03-11 v0.44**: improved [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba)
+to extract and analyse strings from VBA Forms.
+- 2016-03-04 v0.43: added new tool MacroRaptor (mraptor) to detect malicious macros, bugfix
+and slight improvements in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba).
+- 2016-02-07 v0.42: added two new tools oledir and olemap, better handling of malformed
+files and several bugfixes in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba),
+improved display for [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta).
+- 2015-09-22 v0.41: added new --reveal option to [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba),
+to show the macro code with VBA strings deobfuscated.
+- 2015-09-17 v0.40: Improved macro deobfuscation in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba),
+to decode Hex and Base64 within VBA expressions. Display printable deobfuscated strings by 
+default. Improved the VBA_Parser API. Improved performance. 
+Fixed [issue #23](https://bitbucket.org/decalage/oletools/issue/23) with sys.stderr.
+- 2015-06-19 v0.12: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now deobfuscate VBA 
+expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &, using a VBA parser built with
+[pyparsing](http://pyparsing.wikispaces.com). New options to display only the analysis results or only the macros source code. 
+The analysis is now done on all the VBA modules at once.
+- 2015-05-29 v0.11: Improved parsing of MHTML and ActiveMime/MSO files in 
+[olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), added several suspicious keywords to VBA scanner
+(thanks to @ozhermit and Davy Douhine for the suggestions) 
+- 2015-05-06 v0.10: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word MHTML files
+with macros, aka "Single File Web Page" (.mht) - see [issue #10](https://bitbucket.org/decalage/oletools/issue/10) for more info
+- 2015-03-23 v0.09: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word 2003 XML files,
+added anti-sandboxing/VM detection
+- 2015-02-08 v0.08: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now decode strings 
+obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western
+codepages with olefile 0.42, improved API and display, several bugfixes.
+- 2015-01-05 v0.07: improved [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) to detect suspicious 
+keywords and IOCs in VBA macros, can now scan several files and open password-protected zip archives, added a Python API,
+upgraded OleFileIO_PL to olefile v0.41
+- 2014-08-28 v0.06: added [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), a new tool to extract VBA Macro 
+source code from MS Office documents (97-2003 and 2007+). Improved [documentation](https://bitbucket.org/decalage/oletools/wiki)
+- 2013-07-24 v0.05: added new tools [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta) and 
+[oletimes](https://bitbucket.org/decalage/oletools/wiki/oletimes)
+- 2013-04-18 v0.04: fixed bug in rtfobj, added documentation for [rtfobj](https://bitbucket.org/decalage/oletools/wiki/rtfobj)
+- 2012-11-09 v0.03: Improved [pyxswf](https://bitbucket.org/decalage/oletools/wiki/pyxswf) to extract Flash objects from RTF
+- 2012-10-29 v0.02: Added [oleid](https://bitbucket.org/decalage/oletools/wiki/oleid)
+- 2012-10-09 v0.01: Initial version of [olebrowse](https://bitbucket.org/decalage/oletools/wiki/olebrowse) and pyxswf
+- see changelog in source code for more info.
+
+
+Tools in python-oletools:
+-------------------------
+
+- [olebrowse](https://bitbucket.org/decalage/oletools/wiki/olebrowse): A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to
+  view and extract individual data streams.
+- [oleid](https://bitbucket.org/decalage/oletools/wiki/oleid): to analyze OLE files to detect specific characteristics usually found in malicious files.
+- [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta): to extract all standard properties (metadata) from OLE files.
+- [oletimes](https://bitbucket.org/decalage/oletools/wiki/oletimes): to extract creation and modification timestamps of all streams and storages.
+- [oledir](https://bitbucket.org/decalage/oletools/wiki/oledir): to display all the directory entries of an OLE file, including free and orphaned entries.
+- [olemap](https://bitbucket.org/decalage/oletools/wiki/olemap): to display a map of all the sectors in an OLE file.
+- [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba): to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).
+- [MacroRaptor](https://bitbucket.org/decalage/oletools/wiki/mraptor): to detect malicious VBA Macros
+- [pyxswf](https://bitbucket.org/decalage/oletools/wiki/pyxswf): to detect, extract and analyze Flash objects (SWF) that may
+  be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF,
+  which is especially useful for malware analysis.
+- [oleobj](https://bitbucket.org/decalage/oletools/wiki/oleobj): to extract embedded objects from OLE files.
+- [rtfobj](https://bitbucket.org/decalage/oletools/wiki/rtfobj): to extract embedded objects from RTF files.
+- and a few others (coming soon)
+
+Download and Install:
+---------------------
+
+To use python-oletools from the command line as analysis tools, you may simply 
+[download the zip archive](https://bitbucket.org/decalage/oletools/downloads) 
+and extract the files in the directory of your choice.
+
+To get the latest development version, click on "Download repository" on the 
+[downloads page](https://bitbucket.org/decalage/oletools/downloads), or use mercurial to clone the repository.
+
+If you plan to use python-oletools with other Python applications or your own scripts, then the simplest solution is to 
+use "**pip install oletools**" or "**easy_install oletools**" to download and install in one go. Otherwise you may 
+download/extract the zip archive and run "**setup.py install**". 
+
+**Important: to update oletools** if it is already installed, you must run **"pip install -U oletools"**, otherwise pip
+will not update it.
+
+Documentation:
+--------------
+
+The latest version of the documentation can be found [online](https://bitbucket.org/decalage/oletools/wiki), otherwise 
+a copy is provided in the doc subfolder of the package.
+
+
+How to Suggest Improvements, Report Issues or Contribute:
+---------------------------------------------------------
+
+This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug 
+report is welcome.
+
+To suggest improvements, report a bug or any issue, please use the 
+[issue reporting page](https://bitbucket.org/decalage/olefileio_pl/issues?status=new&status=open), providing all the 
+information and files to reproduce the problem. 
+
+You may also [contact the author](http://decalage.info/contact) directly to provide feedback.
+
+The code is available in [a Mercurial repository on Bitbucket](https://bitbucket.org/decalage/oletools). You may use it 
+to submit enhancements using forks and pull requests.
+
+License
+-------
+
+This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files 
+published with their own license.
+
+The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec (http://www.decalage.info)
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+----------
+
+olevba contains modified source code from the officeparser project, published
+under the following MIT License (MIT):
+
+officeparser is copyright (c) 2014 John William Davison
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+  <meta http-equiv="Content-Style-Type" content="text/css" />
+  <meta name="generator" content="pandoc" />
+  <title></title>
+  <style type="text/css">code{white-space: pre;}</style>
+</head>
+<body>
 <h1 id="python-oletools">python-oletools</h1>
 <p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools">http://www.decalage.info/python/oletools</a> for more info.</p>
 <p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://bitbucket.org/decalage/oletools/wiki/Install">Download/Install</a> - <a href="https://bitbucket.org/decalage/oletools/wiki">Documentation</a> - <a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the Author</a> - <a href="https://bitbucket.org/decalage/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
@@ -66,3 +76,5 @@
 <p>Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the &quot;Software&quot;), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:</p>
 <p>The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.</p>
 <p>THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</p>
+</body>
+</html>
-<p>How to Suggest Improvements, Report Issues or Contribute</p>
-<p>========================================================</p>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+  <meta http-equiv="Content-Style-Type" content="text/css" />
+  <meta name="generator" content="pandoc" />
+  <title></title>
+  <style type="text/css">code{white-space: pre;}</style>
+</head>
+<body>
+<h1 id="how-to-suggest-improvements-report-issues-or-contribute">How to Suggest Improvements, Report Issues or Contribute</h1>
 <p>This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug report is welcome.</p>
-<p>To <strong>suggest improvements, report a bug or any issue</strong>, please use the <a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">issue reporting page</a>,</p>
-<p>providing all the information and files to reproduce the problem.</p>
+<p>To <strong>suggest improvements, report a bug or any issue</strong>, please use the <a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">issue reporting page</a>, providing all the information and files to reproduce the problem.</p>
 <p>You may also <a href="http://decalage.info/contact">contact the author</a> directly to <strong>provide feedback</strong>.</p>
-<p>The code is available in <a href="https://bitbucket.org/decalage/oletools">a Mercurial repository on Bitbucket</a>.</p>
-<p>You may use it to <strong>submit enhancements</strong> using forks and pull requests.</p>
-<hr />
-<p>python-oletools documentation</p>
+<p>The code is available in <a href="https://bitbucket.org/decalage/oletools">a Mercurial repository on Bitbucket</a>. You may use it to <strong>submit enhancements</strong> using forks and pull requests.</p>
 <hr />
+<h2 id="python-oletools-documentation">python-oletools documentation</h2>
 <ul>
-<li><p><a href="Home.html">Home</a></p></li>
-<li><p><a href="License.html">License</a></p></li>
-<li><p><a href="Install.html">Install</a></p></li>
-<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
-<li><p>Tools:</p>
+<li><a href="Home.html">Home</a></li>
+<li><a href="License.html">License</a></li>
+<li><a href="Install.html">Install</a></li>
+<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
+<li>Tools:
 <ul>
-<li><p><a href="olebrowse.html">olebrowse</a></p></li>
-<li><p><a href="oleid.html">oleid</a></p></li>
-<li><p><a href="olemeta.html">olemeta</a></p></li>
-<li><p><a href="oletimes.html">oletimes</a></p></li>
-<li><p><a href="olevba.html">olevba</a></p></li>
-<li><p><a href="pyxswf.html">pyxswf</a></p></li>
-<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+<li><a href="olebrowse.html">olebrowse</a></li>
+<li><a href="oleid.html">oleid</a></li>
+<li><a href="olemeta.html">olemeta</a></li>
+<li><a href="oletimes.html">oletimes</a></li>
+<li><a href="oledir.html">oledir</a></li>
+<li><a href="olemap.html">olemap</a></li>
+<li><a href="olevba.html">olevba</a></li>
+<li><a href="mraptor.html">mraptor</a></li>
+<li><a href="pyxswf.html">pyxswf</a></li>
+<li><a href="oleobj.html">oleobj</a></li>
+<li><a href="rtfobj.html">rtfobj</a></li>
 </ul></li>
 </ul>
+</body>
+</html>
@@ -25,6 +25,10 @@ python-oletools documentation
 	- [[oleid]]
 	- [[olemeta]]
 	- [[oletimes]]
+	- [[oledir]]
+	- [[olemap]]
 	- [[olevba]]
+	- [[mraptor]]
 	- [[pyxswf]]
-	- [[rtfobj]] 
 \ No newline at end of file
+	- [[oleobj]]
+	- [[rtfobj]]
-<p>python-oletools v0.41 documentation</p>
-<p>===================================</p>
-<p>This is the home page of the documentation for python-oletools. The latest version can be found</p>
-<p><a href="https://bitbucket.org/decalage/oletools/wiki">online</a>, otherwise a copy is provided in the doc subfolder of the package.</p>
-<p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze</p>
-<p><a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a></p>
-<p>(also called Structured Storage, Compound File Binary Format or Compound Document File Format),</p>
-<p>such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging.</p>
-<p>It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser.</p>
-<p>See <a href="http://www.decalage.info/python/oletools">http://www.decalage.info/python/oletools</a> for more info.</p>
-<p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> -</p>
-<p><a href="https://bitbucket.org/decalage/oletools/wiki/Install">Download/Install</a> -</p>
-<p><a href="https://bitbucket.org/decalage/oletools/wiki">Documentation</a> -</p>
-<p><a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">Report Issues/Suggestions/Questions</a> -</p>
-<p><a href="http://decalage.info/contact">Contact the author</a> -</p>
-<p><a href="https://bitbucket.org/decalage/oletools">Repository</a> -</p>
-<p><a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+  <meta http-equiv="Content-Style-Type" content="text/css" />
+  <meta name="generator" content="pandoc" />
+  <title></title>
+  <style type="text/css">code{white-space: pre;}</style>
+</head>
+<body>
+<h1 id="python-oletools-v0.44-documentation">python-oletools v0.44 documentation</h1>
+<p>This is the home page of the documentation for python-oletools. The latest version can be found <a href="https://bitbucket.org/decalage/oletools/wiki">online</a>, otherwise a copy is provided in the doc subfolder of the package.</p>
+<p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools">http://www.decalage.info/python/oletools</a> for more info.</p>
+<p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://bitbucket.org/decalage/oletools/wiki/Install">Download/Install</a> - <a href="https://bitbucket.org/decalage/oletools/wiki">Documentation</a> - <a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the author</a> - <a href="https://bitbucket.org/decalage/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
 <p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p>
-<p>Tools in python-oletools:</p>
-<hr />
-<ul>
-<li><strong><a href="olebrowse.html">olebrowse</a></strong>: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to</li>
-</ul>
-<p>view and extract individual data streams.</p>
+<h2 id="tools-in-python-oletools">Tools in python-oletools:</h2>
 <ul>
-<li><p><strong><a href="oleid.html">oleid</a></strong>: a tool to analyze OLE files to detect specific characteristics usually found in malicious files.</p></li>
-<li><p><strong><a href="olemeta.html">olemeta</a></strong>: a tool to extract all standard properties (metadata) from OLE files.</p></li>
-<li><p><strong><a href="oletimes.html">oletimes</a></strong>: a tool to extract creation and modification timestamps of all streams and storages.</p></li>
-<li><p><strong><a href="olevba.html">olevba</a></strong>: a tool to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).</p></li>
-<li><p><strong><a href="pyxswf.html">pyxswf</a></strong>: a tool to detect, extract and analyze Flash objects (SWF) that may</p></li>
+<li><strong><a href="olebrowse.html">olebrowse</a></strong>: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.</li>
+<li><strong><a href="oleid.html">oleid</a></strong>: to analyze OLE files to detect specific characteristics usually found in malicious files.</li>
+<li><strong><a href="olemeta.html">olemeta</a></strong>: to extract all standard properties (metadata) from OLE files.</li>
+<li><strong><a href="oletimes.html">oletimes</a></strong>: to extract creation and modification timestamps of all streams and storages.</li>
+<li><strong><a href="oledir.html">oledir</a></strong>: to display all the directory entries of an OLE file, including free and orphaned entries.</li>
+<li><strong><a href="olemap.html">olemap</a></strong>: to display a map of all the sectors in an OLE file.</li>
+<li><strong><a href="olevba.html">olevba</a></strong>: to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).</li>
+<li><strong><a href="mraptor.html">mraptor</a></strong>: to detect malicious VBA Macros</li>
+<li><strong><a href="pyxswf.html">pyxswf</a></strong>: to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis.</li>
+<li><strong><a href="oleobj.html">oleobj</a></strong>: to extract embedded objects from OLE files.</li>
+<li><strong><a href="rtfobj.html">rtfobj</a></strong>: to extract embedded objects from RTF files.</li>
+<li>and a few others (coming soon)</li>
 </ul>
-<p>be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF,</p>
-<p>which is especially useful for malware analysis.</p>
-<ul>
-<li><p><strong><a href="rtfobj.html">rtfobj</a></strong>: a tool and python module to extract embedded objects from RTF files.</p></li>
-<li><p>and a few others (coming soon)</p></li>
-</ul>
-<hr />
-<p>python-oletools documentation</p>
 <hr />
+<h2 id="python-oletools-documentation">python-oletools documentation</h2>
 <ul>
-<li><p><a href="Home.html">Home</a></p></li>
-<li><p><a href="License.html">License</a></p></li>
-<li><p><a href="Install.html">Install</a></p></li>
-<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
-<li><p>Tools:</p>
+<li><a href="Home.html">Home</a></li>
+<li><a href="License.html">License</a></li>
+<li><a href="Install.html">Install</a></li>
+<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
+<li>Tools:
 <ul>
-<li><p><a href="olebrowse.html">olebrowse</a></p></li>
-<li><p><a href="oleid.html">oleid</a></p></li>
-<li><p><a href="olemeta.html">olemeta</a></p></li>
-<li><p><a href="oletimes.html">oletimes</a></p></li>
-<li><p><a href="olevba.html">olevba</a></p></li>
-<li><p><a href="pyxswf.html">pyxswf</a></p></li>
-<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+<li><a href="olebrowse.html">olebrowse</a></li>
+<li><a href="oleid.html">oleid</a></li>
+<li><a href="olemeta.html">olemeta</a></li>
+<li><a href="oletimes.html">oletimes</a></li>
+<li><a href="oledir.html">oledir</a></li>
+<li><a href="olemap.html">olemap</a></li>
+<li><a href="olevba.html">olevba</a></li>
+<li><a href="mraptor.html">mraptor</a></li>
+<li><a href="pyxswf.html">pyxswf</a></li>
+<li><a href="oleobj.html">oleobj</a></li>
+<li><a href="rtfobj.html">rtfobj</a></li>
 </ul></li>
 </ul>
+</body>
+</html>
-python-oletools v0.41 documentation
-===================================
-
-This is the home page of the documentation for python-oletools. The latest version can be found 
-[online](https://bitbucket.org/decalage/oletools/wiki), otherwise a copy is provided in the doc subfolder of the package.
-
-[python-oletools](http://www.decalage.info/python/oletools) is a package of python tools to analyze 
-[Microsoft OLE2 files](http://en.wikipedia.org/wiki/Compound_File_Binary_Format)
-(also called Structured Storage, Compound File Binary Format or Compound Document File Format), 
-such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. 
-It is based on the [olefile](http://www.decalage.info/olefile) parser. 
-See [http://www.decalage.info/python/oletools](http://www.decalage.info/python/oletools) for more info.  
