diff --git a/README.md b/README.md index b601ba4..7825a16 100644 --- a/README.md +++ b/README.md @@ -1,178 +1,178 @@ -python-oletools -=============== - -[python-oletools](http://www.decalage.info/python/oletools) is a package of python tools to analyze -[Microsoft OLE2 files](http://en.wikipedia.org/wiki/Compound_File_Binary_Format) -(also called Structured Storage, Compound File Binary Format or Compound Document File Format), -such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. -It is based on the [olefile](http://www.decalage.info/olefile) parser. -See [http://www.decalage.info/python/oletools](http://www.decalage.info/python/oletools) for more info. - -**Quick links:** -[Home page](http://www.decalage.info/python/oletools) - -[Download/Install](https://bitbucket.org/decalage/oletools/wiki/Install) - -[Documentation](https://bitbucket.org/decalage/oletools/wiki) - -[Report Issues/Suggestions/Questions](https://bitbucket.org/decalage/oletools/issues?status=new&status=open) - -[Contact the Author](http://decalage.info/contact) - -[Repository](https://bitbucket.org/decalage/oletools) - -[Updates on Twitter](https://twitter.com/decalage2) - -Note: python-oletools is not related to OLETools published by BeCubed Software. - -News ----- - -- **2016-03-11 v0.44**: improved [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) -to extract and analyse strings from VBA Forms. -- 2016-03-04 v0.43: added new tool MacroRaptor (mraptor) to detect malicious macros, bugfix -and slight improvements in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba). -- 2016-02-07 v0.42: added two new tools oledir and olemap, better handling of malformed -files and several bugfixes in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), -improved display for [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta). -- 2015-09-22 v0.41: added new --reveal option to [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), -to show the macro code with VBA strings deobfuscated. -- 2015-09-17 v0.40: Improved macro deobfuscation in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), -to decode Hex and Base64 within VBA expressions. Display printable deobfuscated strings by -default. Improved the VBA_Parser API. Improved performance. -Fixed [issue #23](https://bitbucket.org/decalage/oletools/issue/23) with sys.stderr. -- 2015-06-19 v0.12: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now deobfuscate VBA -expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &, using a VBA parser built with -[pyparsing](http://pyparsing.wikispaces.com). New options to display only the analysis results or only the macros source code. -The analysis is now done on all the VBA modules at once. -- 2015-05-29 v0.11: Improved parsing of MHTML and ActiveMime/MSO files in -[olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), added several suspicious keywords to VBA scanner -(thanks to @ozhermit and Davy Douhine for the suggestions) -- 2015-05-06 v0.10: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word MHTML files -with macros, aka "Single File Web Page" (.mht) - see [issue #10](https://bitbucket.org/decalage/oletools/issue/10) for more info -- 2015-03-23 v0.09: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word 2003 XML files, -added anti-sandboxing/VM detection -- 2015-02-08 v0.08: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now decode strings -obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western -codepages with olefile 0.42, improved API and display, several bugfixes. -- 2015-01-05 v0.07: improved [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) to detect suspicious -keywords and IOCs in VBA macros, can now scan several files and open password-protected zip archives, added a Python API, -upgraded OleFileIO_PL to olefile v0.41 -- 2014-08-28 v0.06: added [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), a new tool to extract VBA Macro -source code from MS Office documents (97-2003 and 2007+). Improved [documentation](https://bitbucket.org/decalage/oletools/wiki) -- 2013-07-24 v0.05: added new tools [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta) and -[oletimes](https://bitbucket.org/decalage/oletools/wiki/oletimes) -- 2013-04-18 v0.04: fixed bug in rtfobj, added documentation for [rtfobj](https://bitbucket.org/decalage/oletools/wiki/rtfobj) -- 2012-11-09 v0.03: Improved [pyxswf](https://bitbucket.org/decalage/oletools/wiki/pyxswf) to extract Flash objects from RTF -- 2012-10-29 v0.02: Added [oleid](https://bitbucket.org/decalage/oletools/wiki/oleid) -- 2012-10-09 v0.01: Initial version of [olebrowse](https://bitbucket.org/decalage/oletools/wiki/olebrowse) and pyxswf -- see changelog in source code for more info. - - -Tools in python-oletools: -------------------------- - -- [olebrowse](https://bitbucket.org/decalage/oletools/wiki/olebrowse): A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to - view and extract individual data streams. -- [oleid](https://bitbucket.org/decalage/oletools/wiki/oleid): to analyze OLE files to detect specific characteristics usually found in malicious files. -- [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta): to extract all standard properties (metadata) from OLE files. -- [oletimes](https://bitbucket.org/decalage/oletools/wiki/oletimes): to extract creation and modification timestamps of all streams and storages. -- [oledir](https://bitbucket.org/decalage/oletools/wiki/oledir): to display all the directory entries of an OLE file, including free and orphaned entries. -- [olemap](https://bitbucket.org/decalage/oletools/wiki/olemap): to display a map of all the sectors in an OLE file. -- [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba): to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML). -- [MacroRaptor](https://bitbucket.org/decalage/oletools/wiki/mraptor): to detect malicious VBA Macros -- [pyxswf](https://bitbucket.org/decalage/oletools/wiki/pyxswf): to detect, extract and analyze Flash objects (SWF) that may - be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, - which is especially useful for malware analysis. -- [oleobj](https://bitbucket.org/decalage/oletools/wiki/oleobj): to extract embedded objects from OLE files. -- [rtfobj](https://bitbucket.org/decalage/oletools/wiki/rtfobj): to extract embedded objects from RTF files. -- and a few others (coming soon) - -Download and Install: ---------------------- - -To use python-oletools from the command line as analysis tools, you may simply -[download the zip archive](https://bitbucket.org/decalage/oletools/downloads) -and extract the files in the directory of your choice. - -To get the latest development version, click on "Download repository" on the -[downloads page](https://bitbucket.org/decalage/oletools/downloads), or use mercurial to clone the repository. - -If you plan to use python-oletools with other Python applications or your own scripts, then the simplest solution is to -use "**pip install oletools**" or "**easy_install oletools**" to download and install in one go. Otherwise you may -download/extract the zip archive and run "**setup.py install**". - -**Important: to update oletools** if it is already installed, you must run **"pip install -U oletools"**, otherwise pip -will not update it. - -Documentation: --------------- - -The latest version of the documentation can be found [online](https://bitbucket.org/decalage/oletools/wiki), otherwise -a copy is provided in the doc subfolder of the package. - - -How to Suggest Improvements, Report Issues or Contribute: ---------------------------------------------------------- - -This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug -report is welcome. - -To suggest improvements, report a bug or any issue, please use the -[issue reporting page](https://bitbucket.org/decalage/olefileio_pl/issues?status=new&status=open), providing all the -information and files to reproduce the problem. - -You may also [contact the author](http://decalage.info/contact) directly to provide feedback. - -The code is available in [a Mercurial repository on Bitbucket](https://bitbucket.org/decalage/oletools). You may use it -to submit enhancements using forks and pull requests. - -License -------- - -This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files -published with their own license. - -The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec (http://www.decalage.info) - -All rights reserved. - -Redistribution and use in source and binary forms, with or without modification, -are permitted provided that the following conditions are met: - - * Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - ----------- - -olevba contains modified source code from the officeparser project, published -under the following MIT License (MIT): - -officeparser is copyright (c) 2014 John William Davison - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. +python-oletools +=============== + +[python-oletools](http://www.decalage.info/python/oletools) is a package of python tools to analyze +[Microsoft OLE2 files](http://en.wikipedia.org/wiki/Compound_File_Binary_Format) +(also called Structured Storage, Compound File Binary Format or Compound Document File Format), +such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. +It is based on the [olefile](http://www.decalage.info/olefile) parser. +See [http://www.decalage.info/python/oletools](http://www.decalage.info/python/oletools) for more info. + +**Quick links:** +[Home page](http://www.decalage.info/python/oletools) - +[Download/Install](https://bitbucket.org/decalage/oletools/wiki/Install) - +[Documentation](https://bitbucket.org/decalage/oletools/wiki) - +[Report Issues/Suggestions/Questions](https://bitbucket.org/decalage/oletools/issues?status=new&status=open) - +[Contact the Author](http://decalage.info/contact) - +[Repository](https://bitbucket.org/decalage/oletools) - +[Updates on Twitter](https://twitter.com/decalage2) + +Note: python-oletools is not related to OLETools published by BeCubed Software. + +News +---- + +- **2016-03-11 v0.44**: improved [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) +to extract and analyse strings from VBA Forms. +- 2016-03-04 v0.43: added new tool MacroRaptor (mraptor) to detect malicious macros, bugfix +and slight improvements in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba). +- 2016-02-07 v0.42: added two new tools oledir and olemap, better handling of malformed +files and several bugfixes in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), +improved display for [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta). +- 2015-09-22 v0.41: added new --reveal option to [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), +to show the macro code with VBA strings deobfuscated. +- 2015-09-17 v0.40: Improved macro deobfuscation in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), +to decode Hex and Base64 within VBA expressions. Display printable deobfuscated strings by +default. Improved the VBA_Parser API. Improved performance. +Fixed [issue #23](https://bitbucket.org/decalage/oletools/issue/23) with sys.stderr. +- 2015-06-19 v0.12: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now deobfuscate VBA +expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &, using a VBA parser built with +[pyparsing](http://pyparsing.wikispaces.com). New options to display only the analysis results or only the macros source code. +The analysis is now done on all the VBA modules at once. +- 2015-05-29 v0.11: Improved parsing of MHTML and ActiveMime/MSO files in +[olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), added several suspicious keywords to VBA scanner +(thanks to @ozhermit and Davy Douhine for the suggestions) +- 2015-05-06 v0.10: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word MHTML files +with macros, aka "Single File Web Page" (.mht) - see [issue #10](https://bitbucket.org/decalage/oletools/issue/10) for more info +- 2015-03-23 v0.09: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word 2003 XML files, +added anti-sandboxing/VM detection +- 2015-02-08 v0.08: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now decode strings +obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western +codepages with olefile 0.42, improved API and display, several bugfixes. +- 2015-01-05 v0.07: improved [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) to detect suspicious +keywords and IOCs in VBA macros, can now scan several files and open password-protected zip archives, added a Python API, +upgraded OleFileIO_PL to olefile v0.41 +- 2014-08-28 v0.06: added [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), a new tool to extract VBA Macro +source code from MS Office documents (97-2003 and 2007+). Improved [documentation](https://bitbucket.org/decalage/oletools/wiki) +- 2013-07-24 v0.05: added new tools [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta) and +[oletimes](https://bitbucket.org/decalage/oletools/wiki/oletimes) +- 2013-04-18 v0.04: fixed bug in rtfobj, added documentation for [rtfobj](https://bitbucket.org/decalage/oletools/wiki/rtfobj) +- 2012-11-09 v0.03: Improved [pyxswf](https://bitbucket.org/decalage/oletools/wiki/pyxswf) to extract Flash objects from RTF +- 2012-10-29 v0.02: Added [oleid](https://bitbucket.org/decalage/oletools/wiki/oleid) +- 2012-10-09 v0.01: Initial version of [olebrowse](https://bitbucket.org/decalage/oletools/wiki/olebrowse) and pyxswf +- see changelog in source code for more info. + + +Tools in python-oletools: +------------------------- + +- [olebrowse](https://bitbucket.org/decalage/oletools/wiki/olebrowse): A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to + view and extract individual data streams. +- [oleid](https://bitbucket.org/decalage/oletools/wiki/oleid): to analyze OLE files to detect specific characteristics usually found in malicious files. +- [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta): to extract all standard properties (metadata) from OLE files. +- [oletimes](https://bitbucket.org/decalage/oletools/wiki/oletimes): to extract creation and modification timestamps of all streams and storages. +- [oledir](https://bitbucket.org/decalage/oletools/wiki/oledir): to display all the directory entries of an OLE file, including free and orphaned entries. +- [olemap](https://bitbucket.org/decalage/oletools/wiki/olemap): to display a map of all the sectors in an OLE file. +- [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba): to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML). +- [MacroRaptor](https://bitbucket.org/decalage/oletools/wiki/mraptor): to detect malicious VBA Macros +- [pyxswf](https://bitbucket.org/decalage/oletools/wiki/pyxswf): to detect, extract and analyze Flash objects (SWF) that may + be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, + which is especially useful for malware analysis. +- [oleobj](https://bitbucket.org/decalage/oletools/wiki/oleobj): to extract embedded objects from OLE files. +- [rtfobj](https://bitbucket.org/decalage/oletools/wiki/rtfobj): to extract embedded objects from RTF files. +- and a few others (coming soon) + +Download and Install: +--------------------- + +To use python-oletools from the command line as analysis tools, you may simply +[download the zip archive](https://bitbucket.org/decalage/oletools/downloads) +and extract the files in the directory of your choice. + +To get the latest development version, click on "Download repository" on the +[downloads page](https://bitbucket.org/decalage/oletools/downloads), or use mercurial to clone the repository. + +If you plan to use python-oletools with other Python applications or your own scripts, then the simplest solution is to +use "**pip install oletools**" or "**easy_install oletools**" to download and install in one go. Otherwise you may +download/extract the zip archive and run "**setup.py install**". + +**Important: to update oletools** if it is already installed, you must run **"pip install -U oletools"**, otherwise pip +will not update it. + +Documentation: +-------------- + +The latest version of the documentation can be found [online](https://bitbucket.org/decalage/oletools/wiki), otherwise +a copy is provided in the doc subfolder of the package. + + +How to Suggest Improvements, Report Issues or Contribute: +--------------------------------------------------------- + +This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug +report is welcome. + +To suggest improvements, report a bug or any issue, please use the +[issue reporting page](https://bitbucket.org/decalage/olefileio_pl/issues?status=new&status=open), providing all the +information and files to reproduce the problem. + +You may also [contact the author](http://decalage.info/contact) directly to provide feedback. + +The code is available in [a Mercurial repository on Bitbucket](https://bitbucket.org/decalage/oletools). You may use it +to submit enhancements using forks and pull requests. + +License +------- + +This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files +published with their own license. + +The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec (http://www.decalage.info) + +All rights reserved. + +Redistribution and use in source and binary forms, with or without modification, +are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +---------- + +olevba contains modified source code from the officeparser project, published +under the following MIT License (MIT): + +officeparser is copyright (c) 2014 John William Davison + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/oletools/README.html b/oletools/README.html index 5033e58..a1f96d6 100644 --- a/oletools/README.html +++ b/oletools/README.html @@ -1,3 +1,13 @@ + + + + + + + + + +

python-oletools

python-oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.