-
-**Quick links:** [Home page](http://www.decalage.info/python/oletools) - 
-[Download/Install](https://bitbucket.org/decalage/oletools/wiki/Install) - 
-[Documentation](https://bitbucket.org/decalage/oletools/wiki) - 
-[Report Issues/Suggestions/Questions](https://bitbucket.org/decalage/oletools/issues?status=new&status=open) - 
-[Contact the author](http://decalage.info/contact) - 
-[Repository](https://bitbucket.org/decalage/oletools) - 
-[Updates on Twitter](https://twitter.com/decalage2)
-
-Note: python-oletools is not related to OLETools published by BeCubed Software.
-
-Tools in python-oletools:
--------------------------
-
-- **[[olebrowse]]**: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to
-  view and extract individual data streams.
-- **[[oleid]]**: a tool to analyze OLE files to detect specific characteristics usually found in malicious files.
-- **[[olemeta]]**: a tool to extract all standard properties (metadata) from OLE files.
-- **[[oletimes]]**: a tool to extract creation and modification timestamps of all streams and storages.
-- **[[olevba]]**: a tool to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).
-- **[[pyxswf]]**: a tool to detect, extract and analyze Flash objects (SWF) that may
-  be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF,
-  which is especially useful for malware analysis.
-- **[[rtfobj]]**: a tool and python module to extract embedded objects from RTF files.
-- and a few others (coming soon)
-
---------------------------------------------------------------------------
-
-python-oletools documentation
------------------------------
-
-- [[Home]]
-- [[License]]
-- [[Install]]
-- [[Contribute]], Suggest Improvements or Report Issues
-- Tools:
-	- [[olebrowse]]
-	- [[oleid]]
-	- [[olemeta]]
-	- [[oletimes]]
-	- [[olevba]]
-	- [[pyxswf]]
-	- [[rtfobj]] 
 \ No newline at end of file
+python-oletools v0.44 documentation
+===================================
+
+This is the home page of the documentation for python-oletools. The latest version can be found 
+[online](https://bitbucket.org/decalage/oletools/wiki), otherwise a copy is provided in the doc subfolder of the package.
+
+[python-oletools](http://www.decalage.info/python/oletools) is a package of python tools to analyze 
+[Microsoft OLE2 files](http://en.wikipedia.org/wiki/Compound_File_Binary_Format)
+(also called Structured Storage, Compound File Binary Format or Compound Document File Format), 
+such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. 
+It is based on the [olefile](http://www.decalage.info/olefile) parser. 
+See [http://www.decalage.info/python/oletools](http://www.decalage.info/python/oletools) for more info.  
+
+**Quick links:** [Home page](http://www.decalage.info/python/oletools) - 
+[Download/Install](https://bitbucket.org/decalage/oletools/wiki/Install) - 
+[Documentation](https://bitbucket.org/decalage/oletools/wiki) - 
+[Report Issues/Suggestions/Questions](https://bitbucket.org/decalage/oletools/issues?status=new&status=open) - 
+[Contact the author](http://decalage.info/contact) - 
+[Repository](https://bitbucket.org/decalage/oletools) - 
+[Updates on Twitter](https://twitter.com/decalage2)
+
+Note: python-oletools is not related to OLETools published by BeCubed Software.
+
+Tools in python-oletools:
+-------------------------
+
+- **[[olebrowse]]**: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to
+  view and extract individual data streams.
+- **[[oleid]]**: to analyze OLE files to detect specific characteristics usually found in malicious files.
+- **[[olemeta]]**: to extract all standard properties (metadata) from OLE files.
+- **[[oletimes]]**: to extract creation and modification timestamps of all streams and storages.
+- **[[oledir]]**: to display all the directory entries of an OLE file, including free and orphaned entries.
+- **[[olemap]]**: to display a map of all the sectors in an OLE file.
+- **[[olevba]]**: to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).
+- **[[mraptor]]**: to detect malicious VBA Macros
+- **[[pyxswf]]**: to detect, extract and analyze Flash objects (SWF) that may
+  be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF,
+  which is especially useful for malware analysis.
+- **[[oleobj]]**: to extract embedded objects from OLE files.
+- **[[rtfobj]]**: to extract embedded objects from RTF files.
+- and a few others (coming soon)
+
+--------------------------------------------------------------------------
+
+python-oletools documentation
+-----------------------------
+
+- [[Home]]
+- [[License]]
+- [[Install]]
+- [[Contribute]], Suggest Improvements or Report Issues
+- Tools:
+	- [[olebrowse]]
+	- [[oleid]]
+	- [[olemeta]]
+	- [[oletimes]]
+	- [[oledir]]
+	- [[olemap]]
+	- [[olevba]]
+	- [[mraptor]]
+	- [[pyxswf]]
+	- [[oleobj]]
+	- [[rtfobj]]
-<p>How to Download and Install python-oletools</p>
-<p>===========================================</p>
-<p>Pre-requisites</p>
-<hr />
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+  <meta http-equiv="Content-Style-Type" content="text/css" />
+  <meta name="generator" content="pandoc" />
+  <title></title>
+  <style type="text/css">code{white-space: pre;}</style>
+</head>
+<body>
+<h1 id="how-to-download-and-install-python-oletools">How to Download and Install python-oletools</h1>
+<h2 id="pre-requisites">Pre-requisites</h2>
 <p>For now, python-oletools require <strong>Python 2.x</strong>, if possible 2.7 or 2.6 to enable all features.</p>
 <p>They are not compatible with Python 3.x yet. (Please contact me if that is a strong requirement)</p>
-<p>To use oletools as command-line tools</p>
-<hr />
-<p>To use python-oletools from the command line as analysis tools, you may simply</p>
-<p><a href="https://bitbucket.org/decalage/oletools/downloads">download the zip archive</a></p>
-<p>and extract the files into the directory of your choice. Pick the latest release version, or click on</p>
-<p><strong>&quot;Download Repository&quot;</strong> to get the latest development version with the most recent features.</p>
-<p>Another possibility is to use a Mercurial client (hg) to clone the repository into a folder. You can then update it easily</p>
-<p>in the future.</p>
+<h2 id="to-use-oletools-as-command-line-tools">To use oletools as command-line tools</h2>
+<p>To use python-oletools from the command line as analysis tools, you may simply <a href="https://bitbucket.org/decalage/oletools/downloads">download the zip archive</a> and extract the files into the directory of your choice. Pick the latest release version, or click on <strong>&quot;Download Repository&quot;</strong> to get the latest development version with the most recent features.</p>
+<p>Another possibility is to use a Mercurial client (hg) to clone the repository into a folder. You can then update it easily in the future.</p>
 <h3 id="windows">Windows</h3>
 <p>You may add the oletools directory to your PATH environment variable to access the tools from anywhere.</p>
 <h3 id="linux-mac-osx-unix">Linux, Mac OSX, Unix</h3>
-<p>It is very convenient to create symbolic links to each tool in one of the bin directories in order to run them as shell</p>
-<p>commands from anywhere. For example, here is how to create an executable link &quot;olevba&quot; in /usr/local/bin pointing to</p>
-<p>olevba.py, assuming oletools was unzipped into /opt/oletools:</p>
+<p>It is very convenient to create symbolic links to each tool in one of the bin directories in order to run them as shell commands from anywhere. For example, here is how to create an executable link &quot;olevba&quot; in /usr/local/bin pointing to olevba.py, assuming oletools was unzipped into /opt/oletools:</p>
 <pre><code>chmod +x /opt/oletools/oletools/olevba.py
-
 ln -s /opt/oletools/oletools/olevba.py /usr/local/bin/olevba</code></pre>
 <p>Then the olevba command can be used from any directory:</p>
 <pre><code>user@remnux:~/MalwareZoo/VBA$ olevba dridex427.xls |less</code></pre>
-<p>For python applications</p>
-<hr />
-<p>If you plan to use python-oletools with other Python applications or your own scripts, the simplest solution is to use</p>
-<p><strong>&quot;pip install oletools&quot;</strong> or <strong>&quot;easy_install oletools&quot;</strong> to download and install the package in one go. Pip is included</p>
-<p>with Python since version 2.7.9.</p>
-<p><strong>Important: to update oletools</strong> if it is already installed, you must run <strong>&quot;pip install -U oletools&quot;</strong>, otherwise pip</p>
-<p>will not update it.</p>
-<p>Alternatively if you prefer the old school way, you may download the</p>
-<p><a href="https://bitbucket.org/decalage/oletools/downloads">zip archive</a>, extract it into</p>
-<p>a temporary directory and run <strong>&quot;python setup.py install&quot;</strong>.</p>
-<hr />
-<p>python-oletools documentation</p>
+<h2 id="for-python-applications">For python applications</h2>
+<p>If you plan to use python-oletools with other Python applications or your own scripts, the simplest solution is to use <strong>&quot;pip install oletools&quot;</strong> or <strong>&quot;easy_install oletools&quot;</strong> to download and install the package in one go. Pip is included with Python since version 2.7.9.</p>
+<p><strong>Important: to update oletools</strong> if it is already installed, you must run <strong>&quot;pip install -U oletools&quot;</strong>, otherwise pip will not update it.</p>
+<p>Alternatively if you prefer the old school way, you may download the <a href="https://bitbucket.org/decalage/oletools/downloads">zip archive</a>, extract it into a temporary directory and run <strong>&quot;python setup.py install&quot;</strong>.</p>
 <hr />
+<h2 id="python-oletools-documentation">python-oletools documentation</h2>
 <ul>
-<li><p><a href="Home.html">Home</a></p></li>
-<li><p><a href="License.html">License</a></p></li>
-<li><p><a href="Install.html">Install</a></p></li>
-<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
-<li><p>Tools:</p>
+<li><a href="Home.html">Home</a></li>
+<li><a href="License.html">License</a></li>
+<li><a href="Install.html">Install</a></li>
+<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
+<li>Tools:
 <ul>
-<li><p><a href="olebrowse.html">olebrowse</a></p></li>
-<li><p><a href="oleid.html">oleid</a></p></li>
-<li><p><a href="olemeta.html">olemeta</a></p></li>
-<li><p><a href="oletimes.html">oletimes</a></p></li>
-<li><p><a href="olevba.html">olevba</a></p></li>
-<li><p><a href="pyxswf.html">pyxswf</a></p></li>
-<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+<li><a href="olebrowse.html">olebrowse</a></li>
+<li><a href="oleid.html">oleid</a></li>
+<li><a href="olemeta.html">olemeta</a></li>
+<li><a href="oletimes.html">oletimes</a></li>
+<li><a href="oledir.html">oledir</a></li>
+<li><a href="olemap.html">olemap</a></li>
+<li><a href="olevba.html">olevba</a></li>
+<li><a href="mraptor.html">mraptor</a></li>
+<li><a href="pyxswf.html">pyxswf</a></li>
+<li><a href="oleobj.html">oleobj</a></li>
+<li><a href="rtfobj.html">rtfobj</a></li>
 </ul></li>
 </ul>
+</body>
+</html>
@@ -68,6 +68,10 @@ python-oletools documentation
 	- [[oleid]]
 	- [[olemeta]]
 	- [[oletimes]]
+	- [[oledir]]
+	- [[olemap]]
 	- [[olevba]]
+	- [[mraptor]]
 	- [[pyxswf]]
-	- [[rtfobj]] 
 \ No newline at end of file
+	- [[oleobj]]
+	- [[rtfobj]]
-<p>License for python-oletools</p>
-<p>===========================</p>
-<p>This license applies to the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package, apart from the</p>
-<p>thirdparty folder which contains third-party files published with their own license.</p>
-<p>The python-oletools package is copyright (c) 2012-2015 Philippe Lagadec (<a href="http://www.decalage.info">http://www.decalage.info</a>)</p>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+  <meta http-equiv="Content-Style-Type" content="text/css" />
+  <meta name="generator" content="pandoc" />
+  <title></title>
+  <style type="text/css">code{white-space: pre;}</style>
+</head>
+<body>
+<h1 id="license-for-python-oletools">License for python-oletools</h1>
+<p>This license applies to the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package, apart from the thirdparty folder which contains third-party files published with their own license.</p>
+<p>The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec (<a href="http://www.decalage.info">http://www.decalage.info</a>)</p>
 <p>All rights reserved.</p>
-<p>Redistribution and use in source and binary forms, with or without modification,</p>
-<p>are permitted provided that the following conditions are met:</p>
+<p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:</p>
 <ul>
-<li>Redistributions of source code must retain the above copyright notice, this</li>
+<li>Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.</li>
+<li>Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.</li>
 </ul>
-<p>list of conditions and the following disclaimer.</p>
-<ul>
-<li>Redistributions in binary form must reproduce the above copyright notice,</li>
-</ul>
-<p>this list of conditions and the following disclaimer in the documentation</p>
-<p>and/or other materials provided with the distribution.</p>
-<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS &quot;AS IS&quot; AND</p>
-<p>ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED</p>
-<p>WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE</p>
-<p>DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE</p>
-<p>FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL</p>
-<p>DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR</p>
-<p>SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER</p>
-<p>CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,</p>
-<p>OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE</p>
-<p>OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</p>
-<hr />
-<p>License for officeparser</p>
-<hr />
-<p>olevba contains modified source code from the <a href="https://github.com/unixfreak0037/officeparser">officeparser</a> project, published</p>
-<p>under the following MIT License (MIT):</p>
+<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS &quot;AS IS&quot; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</p>
+<table>
+<tbody>
+<tr class="odd">
+<td align="left">License for officeparser</td>
+</tr>
+</tbody>
+</table>
+<p>olevba contains modified source code from the <a href="https://github.com/unixfreak0037/officeparser">officeparser</a> project, published under the following MIT License (MIT):</p>
 <p>officeparser is copyright (c) 2014 John William Davison</p>
-<p>Permission is hereby granted, free of charge, to any person obtaining a copy</p>
-<p>of this software and associated documentation files (the &quot;Software&quot;), to deal</p>
-<p>in the Software without restriction, including without limitation the rights</p>
-<p>to use, copy, modify, merge, publish, distribute, sublicense, and/or sell</p>
-<p>copies of the Software, and to permit persons to whom the Software is</p>
-<p>furnished to do so, subject to the following conditions:</p>
-<p>The above copyright notice and this permission notice shall be included in all</p>
-<p>copies or substantial portions of the Software.</p>
-<p>THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR</p>
-<p>IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,</p>
-<p>FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE</p>
-<p>AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER</p>
-<p>LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,</p>
-<p>OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE</p>
-<p>SOFTWARE.</p>
-<hr />
-<p>python-oletools documentation</p>
+<p>Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the &quot;Software&quot;), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:</p>
+<p>The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.</p>
+<p>THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</p>
 <hr />
+<h2 id="python-oletools-documentation">python-oletools documentation</h2>
 <ul>
-<li><p><a href="Home.html">Home</a></p></li>
-<li><p><a href="License.html">License</a></p></li>
-<li><p><a href="Install.html">Install</a></p></li>
-<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
-<li><p>Tools:</p>
+<li><a href="Home.html">Home</a></li>
+<li><a href="License.html">License</a></li>
+<li><a href="Install.html">Install</a></li>
+<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
+<li>Tools:
 <ul>
-<li><p><a href="olebrowse.html">olebrowse</a></p></li>
-<li><p><a href="oleid.html">oleid</a></p></li>
-<li><p><a href="olemeta.html">olemeta</a></p></li>
-<li><p><a href="oletimes.html">oletimes</a></p></li>
-<li><p><a href="olevba.html">olevba</a></p></li>
-<li><p><a href="pyxswf.html">pyxswf</a></p></li>
-<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+<li><a href="olebrowse.html">olebrowse</a></li>
+<li><a href="oleid.html">oleid</a></li>
+<li><a href="olemeta.html">olemeta</a></li>
+<li><a href="oletimes.html">oletimes</a></li>
+<li><a href="oledir.html">oledir</a></li>
+<li><a href="olemap.html">olemap</a></li>
+<li><a href="olevba.html">olevba</a></li>
+<li><a href="mraptor.html">mraptor</a></li>
+<li><a href="pyxswf.html">pyxswf</a></li>
+<li><a href="oleobj.html">oleobj</a></li>
+<li><a href="rtfobj.html">rtfobj</a></li>
 </ul></li>
 </ul>
+</body>
+</html>
@@ -4,7 +4,7 @@ License for python-oletools
 This license applies to the [python-oletools](http://www.decalage.info/python/oletools) package, apart from the 
 thirdparty folder which contains third-party files published with their own license.
  
-The python-oletools package is copyright (c) 2012-2015 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info))
+The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info))
  
 All rights reserved.
  
@@ -70,6 +70,10 @@ python-oletools documentation
 	- [[oleid]]
 	- [[olemeta]]
 	- [[oletimes]]
+	- [[oledir]]
+	- [[olemap]]
 	- [[olevba]]
+	- [[mraptor]]
 	- [[pyxswf]]
-	- [[rtfobj]] 
 \ No newline at end of file
+	- [[oleobj]]
+	- [[rtfobj]]
-<p>olebrowse</p>
-<p>=========</p>
-<p>olebrowse is a simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to</p>
-<p>view and extract individual data streams.</p>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+  <meta http-equiv="Content-Style-Type" content="text/css" />
+  <meta name="generator" content="pandoc" />
+  <title></title>
+  <style type="text/css">code{white-space: pre;}</style>
+</head>
+<body>
+<h1 id="olebrowse">olebrowse</h1>
+<p>olebrowse is a simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.</p>
 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
-<p>Usage</p>
-<hr />
+<h2 id="usage">Usage</h2>
 <pre><code>olebrowse.py [file]</code></pre>
 <p>If you provide a file it will be opened, else a dialog will allow you to browse folders to open a file. Then if it is a valid OLE file, the list of data streams will be displayed. You can select a stream, and then either view its content in a builtin hexadecimal viewer, or save it to a file for further analysis.</p>
-<p>Screenshots</p>
-<hr />
+<h2 id="screenshots">Screenshots</h2>
 <p>Main menu, showing all streams in the OLE file:</p>
 <div class="figure">
 <img src="olebrowse1_menu.png" />
@@ -22,21 +28,26 @@
 <img src="olebrowse3_hexview.png" />
 </div>
 <hr />
-<p>python-oletools documentation</p>
-<hr />
+<h2 id="python-oletools-documentation">python-oletools documentation</h2>
 <ul>
-<li><p><a href="Home.html">Home</a></p></li>
-<li><p><a href="License.html">License</a></p></li>
-<li><p><a href="Install.html">Install</a></p></li>
-<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
-<li><p>Tools:</p>
+<li><a href="Home.html">Home</a></li>
+<li><a href="License.html">License</a></li>
+<li><a href="Install.html">Install</a></li>
+<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
+<li>Tools:
 <ul>
-<li><p><a href="olebrowse.html">olebrowse</a></p></li>
-<li><p><a href="oleid.html">oleid</a></p></li>
-<li><p><a href="olemeta.html">olemeta</a></p></li>
-<li><p><a href="oletimes.html">oletimes</a></p></li>
-<li><p><a href="olevba.html">olevba</a></p></li>
-<li><p><a href="pyxswf.html">pyxswf</a></p></li>
-<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+<li><a href="olebrowse.html">olebrowse</a></li>
+<li><a href="oleid.html">oleid</a></li>
+<li><a href="olemeta.html">olemeta</a></li>
+<li><a href="oletimes.html">oletimes</a></li>
+<li><a href="oledir.html">oledir</a></li>
+<li><a href="olemap.html">olemap</a></li>
+<li><a href="olevba.html">olevba</a></li>
+<li><a href="mraptor.html">mraptor</a></li>
+<li><a href="pyxswf.html">pyxswf</a></li>
+<li><a href="oleobj.html">oleobj</a></li>
+<li><a href="rtfobj.html">rtfobj</a></li>
 </ul></li>
 </ul>
+</body>
+</html>
@@ -42,6 +42,10 @@ python-oletools documentation
 	- [[oleid]]
 	- [[olemeta]]
 	- [[oletimes]]
+	- [[oledir]]
+	- [[olemap]]
 	- [[olevba]]
+	- [[mraptor]]
 	- [[pyxswf]]
-	- [[rtfobj]] 
 \ No newline at end of file
+	- [[oleobj]]
+	- [[rtfobj]]
-<p>oleid</p>
-<p>=====</p>
-<p>oleid is a script to analyze OLE files such as MS Office documents (e.g. Word,</p>
-<p>Excel), to detect specific characteristics usually found in malicious files (e.g. malware).</p>
-<p>For example it can detect VBA macros and embedded Flash objects.</p>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+  <meta http-equiv="Content-Style-Type" content="text/css" />
+  <meta name="generator" content="pandoc" />
+  <title></title>
+  <style type="text/css">code{white-space: pre;}</style>
+</head>
+<body>
+<h1 id="oleid">oleid</h1>
+<p>oleid is a script to analyze OLE files such as MS Office documents (e.g. Word, Excel), to detect specific characteristics usually found in malicious files (e.g. malware). For example it can detect VBA macros and embedded Flash objects.</p>
 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
 <h2 id="main-features">Main Features</h2>
 <ul>
-<li><p>Detect OLE file type from its internal structure (e.g. MS Word, Excel, PowerPoint, ...)</p></li>
-<li><p>Detect VBA Macros</p></li>
-<li><p>Detect embedded Flash objects</p></li>
-<li><p>Detect embedded OLE objects</p></li>
-<li><p>Detect MS Office encryption</p></li>
-<li><p>Can be used as a command-line tool</p></li>
-<li><p>Python API to integrate it in your applications</p></li>
+<li>Detect OLE file type from its internal structure (e.g. MS Word, Excel, PowerPoint, ...)</li>
+<li>Detect VBA Macros</li>
+<li>Detect embedded Flash objects</li>
+<li>Detect embedded OLE objects</li>
+<li>Detect MS Office encryption</li>
+<li>Can be used as a command-line tool</li>
+<li>Python API to integrate it in your applications</li>
 </ul>
 <p>Planned improvements:</p>
 <ul>
-<li><p>Extract the most important metadata fields</p></li>
-<li><p>Support for OpenXML files and embedded OLE files</p></li>
-<li><p>Generic VBA macros detection</p></li>
-<li><p>Detect auto-executable VBA macros</p></li>
-<li><p>Extended OLE file types detection</p></li>
-<li><p>Detect unusual OLE structures (fragmentation, unused sectors, etc)</p></li>
-<li><p>Options to scan multiple files</p></li>
-<li><p>Options to scan files from encrypted zip archives</p></li>
-<li><p>CSV output</p></li>
+<li>Extract the most important metadata fields</li>
+<li>Support for OpenXML files and embedded OLE files</li>
+<li>Generic VBA macros detection</li>
+<li>Detect auto-executable VBA macros</li>
+<li>Extended OLE file types detection</li>
+<li>Detect unusual OLE structures (fragmentation, unused sectors, etc)</li>
+<li>Options to scan multiple files</li>
+<li>Options to scan files from encrypted zip archives</li>
+<li>CSV output</li>
 </ul>
 <h2 id="usage">Usage</h2>
 <pre><code>oleid.py &lt;file&gt;</code></pre>
@@ -32,83 +39,65 @@
 <p>Analyzing a Word document containing a Flash object and VBA macros:</p>
 <pre><code>C:\oletools&gt;oleid.py word_flash_vba.doc
  
-
-
 Filename: word_flash_vba.doc
-
 +-------------------------------+-----------------------+
-
 | Indicator                     | Value                 |
-
 +-------------------------------+-----------------------+
-
 | OLE format                    | True                  |
-
 | Has SummaryInformation stream | True                  |
-
 | Application name              | Microsoft Office Word |
-
 | Encrypted                     | False                 |
-
 | Word Document                 | True                  |
-
 | VBA Macros                    | True                  |
-
 | Excel Workbook                | False                 |
-
 | PowerPoint Presentation       | False                 |
-
 | Visio Drawing                 | False                 |
-
 | ObjectPool                    | True                  |
-
 | Flash objects                 | 1                     |
-
 +-------------------------------+-----------------------+</code></pre>
 <h2 id="how-to-use-oleid-in-your-python-applications">How to use oleid in your Python applications</h2>
 <p>First, import oletools.oleid, and create an <strong>OleID</strong> object to scan a file:</p>
 <pre><code>import oletools.oleid
  
-
-
 oid = oletools.oleid.OleID(filename)</code></pre>
 <p>Note: filename can be a filename, a file-like object, or a bytes string containing the file to be analyzed.</p>
 <p>Second, call the <strong>check()</strong> method. It returns a list of <strong>Indicator</strong> objects.</p>
 <p>Each Indicator object has the following attributes:</p>
 <ul>
-<li><p><strong>id</strong>: str, identifier for the indicator</p></li>
-<li><p><strong>name</strong>: str, name to display the indicator</p></li>
-<li><p><strong>description</strong>: str, long description of the indicator</p></li>
-<li><p><strong>type</strong>: class of the indicator (e.g. bool, str, int)</p></li>
-<li><p><strong>value</strong>: value of the indicator</p></li>
+<li><strong>id</strong>: str, identifier for the indicator</li>
+<li><strong>name</strong>: str, name to display the indicator</li>
+<li><strong>description</strong>: str, long description of the indicator</li>
+<li><strong>type</strong>: class of the indicator (e.g. bool, str, int)</li>
+<li><strong>value</strong>: value of the indicator</li>
 </ul>
 <p>For example, the following code displays all the indicators:</p>
 <pre><code>indicators = oid.check()
-
 for i in indicators:
-
     print &#39;Indicator id=%s name=&quot;%s&quot; type=%s value=%s&#39; % (i.id, i.name, i.type, repr(i.value))
-
     print &#39;description:&#39;, i.description
-
     print &#39;&#39;</code></pre>
 <p>See the source code of oleid.py for more details.</p>
 <hr />
-<p>python-oletools documentation</p>
-<hr />
+<h2 id="python-oletools-documentation">python-oletools documentation</h2>
 <ul>
-<li><p><a href="Home.html">Home</a></p></li>
-<li><p><a href="License.html">License</a></p></li>
-<li><p><a href="Install.html">Install</a></p></li>
-<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
-<li><p>Tools:</p>
+<li><a href="Home.html">Home</a></li>
+<li><a href="License.html">License</a></li>
+<li><a href="Install.html">Install</a></li>
+<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
+<li>Tools:
 <ul>
-<li><p><a href="olebrowse.html">olebrowse</a></p></li>
-<li><p><a href="oleid.html">oleid</a></p></li>
-<li><p><a href="olemeta.html">olemeta</a></p></li>
-<li><p><a href="oletimes.html">oletimes</a></p></li>
-<li><p><a href="olevba.html">olevba</a></p></li>
-<li><p><a href="pyxswf.html">pyxswf</a></p></li>
-<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+<li><a href="olebrowse.html">olebrowse</a></li>
+<li><a href="oleid.html">oleid</a></li>
+<li><a href="olemeta.html">olemeta</a></li>
+<li><a href="oletimes.html">oletimes</a></li>
+<li><a href="oledir.html">oledir</a></li>
+<li><a href="olemap.html">olemap</a></li>
+<li><a href="olevba.html">olevba</a></li>
+<li><a href="mraptor.html">mraptor</a></li>
+<li><a href="pyxswf.html">pyxswf</a></li>
+<li><a href="oleobj.html">oleobj</a></li>
+<li><a href="rtfobj.html">rtfobj</a></li>
 </ul></li>
 </ul>
+</body>
+</html>
@@ -104,6 +104,10 @@ python-oletools documentation
 	- [[oleid]]
 	- [[olemeta]]
 	- [[oletimes]]
+	- [[oledir]]
+	- [[olemap]]
 	- [[olevba]]
+	- [[mraptor]]
 	- [[pyxswf]]
-	- [[rtfobj]] 
 \ No newline at end of file
+	- [[oleobj]]
+	- [[rtfobj]]
-<p>olemeta</p>
-<p>=======</p>
-<p>olemeta is a script to parse OLE files such as MS Office documents (e.g. Word,</p>
-<p>Excel), to extract all standard properties present in the OLE file.</p>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+  <meta http-equiv="Content-Style-Type" content="text/css" />
+  <meta name="generator" content="pandoc" />
+  <title></title>
+  <style type="text/css">code{white-space: pre;}</style>
+</head>
+<body>
+<h1 id="olemeta">olemeta</h1>
+<p>olemeta is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract all standard properties present in the OLE file.</p>
 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
 <h2 id="usage">Usage</h2>
 <pre><code>olemeta.py &lt;file&gt;</code></pre>
 <h3 id="example">Example</h3>
-<p>Checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
-<pre><code>&gt;olemeta.py DIAN_caso-5415.doc
-
-
-
-Properties from SummaryInformation stream:
-
-- codepage: 1252
-
-- title: &#39;Gu\xeda MIPYME para ser emisor electr\xf3nico&#39;
-
-- subject: &#39;&#39;
-
-- author: &#39;OFEyDV&#39;
-
-- keywords: &#39;&#39;
-
-- comments: &#39;&#39;
-
-- template: &#39;Normal.dotm&#39;
-
-- last_saved_by: &#39;clein&#39;
-
-- revision_number: &#39;13&#39;
-
-- total_edit_time: 4800L
-
-- last_printed: datetime.datetime(2006, 6, 7, 14, 4)
-
-- create_time: datetime.datetime(2009, 3, 30, 14, 18)
-
-- last_saved_time: datetime.datetime(2014, 5, 14, 12, 45)
-
-- num_pages: 7
-
-- num_words: 269
-
-- num_chars: 1485
-
-- thumbnail: None
-
-- creating_application: &#39;Microsoft Office Word&#39;
-
-- security: 0
-
-
-
-Properties from DocumentSummaryInformation stream:
-
-- codepage_doc: 1252
-
-- category: None
-
-- presentation_target: None
-
-- bytes: None
-
-- lines: 12
-
-- paragraphs: 3
-
-- slides: None
-
-- notes: None
-
-- hidden_slides: None
-
-- mm_clips: None
-
-- scale_crop: False
-
-- heading_pairs: None
-
-- titles_of_parts: None
-
-- manager: None
-
-- company: &#39;Servicio de Impuestos Internos&#39;
-
-- links_dirty: False
-
-- chars_with_spaces: 1751
-
-- unused: None
-
-- shared_doc: False
-
-- link_base: None
-
-- hlinks: None
-
-- hlinks_changed: False
-
-- version: 786432
-
-- dig_sig: None
-
-- content_type: None
-
-- content_status: None
-
-- language: None
-
-- doc_version: None</code></pre>
+<div class="figure">
+<img src="olemeta1.png" />
+</div>
 <h2 id="how-to-use-olemeta-in-python-applications">How to use olemeta in Python applications</h2>
 <p>TODO</p>
 <hr />
-<p>python-oletools documentation</p>
-<hr />
+<h2 id="python-oletools-documentation">python-oletools documentation</h2>
 <ul>
-<li><p><a href="Home.html">Home</a></p></li>
-<li><p><a href="License.html">License</a></p></li>
-<li><p><a href="Install.html">Install</a></p></li>
-<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
-<li><p>Tools:</p>
+<li><a href="Home.html">Home</a></li>
+<li><a href="License.html">License</a></li>
+<li><a href="Install.html">Install</a></li>
+<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
+<li>Tools:
 <ul>
-<li><p><a href="olebrowse.html">olebrowse</a></p></li>
-<li><p><a href="oleid.html">oleid</a></p></li>
-<li><p><a href="olemeta.html">olemeta</a></p></li>
-<li><p><a href="oletimes.html">oletimes</a></p></li>
-<li><p><a href="olevba.html">olevba</a></p></li>
-<li><p><a href="pyxswf.html">pyxswf</a></p></li>
-<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+<li><a href="olebrowse.html">olebrowse</a></li>
+<li><a href="oleid.html">oleid</a></li>
+<li><a href="olemeta.html">olemeta</a></li>
+<li><a href="oletimes.html">oletimes</a></li>
+<li><a href="oledir.html">oledir</a></li>
+<li><a href="olemap.html">olemap</a></li>
+<li><a href="olevba.html">olevba</a></li>
+<li><a href="mraptor.html">mraptor</a></li>
+<li><a href="pyxswf.html">pyxswf</a></li>
+<li><a href="oleobj.html">oleobj</a></li>
+<li><a href="rtfobj.html">rtfobj</a></li>
 </ul></li>
 </ul>
+</body>
+</html>
@@ -13,61 +13,7 @@ It is part of the [python-oletools](http://www.decalage.info/python/oletools) pa
  
 ### Example
  
-Checking the malware sample [DIAN_caso-5415.doc](https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/):
-
-	:::text
-	>olemeta.py DIAN_caso-5415.doc
-	
-	Properties from SummaryInformation stream:
-	- codepage: 1252
-	- title: 'Gu\xeda MIPYME para ser emisor electr\xf3nico'
-	- subject: ''
-	- author: 'OFEyDV'
-	- keywords: ''
-	- comments: ''
-	- template: 'Normal.dotm'
-	- last_saved_by: 'clein'
-	- revision_number: '13'
-	- total_edit_time: 4800L
-	- last_printed: datetime.datetime(2006, 6, 7, 14, 4)
-	- create_time: datetime.datetime(2009, 3, 30, 14, 18)
-	- last_saved_time: datetime.datetime(2014, 5, 14, 12, 45)
-	- num_pages: 7
-	- num_words: 269
-	- num_chars: 1485
-	- thumbnail: None
-	- creating_application: 'Microsoft Office Word'
-	- security: 0
-	 
-	Properties from DocumentSummaryInformation stream:
-	- codepage_doc: 1252
-	- category: None
-	- presentation_target: None
-	- bytes: None
-	- lines: 12
-	- paragraphs: 3
-	- slides: None
-	- notes: None
-	- hidden_slides: None
-	- mm_clips: None
-	- scale_crop: False
-	- heading_pairs: None
-	- titles_of_parts: None
-	- manager: None
-	- company: 'Servicio de Impuestos Internos'
-	- links_dirty: False
-	- chars_with_spaces: 1751
-	- unused: None
-	- shared_doc: False