Quick links: Home page - Download/Install - Documentation - Report Issues/Suggestions/Questions - Contact the Author - Repository - Updates on Twitter

@@ -66,3 +76,5 @@

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

+ + diff --git a/oletools/doc/Contribute.html b/oletools/doc/Contribute.html index a7da617..425c922 100644 --- a/oletools/doc/Contribute.html +++ b/oletools/doc/Contribute.html @@ -1,27 +1,39 @@ -

How to Suggest Improvements, Report Issues or Contribute

-

========================================================

+ + + + + + + + + + +

How to Suggest Improvements, Report Issues or Contribute

This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug report is welcome.

-

To suggest improvements, report a bug or any issue, please use the issue reporting page,

-

providing all the information and files to reproduce the problem.

+

To suggest improvements, report a bug or any issue, please use the issue reporting page, providing all the information and files to reproduce the problem.

You may also contact the author directly to provide feedback.

-

The code is available in a Mercurial repository on Bitbucket.

-

You may use it to submit enhancements using forks and pull requests.

-
-

python-oletools documentation

+

The code is available in a Mercurial repository on Bitbucket. You may use it to submit enhancements using forks and pull requests.

+

python-oletools documentation

+ + diff --git a/oletools/doc/Contribute.md b/oletools/doc/Contribute.md index 8ff3024..275e690 100644 --- a/oletools/doc/Contribute.md +++ b/oletools/doc/Contribute.md @@ -25,6 +25,10 @@ python-oletools documentation - [[oleid]] - [[olemeta]] - [[oletimes]] + - [[oledir]] + - [[olemap]] - [[olevba]] + - [[mraptor]] - [[pyxswf]] - - [[rtfobj]] \ No newline at end of file + - [[oleobj]] + - [[rtfobj]] diff --git a/oletools/doc/Home.html b/oletools/doc/Home.html index 896f457..72554ea 100644 --- a/oletools/doc/Home.html +++ b/oletools/doc/Home.html @@ -1,56 +1,54 @@ -

python-oletools v0.41 documentation

-

===================================

-

This is the home page of the documentation for python-oletools. The latest version can be found

-

online, otherwise a copy is provided in the doc subfolder of the package.

-

python-oletools is a package of python tools to analyze

-

Microsoft OLE2 files

-

(also called Structured Storage, Compound File Binary Format or Compound Document File Format),

-

such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging.

-

It is based on the olefile parser.

-

See http://www.decalage.info/python/oletools for more info.

-

Quick links: Home page -

-

Download/Install -

-

Documentation -

-

Report Issues/Suggestions/Questions -

-

Contact the author -

-

Repository -

-

Updates on Twitter

+ + + + + + + + + + +

python-oletools v0.44 documentation

+

This is the home page of the documentation for python-oletools. The latest version can be found online, otherwise a copy is provided in the doc subfolder of the package.

+

python-oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.

+

Quick links: Home page - Download/Install - Documentation - Report Issues/Suggestions/Questions - Contact the author - Repository - Updates on Twitter

Note: python-oletools is not related to OLETools published by BeCubed Software.

-

Tools in python-oletools:

-
- -

view and extract individual data streams.

+

Tools in python-oletools:

-

be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF,

-

which is especially useful for malware analysis.

- -
-

python-oletools documentation

+

python-oletools documentation

+ + diff --git a/oletools/doc/Home.md b/oletools/doc/Home.md index a4c1132..dacae89 100644 --- a/oletools/doc/Home.md +++ b/oletools/doc/Home.md @@ -1,55 +1,63 @@ -python-oletools v0.41 documentation -=================================== - -This is the home page of the documentation for python-oletools. The latest version can be found -[online](https://bitbucket.org/decalage/oletools/wiki), otherwise a copy is provided in the doc subfolder of the package. - -[python-oletools](http://www.decalage.info/python/oletools) is a package of python tools to analyze -[Microsoft OLE2 files](http://en.wikipedia.org/wiki/Compound_File_Binary_Format) -(also called Structured Storage, Compound File Binary Format or Compound Document File Format), -such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. -It is based on the [olefile](http://www.decalage.info/olefile) parser. -See [http://www.decalage.info/python/oletools](http://www.decalage.info/python/oletools) for more info. - -**Quick links:** [Home page](http://www.decalage.info/python/oletools) - -[Download/Install](https://bitbucket.org/decalage/oletools/wiki/Install) - -[Documentation](https://bitbucket.org/decalage/oletools/wiki) - -[Report Issues/Suggestions/Questions](https://bitbucket.org/decalage/oletools/issues?status=new&status=open) - -[Contact the author](http://decalage.info/contact) - -[Repository](https://bitbucket.org/decalage/oletools) - -[Updates on Twitter](https://twitter.com/decalage2) - -Note: python-oletools is not related to OLETools published by BeCubed Software. - -Tools in python-oletools: -------------------------- - -- **[[olebrowse]]**: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to - view and extract individual data streams. -- **[[oleid]]**: a tool to analyze OLE files to detect specific characteristics usually found in malicious files. -- **[[olemeta]]**: a tool to extract all standard properties (metadata) from OLE files. -- **[[oletimes]]**: a tool to extract creation and modification timestamps of all streams and storages. -- **[[olevba]]**: a tool to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML). -- **[[pyxswf]]**: a tool to detect, extract and analyze Flash objects (SWF) that may - be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, - which is especially useful for malware analysis. -- **[[rtfobj]]**: a tool and python module to extract embedded objects from RTF files. -- and a few others (coming soon) - --------------------------------------------------------------------------- - -python-oletools documentation ------------------------------ - -- [[Home]] -- [[License]] -- [[Install]] -- [[Contribute]], Suggest Improvements or Report Issues -- Tools: - - [[olebrowse]] - - [[oleid]] - - [[olemeta]] - - [[oletimes]] - - [[olevba]] - - [[pyxswf]] - - [[rtfobj]] \ No newline at end of file +python-oletools v0.44 documentation +=================================== + +This is the home page of the documentation for python-oletools. The latest version can be found +[online](https://bitbucket.org/decalage/oletools/wiki), otherwise a copy is provided in the doc subfolder of the package. + +[python-oletools](http://www.decalage.info/python/oletools) is a package of python tools to analyze +[Microsoft OLE2 files](http://en.wikipedia.org/wiki/Compound_File_Binary_Format) +(also called Structured Storage, Compound File Binary Format or Compound Document File Format), +such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. +It is based on the [olefile](http://www.decalage.info/olefile) parser. +See [http://www.decalage.info/python/oletools](http://www.decalage.info/python/oletools) for more info. + +**Quick links:** [Home page](http://www.decalage.info/python/oletools) - +[Download/Install](https://bitbucket.org/decalage/oletools/wiki/Install) - +[Documentation](https://bitbucket.org/decalage/oletools/wiki) - +[Report Issues/Suggestions/Questions](https://bitbucket.org/decalage/oletools/issues?status=new&status=open) - +[Contact the author](http://decalage.info/contact) - +[Repository](https://bitbucket.org/decalage/oletools) - +[Updates on Twitter](https://twitter.com/decalage2) + +Note: python-oletools is not related to OLETools published by BeCubed Software. + +Tools in python-oletools: +------------------------- + +- **[[olebrowse]]**: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to + view and extract individual data streams. +- **[[oleid]]**: to analyze OLE files to detect specific characteristics usually found in malicious files. +- **[[olemeta]]**: to extract all standard properties (metadata) from OLE files. +- **[[oletimes]]**: to extract creation and modification timestamps of all streams and storages. +- **[[oledir]]**: to display all the directory entries of an OLE file, including free and orphaned entries. +- **[[olemap]]**: to display a map of all the sectors in an OLE file. +- **[[olevba]]**: to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML). +- **[[mraptor]]**: to detect malicious VBA Macros +- **[[pyxswf]]**: to detect, extract and analyze Flash objects (SWF) that may + be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, + which is especially useful for malware analysis. +- **[[oleobj]]**: to extract embedded objects from OLE files. +- **[[rtfobj]]**: to extract embedded objects from RTF files. +- and a few others (coming soon) + +-------------------------------------------------------------------------- + +python-oletools documentation +----------------------------- + +- [[Home]] +- [[License]] +- [[Install]] +- [[Contribute]], Suggest Improvements or Report Issues +- Tools: + - [[olebrowse]] + - [[oleid]] + - [[olemeta]] + - [[oletimes]] + - [[oledir]] + - [[olemap]] + - [[olevba]] + - [[mraptor]] + - [[pyxswf]] + - [[oleobj]] + - [[rtfobj]] diff --git a/oletools/doc/Install.html b/oletools/doc/Install.html index 41d9b7f..e2d59dd 100644 --- a/oletools/doc/Install.html +++ b/oletools/doc/Install.html @@ -1,54 +1,53 @@ -

How to Download and Install python-oletools

-

===========================================

-

Pre-requisites

-
+ + + + + + + + + + +

How to Download and Install python-oletools

+

Pre-requisites

For now, python-oletools require Python 2.x, if possible 2.7 or 2.6 to enable all features.

They are not compatible with Python 3.x yet. (Please contact me if that is a strong requirement)

-

To use oletools as command-line tools

-
-

To use python-oletools from the command line as analysis tools, you may simply

-

download the zip archive

-

and extract the files into the directory of your choice. Pick the latest release version, or click on

-

"Download Repository" to get the latest development version with the most recent features.

-

Another possibility is to use a Mercurial client (hg) to clone the repository into a folder. You can then update it easily

-

in the future.

+

To use oletools as command-line tools

+

To use python-oletools from the command line as analysis tools, you may simply download the zip archive and extract the files into the directory of your choice. Pick the latest release version, or click on "Download Repository" to get the latest development version with the most recent features.

+

Another possibility is to use a Mercurial client (hg) to clone the repository into a folder. You can then update it easily in the future.

Windows

You may add the oletools directory to your PATH environment variable to access the tools from anywhere.

Linux, Mac OSX, Unix

-

It is very convenient to create symbolic links to each tool in one of the bin directories in order to run them as shell

-

commands from anywhere. For example, here is how to create an executable link "olevba" in /usr/local/bin pointing to

-

olevba.py, assuming oletools was unzipped into /opt/oletools:

+

It is very convenient to create symbolic links to each tool in one of the bin directories in order to run them as shell commands from anywhere. For example, here is how to create an executable link "olevba" in /usr/local/bin pointing to olevba.py, assuming oletools was unzipped into /opt/oletools:

chmod +x /opt/oletools/oletools/olevba.py
-
 ln -s /opt/oletools/oletools/olevba.py /usr/local/bin/olevba

Then the olevba command can be used from any directory:

user@remnux:~/MalwareZoo/VBA$ olevba dridex427.xls |less
-

For python applications

-
-

If you plan to use python-oletools with other Python applications or your own scripts, the simplest solution is to use

-

"pip install oletools" or "easy_install oletools" to download and install the package in one go. Pip is included

-

with Python since version 2.7.9.

-

Important: to update oletools if it is already installed, you must run "pip install -U oletools", otherwise pip

-

will not update it.

-

Alternatively if you prefer the old school way, you may download the

-

zip archive, extract it into

-

a temporary directory and run "python setup.py install".