-	- link_base: None
-	- hlinks: None
-	- hlinks_changed: False
-	- version: 786432
-	- dig_sig: None
-	- content_type: None
-	- content_status: None
-	- language: None
-	- doc_version: None
+![](olemeta1.png)
  
 ## How to use olemeta in Python applications	
  
@@ -87,6 +33,10 @@ python-oletools documentation
 	- [[oleid]]
 	- [[olemeta]]
 	- [[oletimes]]
+	- [[oledir]]
+	- [[olemap]]
 	- [[olevba]]
+	- [[mraptor]]
 	- [[pyxswf]]
-	- [[rtfobj]] 
 \ No newline at end of file
+	- [[oleobj]]
+	- [[rtfobj]]
-<p>oletimes</p>
-<p>========</p>
-<p>oletimes is a script to parse OLE files such as MS Office documents (e.g. Word,</p>
-<p>Excel), to extract creation and modification times of all streams and storages</p>
-<p>in the OLE file.</p>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+  <meta http-equiv="Content-Style-Type" content="text/css" />
+  <meta name="generator" content="pandoc" />
+  <title></title>
+  <style type="text/css">code{white-space: pre;}</style>
+</head>
+<body>
+<h1 id="oletimes">oletimes</h1>
+<p>oletimes is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract creation and modification times of all streams and storages in the OLE file.</p>
 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
 <h2 id="usage">Usage</h2>
 <pre><code>oletimes.py &lt;file&gt;</code></pre>
@@ -10,71 +17,52 @@
 <p>Checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
 <pre><code>&gt;oletimes.py DIAN_caso-5415.doc
  
-
-
 +----------------------------+---------------------+---------------------+
-
 | Stream/Storage name        | Modification Time   | Creation Time       |
-
 +----------------------------+---------------------+---------------------+
-
 | Root                       | 2014-05-14 12:45:24 | None                |
-
 | &#39;\x01CompObj&#39;              | None                | None                |
-
 | &#39;\x05DocumentSummaryInform | None                | None                |
-
 | ation&#39;                     |                     |                     |
-
 | &#39;\x05SummaryInformation&#39;   | None                | None                |
-
 | &#39;1Table&#39;                   | None                | None                |
-
 | &#39;Data&#39;                     | None                | None                |
-
 | &#39;Macros&#39;                   | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 |
-
 | &#39;Macros/PROJECT&#39;           | None                | None                |
-
 | &#39;Macros/PROJECTwm&#39;         | None                | None                |
-
 | &#39;Macros/VBA&#39;               | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 |
-
 | &#39;Macros/VBA/ThisDocument&#39;  | None                | None                |
-
 | &#39;Macros/VBA/_VBA_PROJECT&#39;  | None                | None                |
-
 | &#39;Macros/VBA/__SRP_0&#39;       | None                | None                |
-
 | &#39;Macros/VBA/__SRP_1&#39;       | None                | None                |
-
 | &#39;Macros/VBA/__SRP_2&#39;       | None                | None                |
-
 | &#39;Macros/VBA/__SRP_3&#39;       | None                | None                |
-
 | &#39;Macros/VBA/dir&#39;           | None                | None                |
-
 | &#39;WordDocument&#39;             | None                | None                |
-
 +----------------------------+---------------------+---------------------+</code></pre>
 <h2 id="how-to-use-oletimes-in-python-applications">How to use oletimes in Python applications</h2>
 <p>TODO</p>
 <hr />
-<p>python-oletools documentation</p>
-<hr />
+<h2 id="python-oletools-documentation">python-oletools documentation</h2>
 <ul>
-<li><p><a href="Home.html">Home</a></p></li>
-<li><p><a href="License.html">License</a></p></li>
-<li><p><a href="Install.html">Install</a></p></li>
-<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
-<li><p>Tools:</p>
+<li><a href="Home.html">Home</a></li>
+<li><a href="License.html">License</a></li>
+<li><a href="Install.html">Install</a></li>
+<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
+<li>Tools:
 <ul>
-<li><p><a href="olebrowse.html">olebrowse</a></p></li>
-<li><p><a href="oleid.html">oleid</a></p></li>
-<li><p><a href="olemeta.html">olemeta</a></p></li>
-<li><p><a href="oletimes.html">oletimes</a></p></li>
-<li><p><a href="olevba.html">olevba</a></p></li>
-<li><p><a href="pyxswf.html">pyxswf</a></p></li>
-<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+<li><a href="olebrowse.html">olebrowse</a></li>
+<li><a href="oleid.html">oleid</a></li>
+<li><a href="olemeta.html">olemeta</a></li>
+<li><a href="oletimes.html">oletimes</a></li>
+<li><a href="oledir.html">oledir</a></li>
+<li><a href="olemap.html">olemap</a></li>
+<li><a href="olevba.html">olevba</a></li>
+<li><a href="mraptor.html">mraptor</a></li>
+<li><a href="pyxswf.html">pyxswf</a></li>
+<li><a href="oleobj.html">oleobj</a></li>
+<li><a href="rtfobj.html">rtfobj</a></li>
 </ul></li>
 </ul>
+</body>
+</html>
@@ -61,6 +61,10 @@ python-oletools documentation
 	- [[oleid]]
 	- [[olemeta]]
 	- [[oletimes]]
+	- [[oledir]]
+	- [[olemap]]
 	- [[olevba]]
+	- [[mraptor]]
 	- [[pyxswf]]
-	- [[rtfobj]] 
 \ No newline at end of file
+	- [[oleobj]]
+	- [[rtfobj]]
-<p>olevba</p>
-<p>======</p>
-<p>olevba is a script to parse OLE and OpenXML files such as MS Office documents</p>
-<p>(e.g. Word, Excel), to <strong>detect VBA Macros</strong>, extract their <strong>source code</strong> in clear text,</p>
-<p>and detect security-related patterns such as <strong>auto-executable macros</strong>, **suspicious</p>
-<p>VBA keywords** used by malware, anti-sandboxing and anti-virtualization techniques,</p>
-<p>and potential <strong>IOCs</strong> (IP addresses, URLs, executable filenames, etc).</p>
-<p>It also detects and decodes several common **obfuscation methods including Hex encoding,</p>
-<p>StrReverse, Base64, Dridex, VBA expressions**, and extracts IOCs from decoded strings.</p>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+  <meta http-equiv="Content-Style-Type" content="text/css" />
+  <meta name="generator" content="pandoc" />
+  <title></title>
+  <style type="text/css">code{white-space: pre;}</style>
+</head>
+<body>
+<h1 id="olevba">olevba</h1>
+<p>olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to <strong>detect VBA Macros</strong>, extract their <strong>source code</strong> in clear text, and detect security-related patterns such as <strong>auto-executable macros</strong>, <strong>suspicious VBA keywords</strong> used by malware, anti-sandboxing and anti-virtualization techniques, and potential <strong>IOCs</strong> (IP addresses, URLs, executable filenames, etc). It also detects and decodes several common <strong>obfuscation methods including Hex encoding, StrReverse, Base64, Dridex, VBA expressions</strong>, and extracts IOCs from decoded strings.</p>
 <p>It can be used either as a command-line tool, or as a python module from your own applications.</p>
 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
-<p>olevba is based on source code from <a href="https://github.com/unixfreak0037/officeparser">officeparser</a></p>
-<p>by John William Davison, with significant modifications.</p>
+<p>olevba is based on source code from <a href="https://github.com/unixfreak0037/officeparser">officeparser</a> by John William Davison, with significant modifications.</p>
 <h2 id="supported-formats">Supported formats</h2>
 <ul>
-<li><p>Word 97-2003 (.doc, .dot)</p></li>
-<li><p>Word 2007+ (.docm, .dotm)</p></li>
-<li><p>Word 2003 XML (.xml)</p></li>
-<li><p>Word/Excel MHTML, aka Single File Web Page (.mht)</p></li>
-<li><p>Excel 97-2003 (.xls)</p></li>
-<li><p>Excel 2007+ (.xlsm, .xlsb)</p></li>
-<li><p>PowerPoint 2007+ (.pptm, .ppsm)</p></li>
-<li><p>Text file containing VBA or VBScript source code</p></li>
-<li><p>Password-protected Zip archive containing any of the above</p></li>
+<li>Word 97-2003 (.doc, .dot)</li>
+<li>Word 2007+ (.docm, .dotm)</li>
+<li>Word 2003 XML (.xml)</li>
+<li>Word/Excel MHTML, aka Single File Web Page (.mht)</li>
+<li>Excel 97-2003 (.xls)</li>
+<li>Excel 2007+ (.xlsm, .xlsb)</li>
+<li>PowerPoint 2007+ (.pptm, .ppsm)</li>
+<li>Text file containing VBA or VBScript source code</li>
+<li>Password-protected Zip archive containing any of the above</li>
 </ul>
 <h2 id="main-features">Main Features</h2>
 <ul>
-<li><p>Detect VBA macros in MS Office 97-2003 and 2007+ files, XML, MHT</p></li>
-<li><p>Extract VBA macro source code</p></li>
-<li><p>Detect auto-executable macros</p></li>
-<li><p>Detect suspicious VBA keywords often used by malware</p></li>
-<li><p>Detect anti-sandboxing and anti-virtualization techniques</p></li>
-<li><p>Detect and decodes strings obfuscated with Hex/Base64/StrReverse/Dridex</p></li>
-<li><p>Deobfuscates VBA expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &amp;, using a VBA parser built with</p></li>
+<li>Detect VBA macros in MS Office 97-2003 and 2007+ files, XML, MHT</li>
+<li>Extract VBA macro source code</li>
+<li>Detect auto-executable macros</li>
+<li>Detect suspicious VBA keywords often used by malware</li>
+<li>Detect anti-sandboxing and anti-virtualization techniques</li>
+<li>Detect and decodes strings obfuscated with Hex/Base64/StrReverse/Dridex</li>
+<li>Deobfuscates VBA expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &amp;, using a VBA parser built with <a href="http://pyparsing.wikispaces.com">pyparsing</a>, including custom Hex and Base64 encodings</li>
+<li>Extract IOCs/patterns of interest such as IP addresses, URLs, e-mail addresses and executable file names</li>
+<li>Scan multiple files and sample collections (wildcards, recursive)</li>
+<li>Triage mode for a summary view of multiple files</li>
+<li>Scan malware samples in password-protected Zip archives</li>
+<li>Python API to use olevba from your applications</li>
 </ul>
-<p><a href="http://pyparsing.wikispaces.com">pyparsing</a>, including custom Hex and Base64 encodings</p>
-<ul>
-<li><p>Extract IOCs/patterns of interest such as IP addresses, URLs, e-mail addresses and executable file names</p></li>
-<li><p>Scan multiple files and sample collections (wildcards, recursive)</p></li>
-<li><p>Triage mode for a summary view of multiple files</p></li>
-<li><p>Scan malware samples in password-protected Zip archives</p></li>
-<li><p>Python API to use olevba from your applications</p></li>
-</ul>
-<p>MS Office files encrypted with a password are also supported, because VBA macro code is never</p>
-<p>encrypted, only the content of the document.</p>
+<p>MS Office files encrypted with a password are also supported, because VBA macro code is never encrypted, only the content of the document.</p>
 <h2 id="about-vba-macros">About VBA Macros</h2>
-<p>See <a href="http://www.decalage.info/en/vba_tools">this article</a> for more information and technical details about VBA Macros</p>
-<p>and how they are stored in MS Office documents.</p>
+<p>See <a href="http://www.decalage.info/en/vba_tools">this article</a> for more information and technical details about VBA Macros and how they are stored in MS Office documents.</p>
 <h2 id="how-it-works">How it works</h2>
 <ol style="list-style-type: decimal">
-<li><p>olevba checks the file type: If it is an OLE file (i.e MS Office 97-2003), it is parsed right away.</p></li>
-<li><p>If it is a zip file (i.e. MS Office 2007+), XML or MHTML, olevba looks for all OLE files stored in it (e.g. vbaProject.bin, editdata.mso), and opens them.</p></li>
-<li><p>olevba identifies all the VBA projects stored in the OLE structure.</p></li>
-<li><p>Each VBA project is parsed to find the corresponding OLE streams containing macro code.</p></li>
-<li><p>In each of these OLE streams, the VBA macro source code is extracted and decompressed (RLE compression).</p></li>
-<li><p>olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex, VBA expressions).</p></li>
-<li><p>olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros</p></li>
+<li>olevba checks the file type: If it is an OLE file (i.e MS Office 97-2003), it is parsed right away.</li>
+<li>If it is a zip file (i.e. MS Office 2007+), XML or MHTML, olevba looks for all OLE files stored in it (e.g. vbaProject.bin, editdata.mso), and opens them.</li>
+<li>olevba identifies all the VBA projects stored in the OLE structure.</li>
+<li>Each VBA project is parsed to find the corresponding OLE streams containing macro code.</li>
+<li>In each of these OLE streams, the VBA macro source code is extracted and decompressed (RLE compression).</li>
+<li>olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex, VBA expressions).</li>
+<li>olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc).</li>
 </ol>
-<p>and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc).</p>
 <h2 id="usage">Usage</h2>
 <pre><code>Usage: olevba.py [options] &lt;filename&gt; [filename2 ...]
  
-
-
 Options:
-
   -h, --help            show this help message and exit
-
   -r                    find files recursively in subdirectories.
-
   -z ZIP_PASSWORD, --zip=ZIP_PASSWORD
-
                         if the file is a zip archive, open all files from it,
-
                         using the provided password (requires Python 2.6+)
-
   -f ZIP_FNAME, --zipfname=ZIP_FNAME
-
                         if the file is a zip archive, file(s) to be opened
-
                         within the zip. Wildcards * and ? are supported.
-
                         (default:*)
-
   -t, --triage          triage mode, display results as a summary table
-
                         (default for multiple files)
-
   -d, --detailed        detailed mode, display full results (default for
-
                         single file)
-
   -a, --analysis        display only analysis results, not the macro source
-
                         code
-
   -c, --code            display only VBA source code, do not analyze it
-
   -i INPUT, --input=INPUT
-
                         input file containing VBA source code to be analyzed
-
                         (no parsing)
-
   --decode              display all the obfuscated strings with their decoded
-
                         content (Hex, Base64, StrReverse, Dridex, VBA).
-
   --attr                display the attribute lines at the beginning of VBA
-
                         source code
-
   --reveal              display the macro source code after replacing all the
-
                         obfuscated strings by their decoded content.</code></pre>
 <h3 id="examples">Examples</h3>
 <p>Scan a single file:</p>
@@ -134,399 +103,251 @@ Options:
 <p>When a single file is scanned, or when using the option -d, all details of the analysis are displayed.</p>
 <p>For example, checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
 <pre><code>&gt;olevba.py c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip -z infected
-
 ===============================================================================
-
 FILE: DIAN_caso-5415.doc.malware in c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip
-
 Type: OLE
-
 -------------------------------------------------------------------------------
-
 VBA MACRO ThisDocument.cls
-
 in file: DIAN_caso-5415.doc.malware - OLE stream: Macros/VBA/ThisDocument
-
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
 Option Explicit
-
 Private Declare Function URLDownloadToFileA Lib &quot;urlmon&quot; (ByVal FVQGKS As Long,_
-
 ByVal WSGSGY As String, ByVal IFRRFV As String, ByVal NCVOLV As Long, _
-
 ByVal HQTLDG As Long) As Long
-
 Sub AutoOpen()
-
     Auto_Open
-
 End Sub
-
 Sub Auto_Open()
-
 SNVJYQ
-
 End Sub
-
 Public Sub SNVJYQ()
-
     [Malicious Code...]
-
 End Sub
-
 Function OGEXYR(XSTAHU As String, PHHWIV As String) As Boolean
-
     [Malicious Code...]
-
     Application.DisplayAlerts = False
-
     Application.Quit
-
 End Function
-
 Sub Workbook_Open()
-
     Auto_Open
-
 End Sub
  
-
-
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
 ANALYSIS:
-
 +------------+----------------------+-----------------------------------------+
-
 | Type       | Keyword              | Description                             |
-
 +------------+----------------------+-----------------------------------------+
-
 | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
-
 | AutoExec   | Auto_Open            | Runs when the Excel Workbook is opened  |
-
 | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
-
 | Suspicious | Lib                  | May run code from a DLL                 |
-
 | Suspicious | Shell                | May run an executable file or a system  |
-
 |            |                      | command                                 |
-
 | Suspicious | Environ              | May read system environment variables   |
-
 | Suspicious | URLDownloadToFileA   | May download files from the Internet    |
-
 | IOC        | http://germanya.com. | URL                                     |
-
 |            | ec/logs/test.exe&quot;    |                                         |
-
 | IOC        | http://germanya.com. | URL                                     |
-
 |            | ec/logs/counter.php&quot; |                                         |
-
 | IOC        | germanya.com         | Executable file name                    |
-
 | IOC        | test.exe             | Executable file name                    |
-
 | IOC        | sfjozjero.exe        | Executable file name                    |
-
 +------------+----------------------+-----------------------------------------+</code></pre>
 <h3 id="triage-mode-default-for-multiple-files">Triage mode (default for multiple files)</h3>
-<p>When several files are scanned, or when using the option -t, a summary of the analysis for each file is displayed.</p>
-<p>This is more convenient for quick triage of a collection of suspicious files.</p>
+<p>When several files are scanned, or when using the option -t, a summary of the analysis for each file is displayed. This is more convenient for quick triage of a collection of suspicious files.</p>
 <p>The following flags show the results of the analysis:</p>
 <ul>
-<li><p><strong>OLE</strong>: the file type is OLE, for example MS Office 97-2003</p></li>
-<li><p><strong>OpX</strong>: the file type is OpenXML, for example MS Office 2007+</p></li>
-<li><p><strong>XML</strong>: the file type is Word 2003 XML</p></li>
-<li><p><strong>MHT</strong>: the file type is Word MHTML, aka Single File Web Page (.mht)</p></li>
-<li><p><strong>?</strong>: the file type is not supported</p></li>
-<li><p><strong>M</strong>: contains VBA Macros</p></li>
-<li><p><strong>A</strong>: auto-executable macros</p></li>
-<li><p><strong>S</strong>: suspicious VBA keywords</p></li>
-<li><p><strong>I</strong>: potential IOCs</p></li>
-<li><p><strong>H</strong>: hex-encoded strings (potential obfuscation)</p></li>
-<li><p><strong>B</strong>: Base64-encoded strings (potential obfuscation)</p></li>
-<li><p><strong>D</strong>: Dridex-encoded strings (potential obfuscation)</p></li>
-<li><p><strong>V</strong>: VBA string expressions (potential obfuscation)</p></li>
+<li><strong>OLE</strong>: the file type is OLE, for example MS Office 97-2003</li>
+<li><strong>OpX</strong>: the file type is OpenXML, for example MS Office 2007+</li>
+<li><strong>XML</strong>: the file type is Word 2003 XML</li>
+<li><strong>MHT</strong>: the file type is Word MHTML, aka Single File Web Page (.mht)</li>
+<li><strong>?</strong>: the file type is not supported</li>
+<li><strong>M</strong>: contains VBA Macros</li>
+<li><strong>A</strong>: auto-executable macros</li>
+<li><strong>S</strong>: suspicious VBA keywords</li>
+<li><strong>I</strong>: potential IOCs</li>
+<li><strong>H</strong>: hex-encoded strings (potential obfuscation)</li>
+<li><strong>B</strong>: Base64-encoded strings (potential obfuscation)</li>
+<li><strong>D</strong>: Dridex-encoded strings (potential obfuscation)</li>
+<li><strong>V</strong>: VBA string expressions (potential obfuscation)</li>
 </ul>
 <p>Here is an example:</p>
 <pre><code>c:\&gt;olevba.py \MalwareZoo\VBA\samples\*
-
 Flags       Filename
-
 ----------- -----------------------------------------------------------------
-
 OLE:MASI--- \MalwareZoo\VBA\samples\DIAN_caso-5415.doc.malware
-
 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_1.doc.malware
-
 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_2.doc.malware
-
 OLE:MASI--- \MalwareZoo\VBA\samples\DRIDEX_3.doc.malware
-
 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_4.doc.malware
-
 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_5.doc.malware
-
 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_6.doc.malware
-
 OLE:MAS---- \MalwareZoo\VBA\samples\DRIDEX_7.doc.malware
-
 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_8.doc.malware
-
 OLE:MASIHBD \MalwareZoo\VBA\samples\DRIDEX_9.xls.malware
-
 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_A.doc.malware
-
 OLE:------- \MalwareZoo\VBA\samples\Normal_Document.doc
-
 OLE:M------ \MalwareZoo\VBA\samples\Normal_Document_Macro.doc
-
 OpX:MASI--- \MalwareZoo\VBA\samples\RottenKitten.xlsb.malware
-
 OLE:MASI-B- \MalwareZoo\VBA\samples\ROVNIX.doc.malware
-
 OLE:MA----- \MalwareZoo\VBA\samples\Word within Word macro auto.doc</code></pre>
 <hr />
 <h2 id="how-to-use-olevba-in-python-applications">How to use olevba in Python applications</h2>
-<p>olevba may be used to open a MS Office file, detect if it contains VBA macros, extract and analyze the VBA source code</p>
-<p>from your own python applications.</p>
+<p>olevba may be used to open a MS Office file, detect if it contains VBA macros, extract and analyze the VBA source code from your own python applications.</p>
 <p>IMPORTANT: olevba is currently under active development, therefore this API is likely to change.</p>
 <h3 id="import-olevba">Import olevba</h3>
 <p>First, import the <strong>oletools.olevba</strong> package, using at least the VBA_Parser and VBA_Scanner classes:</p>
 <pre><code>from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML </code></pre>
 <h3 id="parse-a-ms-office-file---vba_parser">Parse a MS Office file - VBA_Parser</h3>
-<p>To parse a file on disk, create an instance of the <strong>VBA_Parser</strong> class, providing the name of the file to open as parameter.</p>
-<p>For example:</p>
+<p>To parse a file on disk, create an instance of the <strong>VBA_Parser</strong> class, providing the name of the file to open as parameter. For example:</p>
 <pre><code>vbaparser = VBA_Parser(&#39;my_file_with_macros.doc&#39;)</code></pre>
-<p>The file may also be provided as a bytes string containing its data. In that case, the actual</p>
-<p>filename must be provided for reference, and the file content with the data parameter. For example:</p>
+<p>The file may also be provided as a bytes string containing its data. In that case, the actual filename must be provided for reference, and the file content with the data parameter. For example:</p>
 <pre><code>myfile = &#39;my_file_with_macros.doc&#39;
-
 filedata = open(myfile, &#39;rb&#39;).read()
-
 vbaparser = VBA_Parser(myfile, data=filedata)</code></pre>
-<p>VBA_Parser will raise an exception if the file is not a supported format, such as OLE (MS Office 97-2003), OpenXML</p>
-<p>(MS Office 2007+), MHTML or Word 2003 XML.</p>
-<p>After parsing the file, the attribute <strong>VBA_Parser.type</strong> is a string indicating the file type.</p>
-<p>It can be either TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML or TYPE_MHTML. (constants defined in the olevba module)</p>
+<p>VBA_Parser will raise an exception if the file is not a supported format, such as OLE (MS Office 97-2003), OpenXML (MS Office 2007+), MHTML or Word 2003 XML.</p>
+<p>After parsing the file, the attribute <strong>VBA_Parser.type</strong> is a string indicating the file type. It can be either TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML or TYPE_MHTML. (constants defined in the olevba module)</p>
 <h3 id="detect-vba-macros">Detect VBA macros</h3>
-<p>The method <strong>detect_vba_macros</strong> of a VBA_Parser object returns True if VBA macros have been found in the file,</p>
-<p>False otherwise.</p>
+<p>The method <strong>detect_vba_macros</strong> of a VBA_Parser object returns True if VBA macros have been found in the file, False otherwise.</p>
 <pre><code>if vbaparser.detect_vba_macros():
-
     print &#39;VBA Macros found&#39;
-
 else:
-
-    print &#39;No VBA Macros found&#39;</code></pre>
-<p>Note: The detection algorithm looks for streams and storage with specific names in the OLE structure, which works fine</p>
-<p>for all the supported formats listed above. However, for some formats such as PowerPoint 97-2003, this method will</p>
-<p>always return False because VBA Macros are stored in a different way which is not yet supported by olevba.</p>
-<p>Moreover, if the file contains an embedded document (e.g. an Excel workbook inserted into a Word document), this method</p>
-<p>may return True if the embedded document contains VBA Macros, even if the main document does not.</p>
+    print &#39;No VBA Macros found&#39;
+    </code></pre>
+<p>Note: The detection algorithm looks for streams and storage with specific names in the OLE structure, which works fine for all the supported formats listed above. However, for some formats such as PowerPoint 97-2003, this method will always return False because VBA Macros are stored in a different way which is not yet supported by olevba.</p>
+<p>Moreover, if the file contains an embedded document (e.g. an Excel workbook inserted into a Word document), this method may return True if the embedded document contains VBA Macros, even if the main document does not.</p>
 <h3 id="extract-vba-macro-source-code">Extract VBA Macro Source Code</h3>
-<p>The method <strong>extract_macros</strong> extracts and decompresses source code for each VBA macro found in the file (possibly</p>
-<p>including embedded files). It is a generator yielding a tuple (filename, stream_path, vba_filename, vba_code)</p>
-<p>for each VBA macro found.</p>
+<p>The method <strong>extract_macros</strong> extracts and decompresses source code for each VBA macro found in the file (possibly including embedded files). It is a generator yielding a tuple (filename, stream_path, vba_filename, vba_code) for each VBA macro found.</p>
 <ul>
-<li><p>filename: If the file is OLE (MS Office 97-2003), filename is the path of the file.</p>
-<p>If the file is OpenXML (MS Office 2007+), filename is the path of the OLE subfile containing VBA macros within the zip archive,</p>
-<p>e.g. word/vbaProject.bin.</p></li>
-<li><p>stream_path: path of the OLE stream containing the VBA macro source code</p></li>
-<li><p>vba_filename: corresponding VBA filename</p></li>
-<li><p>vba_code: string containing the VBA source code in clear text</p></li>
+<li>filename: If the file is OLE (MS Office 97-2003), filename is the path of the file. If the file is OpenXML (MS Office 2007+), filename is the path of the OLE subfile containing VBA macros within the zip archive, e.g. word/vbaProject.bin.</li>
+<li>stream_path: path of the OLE stream containing the VBA macro source code</li>
+<li>vba_filename: corresponding VBA filename</li>
+<li>vba_code: string containing the VBA source code in clear text</li>
 </ul>
 <p>Example:</p>
 <pre><code>for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
-
     print &#39;-&#39;*79
-
     print &#39;Filename    :&#39;, filename
-
     print &#39;OLE stream  :&#39;, stream_path
-
     print &#39;VBA filename:&#39;, vba_filename
-
     print &#39;- &#39;*39
-
-    print vba_code</code></pre>
+    print vba_code
+    </code></pre>
 <p>Alternatively, the VBA_Parser method <strong>extract_all_macros</strong> returns the same results as a list of tuples.</p>
 <h3 id="analyze-vba-source-code">Analyze VBA Source Code</h3>
-<p>Since version 0.40, the VBA_Parser class provides simpler methods than VBA_Scanner to analyze all macros contained</p>
-<p>in a file:</p>
-<p>The method <strong>analyze_macros</strong> from the class <strong>VBA_Parser</strong> can be used to scan the source code of all</p>
-<p>VBA modules to find obfuscated strings, suspicious keywords, IOCs, auto-executable macros, etc.</p>
-<p>analyze_macros() takes an optional argument show_decoded_strings: if set to True, the results will contain all the encoded</p>
-<p>strings found in the code (Hex, Base64, Dridex) with their decoded value.</p>
-<p>By default, it will only include the strings which contain printable characters.</p>
+<p>Since version 0.40, the VBA_Parser class provides simpler methods than VBA_Scanner to analyze all macros contained in a file:</p>
+<p>The method <strong>analyze_macros</strong> from the class <strong>VBA_Parser</strong> can be used to scan the source code of all VBA modules to find obfuscated strings, suspicious keywords, IOCs, auto-executable macros, etc.</p>
+<p>analyze_macros() takes an optional argument show_decoded_strings: if set to True, the results will contain all the encoded strings found in the code (Hex, Base64, Dridex) with their decoded value. By default, it will only include the strings which contain printable characters.</p>
 <p><strong>VBA_Parser.analyze_macros()</strong> returns a list of tuples (type, keyword, description), one for each item in the results.</p>
 <ul>
-<li>type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String', 'Dridex String' or</li>
-</ul>
-<p>'VBA obfuscated Strings'.</p>
-<ul>
-<li>keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is</li>
-</ul>
-<p>the decoded value of the string.</p>
-<ul>
+<li>type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String', 'Dridex String' or 'VBA obfuscated Strings'.</li>
+<li>keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is the decoded value of the string.</li>
 <li>description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.</li>
 </ul>
 <p>Example:</p>
 <pre><code>results = vbaparser.analyze_macros()
-
 for kw_type, keyword, description in results:
-
-    print &#39;type=%s - keyword=%s - description=%s&#39; % (kw_type, keyword, description)</code></pre>
-<p>After calling analyze_macros, the following VBA_Parser attributes also provide the number</p>
-<p>of items found for each category:</p>
+    print &#39;type=%s - keyword=%s - description=%s&#39; % (kw_type, keyword, description)
+    </code></pre>
+<p>After calling analyze_macros, the following VBA_Parser attributes also provide the number of items found for each category:</p>
 <pre><code>print &#39;AutoExec keywords: %d&#39; % vbaparser.nb_autoexec
-
 print &#39;Suspicious keywords: %d&#39; % vbaparser.nb_suspicious
-
 print &#39;IOCs: %d&#39; % vbaparser.nb_iocs
-
 print &#39;Hex obfuscated strings: %d&#39; % vbaparser.nb_hexstrings
-
 print &#39;Base64 obfuscated strings: %d&#39; % vbaparser.nb_base64strings
-
 print &#39;Dridex obfuscated strings: %d&#39; % vbaparser.nb_dridexstrings
-
 print &#39;VBA obfuscated strings: %d&#39; % vbaparser.nb_vbastrings</code></pre>
 <h3 id="deobfuscate-vba-macro-source-code">Deobfuscate VBA Macro Source Code</h3>
-<p>The method <strong>reveal</strong> attempts to deobfuscate the macro source code by replacing all</p>
-<p>the obfuscated strings by their decoded content. Returns a single string.</p>
+<p>The method <strong>reveal</strong> attempts to deobfuscate the macro source code by replacing all the obfuscated strings by their decoded content. Returns a single string.</p>
 <p>Example:</p>
 <pre><code>print vbaparser.reveal()</code></pre>
 <h3 id="close-the-vba_parser">Close the VBA_Parser</h3>
-<p>After usage, it is better to call the <strong>close</strong> method of the VBA_Parser object, to make sure the file is closed,</p>
-<p>especially if your application is parsing many files.</p>
+<p>After usage, it is better to call the <strong>close</strong> method of the VBA_Parser object, to make sure the file is closed, especially if your application is parsing many files.</p>
 <pre><code>vbaparser.close()</code></pre>
 <hr />
 <h2 id="deprecated-api">Deprecated API</h2>
-<p>The following methods and functions are still functional, but their usage is not recommended</p>
-<p>since they have been replaced by better solutions.</p>
+<p>The following methods and functions are still functional, but their usage is not recommended since they have been replaced by better solutions.</p>
 <h3 id="vba_scanner-deprecated">VBA_Scanner (deprecated)</h3>
-<p>The class <strong>VBA_Scanner</strong> can be used to scan the source code of a VBA module to find obfuscated strings,</p>
-<p>suspicious keywords, IOCs, auto-executable macros, etc.</p>
-<p>First, create a VBA_Scanner object with a string containing the VBA source code (for example returned by the</p>
-<p>extract_macros method). Then call the methods <strong>scan</strong> or <strong>scan_summary</strong> to get the results of the analysis.</p>
-<p>scan() takes an optional argument include_decoded_strings: if set to True, the results will contain all the encoded</p>
-<p>strings found in the code (Hex, Base64, Dridex) with their decoded value.</p>
+<p>The class <strong>VBA_Scanner</strong> can be used to scan the source code of a VBA module to find obfuscated strings, suspicious keywords, IOCs, auto-executable macros, etc.</p>
+<p>First, create a VBA_Scanner object with a string containing the VBA source code (for example returned by the extract_macros method). Then call the methods <strong>scan</strong> or <strong>scan_summary</strong> to get the results of the analysis.</p>
+<p>scan() takes an optional argument include_decoded_strings: if set to True, the results will contain all the encoded strings found in the code (Hex, Base64, Dridex) with their decoded value.</p>
 <p><strong>scan</strong> returns a list of tuples (type, keyword, description), one for each item in the results.</p>
 <ul>
-<li><p>type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String' or 'Dridex String'.</p></li>
-<li><p>keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is</p></li>
-</ul>
-<p>the decoded value of the string.</p>
-<ul>
+<li>type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String' or 'Dridex String'.</li>
+<li>keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is the decoded value of the string.</li>
 <li>description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.</li>
 </ul>
 <p>Example:</p>
 <pre><code>vba_scanner = VBA_Scanner(vba_code)
-
 results = vba_scanner.scan(include_decoded_strings=True)
-
 for kw_type, keyword, description in results:
-
     print &#39;type=%s - keyword=%s - description=%s&#39; % (kw_type, keyword, description)</code></pre>
 <p>The function <strong>scan_vba</strong> is a shortcut for VBA_Scanner(vba_code).scan():</p>
 <pre><code>results = scan_vba(vba_code, include_decoded_strings=True)
-
 for kw_type, keyword, description in results:
-
-    print &#39;type=%s - keyword=%s - description=%s&#39; % (kw_type, keyword, description)</code></pre>
-<p><strong>scan_summary</strong> returns a tuple with the number of items found for each category:</p>
-<p>(autoexec, suspicious, IOCs, hex, base64, dridex).</p>
+    print &#39;type=%s - keyword=%s - description=%s&#39; % (kw_type, keyword, description)
+    </code></pre>
+<p><strong>scan_summary</strong> returns a tuple with the number of items found for each category: (autoexec, suspicious, IOCs, hex, base64, dridex).</p>
 <h3 id="detect-auto-executable-macros-deprecated">Detect auto-executable macros (deprecated)</h3>
 <p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p>
-<p>The function <strong>detect_autoexec</strong> checks if VBA macro code contains specific macro names</p>
-<p>that will be triggered when the document/workbook is opened, closed, changed, etc.</p>
-<p>It returns a list of tuples containing two strings, the detected keyword, and the</p>
-<p>description of the trigger. (See the malware example above)</p>
+<p>The function <strong>detect_autoexec</strong> checks if VBA macro code contains specific macro names that will be triggered when the document/workbook is opened, closed, changed, etc.</p>
+<p>It returns a list of tuples containing two strings, the detected keyword, and the description of the trigger. (See the malware example above)</p>
 <p>Sample usage:</p>
 <pre><code>from oletools.olevba import detect_autoexec
-
 autoexec_keywords = detect_autoexec(vba_code)
-
 if autoexec_keywords:
-
     print &#39;Auto-executable macro keywords found:&#39;
-
     for keyword, description in autoexec_keywords:
-
         print &#39;%s: %s&#39; % (keyword, description)
-
 else:
-
     print &#39;Auto-executable macro keywords: None found&#39;</code></pre>
 <h3 id="detect-suspicious-vba-keywords-deprecated">Detect suspicious VBA keywords (deprecated)</h3>
 <p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p>
-<p>The function <strong>detect_suspicious</strong> checks if VBA macro code contains specific</p>
-<p>keywords often used by malware to act on the system (create files, run</p>
-<p>commands or applications, write to the registry, etc).</p>
-<p>It returns a list of tuples containing two strings, the detected keyword, and the</p>
-<p>description of the corresponding malicious behaviour. (See the malware example above)</p>
+<p>The function <strong>detect_suspicious</strong> checks if VBA macro code contains specific keywords often used by malware to act on the system (create files, run commands or applications, write to the registry, etc).</p>
+<p>It returns a list of tuples containing two strings, the detected keyword, and the description of the corresponding malicious behaviour. (See the malware example above)</p>
 <p>Sample usage:</p>
 <pre><code>from oletools.olevba import detect_suspicious
-
 suspicious_keywords = detect_suspicious(vba_code)
-
 if suspicious_keywords:
-
     print &#39;Suspicious VBA keywords found:&#39;
-
     for keyword, description in suspicious_keywords:
-
         print &#39;%s: %s&#39; % (keyword, description)
-
 else:
-
     print &#39;Suspicious VBA keywords: None found&#39;</code></pre>
 <h3 id="extract-potential-iocs-deprecated">Extract potential IOCs (deprecated)</h3>
 <p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p>
-<p>The function <strong>detect_patterns</strong> checks if VBA macro code contains specific</p>
-<p>patterns of interest, that may be useful for malware analysis and detection</p>
-<p>(potential Indicators of Compromise): IP addresses, e-mail addresses,</p>
-<p>URLs, executable file names.</p>
-<p>It returns a list of tuples containing two strings, the pattern type, and the</p>
-<p>extracted value. (See the malware example above)</p>
+<p>The function <strong>detect_patterns</strong> checks if VBA macro code contains specific patterns of interest, that may be useful for malware analysis and detection (potential Indicators of Compromise): IP addresses, e-mail addresses, URLs, executable file names.</p>
+<p>It returns a list of tuples containing two strings, the pattern type, and the extracted value. (See the malware example above)</p>
 <p>Sample usage:</p>
 <pre><code>from oletools.olevba import detect_patterns
-
 patterns = detect_patterns(vba_code)
-
 if patterns:
-
     print &#39;Patterns found:&#39;
-
     for pattern_type, value in patterns:
-
         print &#39;%s: %s&#39; % (pattern_type, value)
-
 else:
-
     print &#39;Patterns: None found&#39;</code></pre>
 <hr />
-<p>python-oletools documentation</p>
-<hr />
+<h2 id="python-oletools-documentation">python-oletools documentation</h2>
 <ul>
-<li><p><a href="Home.html">Home</a></p></li>
-<li><p><a href="License.html">License</a></p></li>
-<li><p><a href="Install.html">Install</a></p></li>
-<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
-<li><p>Tools:</p>
+<li><a href="Home.html">Home</a></li>
+<li><a href="License.html">License</a></li>
+<li><a href="Install.html">Install</a></li>
+<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
+<li>Tools:
 <ul>
-<li><p><a href="olebrowse.html">olebrowse</a></p></li>
-<li><p><a href="oleid.html">oleid</a></p></li>
-<li><p><a href="olemeta.html">olemeta</a></p></li>
-<li><p><a href="oletimes.html">oletimes</a></p></li>
-<li><p><a href="olevba.html">olevba</a></p></li>
-<li><p><a href="pyxswf.html">pyxswf</a></p></li>
-<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+<li><a href="olebrowse.html">olebrowse</a></li>
+<li><a href="oleid.html">oleid</a></li>
+<li><a href="olemeta.html">olemeta</a></li>
+<li><a href="oletimes.html">oletimes</a></li>
+<li><a href="oledir.html">oledir</a></li>
+<li><a href="olemap.html">olemap</a></li>
+<li><a href="olevba.html">olevba</a></li>
+<li><a href="mraptor.html">mraptor</a></li>
+<li><a href="pyxswf.html">pyxswf</a></li>
+<li><a href="oleobj.html">oleobj</a></li>
+<li><a href="rtfobj.html">rtfobj</a></li>
 </ul></li>
 </ul>
+</body>
+</html>
-olevba
-======
-
-olevba is a script to parse OLE and OpenXML files such as MS Office documents
-(e.g. Word, Excel), to **detect VBA Macros**, extract their **source code** in clear text, 
-and detect security-related patterns such as **auto-executable macros**, **suspicious
-VBA keywords** used by malware, anti-sandboxing and anti-virtualization techniques, 
-and potential **IOCs** (IP addresses, URLs, executable filenames, etc). 