-
-

python-oletools documentation

+

For python applications

+

If you plan to use python-oletools with other Python applications or your own scripts, the simplest solution is to use "pip install oletools" or "easy_install oletools" to download and install the package in one go. Pip is included with Python since version 2.7.9.

+

Important: to update oletools if it is already installed, you must run "pip install -U oletools", otherwise pip will not update it.

+

Alternatively if you prefer the old school way, you may download the zip archive, extract it into a temporary directory and run "python setup.py install".

+

python-oletools documentation

+ + diff --git a/oletools/doc/Install.md b/oletools/doc/Install.md index 6bcec9b..96581c2 100644 --- a/oletools/doc/Install.md +++ b/oletools/doc/Install.md @@ -68,6 +68,10 @@ python-oletools documentation - [[oleid]] - [[olemeta]] - [[oletimes]] + - [[oledir]] + - [[olemap]] - [[olevba]] + - [[mraptor]] - [[pyxswf]] - - [[rtfobj]] \ No newline at end of file + - [[oleobj]] + - [[rtfobj]] diff --git a/oletools/doc/License.html b/oletools/doc/License.html index 8aabbc4..13bc45e 100644 --- a/oletools/doc/License.html +++ b/oletools/doc/License.html @@ -1,67 +1,56 @@ -

License for python-oletools

-

===========================

-

This license applies to the python-oletools package, apart from the

-

thirdparty folder which contains third-party files published with their own license.

-

The python-oletools package is copyright (c) 2012-2015 Philippe Lagadec (http://www.decalage.info)

+ + + + + + + + + + +

License for python-oletools

+

This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files published with their own license.

+

The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec (http://www.decalage.info)

All rights reserved.

-

Redistribution and use in source and binary forms, with or without modification,

-

are permitted provided that the following conditions are met:

+

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

-

list of conditions and the following disclaimer.

- -

this list of conditions and the following disclaimer in the documentation

-

and/or other materials provided with the distribution.

-

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND

-

ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

-

WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

-

DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE

-

FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

-

DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

-

SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER

-

CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,

-

OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

-

OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-
-

License for officeparser

-
-

olevba contains modified source code from the officeparser project, published

-

under the following MIT License (MIT):

+

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

+ + + + + + +
License for officeparser
+

olevba contains modified source code from the officeparser project, published under the following MIT License (MIT):

officeparser is copyright (c) 2014 John William Davison

-

Permission is hereby granted, free of charge, to any person obtaining a copy

-

of this software and associated documentation files (the "Software"), to deal

-

in the Software without restriction, including without limitation the rights

-

to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

-

copies of the Software, and to permit persons to whom the Software is

-

furnished to do so, subject to the following conditions:

-

The above copyright notice and this permission notice shall be included in all

-

copies or substantial portions of the Software.

-

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

-

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

-

FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

-

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

-

LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

-

OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

-

SOFTWARE.

-
-

python-oletools documentation

+

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

+

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

+

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

+

python-oletools documentation

+ + diff --git a/oletools/doc/License.md b/oletools/doc/License.md index 0081017..3de3386 100644 --- a/oletools/doc/License.md +++ b/oletools/doc/License.md @@ -4,7 +4,7 @@ License for python-oletools This license applies to the [python-oletools](http://www.decalage.info/python/oletools) package, apart from the thirdparty folder which contains third-party files published with their own license. -The python-oletools package is copyright (c) 2012-2015 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info)) +The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info)) All rights reserved. @@ -70,6 +70,10 @@ python-oletools documentation - [[oleid]] - [[olemeta]] - [[oletimes]] + - [[oledir]] + - [[olemap]] - [[olevba]] + - [[mraptor]] - [[pyxswf]] - - [[rtfobj]] \ No newline at end of file + - [[oleobj]] + - [[rtfobj]] diff --git a/oletools/doc/olebrowse.html b/oletools/doc/olebrowse.html index 7dff955..00d7b7d 100644 --- a/oletools/doc/olebrowse.html +++ b/oletools/doc/olebrowse.html @@ -1,14 +1,20 @@ -

olebrowse

-

=========

-

olebrowse is a simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to

-

view and extract individual data streams.

+ + + + + + + + + + +

olebrowse

+

olebrowse is a simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.

It is part of the python-oletools package.

-

Usage

-
+

Usage

olebrowse.py [file]

If you provide a file it will be opened, else a dialog will allow you to browse folders to open a file. Then if it is a valid OLE file, the list of data streams will be displayed. You can select a stream, and then either view its content in a builtin hexadecimal viewer, or save it to a file for further analysis.

-

Screenshots

-
+

Screenshots

Main menu, showing all streams in the OLE file:

@@ -22,21 +28,26 @@
-

python-oletools documentation

-
+

python-oletools documentation

+ + diff --git a/oletools/doc/olebrowse.md b/oletools/doc/olebrowse.md index 454bffe..9650402 100644 --- a/oletools/doc/olebrowse.md +++ b/oletools/doc/olebrowse.md @@ -42,6 +42,10 @@ python-oletools documentation - [[oleid]] - [[olemeta]] - [[oletimes]] + - [[oledir]] + - [[olemap]] - [[olevba]] + - [[mraptor]] - [[pyxswf]] - - [[rtfobj]] \ No newline at end of file + - [[oleobj]] + - [[rtfobj]] diff --git a/oletools/doc/oleid.html b/oletools/doc/oleid.html index 280afbd..9148751 100644 --- a/oletools/doc/oleid.html +++ b/oletools/doc/oleid.html @@ -1,30 +1,37 @@ -

oleid

-

=====

-

oleid is a script to analyze OLE files such as MS Office documents (e.g. Word,

-

Excel), to detect specific characteristics usually found in malicious files (e.g. malware).

-

For example it can detect VBA macros and embedded Flash objects.

+ + + + + + + + + + +

oleid

+

oleid is a script to analyze OLE files such as MS Office documents (e.g. Word, Excel), to detect specific characteristics usually found in malicious files (e.g. malware). For example it can detect VBA macros and embedded Flash objects.

It is part of the python-oletools package.

Main Features

Planned improvements:

Usage

oleid.py <file>
@@ -32,83 +39,65 @@

Analyzing a Word document containing a Flash object and VBA macros:

C:\oletools>oleid.py word_flash_vba.doc
 
-
-
 Filename: word_flash_vba.doc
-
 +-------------------------------+-----------------------+
-
 | Indicator                     | Value                 |
-
 +-------------------------------+-----------------------+
-
 | OLE format                    | True                  |
-
 | Has SummaryInformation stream | True                  |
-
 | Application name              | Microsoft Office Word |
-
 | Encrypted                     | False                 |
-
 | Word Document                 | True                  |
-
 | VBA Macros                    | True                  |
-
 | Excel Workbook                | False                 |
-
 | PowerPoint Presentation       | False                 |
-
 | Visio Drawing                 | False                 |
-
 | ObjectPool                    | True                  |
-
 | Flash objects                 | 1                     |
-
 +-------------------------------+-----------------------+

How to use oleid in your Python applications

First, import oletools.oleid, and create an OleID object to scan a file:

import oletools.oleid
 
-
-
 oid = oletools.oleid.OleID(filename)

Note: filename can be a filename, a file-like object, or a bytes string containing the file to be analyzed.

Second, call the check() method. It returns a list of Indicator objects.

Each Indicator object has the following attributes:

For example, the following code displays all the indicators:

indicators = oid.check()
-
 for i in indicators:
-
     print 'Indicator id=%s name="%s" type=%s value=%s' % (i.id, i.name, i.type, repr(i.value))
-
     print 'description:', i.description
-
     print ''

See the source code of oleid.py for more details.

-

python-oletools documentation

-
+

python-oletools documentation

+ + diff --git a/oletools/doc/oleid.md b/oletools/doc/oleid.md index 3d70df0..3e99e29 100644 --- a/oletools/doc/oleid.md +++ b/oletools/doc/oleid.md @@ -104,6 +104,10 @@ python-oletools documentation - [[oleid]] - [[olemeta]] - [[oletimes]] + - [[oledir]] + - [[olemap]] - [[olevba]] + - [[mraptor]] - [[pyxswf]] - - [[rtfobj]] \ No newline at end of file + - [[oleobj]] + - [[rtfobj]] diff --git a/oletools/doc/olemeta.html b/oletools/doc/olemeta.html index c28a0a1..82e44d3 100644 --- a/oletools/doc/olemeta.html +++ b/oletools/doc/olemeta.html @@ -1,133 +1,45 @@ -

olemeta

-

=======

-

olemeta is a script to parse OLE files such as MS Office documents (e.g. Word,

-

Excel), to extract all standard properties present in the OLE file.

+ + + + + + + + + + +

olemeta

+

olemeta is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract all standard properties present in the OLE file.

It is part of the python-oletools package.

Usage

olemeta.py <file>

Example

-

Checking the malware sample DIAN_caso-5415.doc:

-
>olemeta.py DIAN_caso-5415.doc
-
-
-
-Properties from SummaryInformation stream:
-
-- codepage: 1252
-
-- title: 'Gu\xeda MIPYME para ser emisor electr\xf3nico'
-
-- subject: ''
-
-- author: 'OFEyDV'
-
-- keywords: ''
-
-- comments: ''
-
-- template: 'Normal.dotm'
-
-- last_saved_by: 'clein'
-
-- revision_number: '13'
-
-- total_edit_time: 4800L
-
-- last_printed: datetime.datetime(2006, 6, 7, 14, 4)
-
-- create_time: datetime.datetime(2009, 3, 30, 14, 18)
-
-- last_saved_time: datetime.datetime(2014, 5, 14, 12, 45)
-
-- num_pages: 7
-
-- num_words: 269
-
-- num_chars: 1485
-
-- thumbnail: None
-
-- creating_application: 'Microsoft Office Word'
-
-- security: 0
-
-
-
-Properties from DocumentSummaryInformation stream:
-
-- codepage_doc: 1252
-
-- category: None
-
-- presentation_target: None
-
-- bytes: None
-
-- lines: 12
-
-- paragraphs: 3
-
-- slides: None
-
-- notes: None
-
-- hidden_slides: None
-
-- mm_clips: None
-
-- scale_crop: False
-
-- heading_pairs: None
-
-- titles_of_parts: None
-
-- manager: None
-
-- company: 'Servicio de Impuestos Internos'
-
-- links_dirty: False
-
-- chars_with_spaces: 1751
-
-- unused: None
-
-- shared_doc: False
-
-- link_base: None
-
-- hlinks: None
-
-- hlinks_changed: False
-
-- version: 786432
-
-- dig_sig: None
-
-- content_type: None
-
-- content_status: None
-
-- language: None
-
-- doc_version: None
+
+ +

How to use olemeta in Python applications

TODO

-

python-oletools documentation

-
+

python-oletools documentation

+ + diff --git a/oletools/doc/olemeta.md b/oletools/doc/olemeta.md index 3e67505..a8f8f20 100644 --- a/oletools/doc/olemeta.md +++ b/oletools/doc/olemeta.md @@ -13,61 +13,7 @@ It is part of the [python-oletools](http://www.decalage.info/python/oletools) pa ### Example -Checking the malware sample [DIAN_caso-5415.doc](https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/): - - :::text - >olemeta.py DIAN_caso-5415.doc - - Properties from SummaryInformation stream: - - codepage: 1252 - - title: 'Gu\xeda MIPYME para ser emisor electr\xf3nico' - - subject: '' - - author: 'OFEyDV' - - keywords: '' - - comments: '' - - template: 'Normal.dotm' - - last_saved_by: 'clein' - - revision_number: '13' - - total_edit_time: 4800L - - last_printed: datetime.datetime(2006, 6, 7, 14, 4) - - create_time: datetime.datetime(2009, 3, 30, 14, 18) - - last_saved_time: datetime.datetime(2014, 5, 14, 12, 45) - - num_pages: 7 - - num_words: 269 - - num_chars: 1485 - - thumbnail: None - - creating_application: 'Microsoft Office Word' - - security: 0 - - Properties from DocumentSummaryInformation stream: - - codepage_doc: 1252 - - category: None - - presentation_target: None - - bytes: None - - lines: 12 - - paragraphs: 3 - - slides: None - - notes: None - - hidden_slides: None - - mm_clips: None - - scale_crop: False - - heading_pairs: None - - titles_of_parts: None - - manager: None - - company: 'Servicio de Impuestos Internos' - - links_dirty: False - - chars_with_spaces: 1751 - - unused: None - - shared_doc: False - - link_base: None - - hlinks: None - - hlinks_changed: False - - version: 786432 - - dig_sig: None - - content_type: None - - content_status: None - - language: None - - doc_version: None +![](olemeta1.png) ## How to use olemeta in Python applications @@ -87,6 +33,10 @@ python-oletools documentation - [[oleid]] - [[olemeta]] - [[oletimes]] + - [[oledir]] + - [[olemap]] - [[olevba]] + - [[mraptor]] - [[pyxswf]] - - [[rtfobj]] \ No newline at end of file + - [[oleobj]] + - [[rtfobj]] diff --git a/oletools/doc/oletimes.html b/oletools/doc/oletimes.html index 8c6e1b2..29b3eeb 100644 --- a/oletools/doc/oletimes.html +++ b/oletools/doc/oletimes.html @@ -1,8 +1,15 @@ -

oletimes

-

========

-

oletimes is a script to parse OLE files such as MS Office documents (e.g. Word,

-

Excel), to extract creation and modification times of all streams and storages

-

in the OLE file.