-It also detects and decodes several common **obfuscation methods including Hex encoding,
-StrReverse, Base64, Dridex, VBA expressions**, and extracts IOCs from decoded strings.
-
-It can be used either as a command-line tool, or as a python module from your own applications.
-
-It is part of the [python-oletools](http://www.decalage.info/python/oletools) package.
-
-olevba is based on source code from [officeparser](https://github.com/unixfreak0037/officeparser) 
-by John William Davison, with significant modifications.
-
-## Supported formats
-
-- Word 97-2003 (.doc, .dot)
-- Word 2007+ (.docm, .dotm)
-- Word 2003 XML (.xml)
-- Word/Excel MHTML, aka Single File Web Page (.mht)
-- Excel 97-2003 (.xls)
-- Excel 2007+ (.xlsm, .xlsb)
-- PowerPoint 2007+ (.pptm, .ppsm)
-- Text file containing VBA or VBScript source code
-- Password-protected Zip archive containing any of the above
-
-## Main Features
-
-- Detect VBA macros in MS Office 97-2003 and 2007+ files, XML, MHT
-- Extract VBA macro source code
-- Detect auto-executable macros
-- Detect suspicious VBA keywords often used by malware
-- Detect anti-sandboxing and anti-virtualization techniques
-- Detect and decodes strings obfuscated with Hex/Base64/StrReverse/Dridex
-- Deobfuscates VBA expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &, using a VBA parser built with
-[pyparsing](http://pyparsing.wikispaces.com), including custom Hex and Base64 encodings
-- Extract IOCs/patterns of interest such as IP addresses, URLs, e-mail addresses and executable file names
-- Scan multiple files and sample collections (wildcards, recursive)
-- Triage mode for a summary view of multiple files
-- Scan malware samples in password-protected Zip archives
-- Python API to use olevba from your applications
-
-MS Office files encrypted with a password are also supported, because VBA macro code is never
-encrypted, only the content of the document.
-
-## About VBA Macros
-
-See [this article](http://www.decalage.info/en/vba_tools) for more information and technical details about VBA Macros
-and how they are stored in MS Office documents.
-
-## How it works
-
-1. olevba checks the file type: If it is an OLE file (i.e MS Office 97-2003), it is parsed right away.
-1. If it is a zip file (i.e. MS Office 2007+), XML or MHTML, olevba looks for all OLE files stored in it (e.g. vbaProject.bin, editdata.mso), and opens them.
-1. olevba identifies all the VBA projects stored in the OLE structure.
-1. Each VBA project is parsed to find the corresponding OLE streams containing macro code.
-1. In each of these OLE streams, the VBA macro source code is extracted and decompressed (RLE compression).
-1. olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex, VBA expressions).
-1. olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros
-and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc).
-
-
-## Usage
-
-	:::text
-    Usage: olevba.py [options] <filename> [filename2 ...]
-    
-    Options:
-      -h, --help            show this help message and exit
-      -r                    find files recursively in subdirectories.
-      -z ZIP_PASSWORD, --zip=ZIP_PASSWORD
-                            if the file is a zip archive, open all files from it,
-                            using the provided password (requires Python 2.6+)
-      -f ZIP_FNAME, --zipfname=ZIP_FNAME
-                            if the file is a zip archive, file(s) to be opened
-                            within the zip. Wildcards * and ? are supported.
-                            (default:*)
-      -t, --triage          triage mode, display results as a summary table
-                            (default for multiple files)
-      -d, --detailed        detailed mode, display full results (default for
-                            single file)
-      -a, --analysis        display only analysis results, not the macro source
-                            code
-      -c, --code            display only VBA source code, do not analyze it
-      -i INPUT, --input=INPUT
-                            input file containing VBA source code to be analyzed
-                            (no parsing)
-      --decode              display all the obfuscated strings with their decoded
-                            content (Hex, Base64, StrReverse, Dridex, VBA).
-      --attr                display the attribute lines at the beginning of VBA
-                            source code
-      --reveal              display the macro source code after replacing all the
-                            obfuscated strings by their decoded content.
-
-### Examples
-
-Scan a single file:
-
-    :::text
-    olevba.py file.doc
-    
-Scan a single file, stored in a Zip archive with password "infected":
-
-    :::text
-    olevba.py malicious_file.xls.zip -z infected
-    
-Scan a single file, showing all obfuscated strings decoded:
-
-    :::text
-    olevba.py file.doc --decode
-    
-Scan a single file, showing the macro source code with VBA strings deobfuscated:
-
-    :::text
-    olevba.py file.doc --reveal
-
-Scan VBA source code extracted into a text file:
-
-    :::text
-    olevba.py -i source_code.vba
-
-Scan a collection of files stored in a folder:
-
-    :::text
-    olevba.py MalwareZoo/VBA/*
-    
-Scan all .doc and .xls files, recursively in all subfolders:
-
-    :::text
-    olevba.py MalwareZoo/VBA/*.doc MalwareZoo/VBA/*.xls -r
-    
-Scan all .doc files within all .zip files with password, recursively:
-
-    :::text
-    olevba.py MalwareZoo/VBA/*.zip -r -z infected -f *.doc
-
-
-### Detailed analysis mode (default for single file)
-
-When a single file is scanned, or when using the option -d, all details of the analysis are displayed. 
-
-For example, checking the malware sample [DIAN_caso-5415.doc](https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/):
-
-	:::text
-    >olevba.py c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip -z infected
-    ===============================================================================
-    FILE: DIAN_caso-5415.doc.malware in c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip
-    Type: OLE
-    -------------------------------------------------------------------------------
-    VBA MACRO ThisDocument.cls
-    in file: DIAN_caso-5415.doc.malware - OLE stream: Macros/VBA/ThisDocument
-    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-    Option Explicit
-    Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal FVQGKS As Long,_
-    ByVal WSGSGY As String, ByVal IFRRFV As String, ByVal NCVOLV As Long, _
-    ByVal HQTLDG As Long) As Long
-    Sub AutoOpen()
-        Auto_Open
-    End Sub
-    Sub Auto_Open()
-    SNVJYQ
-    End Sub
-    Public Sub SNVJYQ()
-        [Malicious Code...]
-    End Sub
-    Function OGEXYR(XSTAHU As String, PHHWIV As String) As Boolean
-        [Malicious Code...]
-        Application.DisplayAlerts = False
-        Application.Quit
-    End Function
-    Sub Workbook_Open()
-        Auto_Open
-    End Sub
-    
-    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-    ANALYSIS:
-    +------------+----------------------+-----------------------------------------+
-    | Type       | Keyword              | Description                             |
-    +------------+----------------------+-----------------------------------------+
-    | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
-    | AutoExec   | Auto_Open            | Runs when the Excel Workbook is opened  |
-    | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
-    | Suspicious | Lib                  | May run code from a DLL                 |
-    | Suspicious | Shell                | May run an executable file or a system  |
-    |            |                      | command                                 |
-    | Suspicious | Environ              | May read system environment variables   |
-    | Suspicious | URLDownloadToFileA   | May download files from the Internet    |
-    | IOC        | http://germanya.com. | URL                                     |
-    |            | ec/logs/test.exe"    |                                         |
-    | IOC        | http://germanya.com. | URL                                     |
-    |            | ec/logs/counter.php" |                                         |
-    | IOC        | germanya.com         | Executable file name                    |
-    | IOC        | test.exe             | Executable file name                    |
-    | IOC        | sfjozjero.exe        | Executable file name                    |
-    +------------+----------------------+-----------------------------------------+
-
-### Triage mode (default for multiple files)
-
-When several files are scanned, or when using the option -t, a summary of the analysis for each file is displayed.
-This is more convenient for quick triage of a collection of suspicious files.
-
-The following flags show the results of the analysis:
-
-- **OLE**: the file type is OLE, for example MS Office 97-2003
-- **OpX**: the file type is OpenXML, for example MS Office 2007+
-- **XML**: the file type is Word 2003 XML
-- **MHT**: the file type is Word MHTML, aka Single File Web Page (.mht)
-- **?**: the file type is not supported
-- **M**: contains VBA Macros
-- **A**: auto-executable macros
-- **S**: suspicious VBA keywords
-- **I**: potential IOCs
-- **H**: hex-encoded strings (potential obfuscation)
-- **B**: Base64-encoded strings (potential obfuscation)
-- **D**: Dridex-encoded strings (potential obfuscation)
-- **V**: VBA string expressions (potential obfuscation)
-
-Here is an example:
-
-    :::text
-    c:\>olevba.py \MalwareZoo\VBA\samples\*
-    Flags       Filename
-    ----------- -----------------------------------------------------------------
-    OLE:MASI--- \MalwareZoo\VBA\samples\DIAN_caso-5415.doc.malware
-    OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_1.doc.malware
-    OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_2.doc.malware
-    OLE:MASI--- \MalwareZoo\VBA\samples\DRIDEX_3.doc.malware
-    OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_4.doc.malware
-    OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_5.doc.malware
-    OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_6.doc.malware
-    OLE:MAS---- \MalwareZoo\VBA\samples\DRIDEX_7.doc.malware
-    OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_8.doc.malware
-    OLE:MASIHBD \MalwareZoo\VBA\samples\DRIDEX_9.xls.malware
-    OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_A.doc.malware
-    OLE:------- \MalwareZoo\VBA\samples\Normal_Document.doc
-    OLE:M------ \MalwareZoo\VBA\samples\Normal_Document_Macro.doc
-    OpX:MASI--- \MalwareZoo\VBA\samples\RottenKitten.xlsb.malware
-    OLE:MASI-B- \MalwareZoo\VBA\samples\ROVNIX.doc.malware
-    OLE:MA----- \MalwareZoo\VBA\samples\Word within Word macro auto.doc
-  
-  
---------------------------------------------------------------------------
-    
-## How to use olevba in Python applications	
-
-olevba may be used to open a MS Office file, detect if it contains VBA macros, extract and analyze the VBA source code 
-from your own python applications.
-
-IMPORTANT: olevba is currently under active development, therefore this API is likely to change.
-
-### Import olevba
-
-First, import the **oletools.olevba** package, using at least the VBA_Parser and VBA_Scanner classes:
-
-    :::python
-    from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML 
-    
-### Parse a MS Office file - VBA_Parser
-
-To parse a file on disk, create an instance of the **VBA_Parser** class, providing the name of the file to open as parameter.
-For example:
-
-    :::python
-    vbaparser = VBA_Parser('my_file_with_macros.doc')
-
-The file may also be provided as a bytes string containing its data. In that case, the actual 
-filename must be provided for reference, and the file content with the data parameter. For example:
-
-    :::python
-    myfile = 'my_file_with_macros.doc'
-    filedata = open(myfile, 'rb').read()
-    vbaparser = VBA_Parser(myfile, data=filedata)
-    
-VBA_Parser will raise an exception if the file is not a supported format, such as OLE (MS Office 97-2003), OpenXML 
-(MS Office 2007+), MHTML or Word 2003 XML.
- 
-After parsing the file, the attribute **VBA_Parser.type** is a string indicating the file type.
-It can be either TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML or TYPE_MHTML. (constants defined in the olevba module)
-
-### Detect VBA macros
-
-The method **detect_vba_macros** of a VBA_Parser object returns True if VBA macros have been found in the file, 
-False otherwise.
-
-    :::python
-    if vbaparser.detect_vba_macros():
-        print 'VBA Macros found'
-    else:
-        print 'No VBA Macros found'
-        
-Note: The detection algorithm looks for streams and storage with specific names in the OLE structure, which works fine
-for all the supported formats listed above. However, for some formats such as PowerPoint 97-2003, this method will 
-always return False because VBA Macros are stored in a different way which is not yet supported by olevba.
-
-Moreover, if the file contains an embedded document (e.g. an Excel workbook inserted into a Word document), this method
-may return True if the embedded document contains VBA Macros, even if the main document does not.
- 
-### Extract VBA Macro Source Code
- 
-The method **extract_macros** extracts and decompresses source code for each VBA macro found in the file (possibly 
-including embedded files). It is a generator yielding a tuple (filename, stream_path, vba_filename, vba_code) 
-for each VBA macro found.
-
-- filename: If the file is OLE (MS Office 97-2003), filename is the path of the file.
-    If the file is OpenXML (MS Office 2007+), filename is the path of the OLE subfile containing VBA macros within the zip archive, 
-    e.g. word/vbaProject.bin.
-- stream_path: path of the OLE stream containing the VBA macro source code
-- vba_filename: corresponding VBA filename
-- vba_code: string containing the VBA source code in clear text
-
-Example:
-
-    :::python
-    for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
-        print '-'*79
-        print 'Filename    :', filename
-        print 'OLE stream  :', stream_path
-        print 'VBA filename:', vba_filename
-        print '- '*39
-        print vba_code
-        
-Alternatively, the VBA_Parser method **extract_all_macros** returns the same results as a list of tuples.
-
-### Analyze VBA Source Code
-
-Since version 0.40, the VBA_Parser class provides simpler methods than VBA_Scanner to analyze all macros contained
-in a file:
-
-The method **analyze_macros** from the class **VBA_Parser** can be used to scan the source code of all
-VBA modules to find obfuscated strings, suspicious keywords, IOCs, auto-executable macros, etc.
-
-analyze_macros() takes an optional argument show_decoded_strings: if set to True, the results will contain all the encoded
-strings found in the code (Hex, Base64, Dridex) with their decoded value.
-By default, it will only include the strings which contain printable characters.
-
-**VBA_Parser.analyze_macros()** returns a list of tuples (type, keyword, description), one for each item in the results.
-
-- type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String', 'Dridex String' or 
-  'VBA obfuscated Strings'.
-- keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is
-  the decoded value of the string.
-- description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.
-
-Example:
-
-    :::python
-    results = vbaparser.analyze_macros()
-    for kw_type, keyword, description in results:
-        print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
-        
-After calling analyze_macros, the following VBA_Parser attributes also provide the number
-of items found for each category:
-
-    :::python
-    print 'AutoExec keywords: %d' % vbaparser.nb_autoexec
-    print 'Suspicious keywords: %d' % vbaparser.nb_suspicious
-    print 'IOCs: %d' % vbaparser.nb_iocs
-    print 'Hex obfuscated strings: %d' % vbaparser.nb_hexstrings
-    print 'Base64 obfuscated strings: %d' % vbaparser.nb_base64strings
-    print 'Dridex obfuscated strings: %d' % vbaparser.nb_dridexstrings
-    print 'VBA obfuscated strings: %d' % vbaparser.nb_vbastrings
-
-
-### Deobfuscate VBA Macro Source Code
-
-The method **reveal** attempts to deobfuscate the macro source code by replacing all
-the obfuscated strings by their decoded content. Returns a single string.
-
-Example:
-
-    :::python
-    print vbaparser.reveal()
-
-
-### Close the VBA_Parser
-
-After usage, it is better to call the **close** method of the VBA_Parser object, to make sure the file is closed, 
-especially if your application is parsing many files.
-
-    :::python
-    vbaparser.close()
-
-
---------------------------------------------------------------------------
-
-## Deprecated API
-
-The following methods and functions are still functional, but their usage is not recommended
-since they have been replaced by better solutions.
-
-### VBA_Scanner (deprecated)
-
-The class **VBA_Scanner** can be used to scan the source code of a VBA module to find obfuscated strings,
-suspicious keywords, IOCs, auto-executable macros, etc.
-
-First, create a VBA_Scanner object with a string containing the VBA source code (for example returned by the 
-extract_macros method). Then call the methods **scan** or **scan_summary** to get the results of the analysis.
-
-scan() takes an optional argument include_decoded_strings: if set to True, the results will contain all the encoded
-strings found in the code (Hex, Base64, Dridex) with their decoded value.
-
-**scan** returns a list of tuples (type, keyword, description), one for each item in the results. 
-
-- type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String' or 'Dridex String'.
-- keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is
-  the decoded value of the string.
-- description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.
-
-Example:
-
-    :::python
-    vba_scanner = VBA_Scanner(vba_code)
-    results = vba_scanner.scan(include_decoded_strings=True)
-    for kw_type, keyword, description in results:
-        print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
-
-The function **scan_vba** is a shortcut for VBA_Scanner(vba_code).scan():
-
-    :::python
-    results = scan_vba(vba_code, include_decoded_strings=True)
-    for kw_type, keyword, description in results:
-        print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
-        
-**scan_summary** returns a tuple with the number of items found for each category: 
-(autoexec, suspicious, IOCs, hex, base64, dridex).
-
-
-### Detect auto-executable macros (deprecated)
-
-**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once. 
-
-The function **detect_autoexec** checks if VBA macro code contains specific macro names
-that will be triggered when the document/workbook is opened, closed, changed, etc.
-
-It returns a list of tuples containing two strings, the detected keyword, and the
-description of the trigger. (See the malware example above)
-
-Sample usage:
-
-    :::python
-    from oletools.olevba import detect_autoexec
-    autoexec_keywords = detect_autoexec(vba_code)
-    if autoexec_keywords:
-        print 'Auto-executable macro keywords found:'
-        for keyword, description in autoexec_keywords:
-            print '%s: %s' % (keyword, description)
-    else:
-        print 'Auto-executable macro keywords: None found'
-
-
-### Detect suspicious VBA keywords (deprecated)
-
-**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once. 
-
-The function **detect_suspicious** checks if VBA macro code contains specific
-keywords often used by malware to act on the system (create files, run
-commands or applications, write to the registry, etc).
-
-It returns a list of tuples containing two strings, the detected keyword, and the
-description of the corresponding malicious behaviour. (See the malware example above)
-
-Sample usage:
-
-    :::python
-    from oletools.olevba import detect_suspicious
-    suspicious_keywords = detect_suspicious(vba_code)
-    if suspicious_keywords:
-        print 'Suspicious VBA keywords found:'
-        for keyword, description in suspicious_keywords:
-            print '%s: %s' % (keyword, description)
-    else:
-        print 'Suspicious VBA keywords: None found'
-
-
-### Extract potential IOCs (deprecated)
-
-**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once. 
-
-The function **detect_patterns** checks if VBA macro code contains specific
-patterns of interest, that may be useful for malware analysis and detection
-(potential Indicators of Compromise): IP addresses, e-mail addresses,
-URLs, executable file names.
-
-It returns a list of tuples containing two strings, the pattern type, and the
-extracted value. (See the malware example above)
-
-Sample usage:
-
-    :::python
-    from oletools.olevba import detect_patterns
-    patterns = detect_patterns(vba_code)
-    if patterns:
-        print 'Patterns found:'
-        for pattern_type, value in patterns:
-            print '%s: %s' % (pattern_type, value)
-    else:
-        print 'Patterns: None found'
-
-
---------------------------------------------------------------------------
-
-python-oletools documentation
------------------------------
-
-- [[Home]]
-- [[License]]
-- [[Install]]
-- [[Contribute]], Suggest Improvements or Report Issues
-- Tools:
-	- [[olebrowse]]
-	- [[oleid]]
-	- [[olemeta]]
-	- [[oletimes]]
-	- [[olevba]]
-	- [[pyxswf]]
-	- [[rtfobj]] 
 \ No newline at end of file
+olevba
+======
+
+olevba is a script to parse OLE and OpenXML files such as MS Office documents
+(e.g. Word, Excel), to **detect VBA Macros**, extract their **source code** in clear text, 
+and detect security-related patterns such as **auto-executable macros**, **suspicious
+VBA keywords** used by malware, anti-sandboxing and anti-virtualization techniques, 
+and potential **IOCs** (IP addresses, URLs, executable filenames, etc). 
+It also detects and decodes several common **obfuscation methods including Hex encoding,
+StrReverse, Base64, Dridex, VBA expressions**, and extracts IOCs from decoded strings.
+
+It can be used either as a command-line tool, or as a python module from your own applications.
+
+It is part of the [python-oletools](http://www.decalage.info/python/oletools) package.
+
+olevba is based on source code from [officeparser](https://github.com/unixfreak0037/officeparser) 
+by John William Davison, with significant modifications.
+
+## Supported formats
+
+- Word 97-2003 (.doc, .dot)
+- Word 2007+ (.docm, .dotm)
+- Word 2003 XML (.xml)
+- Word/Excel MHTML, aka Single File Web Page (.mht)
+- Excel 97-2003 (.xls)
+- Excel 2007+ (.xlsm, .xlsb)
+- PowerPoint 2007+ (.pptm, .ppsm)
+- Text file containing VBA or VBScript source code
+- Password-protected Zip archive containing any of the above
+
+## Main Features
+
+- Detect VBA macros in MS Office 97-2003 and 2007+ files, XML, MHT
+- Extract VBA macro source code
+- Detect auto-executable macros
+- Detect suspicious VBA keywords often used by malware
+- Detect anti-sandboxing and anti-virtualization techniques
+- Detect and decodes strings obfuscated with Hex/Base64/StrReverse/Dridex
+- Deobfuscates VBA expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &, using a VBA parser built with
+[pyparsing](http://pyparsing.wikispaces.com), including custom Hex and Base64 encodings
+- Extract IOCs/patterns of interest such as IP addresses, URLs, e-mail addresses and executable file names
+- Scan multiple files and sample collections (wildcards, recursive)
+- Triage mode for a summary view of multiple files
+- Scan malware samples in password-protected Zip archives
+- Python API to use olevba from your applications
+
+MS Office files encrypted with a password are also supported, because VBA macro code is never
+encrypted, only the content of the document.
+
+## About VBA Macros
+
+See [this article](http://www.decalage.info/en/vba_tools) for more information and technical details about VBA Macros
+and how they are stored in MS Office documents.
+
+## How it works
+
+1. olevba checks the file type: If it is an OLE file (i.e MS Office 97-2003), it is parsed right away.
+1. If it is a zip file (i.e. MS Office 2007+), XML or MHTML, olevba looks for all OLE files stored in it (e.g. vbaProject.bin, editdata.mso), and opens them.
+1. olevba identifies all the VBA projects stored in the OLE structure.
+1. Each VBA project is parsed to find the corresponding OLE streams containing macro code.
+1. In each of these OLE streams, the VBA macro source code is extracted and decompressed (RLE compression).
+1. olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex, VBA expressions).
+1. olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros
+and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc).
+
+
+## Usage
+
+	:::text
+    Usage: olevba.py [options] <filename> [filename2 ...]
+    
+    Options:
+      -h, --help            show this help message and exit
+      -r                    find files recursively in subdirectories.
+      -z ZIP_PASSWORD, --zip=ZIP_PASSWORD
+                            if the file is a zip archive, open all files from it,
+                            using the provided password (requires Python 2.6+)
+      -f ZIP_FNAME, --zipfname=ZIP_FNAME
+                            if the file is a zip archive, file(s) to be opened
+                            within the zip. Wildcards * and ? are supported.
+                            (default:*)
+      -t, --triage          triage mode, display results as a summary table
+                            (default for multiple files)
+      -d, --detailed        detailed mode, display full results (default for
+                            single file)
+      -a, --analysis        display only analysis results, not the macro source
+                            code
+      -c, --code            display only VBA source code, do not analyze it
+      -i INPUT, --input=INPUT
+                            input file containing VBA source code to be analyzed
+                            (no parsing)
+      --decode              display all the obfuscated strings with their decoded
+                            content (Hex, Base64, StrReverse, Dridex, VBA).
+      --attr                display the attribute lines at the beginning of VBA
+                            source code
+      --reveal              display the macro source code after replacing all the
+                            obfuscated strings by their decoded content.
+
+### Examples
+
+Scan a single file:
+
+    :::text
+    olevba.py file.doc
+    
+Scan a single file, stored in a Zip archive with password "infected":
+
+    :::text
+    olevba.py malicious_file.xls.zip -z infected
+    
+Scan a single file, showing all obfuscated strings decoded:
+
+    :::text
+    olevba.py file.doc --decode
+    
+Scan a single file, showing the macro source code with VBA strings deobfuscated:
+
+    :::text
+    olevba.py file.doc --reveal
+
+Scan VBA source code extracted into a text file:
+
+    :::text
+    olevba.py -i source_code.vba
+
+Scan a collection of files stored in a folder:
+
+    :::text
+    olevba.py MalwareZoo/VBA/*
+    
+Scan all .doc and .xls files, recursively in all subfolders:
+
+    :::text
+    olevba.py MalwareZoo/VBA/*.doc MalwareZoo/VBA/*.xls -r
+    
+Scan all .doc files within all .zip files with password, recursively:
+
+    :::text
+    olevba.py MalwareZoo/VBA/*.zip -r -z infected -f *.doc
+
+
+### Detailed analysis mode (default for single file)
+
+When a single file is scanned, or when using the option -d, all details of the analysis are displayed. 
+
+For example, checking the malware sample [DIAN_caso-5415.doc](https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/):
+
+	:::text
+    >olevba.py c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip -z infected
+    ===============================================================================
+    FILE: DIAN_caso-5415.doc.malware in c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip
+    Type: OLE
+    -------------------------------------------------------------------------------
+    VBA MACRO ThisDocument.cls
+    in file: DIAN_caso-5415.doc.malware - OLE stream: Macros/VBA/ThisDocument
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    Option Explicit
+    Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal FVQGKS As Long,_
+    ByVal WSGSGY As String, ByVal IFRRFV As String, ByVal NCVOLV As Long, _
+    ByVal HQTLDG As Long) As Long
+    Sub AutoOpen()
+        Auto_Open
+    End Sub
+    Sub Auto_Open()
+    SNVJYQ
+    End Sub
+    Public Sub SNVJYQ()
+        [Malicious Code...]
+    End Sub
+    Function OGEXYR(XSTAHU As String, PHHWIV As String) As Boolean
+        [Malicious Code...]
+        Application.DisplayAlerts = False
+        Application.Quit
+    End Function
+    Sub Workbook_Open()
+        Auto_Open
+    End Sub
+    
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    ANALYSIS:
+    +------------+----------------------+-----------------------------------------+
+    | Type       | Keyword              | Description                             |
+    +------------+----------------------+-----------------------------------------+
+    | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
+    | AutoExec   | Auto_Open            | Runs when the Excel Workbook is opened  |
+    | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
+    | Suspicious | Lib                  | May run code from a DLL                 |
+    | Suspicious | Shell                | May run an executable file or a system  |
+    |            |                      | command                                 |
+    | Suspicious | Environ              | May read system environment variables   |
+    | Suspicious | URLDownloadToFileA   | May download files from the Internet    |
+    | IOC        | http://germanya.com. | URL                                     |
+    |            | ec/logs/test.exe"    |                                         |
+    | IOC        | http://germanya.com. | URL                                     |
+    |            | ec/logs/counter.php" |                                         |
+    | IOC        | germanya.com         | Executable file name                    |
+    | IOC        | test.exe             | Executable file name                    |
+    | IOC        | sfjozjero.exe        | Executable file name                    |
+    +------------+----------------------+-----------------------------------------+
+
+### Triage mode (default for multiple files)
+
+When several files are scanned, or when using the option -t, a summary of the analysis for each file is displayed.
+This is more convenient for quick triage of a collection of suspicious files.
+
+The following flags show the results of the analysis:
+
+- **OLE**: the file type is OLE, for example MS Office 97-2003
+- **OpX**: the file type is OpenXML, for example MS Office 2007+
+- **XML**: the file type is Word 2003 XML
+- **MHT**: the file type is Word MHTML, aka Single File Web Page (.mht)
+- **?**: the file type is not supported
+- **M**: contains VBA Macros
+- **A**: auto-executable macros
+- **S**: suspicious VBA keywords
+- **I**: potential IOCs
+- **H**: hex-encoded strings (potential obfuscation)
+- **B**: Base64-encoded strings (potential obfuscation)
+- **D**: Dridex-encoded strings (potential obfuscation)
+- **V**: VBA string expressions (potential obfuscation)
+
+Here is an example:
+
+    :::text
+    c:\>olevba.py \MalwareZoo\VBA\samples\*
+    Flags       Filename
+    ----------- -----------------------------------------------------------------
+    OLE:MASI--- \MalwareZoo\VBA\samples\DIAN_caso-5415.doc.malware
+    OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_1.doc.malware
+    OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_2.doc.malware
+    OLE:MASI--- \MalwareZoo\VBA\samples\DRIDEX_3.doc.malware
+    OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_4.doc.malware
+    OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_5.doc.malware
+    OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_6.doc.malware
+    OLE:MAS---- \MalwareZoo\VBA\samples\DRIDEX_7.doc.malware
+    OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_8.doc.malware
+    OLE:MASIHBD \MalwareZoo\VBA\samples\DRIDEX_9.xls.malware
+    OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_A.doc.malware
+    OLE:------- \MalwareZoo\VBA\samples\Normal_Document.doc
+    OLE:M------ \MalwareZoo\VBA\samples\Normal_Document_Macro.doc
+    OpX:MASI--- \MalwareZoo\VBA\samples\RottenKitten.xlsb.malware
+    OLE:MASI-B- \MalwareZoo\VBA\samples\ROVNIX.doc.malware
+    OLE:MA----- \MalwareZoo\VBA\samples\Word within Word macro auto.doc
+  
+  
+--------------------------------------------------------------------------
+    
+## How to use olevba in Python applications	
+
+olevba may be used to open a MS Office file, detect if it contains VBA macros, extract and analyze the VBA source code 
+from your own python applications.
+
+IMPORTANT: olevba is currently under active development, therefore this API is likely to change.
+
+### Import olevba
+
+First, import the **oletools.olevba** package, using at least the VBA_Parser and VBA_Scanner classes:
+
+    :::python
+    from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML 
+    
+### Parse a MS Office file - VBA_Parser
+
+To parse a file on disk, create an instance of the **VBA_Parser** class, providing the name of the file to open as parameter.
+For example:
+
+    :::python
+    vbaparser = VBA_Parser('my_file_with_macros.doc')
+
+The file may also be provided as a bytes string containing its data. In that case, the actual 
+filename must be provided for reference, and the file content with the data parameter. For example:
+
+    :::python
+    myfile = 'my_file_with_macros.doc'
+    filedata = open(myfile, 'rb').read()
+    vbaparser = VBA_Parser(myfile, data=filedata)
+    
+VBA_Parser will raise an exception if the file is not a supported format, such as OLE (MS Office 97-2003), OpenXML 
+(MS Office 2007+), MHTML or Word 2003 XML.
+ 
+After parsing the file, the attribute **VBA_Parser.type** is a string indicating the file type.
+It can be either TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML or TYPE_MHTML. (constants defined in the olevba module)
+
+### Detect VBA macros
+
+The method **detect_vba_macros** of a VBA_Parser object returns True if VBA macros have been found in the file, 
+False otherwise.