+ + + + + + + + + + +

oletimes

+

oletimes is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract creation and modification times of all streams and storages in the OLE file.

It is part of the python-oletools package.

Usage

oletimes.py <file>
@@ -10,71 +17,52 @@

Checking the malware sample DIAN_caso-5415.doc:

>oletimes.py DIAN_caso-5415.doc
 
-
-
 +----------------------------+---------------------+---------------------+
-
 | Stream/Storage name        | Modification Time   | Creation Time       |
-
 +----------------------------+---------------------+---------------------+
-
 | Root                       | 2014-05-14 12:45:24 | None                |
-
 | '\x01CompObj'              | None                | None                |
-
 | '\x05DocumentSummaryInform | None                | None                |
-
 | ation'                     |                     |                     |
-
 | '\x05SummaryInformation'   | None                | None                |
-
 | '1Table'                   | None                | None                |
-
 | 'Data'                     | None                | None                |
-
 | 'Macros'                   | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 |
-
 | 'Macros/PROJECT'           | None                | None                |
-
 | 'Macros/PROJECTwm'         | None                | None                |
-
 | 'Macros/VBA'               | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 |
-
 | 'Macros/VBA/ThisDocument'  | None                | None                |
-
 | 'Macros/VBA/_VBA_PROJECT'  | None                | None                |
-
 | 'Macros/VBA/__SRP_0'       | None                | None                |
-
 | 'Macros/VBA/__SRP_1'       | None                | None                |
-
 | 'Macros/VBA/__SRP_2'       | None                | None                |
-
 | 'Macros/VBA/__SRP_3'       | None                | None                |
-
 | 'Macros/VBA/dir'           | None                | None                |
-
 | 'WordDocument'             | None                | None                |
-
 +----------------------------+---------------------+---------------------+

How to use oletimes in Python applications

TODO

-

python-oletools documentation

-
+

python-oletools documentation

+ + diff --git a/oletools/doc/oletimes.md b/oletools/doc/oletimes.md index 3058ea5..488d0ee 100644 --- a/oletools/doc/oletimes.md +++ b/oletools/doc/oletimes.md @@ -61,6 +61,10 @@ python-oletools documentation - [[oleid]] - [[olemeta]] - [[oletimes]] + - [[oledir]] + - [[olemap]] - [[olevba]] + - [[mraptor]] - [[pyxswf]] - - [[rtfobj]] \ No newline at end of file + - [[oleobj]] + - [[rtfobj]] diff --git a/oletools/doc/olevba.html b/oletools/doc/olevba.html index 0b5abaa..05d583a 100644 --- a/oletools/doc/olevba.html +++ b/oletools/doc/olevba.html @@ -1,117 +1,86 @@ -

olevba

-

======

-

olevba is a script to parse OLE and OpenXML files such as MS Office documents

-

(e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text,

-

and detect security-related patterns such as auto-executable macros, **suspicious

-

VBA keywords** used by malware, anti-sandboxing and anti-virtualization techniques,

-

and potential IOCs (IP addresses, URLs, executable filenames, etc).

-

It also detects and decodes several common **obfuscation methods including Hex encoding,

-

StrReverse, Base64, Dridex, VBA expressions**, and extracts IOCs from decoded strings.

+ + + + + + + + + + +

olevba

+

olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text, and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, anti-sandboxing and anti-virtualization techniques, and potential IOCs (IP addresses, URLs, executable filenames, etc). It also detects and decodes several common obfuscation methods including Hex encoding, StrReverse, Base64, Dridex, VBA expressions, and extracts IOCs from decoded strings.

It can be used either as a command-line tool, or as a python module from your own applications.

It is part of the python-oletools package.

-

olevba is based on source code from officeparser

-

by John William Davison, with significant modifications.

+

olevba is based on source code from officeparser by John William Davison, with significant modifications.

Supported formats

Main Features

-

pyparsing, including custom Hex and Base64 encodings

- -

MS Office files encrypted with a password are also supported, because VBA macro code is never

-

encrypted, only the content of the document.

+

MS Office files encrypted with a password are also supported, because VBA macro code is never encrypted, only the content of the document.

About VBA Macros

-

See this article for more information and technical details about VBA Macros

-

and how they are stored in MS Office documents.

+

See this article for more information and technical details about VBA Macros and how they are stored in MS Office documents.

How it works

    -

  1. olevba checks the file type: If it is an OLE file (i.e MS Office 97-2003), it is parsed right away.

    2. -

  2. If it is a zip file (i.e. MS Office 2007+), XML or MHTML, olevba looks for all OLE files stored in it (e.g. vbaProject.bin, editdata.mso), and opens them.

    3. -

  3. olevba identifies all the VBA projects stored in the OLE structure.

    4. -

  4. Each VBA project is parsed to find the corresponding OLE streams containing macro code.

    5. -

  5. In each of these OLE streams, the VBA macro source code is extracted and decompressed (RLE compression).

    6. -

  6. olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex, VBA expressions).

    7. -

  7. olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros

    8. +
  8. olevba checks the file type: If it is an OLE file (i.e MS Office 97-2003), it is parsed right away.
    9. +
  9. If it is a zip file (i.e. MS Office 2007+), XML or MHTML, olevba looks for all OLE files stored in it (e.g. vbaProject.bin, editdata.mso), and opens them.
    10. +
  10. olevba identifies all the VBA projects stored in the OLE structure.
    11. +
  11. Each VBA project is parsed to find the corresponding OLE streams containing macro code.
    12. +
  12. In each of these OLE streams, the VBA macro source code is extracted and decompressed (RLE compression).
    13. +
  13. olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex, VBA expressions).
    14. +
  14. olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc).
-

and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc).

Usage

Usage: olevba.py [options] <filename> [filename2 ...]
 
-
-
 Options:
-
   -h, --help            show this help message and exit
-
   -r                    find files recursively in subdirectories.
-
   -z ZIP_PASSWORD, --zip=ZIP_PASSWORD
-
                         if the file is a zip archive, open all files from it,
-
                         using the provided password (requires Python 2.6+)
-
   -f ZIP_FNAME, --zipfname=ZIP_FNAME
-
                         if the file is a zip archive, file(s) to be opened
-
                         within the zip. Wildcards * and ? are supported.
-
                         (default:*)
-
   -t, --triage          triage mode, display results as a summary table
-
                         (default for multiple files)
-
   -d, --detailed        detailed mode, display full results (default for
-
                         single file)
-
   -a, --analysis        display only analysis results, not the macro source
-
                         code
-
   -c, --code            display only VBA source code, do not analyze it
-
   -i INPUT, --input=INPUT
-
                         input file containing VBA source code to be analyzed
-
                         (no parsing)
-
   --decode              display all the obfuscated strings with their decoded
-
                         content (Hex, Base64, StrReverse, Dridex, VBA).
-
   --attr                display the attribute lines at the beginning of VBA
-
                         source code
-
   --reveal              display the macro source code after replacing all the
-
                         obfuscated strings by their decoded content.

Examples

Scan a single file:

@@ -134,399 +103,251 @@ Options:

When a single file is scanned, or when using the option -d, all details of the analysis are displayed.

For example, checking the malware sample DIAN_caso-5415.doc:

>olevba.py c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip -z infected
-
 ===============================================================================
-
 FILE: DIAN_caso-5415.doc.malware in c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip
-
 Type: OLE
-
 -------------------------------------------------------------------------------
-
 VBA MACRO ThisDocument.cls
-
 in file: DIAN_caso-5415.doc.malware - OLE stream: Macros/VBA/ThisDocument
-
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
 Option Explicit
-
 Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal FVQGKS As Long,_
-
 ByVal WSGSGY As String, ByVal IFRRFV As String, ByVal NCVOLV As Long, _
-
 ByVal HQTLDG As Long) As Long
-
 Sub AutoOpen()
-
     Auto_Open
-
 End Sub
-
 Sub Auto_Open()
-
 SNVJYQ
-
 End Sub
-
 Public Sub SNVJYQ()
-
     [Malicious Code...]
-
 End Sub
-
 Function OGEXYR(XSTAHU As String, PHHWIV As String) As Boolean
-
     [Malicious Code...]
-
     Application.DisplayAlerts = False
-
     Application.Quit
-
 End Function
-
 Sub Workbook_Open()
-
     Auto_Open
-
 End Sub
 
-
-
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
 ANALYSIS:
-
 +------------+----------------------+-----------------------------------------+
-
 | Type       | Keyword              | Description                             |
-
 +------------+----------------------+-----------------------------------------+
-
 | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
-
 | AutoExec   | Auto_Open            | Runs when the Excel Workbook is opened  |
-
 | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
-
 | Suspicious | Lib                  | May run code from a DLL                 |
-
 | Suspicious | Shell                | May run an executable file or a system  |
-
 |            |                      | command                                 |
-
 | Suspicious | Environ              | May read system environment variables   |
-
 | Suspicious | URLDownloadToFileA   | May download files from the Internet    |
-
 | IOC        | http://germanya.com. | URL                                     |
-
 |            | ec/logs/test.exe"    |                                         |
-
 | IOC        | http://germanya.com. | URL                                     |
-
 |            | ec/logs/counter.php" |                                         |
-
 | IOC        | germanya.com         | Executable file name                    |
-
 | IOC        | test.exe             | Executable file name                    |
-
 | IOC        | sfjozjero.exe        | Executable file name                    |
-
 +------------+----------------------+-----------------------------------------+

Triage mode (default for multiple files)

-

When several files are scanned, or when using the option -t, a summary of the analysis for each file is displayed.

-

This is more convenient for quick triage of a collection of suspicious files.

+

When several files are scanned, or when using the option -t, a summary of the analysis for each file is displayed. This is more convenient for quick triage of a collection of suspicious files.

The following flags show the results of the analysis:

Here is an example:

c:\>olevba.py \MalwareZoo\VBA\samples\*
-
 Flags       Filename
-
 ----------- -----------------------------------------------------------------
-
 OLE:MASI--- \MalwareZoo\VBA\samples\DIAN_caso-5415.doc.malware
-
 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_1.doc.malware
-
 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_2.doc.malware
-
 OLE:MASI--- \MalwareZoo\VBA\samples\DRIDEX_3.doc.malware
-
 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_4.doc.malware
-
 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_5.doc.malware
-
 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_6.doc.malware
-
 OLE:MAS---- \MalwareZoo\VBA\samples\DRIDEX_7.doc.malware
-
 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_8.doc.malware
-
 OLE:MASIHBD \MalwareZoo\VBA\samples\DRIDEX_9.xls.malware
-
 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_A.doc.malware
-
 OLE:------- \MalwareZoo\VBA\samples\Normal_Document.doc
-
 OLE:M------ \MalwareZoo\VBA\samples\Normal_Document_Macro.doc
-
 OpX:MASI--- \MalwareZoo\VBA\samples\RottenKitten.xlsb.malware
-
 OLE:MASI-B- \MalwareZoo\VBA\samples\ROVNIX.doc.malware
-
 OLE:MA----- \MalwareZoo\VBA\samples\Word within Word macro auto.doc

How to use olevba in Python applications

-

olevba may be used to open a MS Office file, detect if it contains VBA macros, extract and analyze the VBA source code

-

from your own python applications.

+

olevba may be used to open a MS Office file, detect if it contains VBA macros, extract and analyze the VBA source code from your own python applications.

IMPORTANT: olevba is currently under active development, therefore this API is likely to change.

Import olevba

First, import the oletools.olevba package, using at least the VBA_Parser and VBA_Scanner classes:

from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML

Parse a MS Office file - VBA_Parser

-

To parse a file on disk, create an instance of the VBA_Parser class, providing the name of the file to open as parameter.

-

For example:

+

To parse a file on disk, create an instance of the VBA_Parser class, providing the name of the file to open as parameter. For example:

vbaparser = VBA_Parser('my_file_with_macros.doc')
-

The file may also be provided as a bytes string containing its data. In that case, the actual

-

filename must be provided for reference, and the file content with the data parameter. For example:

+

The file may also be provided as a bytes string containing its data. In that case, the actual filename must be provided for reference, and the file content with the data parameter. For example:

myfile = 'my_file_with_macros.doc'
-
 filedata = open(myfile, 'rb').read()
-
 vbaparser = VBA_Parser(myfile, data=filedata)
-

VBA_Parser will raise an exception if the file is not a supported format, such as OLE (MS Office 97-2003), OpenXML

-

(MS Office 2007+), MHTML or Word 2003 XML.

-

After parsing the file, the attribute VBA_Parser.type is a string indicating the file type.

-

It can be either TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML or TYPE_MHTML. (constants defined in the olevba module)

+

VBA_Parser will raise an exception if the file is not a supported format, such as OLE (MS Office 97-2003), OpenXML (MS Office 2007+), MHTML or Word 2003 XML.

+

After parsing the file, the attribute VBA_Parser.type is a string indicating the file type. It can be either TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML or TYPE_MHTML. (constants defined in the olevba module)

Detect VBA macros

-

The method detect_vba_macros of a VBA_Parser object returns True if VBA macros have been found in the file,

-

False otherwise.

+

The method detect_vba_macros of a VBA_Parser object returns True if VBA macros have been found in the file, False otherwise.

if vbaparser.detect_vba_macros():
-
     print 'VBA Macros found'
-
 else:
-
-    print 'No VBA Macros found'
-

Note: The detection algorithm looks for streams and storage with specific names in the OLE structure, which works fine

-

for all the supported formats listed above. However, for some formats such as PowerPoint 97-2003, this method will

-

always return False because VBA Macros are stored in a different way which is not yet supported by olevba.

-

Moreover, if the file contains an embedded document (e.g. an Excel workbook inserted into a Word document), this method

-

may return True if the embedded document contains VBA Macros, even if the main document does not.

+ print 'No VBA Macros found' + +

Note: The detection algorithm looks for streams and storage with specific names in the OLE structure, which works fine for all the supported formats listed above. However, for some formats such as PowerPoint 97-2003, this method will always return False because VBA Macros are stored in a different way which is not yet supported by olevba.

+

Moreover, if the file contains an embedded document (e.g. an Excel workbook inserted into a Word document), this method may return True if the embedded document contains VBA Macros, even if the main document does not.

Extract VBA Macro Source Code

-

The method extract_macros extracts and decompresses source code for each VBA macro found in the file (possibly

-

including embedded files). It is a generator yielding a tuple (filename, stream_path, vba_filename, vba_code)

-

for each VBA macro found.

+

The method extract_macros extracts and decompresses source code for each VBA macro found in the file (possibly including embedded files). It is a generator yielding a tuple (filename, stream_path, vba_filename, vba_code) for each VBA macro found.

Example:

for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
-
     print '-'*79
-
     print 'Filename    :', filename
-
     print 'OLE stream  :', stream_path
-
     print 'VBA filename:', vba_filename
-
     print '- '*39
-
-    print vba_code
+ print vba_code +

Alternatively, the VBA_Parser method extract_all_macros returns the same results as a list of tuples.

Analyze VBA Source Code

-

Since version 0.40, the VBA_Parser class provides simpler methods than VBA_Scanner to analyze all macros contained

-

in a file:

-

The method analyze_macros from the class VBA_Parser can be used to scan the source code of all

-

VBA modules to find obfuscated strings, suspicious keywords, IOCs, auto-executable macros, etc.

-

analyze_macros() takes an optional argument show_decoded_strings: if set to True, the results will contain all the encoded

-

strings found in the code (Hex, Base64, Dridex) with their decoded value.

-

By default, it will only include the strings which contain printable characters.

+

Since version 0.40, the VBA_Parser class provides simpler methods than VBA_Scanner to analyze all macros contained in a file:

+

The method analyze_macros from the class VBA_Parser can be used to scan the source code of all VBA modules to find obfuscated strings, suspicious keywords, IOCs, auto-executable macros, etc.

+

analyze_macros() takes an optional argument show_decoded_strings: if set to True, the results will contain all the encoded strings found in the code (Hex, Base64, Dridex) with their decoded value. By default, it will only include the strings which contain printable characters.

VBA_Parser.analyze_macros() returns a list of tuples (type, keyword, description), one for each item in the results.

-

'VBA obfuscated Strings'.

- -

the decoded value of the string.

-

Example:

results = vbaparser.analyze_macros()
-
 for kw_type, keyword, description in results:
-
-    print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
-

After calling analyze_macros, the following VBA_Parser attributes also provide the number

-

of items found for each category:

+ print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description) + +

After calling analyze_macros, the following VBA_Parser attributes also provide the number of items found for each category:

print 'AutoExec keywords: %d' % vbaparser.nb_autoexec
-
 print 'Suspicious keywords: %d' % vbaparser.nb_suspicious
-
 print 'IOCs: %d' % vbaparser.nb_iocs
-
 print 'Hex obfuscated strings: %d' % vbaparser.nb_hexstrings
-
 print 'Base64 obfuscated strings: %d' % vbaparser.nb_base64strings
-
 print 'Dridex obfuscated strings: %d' % vbaparser.nb_dridexstrings
-
 print 'VBA obfuscated strings: %d' % vbaparser.nb_vbastrings

Deobfuscate VBA Macro Source Code

-

The method reveal attempts to deobfuscate the macro source code by replacing all

-

the obfuscated strings by their decoded content. Returns a single string.

+

The method reveal attempts to deobfuscate the macro source code by replacing all the obfuscated strings by their decoded content. Returns a single string.

Example:

print vbaparser.reveal()

Close the VBA_Parser

-

After usage, it is better to call the close method of the VBA_Parser object, to make sure the file is closed,

-

especially if your application is parsing many files.

+

After usage, it is better to call the close method of the VBA_Parser object, to make sure the file is closed, especially if your application is parsing many files.

vbaparser.close()

Deprecated API

-

The following methods and functions are still functional, but their usage is not recommended

-

since they have been replaced by better solutions.

+

The following methods and functions are still functional, but their usage is not recommended since they have been replaced by better solutions.

VBA_Scanner (deprecated)

-

The class VBA_Scanner can be used to scan the source code of a VBA module to find obfuscated strings,

-

suspicious keywords, IOCs, auto-executable macros, etc.

-

First, create a VBA_Scanner object with a string containing the VBA source code (for example returned by the

-

extract_macros method). Then call the methods scan or scan_summary to get the results of the analysis.

-

scan() takes an optional argument include_decoded_strings: if set to True, the results will contain all the encoded

-

strings found in the code (Hex, Base64, Dridex) with their decoded value.

+

The class VBA_Scanner can be used to scan the source code of a VBA module to find obfuscated strings, suspicious keywords, IOCs, auto-executable macros, etc.

+

First, create a VBA_Scanner object with a string containing the VBA source code (for example returned by the extract_macros method). Then call the methods scan or scan_summary to get the results of the analysis.

+

scan() takes an optional argument include_decoded_strings: if set to True, the results will contain all the encoded strings found in the code (Hex, Base64, Dridex) with their decoded value.

scan returns a list of tuples (type, keyword, description), one for each item in the results.

-

the decoded value of the string.

-

Example:

vba_scanner = VBA_Scanner(vba_code)
-
 results = vba_scanner.scan(include_decoded_strings=True)
-
 for kw_type, keyword, description in results:
-
     print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)

The function scan_vba is a shortcut for VBA_Scanner(vba_code).scan():

results = scan_vba(vba_code, include_decoded_strings=True)
-
 for kw_type, keyword, description in results:
-
-    print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
-

scan_summary returns a tuple with the number of items found for each category:

-

(autoexec, suspicious, IOCs, hex, base64, dridex).

+ print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description) + +

scan_summary returns a tuple with the number of items found for each category: (autoexec, suspicious, IOCs, hex, base64, dridex).

Detect auto-executable macros (deprecated)

Deprecated: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.

-

The function detect_autoexec checks if VBA macro code contains specific macro names

-

that will be triggered when the document/workbook is opened, closed, changed, etc.

-

It returns a list of tuples containing two strings, the detected keyword, and the

-

description of the trigger. (See the malware example above)

+

The function detect_autoexec checks if VBA macro code contains specific macro names that will be triggered when the document/workbook is opened, closed, changed, etc.

+

It returns a list of tuples containing two strings, the detected keyword, and the description of the trigger. (See the malware example above)

Sample usage:

from oletools.olevba import detect_autoexec
-
 autoexec_keywords = detect_autoexec(vba_code)
-
 if autoexec_keywords:
-
     print 'Auto-executable macro keywords found:'
-
     for keyword, description in autoexec_keywords:
-
         print '%s: %s' % (keyword, description)
-
 else:
-
     print 'Auto-executable macro keywords: None found'

Detect suspicious VBA keywords (deprecated)

Deprecated: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.

-

The function detect_suspicious checks if VBA macro code contains specific

-

keywords often used by malware to act on the system (create files, run

-

commands or applications, write to the registry, etc).

-

It returns a list of tuples containing two strings, the detected keyword, and the

-

description of the corresponding malicious behaviour. (See the malware example above)

+

The function detect_suspicious checks if VBA macro code contains specific keywords often used by malware to act on the system (create files, run commands or applications, write to the registry, etc).

+

It returns a list of tuples containing two strings, the detected keyword, and the description of the corresponding malicious behaviour. (See the malware example above)

Sample usage:

from oletools.olevba import detect_suspicious
-
 suspicious_keywords = detect_suspicious(vba_code)
-
 if suspicious_keywords:
-
     print 'Suspicious VBA keywords found:'
-
     for keyword, description in suspicious_keywords:
-
         print '%s: %s' % (keyword, description)
-
 else:
-
     print 'Suspicious VBA keywords: None found'

Extract potential IOCs (deprecated)

Deprecated: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.

-

The function detect_patterns checks if VBA macro code contains specific

-

patterns of interest, that may be useful for malware analysis and detection

-

(potential Indicators of Compromise): IP addresses, e-mail addresses,

-

URLs, executable file names.

-

It returns a list of tuples containing two strings, the pattern type, and the

-

extracted value. (See the malware example above)

+

The function detect_patterns checks if VBA macro code contains specific patterns of interest, that may be useful for malware analysis and detection (potential Indicators of Compromise): IP addresses, e-mail addresses, URLs, executable file names.

+

It returns a list of tuples containing two strings, the pattern type, and the extracted value. (See the malware example above)

Sample usage:

from oletools.olevba import detect_patterns
-
 patterns = detect_patterns(vba_code)
-
 if patterns:
-
     print 'Patterns found:'
-
     for pattern_type, value in patterns:
-
         print '%s: %s' % (pattern_type, value)
-
 else:
-
     print 'Patterns: None found'
-