+
+    :::python
+    if vbaparser.detect_vba_macros():
+        print 'VBA Macros found'
+    else:
+        print 'No VBA Macros found'
+        
+Note: The detection algorithm looks for streams and storage with specific names in the OLE structure, which works fine
+for all the supported formats listed above. However, for some formats such as PowerPoint 97-2003, this method will 
+always return False because VBA Macros are stored in a different way which is not yet supported by olevba.
+
+Moreover, if the file contains an embedded document (e.g. an Excel workbook inserted into a Word document), this method
+may return True if the embedded document contains VBA Macros, even if the main document does not.
+ 
+### Extract VBA Macro Source Code
+ 
+The method **extract_macros** extracts and decompresses source code for each VBA macro found in the file (possibly 
+including embedded files). It is a generator yielding a tuple (filename, stream_path, vba_filename, vba_code) 
+for each VBA macro found.
+
+- filename: If the file is OLE (MS Office 97-2003), filename is the path of the file.
+    If the file is OpenXML (MS Office 2007+), filename is the path of the OLE subfile containing VBA macros within the zip archive, 
+    e.g. word/vbaProject.bin.
+- stream_path: path of the OLE stream containing the VBA macro source code
+- vba_filename: corresponding VBA filename
+- vba_code: string containing the VBA source code in clear text
+
+Example:
+
+    :::python
+    for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
+        print '-'*79
+        print 'Filename    :', filename
+        print 'OLE stream  :', stream_path
+        print 'VBA filename:', vba_filename
+        print '- '*39
+        print vba_code
+        
+Alternatively, the VBA_Parser method **extract_all_macros** returns the same results as a list of tuples.
+
+### Analyze VBA Source Code
+
+Since version 0.40, the VBA_Parser class provides simpler methods than VBA_Scanner to analyze all macros contained
+in a file:
+
+The method **analyze_macros** from the class **VBA_Parser** can be used to scan the source code of all
+VBA modules to find obfuscated strings, suspicious keywords, IOCs, auto-executable macros, etc.
+
+analyze_macros() takes an optional argument show_decoded_strings: if set to True, the results will contain all the encoded
+strings found in the code (Hex, Base64, Dridex) with their decoded value.
+By default, it will only include the strings which contain printable characters.
+
+**VBA_Parser.analyze_macros()** returns a list of tuples (type, keyword, description), one for each item in the results.
+
+- type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String', 'Dridex String' or 
+  'VBA obfuscated Strings'.
+- keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is
+  the decoded value of the string.
+- description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.
+
+Example:
+
+    :::python
+    results = vbaparser.analyze_macros()
+    for kw_type, keyword, description in results:
+        print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
+        
+After calling analyze_macros, the following VBA_Parser attributes also provide the number
+of items found for each category:
+
+    :::python
+    print 'AutoExec keywords: %d' % vbaparser.nb_autoexec
+    print 'Suspicious keywords: %d' % vbaparser.nb_suspicious
+    print 'IOCs: %d' % vbaparser.nb_iocs
+    print 'Hex obfuscated strings: %d' % vbaparser.nb_hexstrings
+    print 'Base64 obfuscated strings: %d' % vbaparser.nb_base64strings
+    print 'Dridex obfuscated strings: %d' % vbaparser.nb_dridexstrings
+    print 'VBA obfuscated strings: %d' % vbaparser.nb_vbastrings
+
+
+### Deobfuscate VBA Macro Source Code
+
+The method **reveal** attempts to deobfuscate the macro source code by replacing all
+the obfuscated strings by their decoded content. Returns a single string.
+
+Example:
+
+    :::python
+    print vbaparser.reveal()
+
+
+### Close the VBA_Parser
+
+After usage, it is better to call the **close** method of the VBA_Parser object, to make sure the file is closed, 
+especially if your application is parsing many files.
+
+    :::python
+    vbaparser.close()
+
+
+--------------------------------------------------------------------------
+
+## Deprecated API
+
+The following methods and functions are still functional, but their usage is not recommended
+since they have been replaced by better solutions.
+
+### VBA_Scanner (deprecated)
+
+The class **VBA_Scanner** can be used to scan the source code of a VBA module to find obfuscated strings,
+suspicious keywords, IOCs, auto-executable macros, etc.
+
+First, create a VBA_Scanner object with a string containing the VBA source code (for example returned by the 
+extract_macros method). Then call the methods **scan** or **scan_summary** to get the results of the analysis.
+
+scan() takes an optional argument include_decoded_strings: if set to True, the results will contain all the encoded
+strings found in the code (Hex, Base64, Dridex) with their decoded value.
+
+**scan** returns a list of tuples (type, keyword, description), one for each item in the results. 
+
+- type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String' or 'Dridex String'.
+- keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is
+  the decoded value of the string.
+- description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.
+
+Example:
+
+    :::python
+    vba_scanner = VBA_Scanner(vba_code)
+    results = vba_scanner.scan(include_decoded_strings=True)
+    for kw_type, keyword, description in results:
+        print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
+
+The function **scan_vba** is a shortcut for VBA_Scanner(vba_code).scan():
+
+    :::python
+    results = scan_vba(vba_code, include_decoded_strings=True)
+    for kw_type, keyword, description in results:
+        print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
+        
+**scan_summary** returns a tuple with the number of items found for each category: 
+(autoexec, suspicious, IOCs, hex, base64, dridex).
+
+
+### Detect auto-executable macros (deprecated)
+
+**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once. 
+
+The function **detect_autoexec** checks if VBA macro code contains specific macro names
+that will be triggered when the document/workbook is opened, closed, changed, etc.
+
+It returns a list of tuples containing two strings, the detected keyword, and the
+description of the trigger. (See the malware example above)
+
+Sample usage:
+
+    :::python
+    from oletools.olevba import detect_autoexec
+    autoexec_keywords = detect_autoexec(vba_code)
+    if autoexec_keywords:
+        print 'Auto-executable macro keywords found:'
+        for keyword, description in autoexec_keywords:
+            print '%s: %s' % (keyword, description)
+    else:
+        print 'Auto-executable macro keywords: None found'
+
+
+### Detect suspicious VBA keywords (deprecated)
+
+**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once. 
+
+The function **detect_suspicious** checks if VBA macro code contains specific
+keywords often used by malware to act on the system (create files, run
+commands or applications, write to the registry, etc).
+
+It returns a list of tuples containing two strings, the detected keyword, and the
+description of the corresponding malicious behaviour. (See the malware example above)
+
+Sample usage:
+
+    :::python
+    from oletools.olevba import detect_suspicious
+    suspicious_keywords = detect_suspicious(vba_code)
+    if suspicious_keywords:
+        print 'Suspicious VBA keywords found:'
+        for keyword, description in suspicious_keywords:
+            print '%s: %s' % (keyword, description)
+    else:
+        print 'Suspicious VBA keywords: None found'
+
+
+### Extract potential IOCs (deprecated)
+
+**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once. 
+
+The function **detect_patterns** checks if VBA macro code contains specific
+patterns of interest, that may be useful for malware analysis and detection
+(potential Indicators of Compromise): IP addresses, e-mail addresses,
+URLs, executable file names.
+
+It returns a list of tuples containing two strings, the pattern type, and the
+extracted value. (See the malware example above)
+
+Sample usage:
+
+    :::python
+    from oletools.olevba import detect_patterns
+    patterns = detect_patterns(vba_code)
+    if patterns:
+        print 'Patterns found:'
+        for pattern_type, value in patterns:
+            print '%s: %s' % (pattern_type, value)
+    else:
+        print 'Patterns: None found'
+
+
+--------------------------------------------------------------------------
+
+python-oletools documentation
+-----------------------------
+
+- [[Home]]
+- [[License]]
+- [[Install]]
+- [[Contribute]], Suggest Improvements or Report Issues
+- Tools:
+	- [[olebrowse]]
+	- [[oleid]]
+	- [[olemeta]]
+	- [[oletimes]]
+	- [[oledir]]
+	- [[olemap]]
+	- [[olevba]]
+	- [[mraptor]]
+	- [[pyxswf]]
+	- [[oleobj]]
+	- [[rtfobj]]
-<p>pyxswf</p>
-<p>======</p>
-<p>pyxswf is a script to detect, extract and analyze Flash objects (SWF files) that may</p>
-<p>be embedded in files such as MS Office documents (e.g. Word, Excel),</p>
-<p>which is especially useful for malware analysis.</p>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+  <meta http-equiv="Content-Style-Type" content="text/css" />
+  <meta name="generator" content="pandoc" />
+  <title></title>
+  <style type="text/css">code{white-space: pre;}</style>
+</head>
+<body>
+<h1 id="pyxswf">pyxswf</h1>
+<p>pyxswf is a script to detect, extract and analyze Flash objects (SWF files) that may be embedded in files such as MS Office documents (e.g. Word, Excel), which is especially useful for malware analysis.</p>
 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
 <p>pyxswf is an extension to <a href="http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html">xxxswf.py</a> published by Alexander Hanel.</p>
-<p>Compared to xxxswf, it can extract streams from MS Office documents by parsing</p>
-<p>their OLE structure properly, which is necessary when streams are fragmented.</p>
-<p>Stream fragmentation is a known obfuscation technique, as explained on</p>
-<p><a href="http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/">http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/</a></p>
+<p>Compared to xxxswf, it can extract streams from MS Office documents by parsing their OLE structure properly, which is necessary when streams are fragmented. Stream fragmentation is a known obfuscation technique, as explained on <a href="http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/">http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/</a></p>
 <p>It can also extract Flash objects from RTF documents, by parsing embedded objects encoded in hexadecimal format (-f option).</p>
 <p>For this, simply add the -o option to work on OLE streams rather than raw files, or the -f option to work on RTF files.</p>
 <h2 id="usage">Usage</h2>
 <pre><code>Usage: pyxswf.py [options] &lt;file.bad&gt;
  
-
-
 Options:
-
   -o, --ole             Parse an OLE file (e.g. Word, Excel) to look for SWF
-
                         in each stream
-
   -f, --rtf             Parse an RTF file to look for SWF in each embedded
-
                         object
-
   -x, --extract         Extracts the embedded SWF(s), names it MD5HASH.swf &amp;
-
                         saves it in the working dir. No addition args needed
-
   -h, --help            show this help message and exit
-
   -y, --yara            Scans the SWF(s) with yara. If the SWF(s) is
-
                         compressed it will be deflated. No addition args
-
                         needed
-
   -s, --md5scan         Scans the SWF(s) for MD5 signatures. Please see func
-
                         checkMD5 to define hashes. No addition args needed
-
   -H, --header          Displays the SWFs file header. No addition args needed
-
   -d, --decompress      Deflates compressed SWFS(s)
-
   -r PATH, --recdir=PATH
-
                         Will recursively scan a directory for files that
-
                         contain SWFs. Must provide path in quotes
-
   -c, --compress        Compresses the SWF using Zlib</code></pre>
 <h3 id="example-1---detecting-and-extracting-a-swf-file-from-a-word-document-on-windows">Example 1 - detecting and extracting a SWF file from a Word document on Windows:</h3>
 <pre><code>C:\oletools&gt;pyxswf.py -o word_flash.doc
-
 OLE stream: &#39;Contents&#39;
-
 [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
-
         [ADDR] SWF 1 at 0x8  - FWS Header
  
-
-
 C:\oletools&gt;pyxswf.py -xo word_flash.doc
-
 OLE stream: &#39;Contents&#39;
-
 [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
-
         [ADDR] SWF 1 at 0x8  - FWS Header
-
                 [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf</code></pre>
 <h3 id="example-2---detecting-and-extracting-a-swf-file-from-a-rtf-document-on-windows">Example 2 - detecting and extracting a SWF file from a RTF document on Windows:</h3>
 <pre><code>C:\oletools&gt;pyxswf.py -xf &quot;rtf_flash.rtf&quot;
-
 RTF embedded object size 1498557 at index 000036DD
-
 [SUMMARY] 1 SWF(s) in MD5:46a110548007e04f4043785ac4184558:RTF_embedded_object_0
-
 00036DD
-
         [ADDR] SWF 1 at 0xc40  - FWS Header
-
-                [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf</code></pre>
+                [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf
+    </code></pre>
 <h2 id="how-to-use-pyxswf-in-python-applications">How to use pyxswf in Python applications</h2>
 <p>TODO</p>
 <hr />
-<p>python-oletools documentation</p>
-<hr />
+<h2 id="python-oletools-documentation">python-oletools documentation</h2>
 <ul>
-<li><p><a href="Home.html">Home</a></p></li>
-<li><p><a href="License.html">License</a></p></li>
-<li><p><a href="Install.html">Install</a></p></li>
-<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
-<li><p>Tools:</p>
+<li><a href="Home.html">Home</a></li>
+<li><a href="License.html">License</a></li>
+<li><a href="Install.html">Install</a></li>
+<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
+<li>Tools:
 <ul>
-<li><p><a href="olebrowse.html">olebrowse</a></p></li>
-<li><p><a href="oleid.html">oleid</a></p></li>
-<li><p><a href="olemeta.html">olemeta</a></p></li>
-<li><p><a href="oletimes.html">oletimes</a></p></li>
-<li><p><a href="olevba.html">olevba</a></p></li>
-<li><p><a href="pyxswf.html">pyxswf</a></p></li>
-<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+<li><a href="olebrowse.html">olebrowse</a></li>
+<li><a href="oleid.html">oleid</a></li>
+<li><a href="olemeta.html">olemeta</a></li>
+<li><a href="oletimes.html">oletimes</a></li>
+<li><a href="oledir.html">oledir</a></li>
+<li><a href="olemap.html">olemap</a></li>
+<li><a href="olevba.html">olevba</a></li>
+<li><a href="mraptor.html">mraptor</a></li>
+<li><a href="pyxswf.html">pyxswf</a></li>
+<li><a href="oleobj.html">oleobj</a></li>
+<li><a href="rtfobj.html">rtfobj</a></li>
 </ul></li>
 </ul>
+</body>
+</html>
@@ -87,6 +87,10 @@ python-oletools documentation
 	- [[oleid]]
 	- [[olemeta]]
 	- [[oletimes]]
+	- [[oledir]]
+	- [[olemap]]
 	- [[olevba]]
+	- [[mraptor]]
 	- [[pyxswf]]
-	- [[rtfobj]] 
 \ No newline at end of file
+	- [[oleobj]]
+	- [[rtfobj]]
-<p>rtfobj</p>
-<p>======</p>
-<p>rtfobj is a Python module to extract embedded objects from RTF files, such as</p>
-<p>OLE ojects. It can be used as a Python library or a command-line tool.</p>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+  <meta http-equiv="Content-Style-Type" content="text/css" />
+  <meta name="generator" content="pandoc" />
+  <title></title>
+  <style type="text/css">code{white-space: pre;}</style>
+</head>
+<body>
+<h1 id="rtfobj">rtfobj</h1>
+<p>rtfobj is a Python module to extract embedded objects from RTF files, such as OLE ojects. It can be used as a Python library or a command-line tool.</p>
 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
 <h2 id="usage">Usage</h2>
 <pre><code>rtfobj.py &lt;file.rtf&gt;</code></pre>
@@ -11,26 +19,29 @@
 <p>rtf_iter_objects(filename) is an iterator which yields a tuple (index, object) providing the index of each hexadecimal stream in the RTF file, and the corresponding decoded object.</p>
 <p>Example:</p>
 <pre><code>import rtfobj    
-
 for index, data in rtfobj.rtf_iter_objects(&quot;myfile.rtf&quot;):
-
     print &#39;found object size %d at index %08X&#39; % (len(data), index)</code></pre>
 <hr />
-<p>python-oletools documentation</p>
-<hr />
+<h2 id="python-oletools-documentation">python-oletools documentation</h2>
 <ul>
-<li><p><a href="Home.html">Home</a></p></li>
-<li><p><a href="License.html">License</a></p></li>
-<li><p><a href="Install.html">Install</a></p></li>
-<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
-<li><p>Tools:</p>
+<li><a href="Home.html">Home</a></li>
+<li><a href="License.html">License</a></li>
+<li><a href="Install.html">Install</a></li>
+<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
+<li>Tools:
 <ul>
-<li><p><a href="olebrowse.html">olebrowse</a></p></li>
-<li><p><a href="oleid.html">oleid</a></p></li>
-<li><p><a href="olemeta.html">olemeta</a></p></li>
-<li><p><a href="oletimes.html">oletimes</a></p></li>
-<li><p><a href="olevba.html">olevba</a></p></li>
-<li><p><a href="pyxswf.html">pyxswf</a></p></li>
-<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+<li><a href="olebrowse.html">olebrowse</a></li>
+<li><a href="oleid.html">oleid</a></li>
+<li><a href="olemeta.html">olemeta</a></li>
+<li><a href="oletimes.html">oletimes</a></li>
+<li><a href="oledir.html">oledir</a></li>
+<li><a href="olemap.html">olemap</a></li>
+<li><a href="olevba.html">olevba</a></li>
+<li><a href="mraptor.html">mraptor</a></li>
+<li><a href="pyxswf.html">pyxswf</a></li>
+<li><a href="oleobj.html">oleobj</a></li>
+<li><a href="rtfobj.html">rtfobj</a></li>
 </ul></li>
 </ul>
+</body>
+</html>
@@ -42,6 +42,10 @@ python-oletools documentation
 	- [[oleid]]
 	- [[olemeta]]
 	- [[oletimes]]
+	- [[oledir]]
+	- [[olemap]]
 	- [[olevba]]
+	- [[mraptor]]
 	- [[pyxswf]]
-	- [[rtfobj]] 
 \ No newline at end of file
+	- [[oleobj]]
+	- [[rtfobj]]