python-oletools documentation

-
+

python-oletools documentation

+ + diff --git a/oletools/doc/olevba.md b/oletools/doc/olevba.md index ebcf06b..11d0627 100644 --- a/oletools/doc/olevba.md +++ b/oletools/doc/olevba.md @@ -1,520 +1,524 @@ -olevba -====== - -olevba is a script to parse OLE and OpenXML files such as MS Office documents -(e.g. Word, Excel), to **detect VBA Macros**, extract their **source code** in clear text, -and detect security-related patterns such as **auto-executable macros**, **suspicious -VBA keywords** used by malware, anti-sandboxing and anti-virtualization techniques, -and potential **IOCs** (IP addresses, URLs, executable filenames, etc). -It also detects and decodes several common **obfuscation methods including Hex encoding, -StrReverse, Base64, Dridex, VBA expressions**, and extracts IOCs from decoded strings. - -It can be used either as a command-line tool, or as a python module from your own applications. - -It is part of the [python-oletools](http://www.decalage.info/python/oletools) package. - -olevba is based on source code from [officeparser](https://github.com/unixfreak0037/officeparser) -by John William Davison, with significant modifications. - -## Supported formats - -- Word 97-2003 (.doc, .dot) -- Word 2007+ (.docm, .dotm) -- Word 2003 XML (.xml) -- Word/Excel MHTML, aka Single File Web Page (.mht) -- Excel 97-2003 (.xls) -- Excel 2007+ (.xlsm, .xlsb) -- PowerPoint 2007+ (.pptm, .ppsm) -- Text file containing VBA or VBScript source code -- Password-protected Zip archive containing any of the above - -## Main Features - -- Detect VBA macros in MS Office 97-2003 and 2007+ files, XML, MHT -- Extract VBA macro source code -- Detect auto-executable macros -- Detect suspicious VBA keywords often used by malware -- Detect anti-sandboxing and anti-virtualization techniques -- Detect and decodes strings obfuscated with Hex/Base64/StrReverse/Dridex -- Deobfuscates VBA expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &, using a VBA parser built with -[pyparsing](http://pyparsing.wikispaces.com), including custom Hex and Base64 encodings -- Extract IOCs/patterns of interest such as IP addresses, URLs, e-mail addresses and executable file names -- Scan multiple files and sample collections (wildcards, recursive) -- Triage mode for a summary view of multiple files -- Scan malware samples in password-protected Zip archives -- Python API to use olevba from your applications - -MS Office files encrypted with a password are also supported, because VBA macro code is never -encrypted, only the content of the document. - -## About VBA Macros - -See [this article](http://www.decalage.info/en/vba_tools) for more information and technical details about VBA Macros -and how they are stored in MS Office documents. - -## How it works - -1. olevba checks the file type: If it is an OLE file (i.e MS Office 97-2003), it is parsed right away. -1. If it is a zip file (i.e. MS Office 2007+), XML or MHTML, olevba looks for all OLE files stored in it (e.g. vbaProject.bin, editdata.mso), and opens them. -1. olevba identifies all the VBA projects stored in the OLE structure. -1. Each VBA project is parsed to find the corresponding OLE streams containing macro code. -1. In each of these OLE streams, the VBA macro source code is extracted and decompressed (RLE compression). -1. olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex, VBA expressions). -1. olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros -and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc). - - -## Usage - - :::text - Usage: olevba.py [options] [filename2 ...] - - Options: - -h, --help show this help message and exit - -r find files recursively in subdirectories. - -z ZIP_PASSWORD, --zip=ZIP_PASSWORD - if the file is a zip archive, open all files from it, - using the provided password (requires Python 2.6+) - -f ZIP_FNAME, --zipfname=ZIP_FNAME - if the file is a zip archive, file(s) to be opened - within the zip. Wildcards * and ? are supported. - (default:*) - -t, --triage triage mode, display results as a summary table - (default for multiple files) - -d, --detailed detailed mode, display full results (default for - single file) - -a, --analysis display only analysis results, not the macro source - code - -c, --code display only VBA source code, do not analyze it - -i INPUT, --input=INPUT - input file containing VBA source code to be analyzed - (no parsing) - --decode display all the obfuscated strings with their decoded - content (Hex, Base64, StrReverse, Dridex, VBA). - --attr display the attribute lines at the beginning of VBA - source code - --reveal display the macro source code after replacing all the - obfuscated strings by their decoded content. - -### Examples - -Scan a single file: - - :::text - olevba.py file.doc - -Scan a single file, stored in a Zip archive with password "infected": - - :::text - olevba.py malicious_file.xls.zip -z infected - -Scan a single file, showing all obfuscated strings decoded: - - :::text - olevba.py file.doc --decode - -Scan a single file, showing the macro source code with VBA strings deobfuscated: - - :::text - olevba.py file.doc --reveal - -Scan VBA source code extracted into a text file: - - :::text - olevba.py -i source_code.vba - -Scan a collection of files stored in a folder: - - :::text - olevba.py MalwareZoo/VBA/* - -Scan all .doc and .xls files, recursively in all subfolders: - - :::text - olevba.py MalwareZoo/VBA/*.doc MalwareZoo/VBA/*.xls -r - -Scan all .doc files within all .zip files with password, recursively: - - :::text - olevba.py MalwareZoo/VBA/*.zip -r -z infected -f *.doc - - -### Detailed analysis mode (default for single file) - -When a single file is scanned, or when using the option -d, all details of the analysis are displayed. - -For example, checking the malware sample [DIAN_caso-5415.doc](https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/): - - :::text - >olevba.py c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip -z infected - =============================================================================== - FILE: DIAN_caso-5415.doc.malware in c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip - Type: OLE - ------------------------------------------------------------------------------- - VBA MACRO ThisDocument.cls - in file: DIAN_caso-5415.doc.malware - OLE stream: Macros/VBA/ThisDocument - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Option Explicit - Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal FVQGKS As Long,_ - ByVal WSGSGY As String, ByVal IFRRFV As String, ByVal NCVOLV As Long, _ - ByVal HQTLDG As Long) As Long - Sub AutoOpen() - Auto_Open - End Sub - Sub Auto_Open() - SNVJYQ - End Sub - Public Sub SNVJYQ() - [Malicious Code...] - End Sub - Function OGEXYR(XSTAHU As String, PHHWIV As String) As Boolean - [Malicious Code...] - Application.DisplayAlerts = False - Application.Quit - End Function - Sub Workbook_Open() - Auto_Open - End Sub - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ANALYSIS: - +------------+----------------------+-----------------------------------------+ - | Type | Keyword | Description | - +------------+----------------------+-----------------------------------------+ - | AutoExec | AutoOpen | Runs when the Word document is opened | - | AutoExec | Auto_Open | Runs when the Excel Workbook is opened | - | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened | - | Suspicious | Lib | May run code from a DLL | - | Suspicious | Shell | May run an executable file or a system | - | | | command | - | Suspicious | Environ | May read system environment variables | - | Suspicious | URLDownloadToFileA | May download files from the Internet | - | IOC | http://germanya.com. | URL | - | | ec/logs/test.exe" | | - | IOC | http://germanya.com. | URL | - | | ec/logs/counter.php" | | - | IOC | germanya.com | Executable file name | - | IOC | test.exe | Executable file name | - | IOC | sfjozjero.exe | Executable file name | - +------------+----------------------+-----------------------------------------+ - -### Triage mode (default for multiple files) - -When several files are scanned, or when using the option -t, a summary of the analysis for each file is displayed. -This is more convenient for quick triage of a collection of suspicious files. - -The following flags show the results of the analysis: - -- **OLE**: the file type is OLE, for example MS Office 97-2003 -- **OpX**: the file type is OpenXML, for example MS Office 2007+ -- **XML**: the file type is Word 2003 XML -- **MHT**: the file type is Word MHTML, aka Single File Web Page (.mht) -- **?**: the file type is not supported -- **M**: contains VBA Macros -- **A**: auto-executable macros -- **S**: suspicious VBA keywords -- **I**: potential IOCs -- **H**: hex-encoded strings (potential obfuscation) -- **B**: Base64-encoded strings (potential obfuscation) -- **D**: Dridex-encoded strings (potential obfuscation) -- **V**: VBA string expressions (potential obfuscation) - -Here is an example: - - :::text - c:\>olevba.py \MalwareZoo\VBA\samples\* - Flags Filename - ----------- ----------------------------------------------------------------- - OLE:MASI--- \MalwareZoo\VBA\samples\DIAN_caso-5415.doc.malware - OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_1.doc.malware - OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_2.doc.malware - OLE:MASI--- \MalwareZoo\VBA\samples\DRIDEX_3.doc.malware - OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_4.doc.malware - OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_5.doc.malware - OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_6.doc.malware - OLE:MAS---- \MalwareZoo\VBA\samples\DRIDEX_7.doc.malware - OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_8.doc.malware - OLE:MASIHBD \MalwareZoo\VBA\samples\DRIDEX_9.xls.malware - OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_A.doc.malware - OLE:------- \MalwareZoo\VBA\samples\Normal_Document.doc - OLE:M------ \MalwareZoo\VBA\samples\Normal_Document_Macro.doc - OpX:MASI--- \MalwareZoo\VBA\samples\RottenKitten.xlsb.malware - OLE:MASI-B- \MalwareZoo\VBA\samples\ROVNIX.doc.malware - OLE:MA----- \MalwareZoo\VBA\samples\Word within Word macro auto.doc - - --------------------------------------------------------------------------- - -## How to use olevba in Python applications - -olevba may be used to open a MS Office file, detect if it contains VBA macros, extract and analyze the VBA source code -from your own python applications. - -IMPORTANT: olevba is currently under active development, therefore this API is likely to change. - -### Import olevba - -First, import the **oletools.olevba** package, using at least the VBA_Parser and VBA_Scanner classes: - - :::python - from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML - -### Parse a MS Office file - VBA_Parser - -To parse a file on disk, create an instance of the **VBA_Parser** class, providing the name of the file to open as parameter. -For example: - - :::python - vbaparser = VBA_Parser('my_file_with_macros.doc') - -The file may also be provided as a bytes string containing its data. In that case, the actual -filename must be provided for reference, and the file content with the data parameter. For example: - - :::python - myfile = 'my_file_with_macros.doc' - filedata = open(myfile, 'rb').read() - vbaparser = VBA_Parser(myfile, data=filedata) - -VBA_Parser will raise an exception if the file is not a supported format, such as OLE (MS Office 97-2003), OpenXML -(MS Office 2007+), MHTML or Word 2003 XML. - -After parsing the file, the attribute **VBA_Parser.type** is a string indicating the file type. -It can be either TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML or TYPE_MHTML. (constants defined in the olevba module) - -### Detect VBA macros - -The method **detect_vba_macros** of a VBA_Parser object returns True if VBA macros have been found in the file, -False otherwise. - - :::python - if vbaparser.detect_vba_macros(): - print 'VBA Macros found' - else: - print 'No VBA Macros found' - -Note: The detection algorithm looks for streams and storage with specific names in the OLE structure, which works fine -for all the supported formats listed above. However, for some formats such as PowerPoint 97-2003, this method will -always return False because VBA Macros are stored in a different way which is not yet supported by olevba. - -Moreover, if the file contains an embedded document (e.g. an Excel workbook inserted into a Word document), this method -may return True if the embedded document contains VBA Macros, even if the main document does not. - -### Extract VBA Macro Source Code - -The method **extract_macros** extracts and decompresses source code for each VBA macro found in the file (possibly -including embedded files). It is a generator yielding a tuple (filename, stream_path, vba_filename, vba_code) -for each VBA macro found. - -- filename: If the file is OLE (MS Office 97-2003), filename is the path of the file. - If the file is OpenXML (MS Office 2007+), filename is the path of the OLE subfile containing VBA macros within the zip archive, - e.g. word/vbaProject.bin. -- stream_path: path of the OLE stream containing the VBA macro source code -- vba_filename: corresponding VBA filename -- vba_code: string containing the VBA source code in clear text - -Example: - - :::python - for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros(): - print '-'*79 - print 'Filename :', filename - print 'OLE stream :', stream_path - print 'VBA filename:', vba_filename - print '- '*39 - print vba_code - -Alternatively, the VBA_Parser method **extract_all_macros** returns the same results as a list of tuples. - -### Analyze VBA Source Code - -Since version 0.40, the VBA_Parser class provides simpler methods than VBA_Scanner to analyze all macros contained -in a file: - -The method **analyze_macros** from the class **VBA_Parser** can be used to scan the source code of all -VBA modules to find obfuscated strings, suspicious keywords, IOCs, auto-executable macros, etc. - -analyze_macros() takes an optional argument show_decoded_strings: if set to True, the results will contain all the encoded -strings found in the code (Hex, Base64, Dridex) with their decoded value. -By default, it will only include the strings which contain printable characters. - -**VBA_Parser.analyze_macros()** returns a list of tuples (type, keyword, description), one for each item in the results. - -- type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String', 'Dridex String' or - 'VBA obfuscated Strings'. -- keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is - the decoded value of the string. -- description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string. - -Example: - - :::python - results = vbaparser.analyze_macros() - for kw_type, keyword, description in results: - print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description) - -After calling analyze_macros, the following VBA_Parser attributes also provide the number -of items found for each category: - - :::python - print 'AutoExec keywords: %d' % vbaparser.nb_autoexec - print 'Suspicious keywords: %d' % vbaparser.nb_suspicious - print 'IOCs: %d' % vbaparser.nb_iocs - print 'Hex obfuscated strings: %d' % vbaparser.nb_hexstrings - print 'Base64 obfuscated strings: %d' % vbaparser.nb_base64strings - print 'Dridex obfuscated strings: %d' % vbaparser.nb_dridexstrings - print 'VBA obfuscated strings: %d' % vbaparser.nb_vbastrings - - -### Deobfuscate VBA Macro Source Code - -The method **reveal** attempts to deobfuscate the macro source code by replacing all -the obfuscated strings by their decoded content. Returns a single string. - -Example: - - :::python - print vbaparser.reveal() - - -### Close the VBA_Parser - -After usage, it is better to call the **close** method of the VBA_Parser object, to make sure the file is closed, -especially if your application is parsing many files. - - :::python - vbaparser.close() - - --------------------------------------------------------------------------- - -## Deprecated API - -The following methods and functions are still functional, but their usage is not recommended -since they have been replaced by better solutions. - -### VBA_Scanner (deprecated) - -The class **VBA_Scanner** can be used to scan the source code of a VBA module to find obfuscated strings, -suspicious keywords, IOCs, auto-executable macros, etc. - -First, create a VBA_Scanner object with a string containing the VBA source code (for example returned by the -extract_macros method). Then call the methods **scan** or **scan_summary** to get the results of the analysis. - -scan() takes an optional argument include_decoded_strings: if set to True, the results will contain all the encoded -strings found in the code (Hex, Base64, Dridex) with their decoded value. - -**scan** returns a list of tuples (type, keyword, description), one for each item in the results. - -- type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String' or 'Dridex String'. -- keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is - the decoded value of the string. -- description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string. - -Example: - - :::python - vba_scanner = VBA_Scanner(vba_code) - results = vba_scanner.scan(include_decoded_strings=True) - for kw_type, keyword, description in results: - print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description) - -The function **scan_vba** is a shortcut for VBA_Scanner(vba_code).scan(): - - :::python - results = scan_vba(vba_code, include_decoded_strings=True) - for kw_type, keyword, description in results: - print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description) - -**scan_summary** returns a tuple with the number of items found for each category: -(autoexec, suspicious, IOCs, hex, base64, dridex). - - -### Detect auto-executable macros (deprecated) - -**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once. - -The function **detect_autoexec** checks if VBA macro code contains specific macro names -that will be triggered when the document/workbook is opened, closed, changed, etc. - -It returns a list of tuples containing two strings, the detected keyword, and the -description of the trigger. (See the malware example above) - -Sample usage: - - :::python - from oletools.olevba import detect_autoexec - autoexec_keywords = detect_autoexec(vba_code) - if autoexec_keywords: - print 'Auto-executable macro keywords found:' - for keyword, description in autoexec_keywords: - print '%s: %s' % (keyword, description) - else: - print 'Auto-executable macro keywords: None found' - - -### Detect suspicious VBA keywords (deprecated) - -**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once. - -The function **detect_suspicious** checks if VBA macro code contains specific -keywords often used by malware to act on the system (create files, run -commands or applications, write to the registry, etc). - -It returns a list of tuples containing two strings, the detected keyword, and the -description of the corresponding malicious behaviour. (See the malware example above) - -Sample usage: - - :::python - from oletools.olevba import detect_suspicious - suspicious_keywords = detect_suspicious(vba_code) - if suspicious_keywords: - print 'Suspicious VBA keywords found:' - for keyword, description in suspicious_keywords: - print '%s: %s' % (keyword, description) - else: - print 'Suspicious VBA keywords: None found' - - -### Extract potential IOCs (deprecated) - -**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once. - -The function **detect_patterns** checks if VBA macro code contains specific -patterns of interest, that may be useful for malware analysis and detection -(potential Indicators of Compromise): IP addresses, e-mail addresses, -URLs, executable file names. - -It returns a list of tuples containing two strings, the pattern type, and the -extracted value. (See the malware example above) - -Sample usage: - - :::python - from oletools.olevba import detect_patterns - patterns = detect_patterns(vba_code) - if patterns: - print 'Patterns found:' - for pattern_type, value in patterns: - print '%s: %s' % (pattern_type, value) - else: - print 'Patterns: None found' - - --------------------------------------------------------------------------- - -python-oletools documentation ------------------------------ - -- [[Home]] -- [[License]] -- [[Install]] -- [[Contribute]], Suggest Improvements or Report Issues -- Tools: - - [[olebrowse]] - - [[oleid]] - - [[olemeta]] - - [[oletimes]] - - [[olevba]] - - [[pyxswf]] - - [[rtfobj]] \ No newline at end of file +olevba +====== + +olevba is a script to parse OLE and OpenXML files such as MS Office documents +(e.g. Word, Excel), to **detect VBA Macros**, extract their **source code** in clear text, +and detect security-related patterns such as **auto-executable macros**, **suspicious +VBA keywords** used by malware, anti-sandboxing and anti-virtualization techniques, +and potential **IOCs** (IP addresses, URLs, executable filenames, etc). +It also detects and decodes several common **obfuscation methods including Hex encoding, +StrReverse, Base64, Dridex, VBA expressions**, and extracts IOCs from decoded strings. + +It can be used either as a command-line tool, or as a python module from your own applications. + +It is part of the [python-oletools](http://www.decalage.info/python/oletools) package. + +olevba is based on source code from [officeparser](https://github.com/unixfreak0037/officeparser) +by John William Davison, with significant modifications. + +## Supported formats + +- Word 97-2003 (.doc, .dot) +- Word 2007+ (.docm, .dotm) +- Word 2003 XML (.xml) +- Word/Excel MHTML, aka Single File Web Page (.mht) +- Excel 97-2003 (.xls) +- Excel 2007+ (.xlsm, .xlsb) +- PowerPoint 2007+ (.pptm, .ppsm) +- Text file containing VBA or VBScript source code +- Password-protected Zip archive containing any of the above + +## Main Features + +- Detect VBA macros in MS Office 97-2003 and 2007+ files, XML, MHT +- Extract VBA macro source code +- Detect auto-executable macros +- Detect suspicious VBA keywords often used by malware +- Detect anti-sandboxing and anti-virtualization techniques +- Detect and decodes strings obfuscated with Hex/Base64/StrReverse/Dridex +- Deobfuscates VBA expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &, using a VBA parser built with +[pyparsing](http://pyparsing.wikispaces.com), including custom Hex and Base64 encodings +- Extract IOCs/patterns of interest such as IP addresses, URLs, e-mail addresses and executable file names +- Scan multiple files and sample collections (wildcards, recursive) +- Triage mode for a summary view of multiple files +- Scan malware samples in password-protected Zip archives +- Python API to use olevba from your applications + +MS Office files encrypted with a password are also supported, because VBA macro code is never +encrypted, only the content of the document. + +## About VBA Macros + +See [this article](http://www.decalage.info/en/vba_tools) for more information and technical details about VBA Macros +and how they are stored in MS Office documents. + +## How it works + +1. olevba checks the file type: If it is an OLE file (i.e MS Office 97-2003), it is parsed right away. +1. If it is a zip file (i.e. MS Office 2007+), XML or MHTML, olevba looks for all OLE files stored in it (e.g. vbaProject.bin, editdata.mso), and opens them. +1. olevba identifies all the VBA projects stored in the OLE structure. +1. Each VBA project is parsed to find the corresponding OLE streams containing macro code. +1. In each of these OLE streams, the VBA macro source code is extracted and decompressed (RLE compression). +1. olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex, VBA expressions). +1. olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros +and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc). + + +## Usage + + :::text + Usage: olevba.py [options] [filename2 ...] + + Options: + -h, --help show this help message and exit + -r find files recursively in subdirectories. + -z ZIP_PASSWORD, --zip=ZIP_PASSWORD + if the file is a zip archive, open all files from it, + using the provided password (requires Python 2.6+) + -f ZIP_FNAME, --zipfname=ZIP_FNAME + if the file is a zip archive, file(s) to be opened + within the zip. Wildcards * and ? are supported. + (default:*) + -t, --triage triage mode, display results as a summary table + (default for multiple files) + -d, --detailed detailed mode, display full results (default for + single file) + -a, --analysis display only analysis results, not the macro source + code + -c, --code display only VBA source code, do not analyze it + -i INPUT, --input=INPUT + input file containing VBA source code to be analyzed + (no parsing) + --decode display all the obfuscated strings with their decoded + content (Hex, Base64, StrReverse, Dridex, VBA). + --attr display the attribute lines at the beginning of VBA + source code + --reveal display the macro source code after replacing all the + obfuscated strings by their decoded content. + +### Examples + +Scan a single file: + + :::text + olevba.py file.doc + +Scan a single file, stored in a Zip archive with password "infected": + + :::text + olevba.py malicious_file.xls.zip -z infected + +Scan a single file, showing all obfuscated strings decoded: + + :::text + olevba.py file.doc --decode + +Scan a single file, showing the macro source code with VBA strings deobfuscated: + + :::text + olevba.py file.doc --reveal + +Scan VBA source code extracted into a text file: + + :::text + olevba.py -i source_code.vba + +Scan a collection of files stored in a folder: + + :::text + olevba.py MalwareZoo/VBA/* + +Scan all .doc and .xls files, recursively in all subfolders: + + :::text + olevba.py MalwareZoo/VBA/*.doc MalwareZoo/VBA/*.xls -r + +Scan all .doc files within all .zip files with password, recursively: + + :::text + olevba.py MalwareZoo/VBA/*.zip -r -z infected -f *.doc + + +### Detailed analysis mode (default for single file) + +When a single file is scanned, or when using the option -d, all details of the analysis are displayed. + +For example, checking the malware sample [DIAN_caso-5415.doc](https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/): + + :::text + >olevba.py c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip -z infected + =============================================================================== + FILE: DIAN_caso-5415.doc.malware in c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip + Type: OLE + ------------------------------------------------------------------------------- + VBA MACRO ThisDocument.cls + in file: DIAN_caso-5415.doc.malware - OLE stream: Macros/VBA/ThisDocument + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + Option Explicit + Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal FVQGKS As Long,_ + ByVal WSGSGY As String, ByVal IFRRFV As String, ByVal NCVOLV As Long, _ + ByVal HQTLDG As Long) As Long + Sub AutoOpen() + Auto_Open + End Sub + Sub Auto_Open() + SNVJYQ + End Sub + Public Sub SNVJYQ() + [Malicious Code...] + End Sub + Function OGEXYR(XSTAHU As String, PHHWIV As String) As Boolean + [Malicious Code...] + Application.DisplayAlerts = False + Application.Quit + End Function + Sub Workbook_Open() + Auto_Open + End Sub + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ANALYSIS: + +------------+----------------------+-----------------------------------------+ + | Type | Keyword | Description | + +------------+----------------------+-----------------------------------------+ + | AutoExec | AutoOpen | Runs when the Word document is opened | + | AutoExec | Auto_Open | Runs when the Excel Workbook is opened | + | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened | + | Suspicious | Lib | May run code from a DLL | + | Suspicious | Shell | May run an executable file or a system | + | | | command | + | Suspicious | Environ | May read system environment variables | + | Suspicious | URLDownloadToFileA | May download files from the Internet | + | IOC | http://germanya.com. | URL | + | | ec/logs/test.exe" | | + | IOC | http://germanya.com. | URL | + | | ec/logs/counter.php" | | + | IOC | germanya.com | Executable file name | + | IOC | test.exe | Executable file name | + | IOC | sfjozjero.exe | Executable file name | + +------------+----------------------+-----------------------------------------+ + +### Triage mode (default for multiple files) + +When several files are scanned, or when using the option -t, a summary of the analysis for each file is displayed. +This is more convenient for quick triage of a collection of suspicious files. + +The following flags show the results of the analysis: + +- **OLE**: the file type is OLE, for example MS Office 97-2003 +- **OpX**: the file type is OpenXML, for example MS Office 2007+ +- **XML**: the file type is Word 2003 XML +- **MHT**: the file type is Word MHTML, aka Single File Web Page (.mht) +- **?**: the file type is not supported +- **M**: contains VBA Macros +- **A**: auto-executable macros +- **S**: suspicious VBA keywords +- **I**: potential IOCs +- **H**: hex-encoded strings (potential obfuscation) +- **B**: Base64-encoded strings (potential obfuscation) +- **D**: Dridex-encoded strings (potential obfuscation) +- **V**: VBA string expressions (potential obfuscation) + +Here is an example: + + :::text + c:\>olevba.py \MalwareZoo\VBA\samples\* + Flags Filename + ----------- ----------------------------------------------------------------- + OLE:MASI--- \MalwareZoo\VBA\samples\DIAN_caso-5415.doc.malware + OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_1.doc.malware + OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_2.doc.malware + OLE:MASI--- \MalwareZoo\VBA\samples\DRIDEX_3.doc.malware + OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_4.doc.malware + OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_5.doc.malware + OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_6.doc.malware + OLE:MAS---- \MalwareZoo\VBA\samples\DRIDEX_7.doc.malware + OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_8.doc.malware + OLE:MASIHBD \MalwareZoo\VBA\samples\DRIDEX_9.xls.malware + OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_A.doc.malware + OLE:------- \MalwareZoo\VBA\samples\Normal_Document.doc + OLE:M------ \MalwareZoo\VBA\samples\Normal_Document_Macro.doc + OpX:MASI--- \MalwareZoo\VBA\samples\RottenKitten.xlsb.malware + OLE:MASI-B- \MalwareZoo\VBA\samples\ROVNIX.doc.malware + OLE:MA----- \MalwareZoo\VBA\samples\Word within Word macro auto.doc + + +-------------------------------------------------------------------------- + +## How to use olevba in Python applications + +olevba may be used to open a MS Office file, detect if it contains VBA macros, extract and analyze the VBA source code +from your own python applications. + +IMPORTANT: olevba is currently under active development, therefore this API is likely to change. + +### Import olevba + +First, import the **oletools.olevba** package, using at least the VBA_Parser and VBA_Scanner classes: + + :::python + from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML + +### Parse a MS Office file - VBA_Parser + +To parse a file on disk, create an instance of the **VBA_Parser** class, providing the name of the file to open as parameter. +For example: + + :::python + vbaparser = VBA_Parser('my_file_with_macros.doc') + +The file may also be provided as a bytes string containing its data. In that case, the actual +filename must be provided for reference, and the file content with the data parameter. For example: + + :::python + myfile = 'my_file_with_macros.doc' + filedata = open(myfile, 'rb').read() + vbaparser = VBA_Parser(myfile, data=filedata) + +VBA_Parser will raise an exception if the file is not a supported format, such as OLE (MS Office 97-2003), OpenXML +(MS Office 2007+), MHTML or Word 2003 XML. + +After parsing the file, the attribute **VBA_Parser.type** is a string indicating the file type. +It can be either TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML or TYPE_MHTML. (constants defined in the olevba module) + +### Detect VBA macros + +The method **detect_vba_macros** of a VBA_Parser object returns True if VBA macros have been found in the file, +False otherwise. + + :::python + if vbaparser.detect_vba_macros(): + print 'VBA Macros found' + else: + print 'No VBA Macros found' + +Note: The detection algorithm looks for streams and storage with specific names in the OLE structure, which works fine +for all the supported formats listed above. However, for some formats such as PowerPoint 97-2003, this method will +always return False because VBA Macros are stored in a different way which is not yet supported by olevba. + +Moreover, if the file contains an embedded document (e.g. an Excel workbook inserted into a Word document), this method +may return True if the embedded document contains VBA Macros, even if the main document does not. + +### Extract VBA Macro Source Code + +The method **extract_macros** extracts and decompresses source code for each VBA macro found in the file (possibly +including embedded files). It is a generator yielding a tuple (filename, stream_path, vba_filename, vba_code) +for each VBA macro found. + +- filename: If the file is OLE (MS Office 97-2003), filename is the path of the file. + If the file is OpenXML (MS Office 2007+), filename is the path of the OLE subfile containing VBA macros within the zip archive, + e.g. word/vbaProject.bin. +- stream_path: path of the OLE stream containing the VBA macro source code +- vba_filename: corresponding VBA filename +- vba_code: string containing the VBA source code in clear text + +Example: + + :::python + for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros(): + print '-'*79 + print 'Filename :', filename + print 'OLE stream :', stream_path + print 'VBA filename:', vba_filename + print '- '*39 + print vba_code + +Alternatively, the VBA_Parser method **extract_all_macros** returns the same results as a list of tuples. + +### Analyze VBA Source Code + +Since version 0.40, the VBA_Parser class provides simpler methods than VBA_Scanner to analyze all macros contained +in a file: + +The method **analyze_macros** from the class **VBA_Parser** can be used to scan the source code of all +VBA modules to find obfuscated strings, suspicious keywords, IOCs, auto-executable macros, etc. + +analyze_macros() takes an optional argument show_decoded_strings: if set to True, the results will contain all the encoded +strings found in the code (Hex, Base64, Dridex) with their decoded value. +By default, it will only include the strings which contain printable characters. + +**VBA_Parser.analyze_macros()** returns a list of tuples (type, keyword, description), one for each item in the results. + +- type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String', 'Dridex String' or + 'VBA obfuscated Strings'. +- keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is + the decoded value of the string. +- description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string. + +Example: + + :::python + results = vbaparser.analyze_macros() + for kw_type, keyword, description in results: + print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description) + +After calling analyze_macros, the following VBA_Parser attributes also provide the number +of items found for each category: + + :::python + print 'AutoExec keywords: %d' % vbaparser.nb_autoexec + print 'Suspicious keywords: %d' % vbaparser.nb_suspicious + print 'IOCs: %d' % vbaparser.nb_iocs + print 'Hex obfuscated strings: %d' % vbaparser.nb_hexstrings + print 'Base64 obfuscated strings: %d' % vbaparser.nb_base64strings + print 'Dridex obfuscated strings: %d' % vbaparser.nb_dridexstrings + print 'VBA obfuscated strings: %d' % vbaparser.nb_vbastrings + + +### Deobfuscate VBA Macro Source Code + +The method **reveal** attempts to deobfuscate the macro source code by replacing all +the obfuscated strings by their decoded content. Returns a single string. + +Example: + + :::python + print vbaparser.reveal() + + +### Close the VBA_Parser + +After usage, it is better to call the **close** method of the VBA_Parser object, to make sure the file is closed, +especially if your application is parsing many files. + + :::python + vbaparser.close() + + +-------------------------------------------------------------------------- + +## Deprecated API + +The following methods and functions are still functional, but their usage is not recommended +since they have been replaced by better solutions. + +### VBA_Scanner (deprecated) + +The class **VBA_Scanner** can be used to scan the source code of a VBA module to find obfuscated strings, +suspicious keywords, IOCs, auto-executable macros, etc. + +First, create a VBA_Scanner object with a string containing the VBA source code (for example returned by the +extract_macros method). Then call the methods **scan** or **scan_summary** to get the results of the analysis. + +scan() takes an optional argument include_decoded_strings: if set to True, the results will contain all the encoded +strings found in the code (Hex, Base64, Dridex) with their decoded value. + +**scan** returns a list of tuples (type, keyword, description), one for each item in the results. + +- type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String' or 'Dridex String'. +- keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is + the decoded value of the string. +- description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string. + +Example: + + :::python + vba_scanner = VBA_Scanner(vba_code) + results = vba_scanner.scan(include_decoded_strings=True) + for kw_type, keyword, description in results: + print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description) + +The function **scan_vba** is a shortcut for VBA_Scanner(vba_code).scan(): + + :::python + results = scan_vba(vba_code, include_decoded_strings=True) + for kw_type, keyword, description in results: + print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description) + +**scan_summary** returns a tuple with the number of items found for each category: +(autoexec, suspicious, IOCs, hex, base64, dridex). + + +### Detect auto-executable macros (deprecated) + +**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once. + +The function **detect_autoexec** checks if VBA macro code contains specific macro names +that will be triggered when the document/workbook is opened, closed, changed, etc. + +It returns a list of tuples containing two strings, the detected keyword, and the +description of the trigger. (See the malware example above) + +Sample usage: + + :::python + from oletools.olevba import detect_autoexec + autoexec_keywords = detect_autoexec(vba_code) + if autoexec_keywords: + print 'Auto-executable macro keywords found:' + for keyword, description in autoexec_keywords: + print '%s: %s' % (keyword, description) + else: + print 'Auto-executable macro keywords: None found' + + +### Detect suspicious VBA keywords (deprecated) + +**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once. + +The function **detect_suspicious** checks if VBA macro code contains specific +keywords often used by malware to act on the system (create files, run +commands or applications, write to the registry, etc). + +It returns a list of tuples containing two strings, the detected keyword, and the +description of the corresponding malicious behaviour. (See the malware example above) + +Sample usage: + + :::python + from oletools.olevba import detect_suspicious + suspicious_keywords = detect_suspicious(vba_code) + if suspicious_keywords: + print 'Suspicious VBA keywords found:' + for keyword, description in suspicious_keywords: + print '%s: %s' % (keyword, description) + else: + print 'Suspicious VBA keywords: None found' + + +### Extract potential IOCs (deprecated) + +**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once. + +The function **detect_patterns** checks if VBA macro code contains specific +patterns of interest, that may be useful for malware analysis and detection +(potential Indicators of Compromise): IP addresses, e-mail addresses, +URLs, executable file names. + +It returns a list of tuples containing two strings, the pattern type, and the +extracted value. (See the malware example above) + +Sample usage: + + :::python + from oletools.olevba import detect_patterns + patterns = detect_patterns(vba_code) + if patterns: + print 'Patterns found:' + for pattern_type, value in patterns: + print '%s: %s' % (pattern_type, value) + else: + print 'Patterns: None found' + + +-------------------------------------------------------------------------- + +python-oletools documentation +----------------------------- + +- [[Home]] +- [[License]] +- [[Install]] +- [[Contribute]], Suggest Improvements or Report Issues +- Tools: + - [[olebrowse]] + - [[oleid]] + - [[olemeta]] + - [[oletimes]] + - [[oledir]] + - [[olemap]] + - [[olevba]] + - [[mraptor]] + - [[pyxswf]] + - [[oleobj]] + - [[rtfobj]] diff --git a/oletools/doc/pyxswf.html b/oletools/doc/pyxswf.html index 546f014..d2f561a 100644 --- a/oletools/doc/pyxswf.html +++ b/oletools/doc/pyxswf.html @@ -1,108 +1,84 @@ -

pyxswf

-

======

-

pyxswf is a script to detect, extract and analyze Flash objects (SWF files) that may

-

be embedded in files such as MS Office documents (e.g. Word, Excel),

-

which is especially useful for malware analysis.

+ + + + + + + + + + +

pyxswf

+

pyxswf is a script to detect, extract and analyze Flash objects (SWF files) that may be embedded in files such as MS Office documents (e.g. Word, Excel), which is especially useful for malware analysis.

It is part of the python-oletools package.

pyxswf is an extension to xxxswf.py published by Alexander Hanel.

-

Compared to xxxswf, it can extract streams from MS Office documents by parsing

-

their OLE structure properly, which is necessary when streams are fragmented.

-

Stream fragmentation is a known obfuscation technique, as explained on

-

http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/

+

Compared to xxxswf, it can extract streams from MS Office documents by parsing their OLE structure properly, which is necessary when streams are fragmented. Stream fragmentation is a known obfuscation technique, as explained on http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/

It can also extract Flash objects from RTF documents, by parsing embedded objects encoded in hexadecimal format (-f option).

For this, simply add the -o option to work on OLE streams rather than raw files, or the -f option to work on RTF files.

Usage

Usage: pyxswf.py [options] <file.bad>
 
-
-
 Options:
-
   -o, --ole             Parse an OLE file (e.g. Word, Excel) to look for SWF
-
                         in each stream
-
   -f, --rtf             Parse an RTF file to look for SWF in each embedded
-
                         object
-
   -x, --extract         Extracts the embedded SWF(s), names it MD5HASH.swf &
-
                         saves it in the working dir. No addition args needed
-
   -h, --help            show this help message and exit
-
   -y, --yara            Scans the SWF(s) with yara. If the SWF(s) is
-
                         compressed it will be deflated. No addition args
-
                         needed
-
   -s, --md5scan         Scans the SWF(s) for MD5 signatures. Please see func
-
                         checkMD5 to define hashes. No addition args needed
-
   -H, --header          Displays the SWFs file header. No addition args needed
-
   -d, --decompress      Deflates compressed SWFS(s)
-
   -r PATH, --recdir=PATH
-
                         Will recursively scan a directory for files that
-
                         contain SWFs. Must provide path in quotes
-
   -c, --compress        Compresses the SWF using Zlib

Example 1 - detecting and extracting a SWF file from a Word document on Windows:

C:\oletools>pyxswf.py -o word_flash.doc
-
 OLE stream: 'Contents'
-
 [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
-
         [ADDR] SWF 1 at 0x8  - FWS Header
 
-
-
 C:\oletools>pyxswf.py -xo word_flash.doc
-
 OLE stream: 'Contents'
-
 [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
-
         [ADDR] SWF 1 at 0x8  - FWS Header
-
                 [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf

Example 2 - detecting and extracting a SWF file from a RTF document on Windows:

C:\oletools>pyxswf.py -xf "rtf_flash.rtf"
-
 RTF embedded object size 1498557 at index 000036DD
-
 [SUMMARY] 1 SWF(s) in MD5:46a110548007e04f4043785ac4184558:RTF_embedded_object_0
-
 00036DD
-
         [ADDR] SWF 1 at 0xc40  - FWS Header
-
-                [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf
+ [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf +

How to use pyxswf in Python applications

TODO

-

python-oletools documentation

-
+

python-oletools documentation

+ + diff --git a/oletools/doc/pyxswf.md b/oletools/doc/pyxswf.md index 8f2e331..c11864f 100644 --- a/oletools/doc/pyxswf.md +++ b/oletools/doc/pyxswf.md @@ -87,6 +87,10 @@ python-oletools documentation - [[oleid]] - [[olemeta]] - [[oletimes]] + - [[oledir]] + - [[olemap]] - [[olevba]] + - [[mraptor]] - [[pyxswf]] - - [[rtfobj]] \ No newline at end of file + - [[oleobj]] + - [[rtfobj]] diff --git a/oletools/doc/rtfobj.html b/oletools/doc/rtfobj.html index e87f7cc..bf12c36 100644 --- a/oletools/doc/rtfobj.html +++ b/oletools/doc/rtfobj.html @@ -1,7 +1,15 @@ -

rtfobj

-

======

-

rtfobj is a Python module to extract embedded objects from RTF files, such as

-

OLE ojects. It can be used as a Python library or a command-line tool.

+ + + + + + + + + + +

rtfobj

+

rtfobj is a Python module to extract embedded objects from RTF files, such as OLE ojects. It can be used as a Python library or a command-line tool.

It is part of the python-oletools package.

Usage

rtfobj.py <file.rtf>
@@ -11,26 +19,29 @@

rtf_iter_objects(filename) is an iterator which yields a tuple (index, object) providing the index of each hexadecimal stream in the RTF file, and the corresponding decoded object.

Example:

import rtfobj    
-
 for index, data in rtfobj.rtf_iter_objects("myfile.rtf"):
-
     print 'found object size %d at index %08X' % (len(data), index)
-

python-oletools documentation

-
+

python-oletools documentation

+ + diff --git a/oletools/doc/rtfobj.md b/oletools/doc/rtfobj.md index 4e002ea..cf77314 100644 --- a/oletools/doc/rtfobj.md +++ b/oletools/doc/rtfobj.md @@ -42,6 +42,10 @@ python-oletools documentation - [[oleid]] - [[olemeta]] - [[oletimes]] + - [[oledir]] + - [[olemap]] - [[olevba]] + - [[mraptor]] - [[pyxswf]] - - [[rtfobj]] \ No newline at end of file + - [[oleobj]] + - [[rtfobj]]