Commit 836b1915fd0e5e782a56d326d457c0f82debd775

Authored by Philippe Lagadec
1 parent e707b49e

updated doc for oletools 0.44

README.md
1 -python-oletools  
2 -===============  
3 -  
4 -[python-oletools](http://www.decalage.info/python/oletools) is a package of python tools to analyze  
5 -[Microsoft OLE2 files](http://en.wikipedia.org/wiki/Compound_File_Binary_Format)  
6 -(also called Structured Storage, Compound File Binary Format or Compound Document File Format),  
7 -such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging.  
8 -It is based on the [olefile](http://www.decalage.info/olefile) parser.  
9 -See [http://www.decalage.info/python/oletools](http://www.decalage.info/python/oletools) for more info.  
10 -  
11 -**Quick links:**  
12 -[Home page](http://www.decalage.info/python/oletools) -  
13 -[Download/Install](https://bitbucket.org/decalage/oletools/wiki/Install) -  
14 -[Documentation](https://bitbucket.org/decalage/oletools/wiki) -  
15 -[Report Issues/Suggestions/Questions](https://bitbucket.org/decalage/oletools/issues?status=new&status=open) -  
16 -[Contact the Author](http://decalage.info/contact) -  
17 -[Repository](https://bitbucket.org/decalage/oletools) -  
18 -[Updates on Twitter](https://twitter.com/decalage2)  
19 -  
20 -Note: python-oletools is not related to OLETools published by BeCubed Software.  
21 -  
22 -News  
23 -----  
24 -  
25 -- **2016-03-11 v0.44**: improved [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba)  
26 -to extract and analyse strings from VBA Forms.  
27 -- 2016-03-04 v0.43: added new tool MacroRaptor (mraptor) to detect malicious macros, bugfix  
28 -and slight improvements in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba).  
29 -- 2016-02-07 v0.42: added two new tools oledir and olemap, better handling of malformed  
30 -files and several bugfixes in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba),  
31 -improved display for [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta).  
32 -- 2015-09-22 v0.41: added new --reveal option to [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba),  
33 -to show the macro code with VBA strings deobfuscated.  
34 -- 2015-09-17 v0.40: Improved macro deobfuscation in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba),  
35 -to decode Hex and Base64 within VBA expressions. Display printable deobfuscated strings by  
36 -default. Improved the VBA_Parser API. Improved performance.  
37 -Fixed [issue #23](https://bitbucket.org/decalage/oletools/issue/23) with sys.stderr.  
38 -- 2015-06-19 v0.12: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now deobfuscate VBA  
39 -expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &, using a VBA parser built with  
40 -[pyparsing](http://pyparsing.wikispaces.com). New options to display only the analysis results or only the macros source code.  
41 -The analysis is now done on all the VBA modules at once.  
42 -- 2015-05-29 v0.11: Improved parsing of MHTML and ActiveMime/MSO files in  
43 -[olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), added several suspicious keywords to VBA scanner  
44 -(thanks to @ozhermit and Davy Douhine for the suggestions)  
45 -- 2015-05-06 v0.10: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word MHTML files  
46 -with macros, aka "Single File Web Page" (.mht) - see [issue #10](https://bitbucket.org/decalage/oletools/issue/10) for more info  
47 -- 2015-03-23 v0.09: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word 2003 XML files,  
48 -added anti-sandboxing/VM detection  
49 -- 2015-02-08 v0.08: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now decode strings  
50 -obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western  
51 -codepages with olefile 0.42, improved API and display, several bugfixes.  
52 -- 2015-01-05 v0.07: improved [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) to detect suspicious  
53 -keywords and IOCs in VBA macros, can now scan several files and open password-protected zip archives, added a Python API,  
54 -upgraded OleFileIO_PL to olefile v0.41  
55 -- 2014-08-28 v0.06: added [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), a new tool to extract VBA Macro  
56 -source code from MS Office documents (97-2003 and 2007+). Improved [documentation](https://bitbucket.org/decalage/oletools/wiki)  
57 -- 2013-07-24 v0.05: added new tools [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta) and  
58 -[oletimes](https://bitbucket.org/decalage/oletools/wiki/oletimes)  
59 -- 2013-04-18 v0.04: fixed bug in rtfobj, added documentation for [rtfobj](https://bitbucket.org/decalage/oletools/wiki/rtfobj)  
60 -- 2012-11-09 v0.03: Improved [pyxswf](https://bitbucket.org/decalage/oletools/wiki/pyxswf) to extract Flash objects from RTF  
61 -- 2012-10-29 v0.02: Added [oleid](https://bitbucket.org/decalage/oletools/wiki/oleid)  
62 -- 2012-10-09 v0.01: Initial version of [olebrowse](https://bitbucket.org/decalage/oletools/wiki/olebrowse) and pyxswf  
63 -- see changelog in source code for more info.  
64 -  
65 -  
66 -Tools in python-oletools:  
67 --------------------------  
68 -  
69 -- [olebrowse](https://bitbucket.org/decalage/oletools/wiki/olebrowse): A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to  
70 - view and extract individual data streams.  
71 -- [oleid](https://bitbucket.org/decalage/oletools/wiki/oleid): to analyze OLE files to detect specific characteristics usually found in malicious files.  
72 -- [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta): to extract all standard properties (metadata) from OLE files.  
73 -- [oletimes](https://bitbucket.org/decalage/oletools/wiki/oletimes): to extract creation and modification timestamps of all streams and storages.  
74 -- [oledir](https://bitbucket.org/decalage/oletools/wiki/oledir): to display all the directory entries of an OLE file, including free and orphaned entries.  
75 -- [olemap](https://bitbucket.org/decalage/oletools/wiki/olemap): to display a map of all the sectors in an OLE file.  
76 -- [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba): to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).  
77 -- [MacroRaptor](https://bitbucket.org/decalage/oletools/wiki/mraptor): to detect malicious VBA Macros  
78 -- [pyxswf](https://bitbucket.org/decalage/oletools/wiki/pyxswf): to detect, extract and analyze Flash objects (SWF) that may  
79 - be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF,  
80 - which is especially useful for malware analysis.  
81 -- [oleobj](https://bitbucket.org/decalage/oletools/wiki/oleobj): to extract embedded objects from OLE files.  
82 -- [rtfobj](https://bitbucket.org/decalage/oletools/wiki/rtfobj): to extract embedded objects from RTF files.  
83 -- and a few others (coming soon)  
84 -  
85 -Download and Install:  
86 ----------------------  
87 -  
88 -To use python-oletools from the command line as analysis tools, you may simply  
89 -[download the zip archive](https://bitbucket.org/decalage/oletools/downloads)  
90 -and extract the files in the directory of your choice.  
91 -  
92 -To get the latest development version, click on "Download repository" on the  
93 -[downloads page](https://bitbucket.org/decalage/oletools/downloads), or use mercurial to clone the repository.  
94 -  
95 -If you plan to use python-oletools with other Python applications or your own scripts, then the simplest solution is to  
96 -use "**pip install oletools**" or "**easy_install oletools**" to download and install in one go. Otherwise you may  
97 -download/extract the zip archive and run "**setup.py install**".  
98 -  
99 -**Important: to update oletools** if it is already installed, you must run **"pip install -U oletools"**, otherwise pip  
100 -will not update it.  
101 -  
102 -Documentation:  
103 ---------------  
104 -  
105 -The latest version of the documentation can be found [online](https://bitbucket.org/decalage/oletools/wiki), otherwise  
106 -a copy is provided in the doc subfolder of the package.  
107 -  
108 -  
109 -How to Suggest Improvements, Report Issues or Contribute:  
110 ----------------------------------------------------------  
111 -  
112 -This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug  
113 -report is welcome.  
114 -  
115 -To suggest improvements, report a bug or any issue, please use the  
116 -[issue reporting page](https://bitbucket.org/decalage/olefileio_pl/issues?status=new&status=open), providing all the  
117 -information and files to reproduce the problem.  
118 -  
119 -You may also [contact the author](http://decalage.info/contact) directly to provide feedback.  
120 -  
121 -The code is available in [a Mercurial repository on Bitbucket](https://bitbucket.org/decalage/oletools). You may use it  
122 -to submit enhancements using forks and pull requests.  
123 -  
124 -License  
125 --------  
126 -  
127 -This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files  
128 -published with their own license.  
129 -  
130 -The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec (http://www.decalage.info)  
131 -  
132 -All rights reserved.  
133 -  
134 -Redistribution and use in source and binary forms, with or without modification,  
135 -are permitted provided that the following conditions are met:  
136 -  
137 - * Redistributions of source code must retain the above copyright notice, this  
138 - list of conditions and the following disclaimer.  
139 - * Redistributions in binary form must reproduce the above copyright notice,  
140 - this list of conditions and the following disclaimer in the documentation  
141 - and/or other materials provided with the distribution.  
142 -  
143 -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND  
144 -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED  
145 -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE  
146 -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE  
147 -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL  
148 -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR  
149 -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER  
150 -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,  
151 -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE  
152 -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.  
153 -  
154 -  
155 -----------  
156 -  
157 -olevba contains modified source code from the officeparser project, published  
158 -under the following MIT License (MIT):  
159 -  
160 -officeparser is copyright (c) 2014 John William Davison  
161 -  
162 -Permission is hereby granted, free of charge, to any person obtaining a copy  
163 -of this software and associated documentation files (the "Software"), to deal  
164 -in the Software without restriction, including without limitation the rights  
165 -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell  
166 -copies of the Software, and to permit persons to whom the Software is  
167 -furnished to do so, subject to the following conditions:  
168 -  
169 -The above copyright notice and this permission notice shall be included in all  
170 -copies or substantial portions of the Software.  
171 -  
172 -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR  
173 -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,  
174 -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE  
175 -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER  
176 -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,  
177 -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE  
178 -SOFTWARE. 1 +python-oletools
  2 +===============
  3 +
  4 +[python-oletools](http://www.decalage.info/python/oletools) is a package of python tools to analyze
  5 +[Microsoft OLE2 files](http://en.wikipedia.org/wiki/Compound_File_Binary_Format)
  6 +(also called Structured Storage, Compound File Binary Format or Compound Document File Format),
  7 +such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging.
  8 +It is based on the [olefile](http://www.decalage.info/olefile) parser.
  9 +See [http://www.decalage.info/python/oletools](http://www.decalage.info/python/oletools) for more info.
  10 +
  11 +**Quick links:**
  12 +[Home page](http://www.decalage.info/python/oletools) -
  13 +[Download/Install](https://bitbucket.org/decalage/oletools/wiki/Install) -
  14 +[Documentation](https://bitbucket.org/decalage/oletools/wiki) -
  15 +[Report Issues/Suggestions/Questions](https://bitbucket.org/decalage/oletools/issues?status=new&status=open) -
  16 +[Contact the Author](http://decalage.info/contact) -
  17 +[Repository](https://bitbucket.org/decalage/oletools) -
  18 +[Updates on Twitter](https://twitter.com/decalage2)
  19 +
  20 +Note: python-oletools is not related to OLETools published by BeCubed Software.
  21 +
  22 +News
  23 +----
  24 +
  25 +- **2016-03-11 v0.44**: improved [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba)
  26 +to extract and analyse strings from VBA Forms.
  27 +- 2016-03-04 v0.43: added new tool MacroRaptor (mraptor) to detect malicious macros, bugfix
  28 +and slight improvements in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba).
  29 +- 2016-02-07 v0.42: added two new tools oledir and olemap, better handling of malformed
  30 +files and several bugfixes in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba),
  31 +improved display for [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta).
  32 +- 2015-09-22 v0.41: added new --reveal option to [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba),
  33 +to show the macro code with VBA strings deobfuscated.
  34 +- 2015-09-17 v0.40: Improved macro deobfuscation in [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba),
  35 +to decode Hex and Base64 within VBA expressions. Display printable deobfuscated strings by
  36 +default. Improved the VBA_Parser API. Improved performance.
  37 +Fixed [issue #23](https://bitbucket.org/decalage/oletools/issue/23) with sys.stderr.
  38 +- 2015-06-19 v0.12: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now deobfuscate VBA
  39 +expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &, using a VBA parser built with
  40 +[pyparsing](http://pyparsing.wikispaces.com). New options to display only the analysis results or only the macros source code.
  41 +The analysis is now done on all the VBA modules at once.
  42 +- 2015-05-29 v0.11: Improved parsing of MHTML and ActiveMime/MSO files in
  43 +[olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), added several suspicious keywords to VBA scanner
  44 +(thanks to @ozhermit and Davy Douhine for the suggestions)
  45 +- 2015-05-06 v0.10: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word MHTML files
  46 +with macros, aka "Single File Web Page" (.mht) - see [issue #10](https://bitbucket.org/decalage/oletools/issue/10) for more info
  47 +- 2015-03-23 v0.09: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word 2003 XML files,
  48 +added anti-sandboxing/VM detection
  49 +- 2015-02-08 v0.08: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now decode strings
  50 +obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western
  51 +codepages with olefile 0.42, improved API and display, several bugfixes.
  52 +- 2015-01-05 v0.07: improved [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) to detect suspicious
  53 +keywords and IOCs in VBA macros, can now scan several files and open password-protected zip archives, added a Python API,
  54 +upgraded OleFileIO_PL to olefile v0.41
  55 +- 2014-08-28 v0.06: added [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), a new tool to extract VBA Macro
  56 +source code from MS Office documents (97-2003 and 2007+). Improved [documentation](https://bitbucket.org/decalage/oletools/wiki)
  57 +- 2013-07-24 v0.05: added new tools [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta) and
  58 +[oletimes](https://bitbucket.org/decalage/oletools/wiki/oletimes)
  59 +- 2013-04-18 v0.04: fixed bug in rtfobj, added documentation for [rtfobj](https://bitbucket.org/decalage/oletools/wiki/rtfobj)
  60 +- 2012-11-09 v0.03: Improved [pyxswf](https://bitbucket.org/decalage/oletools/wiki/pyxswf) to extract Flash objects from RTF
  61 +- 2012-10-29 v0.02: Added [oleid](https://bitbucket.org/decalage/oletools/wiki/oleid)
  62 +- 2012-10-09 v0.01: Initial version of [olebrowse](https://bitbucket.org/decalage/oletools/wiki/olebrowse) and pyxswf
  63 +- see changelog in source code for more info.
  64 +
  65 +
  66 +Tools in python-oletools:
  67 +-------------------------
  68 +
  69 +- [olebrowse](https://bitbucket.org/decalage/oletools/wiki/olebrowse): A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to
  70 + view and extract individual data streams.
  71 +- [oleid](https://bitbucket.org/decalage/oletools/wiki/oleid): to analyze OLE files to detect specific characteristics usually found in malicious files.
  72 +- [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta): to extract all standard properties (metadata) from OLE files.
  73 +- [oletimes](https://bitbucket.org/decalage/oletools/wiki/oletimes): to extract creation and modification timestamps of all streams and storages.
  74 +- [oledir](https://bitbucket.org/decalage/oletools/wiki/oledir): to display all the directory entries of an OLE file, including free and orphaned entries.
  75 +- [olemap](https://bitbucket.org/decalage/oletools/wiki/olemap): to display a map of all the sectors in an OLE file.
  76 +- [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba): to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).
  77 +- [MacroRaptor](https://bitbucket.org/decalage/oletools/wiki/mraptor): to detect malicious VBA Macros
  78 +- [pyxswf](https://bitbucket.org/decalage/oletools/wiki/pyxswf): to detect, extract and analyze Flash objects (SWF) that may
  79 + be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF,
  80 + which is especially useful for malware analysis.
  81 +- [oleobj](https://bitbucket.org/decalage/oletools/wiki/oleobj): to extract embedded objects from OLE files.
  82 +- [rtfobj](https://bitbucket.org/decalage/oletools/wiki/rtfobj): to extract embedded objects from RTF files.
  83 +- and a few others (coming soon)
  84 +
  85 +Download and Install:
  86 +---------------------
  87 +
  88 +To use python-oletools from the command line as analysis tools, you may simply
  89 +[download the zip archive](https://bitbucket.org/decalage/oletools/downloads)
  90 +and extract the files in the directory of your choice.
  91 +
  92 +To get the latest development version, click on "Download repository" on the
  93 +[downloads page](https://bitbucket.org/decalage/oletools/downloads), or use mercurial to clone the repository.
  94 +
  95 +If you plan to use python-oletools with other Python applications or your own scripts, then the simplest solution is to
  96 +use "**pip install oletools**" or "**easy_install oletools**" to download and install in one go. Otherwise you may
  97 +download/extract the zip archive and run "**setup.py install**".
  98 +
  99 +**Important: to update oletools** if it is already installed, you must run **"pip install -U oletools"**, otherwise pip
  100 +will not update it.
  101 +
  102 +Documentation:
  103 +--------------
  104 +
  105 +The latest version of the documentation can be found [online](https://bitbucket.org/decalage/oletools/wiki), otherwise
  106 +a copy is provided in the doc subfolder of the package.
  107 +
  108 +
  109 +How to Suggest Improvements, Report Issues or Contribute:
  110 +---------------------------------------------------------
  111 +
  112 +This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug
  113 +report is welcome.
  114 +
  115 +To suggest improvements, report a bug or any issue, please use the
  116 +[issue reporting page](https://bitbucket.org/decalage/olefileio_pl/issues?status=new&status=open), providing all the
  117 +information and files to reproduce the problem.
  118 +
  119 +You may also [contact the author](http://decalage.info/contact) directly to provide feedback.
  120 +
  121 +The code is available in [a Mercurial repository on Bitbucket](https://bitbucket.org/decalage/oletools). You may use it
  122 +to submit enhancements using forks and pull requests.
  123 +
  124 +License
  125 +-------
  126 +
  127 +This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files
  128 +published with their own license.
  129 +
  130 +The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec (http://www.decalage.info)
  131 +
  132 +All rights reserved.
  133 +
  134 +Redistribution and use in source and binary forms, with or without modification,
  135 +are permitted provided that the following conditions are met:
  136 +
  137 + * Redistributions of source code must retain the above copyright notice, this
  138 + list of conditions and the following disclaimer.
  139 + * Redistributions in binary form must reproduce the above copyright notice,
  140 + this list of conditions and the following disclaimer in the documentation
  141 + and/or other materials provided with the distribution.
  142 +
  143 +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
  144 +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  145 +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  146 +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
  147 +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  148 +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  149 +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
  150 +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  151 +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  152 +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  153 +
  154 +
  155 +----------
  156 +
  157 +olevba contains modified source code from the officeparser project, published
  158 +under the following MIT License (MIT):
  159 +
  160 +officeparser is copyright (c) 2014 John William Davison
  161 +
  162 +Permission is hereby granted, free of charge, to any person obtaining a copy
  163 +of this software and associated documentation files (the "Software"), to deal
  164 +in the Software without restriction, including without limitation the rights
  165 +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  166 +copies of the Software, and to permit persons to whom the Software is
  167 +furnished to do so, subject to the following conditions:
  168 +
  169 +The above copyright notice and this permission notice shall be included in all
  170 +copies or substantial portions of the Software.
  171 +
  172 +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  173 +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  174 +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  175 +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  176 +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  177 +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  178 +SOFTWARE.
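Review bot: the "issue reporting page" link in the "How to Suggest Improvements, Report Issues or Contribute" section points at `https://bitbucket.org/decalage/olefileio_pl/issues?status=new&status=open`, which is the olefile project's tracker, while the Quick links block at the top of the same file uses `https://bitbucket.org/decalage/oletools/issues?status=new&status=open`; bug reports filed from this section would land in the wrong project, so the section should use the oletools URL. Separately, every line of README.md appears in this hunk as removed and re-added with identical text (the removed lines carry trailing whitespace that the added lines drop), so the hunk is effectively a whitespace-only rewrite of the file; doing that in its own commit, or saying so in the commit message, would keep the actual 0.44 documentation changes reviewable. Minor wording: "developed on my spare time" should read "developed in my spare time", and "and a few others (coming soon)" is a placeholder that either names the tools or is dropped.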
oletools/README.html
  1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 + <style type="text/css">code{white-space: pre;}</style>
  9 +</head>
  10 +<body>
1 <h1 id="python-oletools">python-oletools</h1> 11 <h1 id="python-oletools">python-oletools</h1>
2 <p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools">http://www.decalage.info/python/oletools</a> for more info.</p> 12 <p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools">http://www.decalage.info/python/oletools</a> for more info.</p>
3 <p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://bitbucket.org/decalage/oletools/wiki/Install">Download/Install</a> - <a href="https://bitbucket.org/decalage/oletools/wiki">Documentation</a> - <a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the Author</a> - <a href="https://bitbucket.org/decalage/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a></p> 13 <p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://bitbucket.org/decalage/oletools/wiki/Install">Download/Install</a> - <a href="https://bitbucket.org/decalage/oletools/wiki">Documentation</a> - <a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the Author</a> - <a href="https://bitbucket.org/decalage/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
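Review bot: the added `<head>` carries an empty `<title></title>`, so the generated page shows no title in browser tabs, bookmarks or history; the Markdown already has a top-level `python-oletools` heading, so pass that as the document title when regenerating with pandoc (for example `-M title=python-oletools`) or set it in the template. The rest of this hunk only wraps the existing body in an XHTML skeleton with `charset=utf-8`, which is fine and matches the `</body></html>` closing hunk that follows.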
@@ -66,3 +76,5 @@ @@ -66,3 +76,5 @@
66 <p>Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the &quot;Software&quot;), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:</p> 76 <p>Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the &quot;Software&quot;), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:</p>
67 <p>The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.</p> 77 <p>The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.</p>
68 <p>THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</p> 78 <p>THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</p>
  79 +</body>
  80 +</html>
oletools/doc/Contribute.html
1 -<p>How to Suggest Improvements, Report Issues or Contribute</p>  
2 -<p>========================================================</p> 1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 + <style type="text/css">code{white-space: pre;}</style>
  9 +</head>
  10 +<body>
  11 +<h1 id="how-to-suggest-improvements-report-issues-or-contribute">How to Suggest Improvements, Report Issues or Contribute</h1>
3 <p>This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug report is welcome.</p> 12 <p>This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug report is welcome.</p>
4 -<p>To <strong>suggest improvements, report a bug or any issue</strong>, please use the <a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">issue reporting page</a>,</p>  
5 -<p>providing all the information and files to reproduce the problem.</p> 13 +<p>To <strong>suggest improvements, report a bug or any issue</strong>, please use the <a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">issue reporting page</a>, providing all the information and files to reproduce the problem.</p>
6 <p>You may also <a href="http://decalage.info/contact">contact the author</a> directly to <strong>provide feedback</strong>.</p> 14 <p>You may also <a href="http://decalage.info/contact">contact the author</a> directly to <strong>provide feedback</strong>.</p>
7 -<p>The code is available in <a href="https://bitbucket.org/decalage/oletools">a Mercurial repository on Bitbucket</a>.</p>  
8 -<p>You may use it to <strong>submit enhancements</strong> using forks and pull requests.</p>  
9 -<hr />  
10 -<p>python-oletools documentation</p> 15 +<p>The code is available in <a href="https://bitbucket.org/decalage/oletools">a Mercurial repository on Bitbucket</a>. You may use it to <strong>submit enhancements</strong> using forks and pull requests.</p>
11 <hr /> 16 <hr />
  17 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
12 <ul> 18 <ul>
13 -<li><p><a href="Home.html">Home</a></p></li>  
14 -<li><p><a href="License.html">License</a></p></li>  
15 -<li><p><a href="Install.html">Install</a></p></li>  
16 -<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>  
17 -<li><p>Tools:</p> 19 +<li><a href="Home.html">Home</a></li>
  20 +<li><a href="License.html">License</a></li>
  21 +<li><a href="Install.html">Install</a></li>
  22 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  23 +<li>Tools:
18 <ul> 24 <ul>
19 -<li><p><a href="olebrowse.html">olebrowse</a></p></li>  
20 -<li><p><a href="oleid.html">oleid</a></p></li>  
21 -<li><p><a href="olemeta.html">olemeta</a></p></li>  
22 -<li><p><a href="oletimes.html">oletimes</a></p></li>  
23 -<li><p><a href="olevba.html">olevba</a></p></li>  
24 -<li><p><a href="pyxswf.html">pyxswf</a></p></li>  
25 -<li><p><a href="rtfobj.html">rtfobj</a></p></li> 25 +<li><a href="olebrowse.html">olebrowse</a></li>
  26 +<li><a href="oleid.html">oleid</a></li>
  27 +<li><a href="olemeta.html">olemeta</a></li>
  28 +<li><a href="oletimes.html">oletimes</a></li>
  29 +<li><a href="oledir.html">oledir</a></li>
  30 +<li><a href="olemap.html">olemap</a></li>
  31 +<li><a href="olevba.html">olevba</a></li>
  32 +<li><a href="mraptor.html">mraptor</a></li>
  33 +<li><a href="pyxswf.html">pyxswf</a></li>
  34 +<li><a href="oleobj.html">oleobj</a></li>
  35 +<li><a href="rtfobj.html">rtfobj</a></li>
26 </ul></li> 36 </ul></li>
27 </ul> 37 </ul>
  38 +</body>
  39 +</html>
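Review bot: every regenerated HTML page in this commit ships an empty `<title></title>` (new line 7 of Contribute.html here, and the same line in Home.html, Install.html and License.html), so browser tabs, bookmarks and search results show no page name; give pandoc a title (a pandoc title block at the top of each .md, or `--metadata title=...` on the command line) and regenerate, or set the title from the first `<h1>` in the build script.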
oletools/doc/Contribute.md
@@ -25,6 +25,10 @@ python-oletools documentation @@ -25,6 +25,10 @@ python-oletools documentation
25 - [[oleid]] 25 - [[oleid]]
26 - [[olemeta]] 26 - [[olemeta]]
27 - [[oletimes]] 27 - [[oletimes]]
  28 + - [[oledir]]
  29 + - [[olemap]]
28 - [[olevba]] 30 - [[olevba]]
  31 + - [[mraptor]]
29 - [[pyxswf]] 32 - [[pyxswf]]
30 - - [[rtfobj]]  
31 \ No newline at end of file 33 \ No newline at end of file
  34 + - [[oleobj]]
  35 + - [[rtfobj]]
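Review bot: the file still ends with `\ No newline at end of file` on both sides of the hunk, and that is the only reason the unchanged `- [[rtfobj]]` line shows up as deleted and re-added around the new oleobj entry; since the file is being edited anyway, terminate the last line with a newline so the next append to this list produces a clean two-line diff.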
oletools/doc/Home.html
1 -<p>python-oletools v0.41 documentation</p>  
2 -<p>===================================</p>  
3 -<p>This is the home page of the documentation for python-oletools. The latest version can be found</p>  
4 -<p><a href="https://bitbucket.org/decalage/oletools/wiki">online</a>, otherwise a copy is provided in the doc subfolder of the package.</p>  
5 -<p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze</p>  
6 -<p><a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a></p>  
7 -<p>(also called Structured Storage, Compound File Binary Format or Compound Document File Format),</p>  
8 -<p>such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging.</p>  
9 -<p>It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser.</p>  
10 -<p>See <a href="http://www.decalage.info/python/oletools">http://www.decalage.info/python/oletools</a> for more info.</p>  
11 -<p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> -</p>  
12 -<p><a href="https://bitbucket.org/decalage/oletools/wiki/Install">Download/Install</a> -</p>  
13 -<p><a href="https://bitbucket.org/decalage/oletools/wiki">Documentation</a> -</p>  
14 -<p><a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">Report Issues/Suggestions/Questions</a> -</p>  
15 -<p><a href="http://decalage.info/contact">Contact the author</a> -</p>  
16 -<p><a href="https://bitbucket.org/decalage/oletools">Repository</a> -</p>  
17 -<p><a href="https://twitter.com/decalage2">Updates on Twitter</a></p> 1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 + <style type="text/css">code{white-space: pre;}</style>
  9 +</head>
  10 +<body>
  11 +<h1 id="python-oletools-v0.44-documentation">python-oletools v0.44 documentation</h1>
  12 +<p>This is the home page of the documentation for python-oletools. The latest version can be found <a href="https://bitbucket.org/decalage/oletools/wiki">online</a>, otherwise a copy is provided in the doc subfolder of the package.</p>
  13 +<p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools">http://www.decalage.info/python/oletools</a> for more info.</p>
  14 +<p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://bitbucket.org/decalage/oletools/wiki/Install">Download/Install</a> - <a href="https://bitbucket.org/decalage/oletools/wiki">Documentation</a> - <a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the author</a> - <a href="https://bitbucket.org/decalage/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
18 <p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p> 15 <p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p>
19 -<p>Tools in python-oletools:</p>  
20 -<hr />  
21 -<ul>  
22 -<li><strong><a href="olebrowse.html">olebrowse</a></strong>: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to</li>  
23 -</ul>  
24 -<p>view and extract individual data streams.</p> 16 +<h2 id="tools-in-python-oletools">Tools in python-oletools:</h2>
25 <ul> 17 <ul>
26 -<li><p><strong><a href="oleid.html">oleid</a></strong>: a tool to analyze OLE files to detect specific characteristics usually found in malicious files.</p></li>  
27 -<li><p><strong><a href="olemeta.html">olemeta</a></strong>: a tool to extract all standard properties (metadata) from OLE files.</p></li>  
28 -<li><p><strong><a href="oletimes.html">oletimes</a></strong>: a tool to extract creation and modification timestamps of all streams and storages.</p></li>  
29 -<li><p><strong><a href="olevba.html">olevba</a></strong>: a tool to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).</p></li>  
30 -<li><p><strong><a href="pyxswf.html">pyxswf</a></strong>: a tool to detect, extract and analyze Flash objects (SWF) that may</p></li> 18 +<li><strong><a href="olebrowse.html">olebrowse</a></strong>: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.</li>
  19 +<li><strong><a href="oleid.html">oleid</a></strong>: to analyze OLE files to detect specific characteristics usually found in malicious files.</li>
  20 +<li><strong><a href="olemeta.html">olemeta</a></strong>: to extract all standard properties (metadata) from OLE files.</li>
  21 +<li><strong><a href="oletimes.html">oletimes</a></strong>: to extract creation and modification timestamps of all streams and storages.</li>
  22 +<li><strong><a href="oledir.html">oledir</a></strong>: to display all the directory entries of an OLE file, including free and orphaned entries.</li>
  23 +<li><strong><a href="olemap.html">olemap</a></strong>: to display a map of all the sectors in an OLE file.</li>
  24 +<li><strong><a href="olevba.html">olevba</a></strong>: to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).</li>
  25 +<li><strong><a href="mraptor.html">mraptor</a></strong>: to detect malicious VBA Macros</li>
  26 +<li><strong><a href="pyxswf.html">pyxswf</a></strong>: to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis.</li>
  27 +<li><strong><a href="oleobj.html">oleobj</a></strong>: to extract embedded objects from OLE files.</li>
  28 +<li><strong><a href="rtfobj.html">rtfobj</a></strong>: to extract embedded objects from RTF files.</li>
  29 +<li>and a few others (coming soon)</li>
31 </ul> 30 </ul>
32 -<p>be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF,</p>  
33 -<p>which is especially useful for malware analysis.</p>  
34 -<ul>  
35 -<li><p><strong><a href="rtfobj.html">rtfobj</a></strong>: a tool and python module to extract embedded objects from RTF files.</p></li>  
36 -<li><p>and a few others (coming soon)</p></li>  
37 -</ul>  
38 -<hr />  
39 -<p>python-oletools documentation</p>  
40 <hr /> 31 <hr />
  32 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
41 <ul> 33 <ul>
42 -<li><p><a href="Home.html">Home</a></p></li>  
43 -<li><p><a href="License.html">License</a></p></li>  
44 -<li><p><a href="Install.html">Install</a></p></li>  
45 -<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>  
46 -<li><p>Tools:</p> 34 +<li><a href="Home.html">Home</a></li>
  35 +<li><a href="License.html">License</a></li>
  36 +<li><a href="Install.html">Install</a></li>
  37 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  38 +<li>Tools:
47 <ul> 39 <ul>
48 -<li><p><a href="olebrowse.html">olebrowse</a></p></li>  
49 -<li><p><a href="oleid.html">oleid</a></p></li>  
50 -<li><p><a href="olemeta.html">olemeta</a></p></li>  
51 -<li><p><a href="oletimes.html">oletimes</a></p></li>  
52 -<li><p><a href="olevba.html">olevba</a></p></li>  
53 -<li><p><a href="pyxswf.html">pyxswf</a></p></li>  
54 -<li><p><a href="rtfobj.html">rtfobj</a></p></li> 40 +<li><a href="olebrowse.html">olebrowse</a></li>
  41 +<li><a href="oleid.html">oleid</a></li>
  42 +<li><a href="olemeta.html">olemeta</a></li>
  43 +<li><a href="oletimes.html">oletimes</a></li>
  44 +<li><a href="oledir.html">oledir</a></li>
  45 +<li><a href="olemap.html">olemap</a></li>
  46 +<li><a href="olevba.html">olevba</a></li>
  47 +<li><a href="mraptor.html">mraptor</a></li>
  48 +<li><a href="pyxswf.html">pyxswf</a></li>
  49 +<li><a href="oleobj.html">oleobj</a></li>
  50 +<li><a href="rtfobj.html">rtfobj</a></li>
55 </ul></li> 51 </ul></li>
56 </ul> 52 </ul>
  53 +</body>
  54 +</html>
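Review bot: the mraptor bullet (new line 25, "to detect malicious VBA Macros") is the only tool entry without a terminating period, and "and a few others (coming soon)" (new line 29) is a placeholder carried over from the v0.41 page that now names nothing while every tool in the commit already has its own bullet; either drop that line or list what is actually pending. The trailing colon in the `<h2>` "Tools in python-oletools:" (new line 16) also ends up in the heading text and its id; drop it in the markdown source.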
oletools/doc/Home.md
1 -python-oletools v0.41 documentation  
2 -===================================  
3 -  
4 -This is the home page of the documentation for python-oletools. The latest version can be found  
5 -[online](https://bitbucket.org/decalage/oletools/wiki), otherwise a copy is provided in the doc subfolder of the package.  
6 -  
7 -[python-oletools](http://www.decalage.info/python/oletools) is a package of python tools to analyze  
8 -[Microsoft OLE2 files](http://en.wikipedia.org/wiki/Compound_File_Binary_Format)  
9 -(also called Structured Storage, Compound File Binary Format or Compound Document File Format),  
10 -such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging.  
11 -It is based on the [olefile](http://www.decalage.info/olefile) parser.  
12 -See [http://www.decalage.info/python/oletools](http://www.decalage.info/python/oletools) for more info.  
13 -  
14 -**Quick links:** [Home page](http://www.decalage.info/python/oletools) -  
15 -[Download/Install](https://bitbucket.org/decalage/oletools/wiki/Install) -  
16 -[Documentation](https://bitbucket.org/decalage/oletools/wiki) -  
17 -[Report Issues/Suggestions/Questions](https://bitbucket.org/decalage/oletools/issues?status=new&status=open) -  
18 -[Contact the author](http://decalage.info/contact) -  
19 -[Repository](https://bitbucket.org/decalage/oletools) -  
20 -[Updates on Twitter](https://twitter.com/decalage2)  
21 -  
22 -Note: python-oletools is not related to OLETools published by BeCubed Software.  
23 -  
24 -Tools in python-oletools:  
25 --------------------------  
26 -  
27 -- **[[olebrowse]]**: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to  
28 - view and extract individual data streams.  
29 -- **[[oleid]]**: a tool to analyze OLE files to detect specific characteristics usually found in malicious files.  
30 -- **[[olemeta]]**: a tool to extract all standard properties (metadata) from OLE files.  
31 -- **[[oletimes]]**: a tool to extract creation and modification timestamps of all streams and storages.  
32 -- **[[olevba]]**: a tool to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).  
33 -- **[[pyxswf]]**: a tool to detect, extract and analyze Flash objects (SWF) that may  
34 - be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF,  
35 - which is especially useful for malware analysis.  
36 -- **[[rtfobj]]**: a tool and python module to extract embedded objects from RTF files.  
37 -- and a few others (coming soon)  
38 -  
39 ---------------------------------------------------------------------------  
40 -  
41 -python-oletools documentation  
42 ------------------------------  
43 -  
44 -- [[Home]]  
45 -- [[License]]  
46 -- [[Install]]  
47 -- [[Contribute]], Suggest Improvements or Report Issues  
48 -- Tools:  
49 - - [[olebrowse]]  
50 - - [[oleid]]  
51 - - [[olemeta]]  
52 - - [[oletimes]]  
53 - - [[olevba]]  
54 - - [[pyxswf]]  
55 - - [[rtfobj]]  
56 \ No newline at end of file 1 \ No newline at end of file
  2 +python-oletools v0.44 documentation
  3 +===================================
  4 +
  5 +This is the home page of the documentation for python-oletools. The latest version can be found
  6 +[online](https://bitbucket.org/decalage/oletools/wiki), otherwise a copy is provided in the doc subfolder of the package.
  7 +
  8 +[python-oletools](http://www.decalage.info/python/oletools) is a package of python tools to analyze
  9 +[Microsoft OLE2 files](http://en.wikipedia.org/wiki/Compound_File_Binary_Format)
  10 +(also called Structured Storage, Compound File Binary Format or Compound Document File Format),
  11 +such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging.
  12 +It is based on the [olefile](http://www.decalage.info/olefile) parser.
  13 +See [http://www.decalage.info/python/oletools](http://www.decalage.info/python/oletools) for more info.
  14 +
  15 +**Quick links:** [Home page](http://www.decalage.info/python/oletools) -
  16 +[Download/Install](https://bitbucket.org/decalage/oletools/wiki/Install) -
  17 +[Documentation](https://bitbucket.org/decalage/oletools/wiki) -
  18 +[Report Issues/Suggestions/Questions](https://bitbucket.org/decalage/oletools/issues?status=new&status=open) -
  19 +[Contact the author](http://decalage.info/contact) -
  20 +[Repository](https://bitbucket.org/decalage/oletools) -
  21 +[Updates on Twitter](https://twitter.com/decalage2)
  22 +
  23 +Note: python-oletools is not related to OLETools published by BeCubed Software.
  24 +
  25 +Tools in python-oletools:
  26 +-------------------------
  27 +
  28 +- **[[olebrowse]]**: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to
  29 + view and extract individual data streams.
  30 +- **[[oleid]]**: to analyze OLE files to detect specific characteristics usually found in malicious files.
  31 +- **[[olemeta]]**: to extract all standard properties (metadata) from OLE files.
  32 +- **[[oletimes]]**: to extract creation and modification timestamps of all streams and storages.
  33 +- **[[oledir]]**: to display all the directory entries of an OLE file, including free and orphaned entries.
  34 +- **[[olemap]]**: to display a map of all the sectors in an OLE file.
  35 +- **[[olevba]]**: to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).
  36 +- **[[mraptor]]**: to detect malicious VBA Macros
  37 +- **[[pyxswf]]**: to detect, extract and analyze Flash objects (SWF) that may
  38 + be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF,
  39 + which is especially useful for malware analysis.
  40 +- **[[oleobj]]**: to extract embedded objects from OLE files.
  41 +- **[[rtfobj]]**: to extract embedded objects from RTF files.
  42 +- and a few others (coming soon)
  43 +
  44 +--------------------------------------------------------------------------
  45 +
  46 +python-oletools documentation
  47 +-----------------------------
  48 +
  49 +- [[Home]]
  50 +- [[License]]
  51 +- [[Install]]
  52 +- [[Contribute]], Suggest Improvements or Report Issues
  53 +- Tools:
  54 + - [[olebrowse]]
  55 + - [[oleid]]
  56 + - [[olemeta]]
  57 + - [[oletimes]]
  58 + - [[oledir]]
  59 + - [[olemap]]
  60 + - [[olevba]]
  61 + - [[mraptor]]
  62 + - [[pyxswf]]
  63 + - [[oleobj]]
  64 + - [[rtfobj]]
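Review bot: the whole file is shown as deleted and re-added even though most lines are textually identical to the old side, and the new side starts with an unrendered line 1 before the heading on line 2; that pattern points to a line-ending or encoding change (CRLF vs LF, or a BOM) rather than a content change. Normalize the file to the repository's line endings without a BOM so the diff shows only the real edits (version bump to v0.44, the new oledir, olemap, mraptor and oleobj entries). Also mirror the two small wording fixes needed in Home.html: end the mraptor bullet (new line 36) with a period and drop or fill the "and a few others (coming soon)" placeholder (new line 42).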
oletools/doc/Install.html
1 -<p>How to Download and Install python-oletools</p>  
2 -<p>===========================================</p>  
3 -<p>Pre-requisites</p>  
4 -<hr /> 1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 + <style type="text/css">code{white-space: pre;}</style>
  9 +</head>
  10 +<body>
  11 +<h1 id="how-to-download-and-install-python-oletools">How to Download and Install python-oletools</h1>
  12 +<h2 id="pre-requisites">Pre-requisites</h2>
5 <p>For now, python-oletools require <strong>Python 2.x</strong>, if possible 2.7 or 2.6 to enable all features.</p> 13 <p>For now, python-oletools require <strong>Python 2.x</strong>, if possible 2.7 or 2.6 to enable all features.</p>
6 <p>They are not compatible with Python 3.x yet. (Please contact me if that is a strong requirement)</p> 14 <p>They are not compatible with Python 3.x yet. (Please contact me if that is a strong requirement)</p>
7 -<p>To use oletools as command-line tools</p>  
8 -<hr />  
9 -<p>To use python-oletools from the command line as analysis tools, you may simply</p>  
10 -<p><a href="https://bitbucket.org/decalage/oletools/downloads">download the zip archive</a></p>  
11 -<p>and extract the files into the directory of your choice. Pick the latest release version, or click on</p>  
12 -<p><strong>&quot;Download Repository&quot;</strong> to get the latest development version with the most recent features.</p>  
13 -<p>Another possibility is to use a Mercurial client (hg) to clone the repository into a folder. You can then update it easily</p>  
14 -<p>in the future.</p> 15 +<h2 id="to-use-oletools-as-command-line-tools">To use oletools as command-line tools</h2>
  16 +<p>To use python-oletools from the command line as analysis tools, you may simply <a href="https://bitbucket.org/decalage/oletools/downloads">download the zip archive</a> and extract the files into the directory of your choice. Pick the latest release version, or click on <strong>&quot;Download Repository&quot;</strong> to get the latest development version with the most recent features.</p>
  17 +<p>Another possibility is to use a Mercurial client (hg) to clone the repository into a folder. You can then update it easily in the future.</p>
15 <h3 id="windows">Windows</h3> 18 <h3 id="windows">Windows</h3>
16 <p>You may add the oletools directory to your PATH environment variable to access the tools from anywhere.</p> 19 <p>You may add the oletools directory to your PATH environment variable to access the tools from anywhere.</p>
17 <h3 id="linux-mac-osx-unix">Linux, Mac OSX, Unix</h3> 20 <h3 id="linux-mac-osx-unix">Linux, Mac OSX, Unix</h3>
18 -<p>It is very convenient to create symbolic links to each tool in one of the bin directories in order to run them as shell</p>  
19 -<p>commands from anywhere. For example, here is how to create an executable link &quot;olevba&quot; in /usr/local/bin pointing to</p>  
20 -<p>olevba.py, assuming oletools was unzipped into /opt/oletools:</p> 21 +<p>It is very convenient to create symbolic links to each tool in one of the bin directories in order to run them as shell commands from anywhere. For example, here is how to create an executable link &quot;olevba&quot; in /usr/local/bin pointing to olevba.py, assuming oletools was unzipped into /opt/oletools:</p>
21 <pre><code>chmod +x /opt/oletools/oletools/olevba.py 22 <pre><code>chmod +x /opt/oletools/oletools/olevba.py
22 -  
23 ln -s /opt/oletools/oletools/olevba.py /usr/local/bin/olevba</code></pre> 23 ln -s /opt/oletools/oletools/olevba.py /usr/local/bin/olevba</code></pre>
24 <p>Then the olevba command can be used from any directory:</p> 24 <p>Then the olevba command can be used from any directory:</p>
25 <pre><code>user@remnux:~/MalwareZoo/VBA$ olevba dridex427.xls |less</code></pre> 25 <pre><code>user@remnux:~/MalwareZoo/VBA$ olevba dridex427.xls |less</code></pre>
26 -<p>For python applications</p>  
27 -<hr />  
28 -<p>If you plan to use python-oletools with other Python applications or your own scripts, the simplest solution is to use</p>  
29 -<p><strong>&quot;pip install oletools&quot;</strong> or <strong>&quot;easy_install oletools&quot;</strong> to download and install the package in one go. Pip is included</p>  
30 -<p>with Python since version 2.7.9.</p>  
31 -<p><strong>Important: to update oletools</strong> if it is already installed, you must run <strong>&quot;pip install -U oletools&quot;</strong>, otherwise pip</p>  
32 -<p>will not update it.</p>  
33 -<p>Alternatively if you prefer the old school way, you may download the</p>  
34 -<p><a href="https://bitbucket.org/decalage/oletools/downloads">zip archive</a>, extract it into</p>  
35 -<p>a temporary directory and run <strong>&quot;python setup.py install&quot;</strong>.</p>  
36 -<hr />  
37 -<p>python-oletools documentation</p> 26 +<h2 id="for-python-applications">For python applications</h2>
  27 +<p>If you plan to use python-oletools with other Python applications or your own scripts, the simplest solution is to use <strong>&quot;pip install oletools&quot;</strong> or <strong>&quot;easy_install oletools&quot;</strong> to download and install the package in one go. Pip is included with Python since version 2.7.9.</p>
  28 +<p><strong>Important: to update oletools</strong> if it is already installed, you must run <strong>&quot;pip install -U oletools&quot;</strong>, otherwise pip will not update it.</p>
  29 +<p>Alternatively if you prefer the old school way, you may download the <a href="https://bitbucket.org/decalage/oletools/downloads">zip archive</a>, extract it into a temporary directory and run <strong>&quot;python setup.py install&quot;</strong>.</p>
38 <hr /> 30 <hr />
  31 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
39 <ul> 32 <ul>
40 -<li><p><a href="Home.html">Home</a></p></li>  
41 -<li><p><a href="License.html">License</a></p></li>  
42 -<li><p><a href="Install.html">Install</a></p></li>  
43 -<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>  
44 -<li><p>Tools:</p> 33 +<li><a href="Home.html">Home</a></li>
  34 +<li><a href="License.html">License</a></li>
  35 +<li><a href="Install.html">Install</a></li>
  36 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  37 +<li>Tools:
45 <ul> 38 <ul>
46 -<li><p><a href="olebrowse.html">olebrowse</a></p></li>  
47 -<li><p><a href="oleid.html">oleid</a></p></li>  
48 -<li><p><a href="olemeta.html">olemeta</a></p></li>  
49 -<li><p><a href="oletimes.html">oletimes</a></p></li>  
50 -<li><p><a href="olevba.html">olevba</a></p></li>  
51 -<li><p><a href="pyxswf.html">pyxswf</a></p></li>  
52 -<li><p><a href="rtfobj.html">rtfobj</a></p></li> 39 +<li><a href="olebrowse.html">olebrowse</a></li>
  40 +<li><a href="oleid.html">oleid</a></li>
  41 +<li><a href="olemeta.html">olemeta</a></li>
  42 +<li><a href="oletimes.html">oletimes</a></li>
  43 +<li><a href="oledir.html">oledir</a></li>
  44 +<li><a href="olemap.html">olemap</a></li>
  45 +<li><a href="olevba.html">olevba</a></li>
  46 +<li><a href="mraptor.html">mraptor</a></li>
  47 +<li><a href="pyxswf.html">pyxswf</a></li>
  48 +<li><a href="oleobj.html">oleobj</a></li>
  49 +<li><a href="rtfobj.html">rtfobj</a></li>
53 </ul></li> 50 </ul></li>
54 </ul> 51 </ul>
  52 +</body>
  53 +</html>
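Review bot: the symlink recipe (new lines 22-23, `chmod +x` then `ln -s ... /usr/local/bin/olevba`) only works if olevba.py begins with a shebang line such as `#!/usr/bin/env python`; without one the kernel hands the file to /bin/sh and the command fails with syntax errors. State that precondition next to the example (or confirm every tool script in the package carries the shebang), and consider dropping `easy_install oletools` from new line 27 since pip is the supported installer on every Python version the page targets. The note that `pip install -U oletools` is required to upgrade (new line 28) is correct and worth keeping.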
oletools/doc/Install.md
@@ -68,6 +68,10 @@ python-oletools documentation @@ -68,6 +68,10 @@ python-oletools documentation
68 - [[oleid]] 68 - [[oleid]]
69 - [[olemeta]] 69 - [[olemeta]]
70 - [[oletimes]] 70 - [[oletimes]]
  71 + - [[oledir]]
  72 + - [[olemap]]
71 - [[olevba]] 73 - [[olevba]]
  74 + - [[mraptor]]
72 - [[pyxswf]] 75 - [[pyxswf]]
73 - - [[rtfobj]]  
74 \ No newline at end of file 76 \ No newline at end of file
  77 + - [[oleobj]]
  78 + - [[rtfobj]]
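Review bot: `\ No newline at end of file` remains on both sides of this hunk, which is why the unchanged `- [[rtfobj]]` line is deleted and re-added just to insert oleobj above it; add the trailing newline to the last line while touching the file so later edits to the list diff cleanly.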
oletools/doc/License.html
1 -<p>License for python-oletools</p>  
2 -<p>===========================</p>  
3 -<p>This license applies to the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package, apart from the</p>  
4 -<p>thirdparty folder which contains third-party files published with their own license.</p>  
5 -<p>The python-oletools package is copyright (c) 2012-2015 Philippe Lagadec (<a href="http://www.decalage.info">http://www.decalage.info</a>)</p> 1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 + <style type="text/css">code{white-space: pre;}</style>
  9 +</head>
  10 +<body>
  11 +<h1 id="license-for-python-oletools">License for python-oletools</h1>
  12 +<p>This license applies to the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package, apart from the thirdparty folder which contains third-party files published with their own license.</p>
  13 +<p>The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec (<a href="http://www.decalage.info">http://www.decalage.info</a>)</p>
6 <p>All rights reserved.</p> 14 <p>All rights reserved.</p>
7 -<p>Redistribution and use in source and binary forms, with or without modification,</p>  
8 -<p>are permitted provided that the following conditions are met:</p> 15 +<p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:</p>
9 <ul> 16 <ul>
10 -<li>Redistributions of source code must retain the above copyright notice, this</li> 17 +<li>Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.</li>
  18 +<li>Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.</li>
11 </ul> 19 </ul>
12 -<p>list of conditions and the following disclaimer.</p>  
13 -<ul>  
14 -<li>Redistributions in binary form must reproduce the above copyright notice,</li>  
15 -</ul>  
16 -<p>this list of conditions and the following disclaimer in the documentation</p>  
17 -<p>and/or other materials provided with the distribution.</p>  
18 -<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS &quot;AS IS&quot; AND</p>  
19 -<p>ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED</p>  
20 -<p>WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE</p>  
21 -<p>DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE</p>  
22 -<p>FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL</p>  
23 -<p>DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR</p>  
24 -<p>SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER</p>  
25 -<p>CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,</p>  
26 -<p>OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE</p>  
27 -<p>OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</p>  
28 -<hr />  
29 -<p>License for officeparser</p>  
30 -<hr />  
31 -<p>olevba contains modified source code from the <a href="https://github.com/unixfreak0037/officeparser">officeparser</a> project, published</p>  
32 -<p>under the following MIT License (MIT):</p> 20 +<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS &quot;AS IS&quot; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</p>
  21 +<table>
  22 +<tbody>
  23 +<tr class="odd">
  24 +<td align="left">License for officeparser</td>
  25 +</tr>
  26 +</tbody>
  27 +</table>
  28 +<p>olevba contains modified source code from the <a href="https://github.com/unixfreak0037/officeparser">officeparser</a> project, published under the following MIT License (MIT):</p>
33 <p>officeparser is copyright (c) 2014 John William Davison</p> 29 <p>officeparser is copyright (c) 2014 John William Davison</p>
34 -<p>Permission is hereby granted, free of charge, to any person obtaining a copy</p>  
35 -<p>of this software and associated documentation files (the &quot;Software&quot;), to deal</p>  
36 -<p>in the Software without restriction, including without limitation the rights</p>  
37 -<p>to use, copy, modify, merge, publish, distribute, sublicense, and/or sell</p>  
38 -<p>copies of the Software, and to permit persons to whom the Software is</p>  
39 -<p>furnished to do so, subject to the following conditions:</p>  
40 -<p>The above copyright notice and this permission notice shall be included in all</p>  
41 -<p>copies or substantial portions of the Software.</p>  
42 -<p>THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR</p>  
43 -<p>IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,</p>  
44 -<p>FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE</p>  
45 -<p>AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER</p>  
46 -<p>LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,</p>  
47 -<p>OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE</p>  
48 -<p>SOFTWARE.</p>  
49 -<hr />  
50 -<p>python-oletools documentation</p> 30 +<p>Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the &quot;Software&quot;), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:</p>
  31 +<p>The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.</p>
  32 +<p>THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</p>
51 <hr /> 33 <hr />
  34 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
52 <ul> 35 <ul>
53 -<li><p><a href="Home.html">Home</a></p></li>  
54 -<li><p><a href="License.html">License</a></p></li>  
55 -<li><p><a href="Install.html">Install</a></p></li>  
56 -<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>  
57 -<li><p>Tools:</p> 36 +<li><a href="Home.html">Home</a></li>
  37 +<li><a href="License.html">License</a></li>
  38 +<li><a href="Install.html">Install</a></li>
  39 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  40 +<li>Tools:
58 <ul> 41 <ul>
59 -<li><p><a href="olebrowse.html">olebrowse</a></p></li>  
60 -<li><p><a href="oleid.html">oleid</a></p></li>  
61 -<li><p><a href="olemeta.html">olemeta</a></p></li>  
62 -<li><p><a href="oletimes.html">oletimes</a></p></li>  
63 -<li><p><a href="olevba.html">olevba</a></p></li>  
64 -<li><p><a href="pyxswf.html">pyxswf</a></p></li>  
65 -<li><p><a href="rtfobj.html">rtfobj</a></p></li> 42 +<li><a href="olebrowse.html">olebrowse</a></li>
  43 +<li><a href="oleid.html">oleid</a></li>
  44 +<li><a href="olemeta.html">olemeta</a></li>
  45 +<li><a href="oletimes.html">oletimes</a></li>
  46 +<li><a href="oledir.html">oledir</a></li>
  47 +<li><a href="olemap.html">olemap</a></li>
  48 +<li><a href="olevba.html">olevba</a></li>
  49 +<li><a href="mraptor.html">mraptor</a></li>
  50 +<li><a href="pyxswf.html">pyxswf</a></li>
  51 +<li><a href="oleobj.html">oleobj</a></li>
  52 +<li><a href="rtfobj.html">rtfobj</a></li>
66 </ul></li> 53 </ul></li>
67 </ul> 54 </ul>
  55 +</body>
  56 +</html>
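Review bot: the regenerated footer now links to oledir.html, olemap.html, mraptor.html and oleobj.html, yet no file with any of those names appears anywhere in this changeset (git lists paths alphabetically, so mraptor.html would sit before olebrowse.html, oledir.html and olemap.html between olebrowse.md and olemeta.html, and oleobj.html before oletimes.html). Unless those pages already exist in the tree, the new entries in every "python-oletools documentation" list are dead links; add the pages in the same commit or confirm they are present before the 0.44 docs are published.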
oletools/doc/License.md
@@ -4,7 +4,7 @@ License for python-oletools @@ -4,7 +4,7 @@ License for python-oletools
4 This license applies to the [python-oletools](http://www.decalage.info/python/oletools) package, apart from the 4 This license applies to the [python-oletools](http://www.decalage.info/python/oletools) package, apart from the
5 thirdparty folder which contains third-party files published with their own license. 5 thirdparty folder which contains third-party files published with their own license.
6 6
7 -The python-oletools package is copyright (c) 2012-2015 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info)) 7 +The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info))
8 8
9 All rights reserved. 9 All rights reserved.
10 10
@@ -70,6 +70,10 @@ python-oletools documentation @@ -70,6 +70,10 @@ python-oletools documentation
70 - [[oleid]] 70 - [[oleid]]
71 - [[olemeta]] 71 - [[olemeta]]
72 - [[oletimes]] 72 - [[oletimes]]
  73 + - [[oledir]]
  74 + - [[olemap]]
73 - [[olevba]] 75 - [[olevba]]
  76 + - [[mraptor]]
74 - [[pyxswf]] 77 - [[pyxswf]]
75 - - [[rtfobj]]  
76 \ No newline at end of file 78 \ No newline at end of file
  79 + - [[oleobj]]
  80 + - [[rtfobj]]
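Review bot: this footer list is maintained by hand in License.md and repeated verbatim in olebrowse.md, oleid.md, olemeta.md and oletimes.md (and again in each generated .html), which is why `- [[rtfobj]]` has to be deleted and re-added here just to slot `- [[oleobj]]` above it. Generating the footer from one shared fragment when pandoc runs would keep the copies from drifting the next time a tool is added.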
oletools/doc/olebrowse.html
1 -<p>olebrowse</p>  
2 -<p>=========</p>  
3 -<p>olebrowse is a simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to</p>  
4 -<p>view and extract individual data streams.</p> 1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 + <style type="text/css">code{white-space: pre;}</style>
  9 +</head>
  10 +<body>
  11 +<h1 id="olebrowse">olebrowse</h1>
  12 +<p>olebrowse is a simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.</p>
5 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p> 13 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
6 -<p>Usage</p>  
7 -<hr /> 14 +<h2 id="usage">Usage</h2>
8 <pre><code>olebrowse.py [file]</code></pre> 15 <pre><code>olebrowse.py [file]</code></pre>
9 <p>If you provide a file it will be opened, else a dialog will allow you to browse folders to open a file. Then if it is a valid OLE file, the list of data streams will be displayed. You can select a stream, and then either view its content in a builtin hexadecimal viewer, or save it to a file for further analysis.</p> 16 <p>If you provide a file it will be opened, else a dialog will allow you to browse folders to open a file. Then if it is a valid OLE file, the list of data streams will be displayed. You can select a stream, and then either view its content in a builtin hexadecimal viewer, or save it to a file for further analysis.</p>
10 -<p>Screenshots</p>  
11 -<hr /> 17 +<h2 id="screenshots">Screenshots</h2>
12 <p>Main menu, showing all streams in the OLE file:</p> 18 <p>Main menu, showing all streams in the OLE file:</p>
13 <div class="figure"> 19 <div class="figure">
14 <img src="olebrowse1_menu.png" /> 20 <img src="olebrowse1_menu.png" />
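Review bot: the generated header carries an empty `<title></title>`, so the page has no name in browser tabs, bookmarks or search results even though the body starts with `<h1 id="olebrowse">olebrowse</h1>`. Give pandoc a title (a title block `% olebrowse` as the first line of the markdown, or its `--metadata` option) so the `<title>` matches the `<h1>`; the same applies to every other regenerated page in this commit.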
@@ -22,21 +28,26 @@ @@ -22,21 +28,26 @@
22 <img src="olebrowse3_hexview.png" /> 28 <img src="olebrowse3_hexview.png" />
23 </div> 29 </div>
24 <hr /> 30 <hr />
25 -<p>python-oletools documentation</p>  
26 -<hr /> 31 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
27 <ul> 32 <ul>
28 -<li><p><a href="Home.html">Home</a></p></li>  
29 -<li><p><a href="License.html">License</a></p></li>  
30 -<li><p><a href="Install.html">Install</a></p></li>  
31 -<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>  
32 -<li><p>Tools:</p> 33 +<li><a href="Home.html">Home</a></li>
  34 +<li><a href="License.html">License</a></li>
  35 +<li><a href="Install.html">Install</a></li>
  36 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  37 +<li>Tools:
33 <ul> 38 <ul>
34 -<li><p><a href="olebrowse.html">olebrowse</a></p></li>  
35 -<li><p><a href="oleid.html">oleid</a></p></li>  
36 -<li><p><a href="olemeta.html">olemeta</a></p></li>  
37 -<li><p><a href="oletimes.html">oletimes</a></p></li>  
38 -<li><p><a href="olevba.html">olevba</a></p></li>  
39 -<li><p><a href="pyxswf.html">pyxswf</a></p></li>  
40 -<li><p><a href="rtfobj.html">rtfobj</a></p></li> 39 +<li><a href="olebrowse.html">olebrowse</a></li>
  40 +<li><a href="oleid.html">oleid</a></li>
  41 +<li><a href="olemeta.html">olemeta</a></li>
  42 +<li><a href="oletimes.html">oletimes</a></li>
  43 +<li><a href="oledir.html">oledir</a></li>
  44 +<li><a href="olemap.html">olemap</a></li>
  45 +<li><a href="olevba.html">olevba</a></li>
  46 +<li><a href="mraptor.html">mraptor</a></li>
  47 +<li><a href="pyxswf.html">pyxswf</a></li>
  48 +<li><a href="oleobj.html">oleobj</a></li>
  49 +<li><a href="rtfobj.html">rtfobj</a></li>
41 </ul></li> 50 </ul></li>
42 </ul> 51 </ul>
  52 +</body>
  53 +</html>
oletools/doc/olebrowse.md
@@ -42,6 +42,10 @@ python-oletools documentation @@ -42,6 +42,10 @@ python-oletools documentation
42 - [[oleid]] 42 - [[oleid]]
43 - [[olemeta]] 43 - [[olemeta]]
44 - [[oletimes]] 44 - [[oletimes]]
  45 + - [[oledir]]
  46 + - [[olemap]]
45 - [[olevba]] 47 - [[olevba]]
  48 + - [[mraptor]]
46 - [[pyxswf]] 49 - [[pyxswf]]
47 - - [[rtfobj]]  
48 \ No newline at end of file 50 \ No newline at end of file
  51 + - [[oleobj]]
  52 + - [[rtfobj]]
oletools/doc/oleid.html
1 -<p>oleid</p>  
2 -<p>=====</p>  
3 -<p>oleid is a script to analyze OLE files such as MS Office documents (e.g. Word,</p>  
4 -<p>Excel), to detect specific characteristics usually found in malicious files (e.g. malware).</p>  
5 -<p>For example it can detect VBA macros and embedded Flash objects.</p> 1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 + <style type="text/css">code{white-space: pre;}</style>
  9 +</head>
  10 +<body>
  11 +<h1 id="oleid">oleid</h1>
  12 +<p>oleid is a script to analyze OLE files such as MS Office documents (e.g. Word, Excel), to detect specific characteristics usually found in malicious files (e.g. malware). For example it can detect VBA macros and embedded Flash objects.</p>
6 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p> 13 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
7 <h2 id="main-features">Main Features</h2> 14 <h2 id="main-features">Main Features</h2>
8 <ul> 15 <ul>
9 -<li><p>Detect OLE file type from its internal structure (e.g. MS Word, Excel, PowerPoint, ...)</p></li>  
10 -<li><p>Detect VBA Macros</p></li>  
11 -<li><p>Detect embedded Flash objects</p></li>  
12 -<li><p>Detect embedded OLE objects</p></li>  
13 -<li><p>Detect MS Office encryption</p></li>  
14 -<li><p>Can be used as a command-line tool</p></li>  
15 -<li><p>Python API to integrate it in your applications</p></li> 16 +<li>Detect OLE file type from its internal structure (e.g. MS Word, Excel, PowerPoint, ...)</li>
  17 +<li>Detect VBA Macros</li>
  18 +<li>Detect embedded Flash objects</li>
  19 +<li>Detect embedded OLE objects</li>
  20 +<li>Detect MS Office encryption</li>
  21 +<li>Can be used as a command-line tool</li>
  22 +<li>Python API to integrate it in your applications</li>
16 </ul> 23 </ul>
17 <p>Planned improvements:</p> 24 <p>Planned improvements:</p>
18 <ul> 25 <ul>
19 -<li><p>Extract the most important metadata fields</p></li>  
20 -<li><p>Support for OpenXML files and embedded OLE files</p></li>  
21 -<li><p>Generic VBA macros detection</p></li>  
22 -<li><p>Detect auto-executable VBA macros</p></li>  
23 -<li><p>Extended OLE file types detection</p></li>  
24 -<li><p>Detect unusual OLE structures (fragmentation, unused sectors, etc)</p></li>  
25 -<li><p>Options to scan multiple files</p></li>  
26 -<li><p>Options to scan files from encrypted zip archives</p></li>  
27 -<li><p>CSV output</p></li> 26 +<li>Extract the most important metadata fields</li>
  27 +<li>Support for OpenXML files and embedded OLE files</li>
  28 +<li>Generic VBA macros detection</li>
  29 +<li>Detect auto-executable VBA macros</li>
  30 +<li>Extended OLE file types detection</li>
  31 +<li>Detect unusual OLE structures (fragmentation, unused sectors, etc)</li>
  32 +<li>Options to scan multiple files</li>
  33 +<li>Options to scan files from encrypted zip archives</li>
  34 +<li>CSV output</li>
28 </ul> 35 </ul>
29 <h2 id="usage">Usage</h2> 36 <h2 id="usage">Usage</h2>
30 <pre><code>oleid.py &lt;file&gt;</code></pre> 37 <pre><code>oleid.py &lt;file&gt;</code></pre>
@@ -32,83 +39,65 @@ @@ -32,83 +39,65 @@
32 <p>Analyzing a Word document containing a Flash object and VBA macros:</p> 39 <p>Analyzing a Word document containing a Flash object and VBA macros:</p>
33 <pre><code>C:\oletools&gt;oleid.py word_flash_vba.doc 40 <pre><code>C:\oletools&gt;oleid.py word_flash_vba.doc
34 41
35 -  
36 -  
37 Filename: word_flash_vba.doc 42 Filename: word_flash_vba.doc
38 -  
39 +-------------------------------+-----------------------+ 43 +-------------------------------+-----------------------+
40 -  
41 | Indicator | Value | 44 | Indicator | Value |
42 -  
43 +-------------------------------+-----------------------+ 45 +-------------------------------+-----------------------+
44 -  
45 | OLE format | True | 46 | OLE format | True |
46 -  
47 | Has SummaryInformation stream | True | 47 | Has SummaryInformation stream | True |
48 -  
49 | Application name | Microsoft Office Word | 48 | Application name | Microsoft Office Word |
50 -  
51 | Encrypted | False | 49 | Encrypted | False |
52 -  
53 | Word Document | True | 50 | Word Document | True |
54 -  
55 | VBA Macros | True | 51 | VBA Macros | True |
56 -  
57 | Excel Workbook | False | 52 | Excel Workbook | False |
58 -  
59 | PowerPoint Presentation | False | 53 | PowerPoint Presentation | False |
60 -  
61 | Visio Drawing | False | 54 | Visio Drawing | False |
62 -  
63 | ObjectPool | True | 55 | ObjectPool | True |
64 -  
65 | Flash objects | 1 | 56 | Flash objects | 1 |
66 -  
67 +-------------------------------+-----------------------+</code></pre> 57 +-------------------------------+-----------------------+</code></pre>
68 <h2 id="how-to-use-oleid-in-your-python-applications">How to use oleid in your Python applications</h2> 58 <h2 id="how-to-use-oleid-in-your-python-applications">How to use oleid in your Python applications</h2>
69 <p>First, import oletools.oleid, and create an <strong>OleID</strong> object to scan a file:</p> 59 <p>First, import oletools.oleid, and create an <strong>OleID</strong> object to scan a file:</p>
70 <pre><code>import oletools.oleid 60 <pre><code>import oletools.oleid
71 61
72 -  
73 -  
74 oid = oletools.oleid.OleID(filename)</code></pre> 62 oid = oletools.oleid.OleID(filename)</code></pre>
75 <p>Note: filename can be a filename, a file-like object, or a bytes string containing the file to be analyzed.</p> 63 <p>Note: filename can be a filename, a file-like object, or a bytes string containing the file to be analyzed.</p>
76 <p>Second, call the <strong>check()</strong> method. It returns a list of <strong>Indicator</strong> objects.</p> 64 <p>Second, call the <strong>check()</strong> method. It returns a list of <strong>Indicator</strong> objects.</p>
77 <p>Each Indicator object has the following attributes:</p> 65 <p>Each Indicator object has the following attributes:</p>
78 <ul> 66 <ul>
79 -<li><p><strong>id</strong>: str, identifier for the indicator</p></li>  
80 -<li><p><strong>name</strong>: str, name to display the indicator</p></li>  
81 -<li><p><strong>description</strong>: str, long description of the indicator</p></li>  
82 -<li><p><strong>type</strong>: class of the indicator (e.g. bool, str, int)</p></li>  
83 -<li><p><strong>value</strong>: value of the indicator</p></li> 67 +<li><strong>id</strong>: str, identifier for the indicator</li>
  68 +<li><strong>name</strong>: str, name to display the indicator</li>
  69 +<li><strong>description</strong>: str, long description of the indicator</li>
  70 +<li><strong>type</strong>: class of the indicator (e.g. bool, str, int)</li>
  71 +<li><strong>value</strong>: value of the indicator</li>
84 </ul> 72 </ul>
85 <p>For example, the following code displays all the indicators:</p> 73 <p>For example, the following code displays all the indicators:</p>
86 <pre><code>indicators = oid.check() 74 <pre><code>indicators = oid.check()
87 -  
88 for i in indicators: 75 for i in indicators:
89 -  
90 print &#39;Indicator id=%s name=&quot;%s&quot; type=%s value=%s&#39; % (i.id, i.name, i.type, repr(i.value)) 76 print &#39;Indicator id=%s name=&quot;%s&quot; type=%s value=%s&#39; % (i.id, i.name, i.type, repr(i.value))
91 -  
92 print &#39;description:&#39;, i.description 77 print &#39;description:&#39;, i.description
93 -  
94 print &#39;&#39;</code></pre> 78 print &#39;&#39;</code></pre>
95 <p>See the source code of oleid.py for more details.</p> 79 <p>See the source code of oleid.py for more details.</p>
96 <hr /> 80 <hr />
97 -<p>python-oletools documentation</p>  
98 -<hr /> 81 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
99 <ul> 82 <ul>
100 -<li><p><a href="Home.html">Home</a></p></li>  
101 -<li><p><a href="License.html">License</a></p></li>  
102 -<li><p><a href="Install.html">Install</a></p></li>  
103 -<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>  
104 -<li><p>Tools:</p> 83 +<li><a href="Home.html">Home</a></li>
  84 +<li><a href="License.html">License</a></li>
  85 +<li><a href="Install.html">Install</a></li>
  86 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  87 +<li>Tools:
105 <ul> 88 <ul>
106 -<li><p><a href="olebrowse.html">olebrowse</a></p></li>  
107 -<li><p><a href="oleid.html">oleid</a></p></li>  
108 -<li><p><a href="olemeta.html">olemeta</a></p></li>  
109 -<li><p><a href="oletimes.html">oletimes</a></p></li>  
110 -<li><p><a href="olevba.html">olevba</a></p></li>  
111 -<li><p><a href="pyxswf.html">pyxswf</a></p></li>  
112 -<li><p><a href="rtfobj.html">rtfobj</a></p></li> 89 +<li><a href="olebrowse.html">olebrowse</a></li>
  90 +<li><a href="oleid.html">oleid</a></li>
  91 +<li><a href="olemeta.html">olemeta</a></li>
  92 +<li><a href="oletimes.html">oletimes</a></li>
  93 +<li><a href="oledir.html">oledir</a></li>
  94 +<li><a href="olemap.html">olemap</a></li>
  95 +<li><a href="olevba.html">olevba</a></li>
  96 +<li><a href="mraptor.html">mraptor</a></li>
  97 +<li><a href="pyxswf.html">pyxswf</a></li>
  98 +<li><a href="oleobj.html">oleobj</a></li>
  99 +<li><a href="rtfobj.html">rtfobj</a></li>
113 </ul></li> 100 </ul></li>
114 </ul> 101 </ul>
  102 +</body>
  103 +</html>
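Review bot: the snippet under "How to use oleid in your Python applications" is Python 2 only (`print 'description:', i.description`) and the page does not say which Python versions oleid supports. Either state the supported version next to the example or write it with `from __future__ import print_function` and `print(...)` calls so it runs unchanged on both; this hunk only strips blank lines from the snippet, so it is a cheap moment to fix.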
oletools/doc/oleid.md
@@ -104,6 +104,10 @@ python-oletools documentation @@ -104,6 +104,10 @@ python-oletools documentation
104 - [[oleid]] 104 - [[oleid]]
105 - [[olemeta]] 105 - [[olemeta]]
106 - [[oletimes]] 106 - [[oletimes]]
  107 + - [[oledir]]
  108 + - [[olemap]]
107 - [[olevba]] 109 - [[olevba]]
  110 + - [[mraptor]]
108 - [[pyxswf]] 111 - [[pyxswf]]
109 - - [[rtfobj]]  
110 \ No newline at end of file 112 \ No newline at end of file
  113 + - [[oleobj]]
  114 + - [[rtfobj]]
oletools/doc/olemeta.html
1 -<p>olemeta</p>  
2 -<p>=======</p>  
3 -<p>olemeta is a script to parse OLE files such as MS Office documents (e.g. Word,</p>  
4 -<p>Excel), to extract all standard properties present in the OLE file.</p> 1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 + <style type="text/css">code{white-space: pre;}</style>
  9 +</head>
  10 +<body>
  11 +<h1 id="olemeta">olemeta</h1>
  12 +<p>olemeta is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract all standard properties present in the OLE file.</p>
5 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p> 13 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
6 <h2 id="usage">Usage</h2> 14 <h2 id="usage">Usage</h2>
7 <pre><code>olemeta.py &lt;file&gt;</code></pre> 15 <pre><code>olemeta.py &lt;file&gt;</code></pre>
8 <h3 id="example">Example</h3> 16 <h3 id="example">Example</h3>
9 -<p>Checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>  
10 -<pre><code>&gt;olemeta.py DIAN_caso-5415.doc  
11 -  
12 -  
13 -  
14 -Properties from SummaryInformation stream:  
15 -  
16 -- codepage: 1252  
17 -  
18 -- title: &#39;Gu\xeda MIPYME para ser emisor electr\xf3nico&#39;  
19 -  
20 -- subject: &#39;&#39;  
21 -  
22 -- author: &#39;OFEyDV&#39;  
23 -  
24 -- keywords: &#39;&#39;  
25 -  
26 -- comments: &#39;&#39;  
27 -  
28 -- template: &#39;Normal.dotm&#39;  
29 -  
30 -- last_saved_by: &#39;clein&#39;  
31 -  
32 -- revision_number: &#39;13&#39;  
33 -  
34 -- total_edit_time: 4800L  
35 -  
36 -- last_printed: datetime.datetime(2006, 6, 7, 14, 4)  
37 -  
38 -- create_time: datetime.datetime(2009, 3, 30, 14, 18)  
39 -  
40 -- last_saved_time: datetime.datetime(2014, 5, 14, 12, 45)  
41 -  
42 -- num_pages: 7  
43 -  
44 -- num_words: 269  
45 -  
46 -- num_chars: 1485  
47 -  
48 -- thumbnail: None  
49 -  
50 -- creating_application: &#39;Microsoft Office Word&#39;  
51 -  
52 -- security: 0  
53 -  
54 -  
55 -  
56 -Properties from DocumentSummaryInformation stream:  
57 -  
58 -- codepage_doc: 1252  
59 -  
60 -- category: None  
61 -  
62 -- presentation_target: None  
63 -  
64 -- bytes: None  
65 -  
66 -- lines: 12  
67 -  
68 -- paragraphs: 3  
69 -  
70 -- slides: None  
71 -  
72 -- notes: None  
73 -  
74 -- hidden_slides: None  
75 -  
76 -- mm_clips: None  
77 -  
78 -- scale_crop: False  
79 -  
80 -- heading_pairs: None  
81 -  
82 -- titles_of_parts: None  
83 -  
84 -- manager: None  
85 -  
86 -- company: &#39;Servicio de Impuestos Internos&#39;  
87 -  
88 -- links_dirty: False  
89 -  
90 -- chars_with_spaces: 1751  
91 -  
92 -- unused: None  
93 -  
94 -- shared_doc: False  
95 -  
96 -- link_base: None  
97 -  
98 -- hlinks: None  
99 -  
100 -- hlinks_changed: False  
101 -  
102 -- version: 786432  
103 -  
104 -- dig_sig: None  
105 -  
106 -- content_type: None  
107 -  
108 -- content_status: None  
109 -  
110 -- language: None  
111 -  
112 -- doc_version: None</code></pre> 17 +<div class="figure">
  18 +<img src="olemeta1.png" />
  19 +</div>
113 <h2 id="how-to-use-olemeta-in-python-applications">How to use olemeta in Python applications</h2> 20 <h2 id="how-to-use-olemeta-in-python-applications">How to use olemeta in Python applications</h2>
114 <p>TODO</p> 21 <p>TODO</p>
115 <hr /> 22 <hr />
116 -<p>python-oletools documentation</p>  
117 -<hr /> 23 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
118 <ul> 24 <ul>
119 -<li><p><a href="Home.html">Home</a></p></li>  
120 -<li><p><a href="License.html">License</a></p></li>  
121 -<li><p><a href="Install.html">Install</a></p></li>  
122 -<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>  
123 -<li><p>Tools:</p> 25 +<li><a href="Home.html">Home</a></li>
  26 +<li><a href="License.html">License</a></li>
  27 +<li><a href="Install.html">Install</a></li>
  28 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  29 +<li>Tools:
124 <ul> 30 <ul>
125 -<li><p><a href="olebrowse.html">olebrowse</a></p></li>  
126 -<li><p><a href="oleid.html">oleid</a></p></li>  
127 -<li><p><a href="olemeta.html">olemeta</a></p></li>  
128 -<li><p><a href="oletimes.html">oletimes</a></p></li>  
129 -<li><p><a href="olevba.html">olevba</a></p></li>  
130 -<li><p><a href="pyxswf.html">pyxswf</a></p></li>  
131 -<li><p><a href="rtfobj.html">rtfobj</a></p></li> 31 +<li><a href="olebrowse.html">olebrowse</a></li>
  32 +<li><a href="oleid.html">oleid</a></li>
  33 +<li><a href="olemeta.html">olemeta</a></li>
  34 +<li><a href="oletimes.html">oletimes</a></li>
  35 +<li><a href="oledir.html">oledir</a></li>
  36 +<li><a href="olemap.html">olemap</a></li>
  37 +<li><a href="olevba.html">olevba</a></li>
  38 +<li><a href="mraptor.html">mraptor</a></li>
  39 +<li><a href="pyxswf.html">pyxswf</a></li>
  40 +<li><a href="oleobj.html">oleobj</a></li>
  41 +<li><a href="rtfobj.html">rtfobj</a></li>
132 </ul></li> 42 </ul></li>
133 </ul> 43 </ul>
  44 +</body>
  45 +</html>
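Review bot: replacing the textual olemeta output with `<img src="olemeta1.png" />` removes the only worked list of property names (title, author, last_saved_by, company, ...) that a reader could search, copy or diff against their own output, and the `<img>` has no `alt` attribute. Keep a short text transcript next to the screenshot (or at least set `alt`), and confirm olemeta1.png is committed with this change, since the image itself is not visible in this diff.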
oletools/doc/olemeta.md
@@ -13,61 +13,7 @@ It is part of the [python-oletools](http://www.decalage.info/python/oletools) pa @@ -13,61 +13,7 @@ It is part of the [python-oletools](http://www.decalage.info/python/oletools) pa
13 13
14 ### Example 14 ### Example
15 15
16 -Checking the malware sample [DIAN_caso-5415.doc](https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/):  
17 -  
18 - :::text  
19 - >olemeta.py DIAN_caso-5415.doc  
20 -  
21 - Properties from SummaryInformation stream:  
22 - - codepage: 1252  
23 - - title: 'Gu\xeda MIPYME para ser emisor electr\xf3nico'  
24 - - subject: ''  
25 - - author: 'OFEyDV'  
26 - - keywords: ''  
27 - - comments: ''  
28 - - template: 'Normal.dotm'  
29 - - last_saved_by: 'clein'  
30 - - revision_number: '13'  
31 - - total_edit_time: 4800L  
32 - - last_printed: datetime.datetime(2006, 6, 7, 14, 4)  
33 - - create_time: datetime.datetime(2009, 3, 30, 14, 18)  
34 - - last_saved_time: datetime.datetime(2014, 5, 14, 12, 45)  
35 - - num_pages: 7  
36 - - num_words: 269  
37 - - num_chars: 1485  
38 - - thumbnail: None  
39 - - creating_application: 'Microsoft Office Word'  
40 - - security: 0  
41 -  
42 - Properties from DocumentSummaryInformation stream:  
43 - - codepage_doc: 1252  
44 - - category: None  
45 - - presentation_target: None  
46 - - bytes: None  
47 - - lines: 12  
48 - - paragraphs: 3  
49 - - slides: None  
50 - - notes: None  
51 - - hidden_slides: None  
52 - - mm_clips: None  
53 - - scale_crop: False  
54 - - heading_pairs: None  
55 - - titles_of_parts: None  
56 - - manager: None  
57 - - company: 'Servicio de Impuestos Internos'  
58 - - links_dirty: False  
59 - - chars_with_spaces: 1751  
60 - - unused: None  
61 - - shared_doc: False  
62 - - link_base: None  
63 - - hlinks: None  
64 - - hlinks_changed: False  
65 - - version: 786432  
66 - - dig_sig: None  
67 - - content_type: None  
68 - - content_status: None  
69 - - language: None  
70 - - doc_version: None 16 +![](olemeta1.png)
71 17
72 ## How to use olemeta in Python applications 18 ## How to use olemeta in Python applications
73 19
@@ -87,6 +33,10 @@ python-oletools documentation @@ -87,6 +33,10 @@ python-oletools documentation
87 - [[oleid]] 33 - [[oleid]]
88 - [[olemeta]] 34 - [[olemeta]]
89 - [[oletimes]] 35 - [[oletimes]]
  36 + - [[oledir]]
  37 + - [[olemap]]
90 - [[olevba]] 38 - [[olevba]]
  39 + - [[mraptor]]
91 - [[pyxswf]] 40 - [[pyxswf]]
92 - - [[rtfobj]]  
93 \ No newline at end of file 41 \ No newline at end of file
  42 + - [[oleobj]]
  43 + - [[rtfobj]]
oletools/doc/oletimes.html
1 -<p>oletimes</p>  
2 -<p>========</p>  
3 -<p>oletimes is a script to parse OLE files such as MS Office documents (e.g. Word,</p>  
4 -<p>Excel), to extract creation and modification times of all streams and storages</p>  
5 -<p>in the OLE file.</p> 1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 + <style type="text/css">code{white-space: pre;}</style>
  9 +</head>
  10 +<body>
  11 +<h1 id="oletimes">oletimes</h1>
  12 +<p>oletimes is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract creation and modification times of all streams and storages in the OLE file.</p>
6 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p> 13 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
7 <h2 id="usage">Usage</h2> 14 <h2 id="usage">Usage</h2>
8 <pre><code>oletimes.py &lt;file&gt;</code></pre> 15 <pre><code>oletimes.py &lt;file&gt;</code></pre>
@@ -10,71 +17,52 @@ @@ -10,71 +17,52 @@
10 <p>Checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p> 17 <p>Checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
11 <pre><code>&gt;oletimes.py DIAN_caso-5415.doc 18 <pre><code>&gt;oletimes.py DIAN_caso-5415.doc
12 19
13 -  
14 -  
15 +----------------------------+---------------------+---------------------+ 20 +----------------------------+---------------------+---------------------+
16 -  
17 | Stream/Storage name | Modification Time | Creation Time | 21 | Stream/Storage name | Modification Time | Creation Time |
18 -  
19 +----------------------------+---------------------+---------------------+ 22 +----------------------------+---------------------+---------------------+
20 -  
21 | Root | 2014-05-14 12:45:24 | None | 23 | Root | 2014-05-14 12:45:24 | None |
22 -  
23 | &#39;\x01CompObj&#39; | None | None | 24 | &#39;\x01CompObj&#39; | None | None |
24 -  
25 | &#39;\x05DocumentSummaryInform | None | None | 25 | &#39;\x05DocumentSummaryInform | None | None |
26 -  
27 | ation&#39; | | | 26 | ation&#39; | | |
28 -  
29 | &#39;\x05SummaryInformation&#39; | None | None | 27 | &#39;\x05SummaryInformation&#39; | None | None |
30 -  
31 | &#39;1Table&#39; | None | None | 28 | &#39;1Table&#39; | None | None |
32 -  
33 | &#39;Data&#39; | None | None | 29 | &#39;Data&#39; | None | None |
34 -  
35 | &#39;Macros&#39; | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 | 30 | &#39;Macros&#39; | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 |
36 -  
37 | &#39;Macros/PROJECT&#39; | None | None | 31 | &#39;Macros/PROJECT&#39; | None | None |
38 -  
39 | &#39;Macros/PROJECTwm&#39; | None | None | 32 | &#39;Macros/PROJECTwm&#39; | None | None |
40 -  
41 | &#39;Macros/VBA&#39; | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 | 33 | &#39;Macros/VBA&#39; | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 |
42 -  
43 | &#39;Macros/VBA/ThisDocument&#39; | None | None | 34 | &#39;Macros/VBA/ThisDocument&#39; | None | None |
44 -  
45 | &#39;Macros/VBA/_VBA_PROJECT&#39; | None | None | 35 | &#39;Macros/VBA/_VBA_PROJECT&#39; | None | None |
46 -  
47 | &#39;Macros/VBA/__SRP_0&#39; | None | None | 36 | &#39;Macros/VBA/__SRP_0&#39; | None | None |
48 -  
49 | &#39;Macros/VBA/__SRP_1&#39; | None | None | 37 | &#39;Macros/VBA/__SRP_1&#39; | None | None |
50 -  
51 | &#39;Macros/VBA/__SRP_2&#39; | None | None | 38 | &#39;Macros/VBA/__SRP_2&#39; | None | None |
52 -  
53 | &#39;Macros/VBA/__SRP_3&#39; | None | None | 39 | &#39;Macros/VBA/__SRP_3&#39; | None | None |
54 -  
55 | &#39;Macros/VBA/dir&#39; | None | None | 40 | &#39;Macros/VBA/dir&#39; | None | None |
56 -  
57 | &#39;WordDocument&#39; | None | None | 41 | &#39;WordDocument&#39; | None | None |
58 -  
59 +----------------------------+---------------------+---------------------+</code></pre> 42 +----------------------------+---------------------+---------------------+</code></pre>
60 <h2 id="how-to-use-oletimes-in-python-applications">How to use oletimes in Python applications</h2> 43 <h2 id="how-to-use-oletimes-in-python-applications">How to use oletimes in Python applications</h2>
61 <p>TODO</p> 44 <p>TODO</p>
62 <hr /> 45 <hr />
63 -<p>python-oletools documentation</p>  
64 -<hr /> 46 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
65 <ul> 47 <ul>
66 -<li><p><a href="Home.html">Home</a></p></li>  
67 -<li><p><a href="License.html">License</a></p></li>  
68 -<li><p><a href="Install.html">Install</a></p></li>  
69 -<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>  
70 -<li><p>Tools:</p> 48 +<li><a href="Home.html">Home</a></li>
  49 +<li><a href="License.html">License</a></li>
  50 +<li><a href="Install.html">Install</a></li>
  51 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  52 +<li>Tools:
71 <ul> 53 <ul>
72 -<li><p><a href="olebrowse.html">olebrowse</a></p></li>  
73 -<li><p><a href="oleid.html">oleid</a></p></li>  
74 -<li><p><a href="olemeta.html">olemeta</a></p></li>  
75 -<li><p><a href="oletimes.html">oletimes</a></p></li>  
76 -<li><p><a href="olevba.html">olevba</a></p></li>  
77 -<li><p><a href="pyxswf.html">pyxswf</a></p></li>  
78 -<li><p><a href="rtfobj.html">rtfobj</a></p></li> 54 +<li><a href="olebrowse.html">olebrowse</a></li>
  55 +<li><a href="oleid.html">oleid</a></li>
  56 +<li><a href="olemeta.html">olemeta</a></li>
  57 +<li><a href="oletimes.html">oletimes</a></li>
  58 +<li><a href="oledir.html">oledir</a></li>
  59 +<li><a href="olemap.html">olemap</a></li>
  60 +<li><a href="olevba.html">olevba</a></li>
  61 +<li><a href="mraptor.html">mraptor</a></li>
  62 +<li><a href="pyxswf.html">pyxswf</a></li>
  63 +<li><a href="oleobj.html">oleobj</a></li>
  64 +<li><a href="rtfobj.html">rtfobj</a></li>
79 </ul></li> 65 </ul></li>
80 </ul> 66 </ul>
  67 +</body>
  68 +</html>
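Review bot: the regenerated oletimes.html still ships the placeholder `<p>TODO</p>` under the heading "How to use oletimes in Python applications", so the Python API section of this page is empty in the 0.44 docs; either write that section or drop the heading until there is content. The navigation list now links oledir.html, olemap.html, mraptor.html and oleobj.html; make sure each of those generated pages is included in this commit, otherwise the new entries are dead links. The list items losing their inner `<p>` wrappers is the expected pandoc tight-list output and is consistent with the other regenerated pages.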
oletools/doc/oletimes.md
@@ -61,6 +61,10 @@ python-oletools documentation @@ -61,6 +61,10 @@ python-oletools documentation
61 - [[oleid]] 61 - [[oleid]]
62 - [[olemeta]] 62 - [[olemeta]]
63 - [[oletimes]] 63 - [[oletimes]]
  64 + - [[oledir]]
  65 + - [[olemap]]
64 - [[olevba]] 66 - [[olevba]]
  67 + - [[mraptor]]
65 - [[pyxswf]] 68 - [[pyxswf]]
66 - - [[rtfobj]]  
67 \ No newline at end of file 69 \ No newline at end of file
  70 + - [[oleobj]]
  71 + - [[rtfobj]]
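Review bot: the diff shows `\ No newline at end of file` against the removed `- [[rtfobj]]` line; check that the new ending (`- [[oleobj]]`, `- [[rtfobj]]`) is terminated by a newline so the marker does not reappear in the next change to this file. The added wiki-link entries (oledir, olemap after oletimes; mraptor after olevba; oleobj before rtfobj) match the order of the `.html` navigation list in the regenerated oletimes.html, which is good; keeping both lists generated from one source would stop them drifting apart.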
oletools/doc/olevba.html
1 -<p>olevba</p>  
2 -<p>======</p>  
3 -<p>olevba is a script to parse OLE and OpenXML files such as MS Office documents</p>  
4 -<p>(e.g. Word, Excel), to <strong>detect VBA Macros</strong>, extract their <strong>source code</strong> in clear text,</p>  
5 -<p>and detect security-related patterns such as <strong>auto-executable macros</strong>, **suspicious</p>  
6 -<p>VBA keywords** used by malware, anti-sandboxing and anti-virtualization techniques,</p>  
7 -<p>and potential <strong>IOCs</strong> (IP addresses, URLs, executable filenames, etc).</p>  
8 -<p>It also detects and decodes several common **obfuscation methods including Hex encoding,</p>  
9 -<p>StrReverse, Base64, Dridex, VBA expressions**, and extracts IOCs from decoded strings.</p> 1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 + <style type="text/css">code{white-space: pre;}</style>
  9 +</head>
  10 +<body>
  11 +<h1 id="olevba">olevba</h1>
  12 +<p>olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to <strong>detect VBA Macros</strong>, extract their <strong>source code</strong> in clear text, and detect security-related patterns such as <strong>auto-executable macros</strong>, <strong>suspicious VBA keywords</strong> used by malware, anti-sandboxing and anti-virtualization techniques, and potential <strong>IOCs</strong> (IP addresses, URLs, executable filenames, etc). It also detects and decodes several common <strong>obfuscation methods including Hex encoding, StrReverse, Base64, Dridex, VBA expressions</strong>, and extracts IOCs from decoded strings.</p>
10 <p>It can be used either as a command-line tool, or as a python module from your own applications.</p> 13 <p>It can be used either as a command-line tool, or as a python module from your own applications.</p>
11 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p> 14 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
12 -<p>olevba is based on source code from <a href="https://github.com/unixfreak0037/officeparser">officeparser</a></p>  
13 -<p>by John William Davison, with significant modifications.</p> 15 +<p>olevba is based on source code from <a href="https://github.com/unixfreak0037/officeparser">officeparser</a> by John William Davison, with significant modifications.</p>
14 <h2 id="supported-formats">Supported formats</h2> 16 <h2 id="supported-formats">Supported formats</h2>
15 <ul> 17 <ul>
16 -<li><p>Word 97-2003 (.doc, .dot)</p></li>  
17 -<li><p>Word 2007+ (.docm, .dotm)</p></li>  
18 -<li><p>Word 2003 XML (.xml)</p></li>  
19 -<li><p>Word/Excel MHTML, aka Single File Web Page (.mht)</p></li>  
20 -<li><p>Excel 97-2003 (.xls)</p></li>  
21 -<li><p>Excel 2007+ (.xlsm, .xlsb)</p></li>  
22 -<li><p>PowerPoint 2007+ (.pptm, .ppsm)</p></li>  
23 -<li><p>Text file containing VBA or VBScript source code</p></li>  
24 -<li><p>Password-protected Zip archive containing any of the above</p></li> 18 +<li>Word 97-2003 (.doc, .dot)</li>
  19 +<li>Word 2007+ (.docm, .dotm)</li>
  20 +<li>Word 2003 XML (.xml)</li>
  21 +<li>Word/Excel MHTML, aka Single File Web Page (.mht)</li>
  22 +<li>Excel 97-2003 (.xls)</li>
  23 +<li>Excel 2007+ (.xlsm, .xlsb)</li>
  24 +<li>PowerPoint 2007+ (.pptm, .ppsm)</li>
  25 +<li>Text file containing VBA or VBScript source code</li>
  26 +<li>Password-protected Zip archive containing any of the above</li>
25 </ul> 27 </ul>
26 <h2 id="main-features">Main Features</h2> 28 <h2 id="main-features">Main Features</h2>
27 <ul> 29 <ul>
28 -<li><p>Detect VBA macros in MS Office 97-2003 and 2007+ files, XML, MHT</p></li>  
29 -<li><p>Extract VBA macro source code</p></li>  
30 -<li><p>Detect auto-executable macros</p></li>  
31 -<li><p>Detect suspicious VBA keywords often used by malware</p></li>  
32 -<li><p>Detect anti-sandboxing and anti-virtualization techniques</p></li>  
33 -<li><p>Detect and decodes strings obfuscated with Hex/Base64/StrReverse/Dridex</p></li>  
34 -<li><p>Deobfuscates VBA expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &amp;, using a VBA parser built with</p></li> 30 +<li>Detect VBA macros in MS Office 97-2003 and 2007+ files, XML, MHT</li>
  31 +<li>Extract VBA macro source code</li>
  32 +<li>Detect auto-executable macros</li>
  33 +<li>Detect suspicious VBA keywords often used by malware</li>
  34 +<li>Detect anti-sandboxing and anti-virtualization techniques</li>
  35 +<li>Detect and decodes strings obfuscated with Hex/Base64/StrReverse/Dridex</li>
  36 +<li>Deobfuscates VBA expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &amp;, using a VBA parser built with <a href="http://pyparsing.wikispaces.com">pyparsing</a>, including custom Hex and Base64 encodings</li>
  37 +<li>Extract IOCs/patterns of interest such as IP addresses, URLs, e-mail addresses and executable file names</li>
  38 +<li>Scan multiple files and sample collections (wildcards, recursive)</li>
  39 +<li>Triage mode for a summary view of multiple files</li>
  40 +<li>Scan malware samples in password-protected Zip archives</li>
  41 +<li>Python API to use olevba from your applications</li>
35 </ul> 42 </ul>
36 -<p><a href="http://pyparsing.wikispaces.com">pyparsing</a>, including custom Hex and Base64 encodings</p>  
37 -<ul>  
38 -<li><p>Extract IOCs/patterns of interest such as IP addresses, URLs, e-mail addresses and executable file names</p></li>  
39 -<li><p>Scan multiple files and sample collections (wildcards, recursive)</p></li>  
40 -<li><p>Triage mode for a summary view of multiple files</p></li>  
41 -<li><p>Scan malware samples in password-protected Zip archives</p></li>  
42 -<li><p>Python API to use olevba from your applications</p></li>  
43 -</ul>  
44 -<p>MS Office files encrypted with a password are also supported, because VBA macro code is never</p>  
45 -<p>encrypted, only the content of the document.</p> 43 +<p>MS Office files encrypted with a password are also supported, because VBA macro code is never encrypted, only the content of the document.</p>
46 <h2 id="about-vba-macros">About VBA Macros</h2> 44 <h2 id="about-vba-macros">About VBA Macros</h2>
47 -<p>See <a href="http://www.decalage.info/en/vba_tools">this article</a> for more information and technical details about VBA Macros</p>  
48 -<p>and how they are stored in MS Office documents.</p> 45 +<p>See <a href="http://www.decalage.info/en/vba_tools">this article</a> for more information and technical details about VBA Macros and how they are stored in MS Office documents.</p>
49 <h2 id="how-it-works">How it works</h2> 46 <h2 id="how-it-works">How it works</h2>
50 <ol style="list-style-type: decimal"> 47 <ol style="list-style-type: decimal">
51 -<li><p>olevba checks the file type: If it is an OLE file (i.e MS Office 97-2003), it is parsed right away.</p></li>  
52 -<li><p>If it is a zip file (i.e. MS Office 2007+), XML or MHTML, olevba looks for all OLE files stored in it (e.g. vbaProject.bin, editdata.mso), and opens them.</p></li>  
53 -<li><p>olevba identifies all the VBA projects stored in the OLE structure.</p></li>  
54 -<li><p>Each VBA project is parsed to find the corresponding OLE streams containing macro code.</p></li>  
55 -<li><p>In each of these OLE streams, the VBA macro source code is extracted and decompressed (RLE compression).</p></li>  
56 -<li><p>olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex, VBA expressions).</p></li>  
57 -<li><p>olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros</p></li> 48 +<li>olevba checks the file type: If it is an OLE file (i.e MS Office 97-2003), it is parsed right away.</li>
  49 +<li>If it is a zip file (i.e. MS Office 2007+), XML or MHTML, olevba looks for all OLE files stored in it (e.g. vbaProject.bin, editdata.mso), and opens them.</li>
  50 +<li>olevba identifies all the VBA projects stored in the OLE structure.</li>
  51 +<li>Each VBA project is parsed to find the corresponding OLE streams containing macro code.</li>
  52 +<li>In each of these OLE streams, the VBA macro source code is extracted and decompressed (RLE compression).</li>
  53 +<li>olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex, VBA expressions).</li>
  54 +<li>olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc).</li>
58 </ol> 55 </ol>
59 -<p>and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc).</p>  
60 <h2 id="usage">Usage</h2> 56 <h2 id="usage">Usage</h2>
61 <pre><code>Usage: olevba.py [options] &lt;filename&gt; [filename2 ...] 57 <pre><code>Usage: olevba.py [options] &lt;filename&gt; [filename2 ...]
62 58
63 -  
64 -  
65 Options: 59 Options:
66 -  
67 -h, --help show this help message and exit 60 -h, --help show this help message and exit
68 -  
69 -r find files recursively in subdirectories. 61 -r find files recursively in subdirectories.
70 -  
71 -z ZIP_PASSWORD, --zip=ZIP_PASSWORD 62 -z ZIP_PASSWORD, --zip=ZIP_PASSWORD
72 -  
73 if the file is a zip archive, open all files from it, 63 if the file is a zip archive, open all files from it,
74 -  
75 using the provided password (requires Python 2.6+) 64 using the provided password (requires Python 2.6+)
76 -  
77 -f ZIP_FNAME, --zipfname=ZIP_FNAME 65 -f ZIP_FNAME, --zipfname=ZIP_FNAME
78 -  
79 if the file is a zip archive, file(s) to be opened 66 if the file is a zip archive, file(s) to be opened
80 -  
81 within the zip. Wildcards * and ? are supported. 67 within the zip. Wildcards * and ? are supported.
82 -  
83 (default:*) 68 (default:*)
84 -  
85 -t, --triage triage mode, display results as a summary table 69 -t, --triage triage mode, display results as a summary table
86 -  
87 (default for multiple files) 70 (default for multiple files)
88 -  
89 -d, --detailed detailed mode, display full results (default for 71 -d, --detailed detailed mode, display full results (default for
90 -  
91 single file) 72 single file)
92 -  
93 -a, --analysis display only analysis results, not the macro source 73 -a, --analysis display only analysis results, not the macro source
94 -  
95 code 74 code
96 -  
97 -c, --code display only VBA source code, do not analyze it 75 -c, --code display only VBA source code, do not analyze it
98 -  
99 -i INPUT, --input=INPUT 76 -i INPUT, --input=INPUT
100 -  
101 input file containing VBA source code to be analyzed 77 input file containing VBA source code to be analyzed
102 -  
103 (no parsing) 78 (no parsing)
104 -  
105 --decode display all the obfuscated strings with their decoded 79 --decode display all the obfuscated strings with their decoded
106 -  
107 content (Hex, Base64, StrReverse, Dridex, VBA). 80 content (Hex, Base64, StrReverse, Dridex, VBA).
108 -  
109 --attr display the attribute lines at the beginning of VBA 81 --attr display the attribute lines at the beginning of VBA
110 -  
111 source code 82 source code
112 -  
113 --reveal display the macro source code after replacing all the 83 --reveal display the macro source code after replacing all the
114 -  
115 obfuscated strings by their decoded content.</code></pre> 84 obfuscated strings by their decoded content.</code></pre>
116 <h3 id="examples">Examples</h3> 85 <h3 id="examples">Examples</h3>
117 <p>Scan a single file:</p> 86 <p>Scan a single file:</p>
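Review bot: the sentence "MS Office files encrypted with a password are also supported, because VBA macro code is never encrypted, only the content of the document" is stated for all formats but only holds for the legacy binary formats (Office 97-2003), where password protection encrypts the document content streams and leaves the VBA project storage readable. For Office 2007+ files, password encryption wraps the entire OOXML package (vbaProject.bin included) in an EncryptedPackage stream inside an OLE container, so the parsing steps listed under "How it works" cannot reach the macros without first decrypting the file; scope the claim to OLE files or state the 2007+ limitation explicitly. Also, the new pandoc header emits an empty `<title></title>`; pass a title through pandoc metadata so the page is not untitled in browsers and search results.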
@@ -134,399 +103,251 @@ Options: @@ -134,399 +103,251 @@ Options:
134 <p>When a single file is scanned, or when using the option -d, all details of the analysis are displayed.</p> 103 <p>When a single file is scanned, or when using the option -d, all details of the analysis are displayed.</p>
135 <p>For example, checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p> 104 <p>For example, checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
136 <pre><code>&gt;olevba.py c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip -z infected 105 <pre><code>&gt;olevba.py c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip -z infected
137 -  
138 =============================================================================== 106 ===============================================================================
139 -  
140 FILE: DIAN_caso-5415.doc.malware in c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip 107 FILE: DIAN_caso-5415.doc.malware in c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip
141 -  
142 Type: OLE 108 Type: OLE
143 -  
144 ------------------------------------------------------------------------------- 109 -------------------------------------------------------------------------------
145 -  
146 VBA MACRO ThisDocument.cls 110 VBA MACRO ThisDocument.cls
147 -  
148 in file: DIAN_caso-5415.doc.malware - OLE stream: Macros/VBA/ThisDocument 111 in file: DIAN_caso-5415.doc.malware - OLE stream: Macros/VBA/ThisDocument
149 -  
150 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 112 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
151 -  
152 Option Explicit 113 Option Explicit
153 -  
154 Private Declare Function URLDownloadToFileA Lib &quot;urlmon&quot; (ByVal FVQGKS As Long,_ 114 Private Declare Function URLDownloadToFileA Lib &quot;urlmon&quot; (ByVal FVQGKS As Long,_
155 -  
156 ByVal WSGSGY As String, ByVal IFRRFV As String, ByVal NCVOLV As Long, _ 115 ByVal WSGSGY As String, ByVal IFRRFV As String, ByVal NCVOLV As Long, _
157 -  
158 ByVal HQTLDG As Long) As Long 116 ByVal HQTLDG As Long) As Long
159 -  
160 Sub AutoOpen() 117 Sub AutoOpen()
161 -  
162 Auto_Open 118 Auto_Open
163 -  
164 End Sub 119 End Sub
165 -  
166 Sub Auto_Open() 120 Sub Auto_Open()
167 -  
168 SNVJYQ 121 SNVJYQ
169 -  
170 End Sub 122 End Sub
171 -  
172 Public Sub SNVJYQ() 123 Public Sub SNVJYQ()
173 -  
174 [Malicious Code...] 124 [Malicious Code...]
175 -  
176 End Sub 125 End Sub
177 -  
178 Function OGEXYR(XSTAHU As String, PHHWIV As String) As Boolean 126 Function OGEXYR(XSTAHU As String, PHHWIV As String) As Boolean
179 -  
180 [Malicious Code...] 127 [Malicious Code...]
181 -  
182 Application.DisplayAlerts = False 128 Application.DisplayAlerts = False
183 -  
184 Application.Quit 129 Application.Quit
185 -  
186 End Function 130 End Function
187 -  
188 Sub Workbook_Open() 131 Sub Workbook_Open()
189 -  
190 Auto_Open 132 Auto_Open
191 -  
192 End Sub 133 End Sub
193 134
194 -  
195 -  
196 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 135 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
197 -  
198 ANALYSIS: 136 ANALYSIS:
199 -  
200 +------------+----------------------+-----------------------------------------+ 137 +------------+----------------------+-----------------------------------------+
201 -  
202 | Type | Keyword | Description | 138 | Type | Keyword | Description |
203 -  
204 +------------+----------------------+-----------------------------------------+ 139 +------------+----------------------+-----------------------------------------+
205 -  
206 | AutoExec | AutoOpen | Runs when the Word document is opened | 140 | AutoExec | AutoOpen | Runs when the Word document is opened |
207 -  
208 | AutoExec | Auto_Open | Runs when the Excel Workbook is opened | 141 | AutoExec | Auto_Open | Runs when the Excel Workbook is opened |
209 -  
210 | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened | 142 | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
211 -  
212 | Suspicious | Lib | May run code from a DLL | 143 | Suspicious | Lib | May run code from a DLL |
213 -  
214 | Suspicious | Shell | May run an executable file or a system | 144 | Suspicious | Shell | May run an executable file or a system |
215 -  
216 | | | command | 145 | | | command |
217 -  
218 | Suspicious | Environ | May read system environment variables | 146 | Suspicious | Environ | May read system environment variables |
219 -  
220 | Suspicious | URLDownloadToFileA | May download files from the Internet | 147 | Suspicious | URLDownloadToFileA | May download files from the Internet |
221 -  
222 | IOC | http://germanya.com. | URL | 148 | IOC | http://germanya.com. | URL |
223 -  
224 | | ec/logs/test.exe&quot; | | 149 | | ec/logs/test.exe&quot; | |
225 -  
226 | IOC | http://germanya.com. | URL | 150 | IOC | http://germanya.com. | URL |
227 -  
228 | | ec/logs/counter.php&quot; | | 151 | | ec/logs/counter.php&quot; | |
229 -  
230 | IOC | germanya.com | Executable file name | 152 | IOC | germanya.com | Executable file name |
231 -  
232 | IOC | test.exe | Executable file name | 153 | IOC | test.exe | Executable file name |
233 -  
234 | IOC | sfjozjero.exe | Executable file name | 154 | IOC | sfjozjero.exe | Executable file name |
235 -  
236 +------------+----------------------+-----------------------------------------+</code></pre> 155 +------------+----------------------+-----------------------------------------+</code></pre>
237 <h3 id="triage-mode-default-for-multiple-files">Triage mode (default for multiple files)</h3> 156 <h3 id="triage-mode-default-for-multiple-files">Triage mode (default for multiple files)</h3>
238 -<p>When several files are scanned, or when using the option -t, a summary of the analysis for each file is displayed.</p>  
239 -<p>This is more convenient for quick triage of a collection of suspicious files.</p> 157 +<p>When several files are scanned, or when using the option -t, a summary of the analysis for each file is displayed. This is more convenient for quick triage of a collection of suspicious files.</p>
240 <p>The following flags show the results of the analysis:</p> 158 <p>The following flags show the results of the analysis:</p>
241 <ul> 159 <ul>
242 -<li><p><strong>OLE</strong>: the file type is OLE, for example MS Office 97-2003</p></li>  
243 -<li><p><strong>OpX</strong>: the file type is OpenXML, for example MS Office 2007+</p></li>  
244 -<li><p><strong>XML</strong>: the file type is Word 2003 XML</p></li>  
245 -<li><p><strong>MHT</strong>: the file type is Word MHTML, aka Single File Web Page (.mht)</p></li>  
246 -<li><p><strong>?</strong>: the file type is not supported</p></li>  
247 -<li><p><strong>M</strong>: contains VBA Macros</p></li>  
248 -<li><p><strong>A</strong>: auto-executable macros</p></li>  
249 -<li><p><strong>S</strong>: suspicious VBA keywords</p></li>  
250 -<li><p><strong>I</strong>: potential IOCs</p></li>  
251 -<li><p><strong>H</strong>: hex-encoded strings (potential obfuscation)</p></li>  
252 -<li><p><strong>B</strong>: Base64-encoded strings (potential obfuscation)</p></li>  
253 -<li><p><strong>D</strong>: Dridex-encoded strings (potential obfuscation)</p></li>  
254 -<li><p><strong>V</strong>: VBA string expressions (potential obfuscation)</p></li> 160 +<li><strong>OLE</strong>: the file type is OLE, for example MS Office 97-2003</li>
  161 +<li><strong>OpX</strong>: the file type is OpenXML, for example MS Office 2007+</li>
  162 +<li><strong>XML</strong>: the file type is Word 2003 XML</li>
  163 +<li><strong>MHT</strong>: the file type is Word MHTML, aka Single File Web Page (.mht)</li>
  164 +<li><strong>?</strong>: the file type is not supported</li>
  165 +<li><strong>M</strong>: contains VBA Macros</li>
  166 +<li><strong>A</strong>: auto-executable macros</li>
  167 +<li><strong>S</strong>: suspicious VBA keywords</li>
  168 +<li><strong>I</strong>: potential IOCs</li>
  169 +<li><strong>H</strong>: hex-encoded strings (potential obfuscation)</li>
  170 +<li><strong>B</strong>: Base64-encoded strings (potential obfuscation)</li>
  171 +<li><strong>D</strong>: Dridex-encoded strings (potential obfuscation)</li>
  172 +<li><strong>V</strong>: VBA string expressions (potential obfuscation)</li>
255 </ul> 173 </ul>
256 <p>Here is an example:</p> 174 <p>Here is an example:</p>
257 <pre><code>c:\&gt;olevba.py \MalwareZoo\VBA\samples\* 175 <pre><code>c:\&gt;olevba.py \MalwareZoo\VBA\samples\*
258 -  
259 Flags Filename 176 Flags Filename
260 -  
261 ----------- ----------------------------------------------------------------- 177 ----------- -----------------------------------------------------------------
262 -  
263 OLE:MASI--- \MalwareZoo\VBA\samples\DIAN_caso-5415.doc.malware 178 OLE:MASI--- \MalwareZoo\VBA\samples\DIAN_caso-5415.doc.malware
264 -  
265 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_1.doc.malware 179 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_1.doc.malware
266 -  
267 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_2.doc.malware 180 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_2.doc.malware
268 -  
269 OLE:MASI--- \MalwareZoo\VBA\samples\DRIDEX_3.doc.malware 181 OLE:MASI--- \MalwareZoo\VBA\samples\DRIDEX_3.doc.malware
270 -  
271 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_4.doc.malware 182 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_4.doc.malware
272 -  
273 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_5.doc.malware 183 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_5.doc.malware
274 -  
275 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_6.doc.malware 184 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_6.doc.malware
276 -  
277 OLE:MAS---- \MalwareZoo\VBA\samples\DRIDEX_7.doc.malware 185 OLE:MAS---- \MalwareZoo\VBA\samples\DRIDEX_7.doc.malware
278 -  
279 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_8.doc.malware 186 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_8.doc.malware
280 -  
281 OLE:MASIHBD \MalwareZoo\VBA\samples\DRIDEX_9.xls.malware 187 OLE:MASIHBD \MalwareZoo\VBA\samples\DRIDEX_9.xls.malware
282 -  
283 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_A.doc.malware 188 OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_A.doc.malware
284 -  
285 OLE:------- \MalwareZoo\VBA\samples\Normal_Document.doc 189 OLE:------- \MalwareZoo\VBA\samples\Normal_Document.doc
286 -  
287 OLE:M------ \MalwareZoo\VBA\samples\Normal_Document_Macro.doc 190 OLE:M------ \MalwareZoo\VBA\samples\Normal_Document_Macro.doc
288 -  
289 OpX:MASI--- \MalwareZoo\VBA\samples\RottenKitten.xlsb.malware 191 OpX:MASI--- \MalwareZoo\VBA\samples\RottenKitten.xlsb.malware
290 -  
291 OLE:MASI-B- \MalwareZoo\VBA\samples\ROVNIX.doc.malware 192 OLE:MASI-B- \MalwareZoo\VBA\samples\ROVNIX.doc.malware
292 -  
293 OLE:MA----- \MalwareZoo\VBA\samples\Word within Word macro auto.doc</code></pre> 193 OLE:MA----- \MalwareZoo\VBA\samples\Word within Word macro auto.doc</code></pre>
294 <hr /> 194 <hr />
295 <h2 id="how-to-use-olevba-in-python-applications">How to use olevba in Python applications</h2> 195 <h2 id="how-to-use-olevba-in-python-applications">How to use olevba in Python applications</h2>
296 -<p>olevba may be used to open a MS Office file, detect if it contains VBA macros, extract and analyze the VBA source code</p>  
297 -<p>from your own python applications.</p> 196 +<p>olevba may be used to open a MS Office file, detect if it contains VBA macros, extract and analyze the VBA source code from your own python applications.</p>
298 <p>IMPORTANT: olevba is currently under active development, therefore this API is likely to change.</p> 197 <p>IMPORTANT: olevba is currently under active development, therefore this API is likely to change.</p>
299 <h3 id="import-olevba">Import olevba</h3> 198 <h3 id="import-olevba">Import olevba</h3>
300 <p>First, import the <strong>oletools.olevba</strong> package, using at least the VBA_Parser and VBA_Scanner classes:</p> 199 <p>First, import the <strong>oletools.olevba</strong> package, using at least the VBA_Parser and VBA_Scanner classes:</p>
301 <pre><code>from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML </code></pre> 200 <pre><code>from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML </code></pre>
302 <h3 id="parse-a-ms-office-file---vba_parser">Parse a MS Office file - VBA_Parser</h3> 201 <h3 id="parse-a-ms-office-file---vba_parser">Parse a MS Office file - VBA_Parser</h3>
303 -<p>To parse a file on disk, create an instance of the <strong>VBA_Parser</strong> class, providing the name of the file to open as parameter.</p>  
304 -<p>For example:</p> 202 +<p>To parse a file on disk, create an instance of the <strong>VBA_Parser</strong> class, providing the name of the file to open as parameter. For example:</p>
305 <pre><code>vbaparser = VBA_Parser(&#39;my_file_with_macros.doc&#39;)</code></pre> 203 <pre><code>vbaparser = VBA_Parser(&#39;my_file_with_macros.doc&#39;)</code></pre>
306 -<p>The file may also be provided as a bytes string containing its data. In that case, the actual</p>  
307 -<p>filename must be provided for reference, and the file content with the data parameter. For example:</p> 204 +<p>The file may also be provided as a bytes string containing its data. In that case, the actual filename must be provided for reference, and the file content with the data parameter. For example:</p>
308 <pre><code>myfile = &#39;my_file_with_macros.doc&#39; 205 <pre><code>myfile = &#39;my_file_with_macros.doc&#39;
309 -  
310 filedata = open(myfile, &#39;rb&#39;).read() 206 filedata = open(myfile, &#39;rb&#39;).read()
311 -  
312 vbaparser = VBA_Parser(myfile, data=filedata)</code></pre> 207 vbaparser = VBA_Parser(myfile, data=filedata)</code></pre>
313 -<p>VBA_Parser will raise an exception if the file is not a supported format, such as OLE (MS Office 97-2003), OpenXML</p>  
314 -<p>(MS Office 2007+), MHTML or Word 2003 XML.</p>  
315 -<p>After parsing the file, the attribute <strong>VBA_Parser.type</strong> is a string indicating the file type.</p>  
316 -<p>It can be either TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML or TYPE_MHTML. (constants defined in the olevba module)</p> 208 +<p>VBA_Parser will raise an exception if the file is not a supported format, such as OLE (MS Office 97-2003), OpenXML (MS Office 2007+), MHTML or Word 2003 XML.</p>
  209 +<p>After parsing the file, the attribute <strong>VBA_Parser.type</strong> is a string indicating the file type. It can be either TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML or TYPE_MHTML. (constants defined in the olevba module)</p>
317 <h3 id="detect-vba-macros">Detect VBA macros</h3> 210 <h3 id="detect-vba-macros">Detect VBA macros</h3>
318 -<p>The method <strong>detect_vba_macros</strong> of a VBA_Parser object returns True if VBA macros have been found in the file,</p>  
319 -<p>False otherwise.</p> 211 +<p>The method <strong>detect_vba_macros</strong> of a VBA_Parser object returns True if VBA macros have been found in the file, False otherwise.</p>
320 <pre><code>if vbaparser.detect_vba_macros(): 212 <pre><code>if vbaparser.detect_vba_macros():
321 -  
322 print &#39;VBA Macros found&#39; 213 print &#39;VBA Macros found&#39;
323 -  
324 else: 214 else:
325 -  
326 - print &#39;No VBA Macros found&#39;</code></pre>  
327 -<p>Note: The detection algorithm looks for streams and storage with specific names in the OLE structure, which works fine</p>  
328 -<p>for all the supported formats listed above. However, for some formats such as PowerPoint 97-2003, this method will</p>  
329 -<p>always return False because VBA Macros are stored in a different way which is not yet supported by olevba.</p>  
330 -<p>Moreover, if the file contains an embedded document (e.g. an Excel workbook inserted into a Word document), this method</p>  
331 -<p>may return True if the embedded document contains VBA Macros, even if the main document does not.</p> 215 + print &#39;No VBA Macros found&#39;
  216 + </code></pre>
  217 +<p>Note: The detection algorithm looks for streams and storage with specific names in the OLE structure, which works fine for all the supported formats listed above. However, for some formats such as PowerPoint 97-2003, this method will always return False because VBA Macros are stored in a different way which is not yet supported by olevba.</p>
  218 +<p>Moreover, if the file contains an embedded document (e.g. an Excel workbook inserted into a Word document), this method may return True if the embedded document contains VBA Macros, even if the main document does not.</p>
332 <h3 id="extract-vba-macro-source-code">Extract VBA Macro Source Code</h3> 219 <h3 id="extract-vba-macro-source-code">Extract VBA Macro Source Code</h3>
333 -<p>The method <strong>extract_macros</strong> extracts and decompresses source code for each VBA macro found in the file (possibly</p>  
334 -<p>including embedded files). It is a generator yielding a tuple (filename, stream_path, vba_filename, vba_code)</p>  
335 -<p>for each VBA macro found.</p> 220 +<p>The method <strong>extract_macros</strong> extracts and decompresses source code for each VBA macro found in the file (possibly including embedded files). It is a generator yielding a tuple (filename, stream_path, vba_filename, vba_code) for each VBA macro found.</p>
336 <ul> 221 <ul>
337 -<li><p>filename: If the file is OLE (MS Office 97-2003), filename is the path of the file.</p>  
338 -<p>If the file is OpenXML (MS Office 2007+), filename is the path of the OLE subfile containing VBA macros within the zip archive,</p>  
339 -<p>e.g. word/vbaProject.bin.</p></li>  
340 -<li><p>stream_path: path of the OLE stream containing the VBA macro source code</p></li>  
341 -<li><p>vba_filename: corresponding VBA filename</p></li>  
342 -<li><p>vba_code: string containing the VBA source code in clear text</p></li> 222 +<li>filename: If the file is OLE (MS Office 97-2003), filename is the path of the file. If the file is OpenXML (MS Office 2007+), filename is the path of the OLE subfile containing VBA macros within the zip archive, e.g. word/vbaProject.bin.</li>
  223 +<li>stream_path: path of the OLE stream containing the VBA macro source code</li>
  224 +<li>vba_filename: corresponding VBA filename</li>
  225 +<li>vba_code: string containing the VBA source code in clear text</li>
343 </ul> 226 </ul>
344 <p>Example:</p> 227 <p>Example:</p>
345 <pre><code>for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros(): 228 <pre><code>for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
346 -  
347 print &#39;-&#39;*79 229 print &#39;-&#39;*79
348 -  
349 print &#39;Filename :&#39;, filename 230 print &#39;Filename :&#39;, filename
350 -  
351 print &#39;OLE stream :&#39;, stream_path 231 print &#39;OLE stream :&#39;, stream_path
352 -  
353 print &#39;VBA filename:&#39;, vba_filename 232 print &#39;VBA filename:&#39;, vba_filename
354 -  
355 print &#39;- &#39;*39 233 print &#39;- &#39;*39
356 -  
357 - print vba_code</code></pre> 234 + print vba_code
  235 + </code></pre>
358 <p>Alternatively, the VBA_Parser method <strong>extract_all_macros</strong> returns the same results as a list of tuples.</p> 236 <p>Alternatively, the VBA_Parser method <strong>extract_all_macros</strong> returns the same results as a list of tuples.</p>
359 <h3 id="analyze-vba-source-code">Analyze VBA Source Code</h3> 237 <h3 id="analyze-vba-source-code">Analyze VBA Source Code</h3>
360 -<p>Since version 0.40, the VBA_Parser class provides simpler methods than VBA_Scanner to analyze all macros contained</p>  
361 -<p>in a file:</p>  
362 -<p>The method <strong>analyze_macros</strong> from the class <strong>VBA_Parser</strong> can be used to scan the source code of all</p>  
363 -<p>VBA modules to find obfuscated strings, suspicious keywords, IOCs, auto-executable macros, etc.</p>  
364 -<p>analyze_macros() takes an optional argument show_decoded_strings: if set to True, the results will contain all the encoded</p>  
365 -<p>strings found in the code (Hex, Base64, Dridex) with their decoded value.</p>  
366 -<p>By default, it will only include the strings which contain printable characters.</p> 238 +<p>Since version 0.40, the VBA_Parser class provides simpler methods than VBA_Scanner to analyze all macros contained in a file:</p>
  239 +<p>The method <strong>analyze_macros</strong> from the class <strong>VBA_Parser</strong> can be used to scan the source code of all VBA modules to find obfuscated strings, suspicious keywords, IOCs, auto-executable macros, etc.</p>
  240 +<p>analyze_macros() takes an optional argument show_decoded_strings: if set to True, the results will contain all the encoded strings found in the code (Hex, Base64, Dridex) with their decoded value. By default, it will only include the strings which contain printable characters.</p>
367 <p><strong>VBA_Parser.analyze_macros()</strong> returns a list of tuples (type, keyword, description), one for each item in the results.</p> 241 <p><strong>VBA_Parser.analyze_macros()</strong> returns a list of tuples (type, keyword, description), one for each item in the results.</p>
368 <ul> 242 <ul>
369 -<li>type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String', 'Dridex String' or</li>  
370 -</ul>  
371 -<p>'VBA obfuscated Strings'.</p>  
372 -<ul>  
373 -<li>keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is</li>  
374 -</ul>  
375 -<p>the decoded value of the string.</p>  
376 -<ul> 243 +<li>type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String', 'Dridex String' or 'VBA obfuscated Strings'.</li>
  244 +<li>keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is the decoded value of the string.</li>
377 <li>description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.</li> 245 <li>description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.</li>
378 </ul> 246 </ul>
379 <p>Example:</p> 247 <p>Example:</p>
380 <pre><code>results = vbaparser.analyze_macros() 248 <pre><code>results = vbaparser.analyze_macros()
381 -  
382 for kw_type, keyword, description in results: 249 for kw_type, keyword, description in results:
383 -  
384 - print &#39;type=%s - keyword=%s - description=%s&#39; % (kw_type, keyword, description)</code></pre>  
385 -<p>After calling analyze_macros, the following VBA_Parser attributes also provide the number</p>  
386 -<p>of items found for each category:</p> 250 + print &#39;type=%s - keyword=%s - description=%s&#39; % (kw_type, keyword, description)
  251 + </code></pre>
  252 +<p>After calling analyze_macros, the following VBA_Parser attributes also provide the number of items found for each category:</p>
387 <pre><code>print &#39;AutoExec keywords: %d&#39; % vbaparser.nb_autoexec 253 <pre><code>print &#39;AutoExec keywords: %d&#39; % vbaparser.nb_autoexec
388 -  
389 print &#39;Suspicious keywords: %d&#39; % vbaparser.nb_suspicious 254 print &#39;Suspicious keywords: %d&#39; % vbaparser.nb_suspicious
390 -  
391 print &#39;IOCs: %d&#39; % vbaparser.nb_iocs 255 print &#39;IOCs: %d&#39; % vbaparser.nb_iocs
392 -  
393 print &#39;Hex obfuscated strings: %d&#39; % vbaparser.nb_hexstrings 256 print &#39;Hex obfuscated strings: %d&#39; % vbaparser.nb_hexstrings
394 -  
395 print &#39;Base64 obfuscated strings: %d&#39; % vbaparser.nb_base64strings 257 print &#39;Base64 obfuscated strings: %d&#39; % vbaparser.nb_base64strings
396 -  
397 print &#39;Dridex obfuscated strings: %d&#39; % vbaparser.nb_dridexstrings 258 print &#39;Dridex obfuscated strings: %d&#39; % vbaparser.nb_dridexstrings
398 -  
399 print &#39;VBA obfuscated strings: %d&#39; % vbaparser.nb_vbastrings</code></pre> 259 print &#39;VBA obfuscated strings: %d&#39; % vbaparser.nb_vbastrings</code></pre>
400 <h3 id="deobfuscate-vba-macro-source-code">Deobfuscate VBA Macro Source Code</h3> 260 <h3 id="deobfuscate-vba-macro-source-code">Deobfuscate VBA Macro Source Code</h3>
401 -<p>The method <strong>reveal</strong> attempts to deobfuscate the macro source code by replacing all</p>  
402 -<p>the obfuscated strings by their decoded content. Returns a single string.</p> 261 +<p>The method <strong>reveal</strong> attempts to deobfuscate the macro source code by replacing all the obfuscated strings by their decoded content. Returns a single string.</p>
403 <p>Example:</p> 262 <p>Example:</p>
404 <pre><code>print vbaparser.reveal()</code></pre> 263 <pre><code>print vbaparser.reveal()</code></pre>
405 <h3 id="close-the-vba_parser">Close the VBA_Parser</h3> 264 <h3 id="close-the-vba_parser">Close the VBA_Parser</h3>
406 -<p>After usage, it is better to call the <strong>close</strong> method of the VBA_Parser object, to make sure the file is closed,</p>  
407 -<p>especially if your application is parsing many files.</p> 265 +<p>After usage, it is better to call the <strong>close</strong> method of the VBA_Parser object, to make sure the file is closed, especially if your application is parsing many files.</p>
408 <pre><code>vbaparser.close()</code></pre> 266 <pre><code>vbaparser.close()</code></pre>
409 <hr /> 267 <hr />
410 <h2 id="deprecated-api">Deprecated API</h2> 268 <h2 id="deprecated-api">Deprecated API</h2>
411 -<p>The following methods and functions are still functional, but their usage is not recommended</p>  
412 -<p>since they have been replaced by better solutions.</p> 269 +<p>The following methods and functions are still functional, but their usage is not recommended since they have been replaced by better solutions.</p>
413 <h3 id="vba_scanner-deprecated">VBA_Scanner (deprecated)</h3> 270 <h3 id="vba_scanner-deprecated">VBA_Scanner (deprecated)</h3>
414 -<p>The class <strong>VBA_Scanner</strong> can be used to scan the source code of a VBA module to find obfuscated strings,</p>  
415 -<p>suspicious keywords, IOCs, auto-executable macros, etc.</p>  
416 -<p>First, create a VBA_Scanner object with a string containing the VBA source code (for example returned by the</p>  
417 -<p>extract_macros method). Then call the methods <strong>scan</strong> or <strong>scan_summary</strong> to get the results of the analysis.</p>  
418 -<p>scan() takes an optional argument include_decoded_strings: if set to True, the results will contain all the encoded</p>  
419 -<p>strings found in the code (Hex, Base64, Dridex) with their decoded value.</p> 271 +<p>The class <strong>VBA_Scanner</strong> can be used to scan the source code of a VBA module to find obfuscated strings, suspicious keywords, IOCs, auto-executable macros, etc.</p>
  272 +<p>First, create a VBA_Scanner object with a string containing the VBA source code (for example returned by the extract_macros method). Then call the methods <strong>scan</strong> or <strong>scan_summary</strong> to get the results of the analysis.</p>
  273 +<p>scan() takes an optional argument include_decoded_strings: if set to True, the results will contain all the encoded strings found in the code (Hex, Base64, Dridex) with their decoded value.</p>
420 <p><strong>scan</strong> returns a list of tuples (type, keyword, description), one for each item in the results.</p> 274 <p><strong>scan</strong> returns a list of tuples (type, keyword, description), one for each item in the results.</p>
421 <ul> 275 <ul>
422 -<li><p>type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String' or 'Dridex String'.</p></li>  
423 -<li><p>keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is</p></li>  
424 -</ul>  
425 -<p>the decoded value of the string.</p>  
426 -<ul> 276 +<li>type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String' or 'Dridex String'.</li>
  277 +<li>keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is the decoded value of the string.</li>
427 <li>description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.</li> 278 <li>description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.</li>
428 </ul> 279 </ul>
429 <p>Example:</p> 280 <p>Example:</p>
430 <pre><code>vba_scanner = VBA_Scanner(vba_code) 281 <pre><code>vba_scanner = VBA_Scanner(vba_code)
431 -  
432 results = vba_scanner.scan(include_decoded_strings=True) 282 results = vba_scanner.scan(include_decoded_strings=True)
433 -  
434 for kw_type, keyword, description in results: 283 for kw_type, keyword, description in results:
435 -  
436 print &#39;type=%s - keyword=%s - description=%s&#39; % (kw_type, keyword, description)</code></pre> 284 print &#39;type=%s - keyword=%s - description=%s&#39; % (kw_type, keyword, description)</code></pre>
437 <p>The function <strong>scan_vba</strong> is a shortcut for VBA_Scanner(vba_code).scan():</p> 285 <p>The function <strong>scan_vba</strong> is a shortcut for VBA_Scanner(vba_code).scan():</p>
438 <pre><code>results = scan_vba(vba_code, include_decoded_strings=True) 286 <pre><code>results = scan_vba(vba_code, include_decoded_strings=True)
439 -  
440 for kw_type, keyword, description in results: 287 for kw_type, keyword, description in results:
441 -  
442 - print &#39;type=%s - keyword=%s - description=%s&#39; % (kw_type, keyword, description)</code></pre>  
443 -<p><strong>scan_summary</strong> returns a tuple with the number of items found for each category:</p>  
444 -<p>(autoexec, suspicious, IOCs, hex, base64, dridex).</p> 288 + print &#39;type=%s - keyword=%s - description=%s&#39; % (kw_type, keyword, description)
  289 + </code></pre>
  290 +<p><strong>scan_summary</strong> returns a tuple with the number of items found for each category: (autoexec, suspicious, IOCs, hex, base64, dridex).</p>
445 <h3 id="detect-auto-executable-macros-deprecated">Detect auto-executable macros (deprecated)</h3> 291 <h3 id="detect-auto-executable-macros-deprecated">Detect auto-executable macros (deprecated)</h3>
446 <p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p> 292 <p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p>
447 -<p>The function <strong>detect_autoexec</strong> checks if VBA macro code contains specific macro names</p>  
448 -<p>that will be triggered when the document/workbook is opened, closed, changed, etc.</p>  
449 -<p>It returns a list of tuples containing two strings, the detected keyword, and the</p>  
450 -<p>description of the trigger. (See the malware example above)</p> 293 +<p>The function <strong>detect_autoexec</strong> checks if VBA macro code contains specific macro names that will be triggered when the document/workbook is opened, closed, changed, etc.</p>
  294 +<p>It returns a list of tuples containing two strings, the detected keyword, and the description of the trigger. (See the malware example above)</p>
451 <p>Sample usage:</p> 295 <p>Sample usage:</p>
452 <pre><code>from oletools.olevba import detect_autoexec 296 <pre><code>from oletools.olevba import detect_autoexec
453 -  
454 autoexec_keywords = detect_autoexec(vba_code) 297 autoexec_keywords = detect_autoexec(vba_code)
455 -  
456 if autoexec_keywords: 298 if autoexec_keywords:
457 -  
458 print &#39;Auto-executable macro keywords found:&#39; 299 print &#39;Auto-executable macro keywords found:&#39;
459 -  
460 for keyword, description in autoexec_keywords: 300 for keyword, description in autoexec_keywords:
461 -  
462 print &#39;%s: %s&#39; % (keyword, description) 301 print &#39;%s: %s&#39; % (keyword, description)
463 -  
464 else: 302 else:
465 -  
466 print &#39;Auto-executable macro keywords: None found&#39;</code></pre> 303 print &#39;Auto-executable macro keywords: None found&#39;</code></pre>
467 <h3 id="detect-suspicious-vba-keywords-deprecated">Detect suspicious VBA keywords (deprecated)</h3> 304 <h3 id="detect-suspicious-vba-keywords-deprecated">Detect suspicious VBA keywords (deprecated)</h3>
468 <p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p> 305 <p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p>
469 -<p>The function <strong>detect_suspicious</strong> checks if VBA macro code contains specific</p>  
470 -<p>keywords often used by malware to act on the system (create files, run</p>  
471 -<p>commands or applications, write to the registry, etc).</p>  
472 -<p>It returns a list of tuples containing two strings, the detected keyword, and the</p>  
473 -<p>description of the corresponding malicious behaviour. (See the malware example above)</p> 306 +<p>The function <strong>detect_suspicious</strong> checks if VBA macro code contains specific keywords often used by malware to act on the system (create files, run commands or applications, write to the registry, etc).</p>
  307 +<p>It returns a list of tuples containing two strings, the detected keyword, and the description of the corresponding malicious behaviour. (See the malware example above)</p>
474 <p>Sample usage:</p> 308 <p>Sample usage:</p>
475 <pre><code>from oletools.olevba import detect_suspicious 309 <pre><code>from oletools.olevba import detect_suspicious
476 -  
477 suspicious_keywords = detect_suspicious(vba_code) 310 suspicious_keywords = detect_suspicious(vba_code)
478 -  
479 if suspicious_keywords: 311 if suspicious_keywords:
480 -  
481 print &#39;Suspicious VBA keywords found:&#39; 312 print &#39;Suspicious VBA keywords found:&#39;
482 -  
483 for keyword, description in suspicious_keywords: 313 for keyword, description in suspicious_keywords:
484 -  
485 print &#39;%s: %s&#39; % (keyword, description) 314 print &#39;%s: %s&#39; % (keyword, description)
486 -  
487 else: 315 else:
488 -  
489 print &#39;Suspicious VBA keywords: None found&#39;</code></pre> 316 print &#39;Suspicious VBA keywords: None found&#39;</code></pre>
490 <h3 id="extract-potential-iocs-deprecated">Extract potential IOCs (deprecated)</h3> 317 <h3 id="extract-potential-iocs-deprecated">Extract potential IOCs (deprecated)</h3>
491 <p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p> 318 <p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p>
492 -<p>The function <strong>detect_patterns</strong> checks if VBA macro code contains specific</p>  
493 -<p>patterns of interest, that may be useful for malware analysis and detection</p>  
494 -<p>(potential Indicators of Compromise): IP addresses, e-mail addresses,</p>  
495 -<p>URLs, executable file names.</p>  
496 -<p>It returns a list of tuples containing two strings, the pattern type, and the</p>  
497 -<p>extracted value. (See the malware example above)</p> 319 +<p>The function <strong>detect_patterns</strong> checks if VBA macro code contains specific patterns of interest, that may be useful for malware analysis and detection (potential Indicators of Compromise): IP addresses, e-mail addresses, URLs, executable file names.</p>
  320 +<p>It returns a list of tuples containing two strings, the pattern type, and the extracted value. (See the malware example above)</p>
498 <p>Sample usage:</p> 321 <p>Sample usage:</p>
499 <pre><code>from oletools.olevba import detect_patterns 322 <pre><code>from oletools.olevba import detect_patterns
500 -  
501 patterns = detect_patterns(vba_code) 323 patterns = detect_patterns(vba_code)
502 -  
503 if patterns: 324 if patterns:
504 -  
505 print &#39;Patterns found:&#39; 325 print &#39;Patterns found:&#39;
506 -  
507 for pattern_type, value in patterns: 326 for pattern_type, value in patterns:
508 -  
509 print &#39;%s: %s&#39; % (pattern_type, value) 327 print &#39;%s: %s&#39; % (pattern_type, value)
510 -  
511 else: 328 else:
512 -  
513 print &#39;Patterns: None found&#39;</code></pre> 329 print &#39;Patterns: None found&#39;</code></pre>
514 <hr /> 330 <hr />
515 -<p>python-oletools documentation</p>  
516 -<hr /> 331 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
517 <ul> 332 <ul>
518 -<li><p><a href="Home.html">Home</a></p></li>  
519 -<li><p><a href="License.html">License</a></p></li>  
520 -<li><p><a href="Install.html">Install</a></p></li>  
521 -<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>  
522 -<li><p>Tools:</p> 333 +<li><a href="Home.html">Home</a></li>
  334 +<li><a href="License.html">License</a></li>
  335 +<li><a href="Install.html">Install</a></li>
  336 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  337 +<li>Tools:
523 <ul> 338 <ul>
524 -<li><p><a href="olebrowse.html">olebrowse</a></p></li>  
525 -<li><p><a href="oleid.html">oleid</a></p></li>  
526 -<li><p><a href="olemeta.html">olemeta</a></p></li>  
527 -<li><p><a href="oletimes.html">oletimes</a></p></li>  
528 -<li><p><a href="olevba.html">olevba</a></p></li>  
529 -<li><p><a href="pyxswf.html">pyxswf</a></p></li>  
530 -<li><p><a href="rtfobj.html">rtfobj</a></p></li> 339 +<li><a href="olebrowse.html">olebrowse</a></li>
  340 +<li><a href="oleid.html">oleid</a></li>
  341 +<li><a href="olemeta.html">olemeta</a></li>
  342 +<li><a href="oletimes.html">oletimes</a></li>
  343 +<li><a href="oledir.html">oledir</a></li>
  344 +<li><a href="olemap.html">olemap</a></li>
  345 +<li><a href="olevba.html">olevba</a></li>
  346 +<li><a href="mraptor.html">mraptor</a></li>
  347 +<li><a href="pyxswf.html">pyxswf</a></li>
  348 +<li><a href="oleobj.html">oleobj</a></li>
  349 +<li><a href="rtfobj.html">rtfobj</a></li>
531 </ul></li> 350 </ul></li>
532 </ul> 351 </ul>
  352 +</body>
  353 +</html>
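Review bot: the closing `</code></pre>` is moved onto its own line after `print vba_code`, after the `print 'type=%s - keyword=%s - description=%s' ...` line of the analyze_macros example and after the same line of the scan_vba example, which leaves a trailing blank line inside those three `<pre>` blocks, while every other sample in the same file (the nb_* counters, `print vbaparser.reveal()`, `vbaparser.close()`, the VBA_Scanner, detect_autoexec, detect_suspicious and detect_patterns examples) keeps `</code></pre>` on the last code line; either keep the closing tags on the code line as before or regenerate the whole file with one convention so the blocks render alike. The new `</body>` and `</html>` closing tags at the end of the file also need matching opening tags earlier in the file, which this hunk does not show, and the navigation list now links to oledir.html, olemap.html, mraptor.html and oleobj.html, so those pages must be part of the same commit or the links dangle.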
oletools/doc/olevba.md
1 -olevba  
2 -======  
3 -  
4 -olevba is a script to parse OLE and OpenXML files such as MS Office documents  
5 -(e.g. Word, Excel), to **detect VBA Macros**, extract their **source code** in clear text,  
6 -and detect security-related patterns such as **auto-executable macros**, **suspicious  
7 -VBA keywords** used by malware, anti-sandboxing and anti-virtualization techniques,  
8 -and potential **IOCs** (IP addresses, URLs, executable filenames, etc).  
9 -It also detects and decodes several common **obfuscation methods including Hex encoding,  
10 -StrReverse, Base64, Dridex, VBA expressions**, and extracts IOCs from decoded strings.  
11 -  
12 -It can be used either as a command-line tool, or as a python module from your own applications.  
13 -  
14 -It is part of the [python-oletools](http://www.decalage.info/python/oletools) package.  
15 -  
16 -olevba is based on source code from [officeparser](https://github.com/unixfreak0037/officeparser)  
17 -by John William Davison, with significant modifications.  
18 -  
19 -## Supported formats  
20 -  
21 -- Word 97-2003 (.doc, .dot)  
22 -- Word 2007+ (.docm, .dotm)  
23 -- Word 2003 XML (.xml)  
24 -- Word/Excel MHTML, aka Single File Web Page (.mht)  
25 -- Excel 97-2003 (.xls)  
26 -- Excel 2007+ (.xlsm, .xlsb)  
27 -- PowerPoint 2007+ (.pptm, .ppsm)  
28 -- Text file containing VBA or VBScript source code  
29 -- Password-protected Zip archive containing any of the above  
30 -  
31 -## Main Features  
32 -  
33 -- Detect VBA macros in MS Office 97-2003 and 2007+ files, XML, MHT  
34 -- Extract VBA macro source code  
35 -- Detect auto-executable macros  
36 -- Detect suspicious VBA keywords often used by malware  
37 -- Detect anti-sandboxing and anti-virtualization techniques  
38 -- Detect and decodes strings obfuscated with Hex/Base64/StrReverse/Dridex  
39 -- Deobfuscates VBA expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &, using a VBA parser built with  
40 -[pyparsing](http://pyparsing.wikispaces.com), including custom Hex and Base64 encodings  
41 -- Extract IOCs/patterns of interest such as IP addresses, URLs, e-mail addresses and executable file names  
42 -- Scan multiple files and sample collections (wildcards, recursive)  
43 -- Triage mode for a summary view of multiple files  
44 -- Scan malware samples in password-protected Zip archives  
45 -- Python API to use olevba from your applications  
46 -  
47 -MS Office files encrypted with a password are also supported, because VBA macro code is never  
48 -encrypted, only the content of the document.  
49 -  
50 -## About VBA Macros  
51 -  
52 -See [this article](http://www.decalage.info/en/vba_tools) for more information and technical details about VBA Macros  
53 -and how they are stored in MS Office documents.  
54 -  
55 -## How it works  
56 -  
57 -1. olevba checks the file type: If it is an OLE file (i.e MS Office 97-2003), it is parsed right away.  
58 -1. If it is a zip file (i.e. MS Office 2007+), XML or MHTML, olevba looks for all OLE files stored in it (e.g. vbaProject.bin, editdata.mso), and opens them.  
59 -1. olevba identifies all the VBA projects stored in the OLE structure.  
60 -1. Each VBA project is parsed to find the corresponding OLE streams containing macro code.  
61 -1. In each of these OLE streams, the VBA macro source code is extracted and decompressed (RLE compression).  
62 -1. olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex, VBA expressions).  
63 -1. olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros  
64 -and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc).  
65 -  
66 -  
67 -## Usage  
68 -  
69 - :::text  
70 - Usage: olevba.py [options] <filename> [filename2 ...]  
71 -  
72 - Options:  
73 - -h, --help show this help message and exit  
74 - -r find files recursively in subdirectories.  
75 - -z ZIP_PASSWORD, --zip=ZIP_PASSWORD  
76 - if the file is a zip archive, open all files from it,  
77 - using the provided password (requires Python 2.6+)  
78 - -f ZIP_FNAME, --zipfname=ZIP_FNAME  
79 - if the file is a zip archive, file(s) to be opened  
80 - within the zip. Wildcards * and ? are supported.  
81 - (default:*)  
82 - -t, --triage triage mode, display results as a summary table  
83 - (default for multiple files)  
84 - -d, --detailed detailed mode, display full results (default for  
85 - single file)  
86 - -a, --analysis display only analysis results, not the macro source  
87 - code  
88 - -c, --code display only VBA source code, do not analyze it  
89 - -i INPUT, --input=INPUT  
90 - input file containing VBA source code to be analyzed  
91 - (no parsing)  
92 - --decode display all the obfuscated strings with their decoded  
93 - content (Hex, Base64, StrReverse, Dridex, VBA).  
94 - --attr display the attribute lines at the beginning of VBA  
95 - source code  
96 - --reveal display the macro source code after replacing all the  
97 - obfuscated strings by their decoded content.  
98 -  
99 -### Examples  
100 -  
101 -Scan a single file:  
102 -  
103 - :::text  
104 - olevba.py file.doc  
105 -  
106 -Scan a single file, stored in a Zip archive with password "infected":  
107 -  
108 - :::text  
109 - olevba.py malicious_file.xls.zip -z infected  
110 -  
111 -Scan a single file, showing all obfuscated strings decoded:  
112 -  
113 - :::text  
114 - olevba.py file.doc --decode  
115 -  
116 -Scan a single file, showing the macro source code with VBA strings deobfuscated:  
117 -  
118 - :::text  
119 - olevba.py file.doc --reveal  
120 -  
121 -Scan VBA source code extracted into a text file:  
122 -  
123 - :::text  
124 - olevba.py -i source_code.vba  
125 -  
126 -Scan a collection of files stored in a folder:  
127 -  
128 - :::text  
129 - olevba.py MalwareZoo/VBA/*  
130 -  
131 -Scan all .doc and .xls files, recursively in all subfolders:  
132 -  
133 - :::text  
134 - olevba.py MalwareZoo/VBA/*.doc MalwareZoo/VBA/*.xls -r  
135 -  
136 -Scan all .doc files within all .zip files with password, recursively:  
137 -  
138 - :::text  
139 - olevba.py MalwareZoo/VBA/*.zip -r -z infected -f *.doc  
140 -  
141 -  
142 -### Detailed analysis mode (default for single file)  
143 -  
144 -When a single file is scanned, or when using the option -d, all details of the analysis are displayed.  
145 -  
146 -For example, checking the malware sample [DIAN_caso-5415.doc](https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/):  
147 -  
148 - :::text  
149 - >olevba.py c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip -z infected  
150 - ===============================================================================  
151 - FILE: DIAN_caso-5415.doc.malware in c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip  
152 - Type: OLE  
153 - -------------------------------------------------------------------------------  
154 - VBA MACRO ThisDocument.cls  
155 - in file: DIAN_caso-5415.doc.malware - OLE stream: Macros/VBA/ThisDocument  
156 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
157 - Option Explicit  
158 - Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal FVQGKS As Long,_  
159 - ByVal WSGSGY As String, ByVal IFRRFV As String, ByVal NCVOLV As Long, _  
160 - ByVal HQTLDG As Long) As Long  
161 - Sub AutoOpen()  
162 - Auto_Open  
163 - End Sub  
164 - Sub Auto_Open()  
165 - SNVJYQ  
166 - End Sub  
167 - Public Sub SNVJYQ()  
168 - [Malicious Code...]  
169 - End Sub  
170 - Function OGEXYR(XSTAHU As String, PHHWIV As String) As Boolean  
171 - [Malicious Code...]  
172 - Application.DisplayAlerts = False  
173 - Application.Quit  
174 - End Function  
175 - Sub Workbook_Open()  
176 - Auto_Open  
177 - End Sub  
178 -  
179 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
180 - ANALYSIS:  
181 - +------------+----------------------+-----------------------------------------+  
182 - | Type | Keyword | Description |  
183 - +------------+----------------------+-----------------------------------------+  
184 - | AutoExec | AutoOpen | Runs when the Word document is opened |  
185 - | AutoExec | Auto_Open | Runs when the Excel Workbook is opened |  
186 - | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |  
187 - | Suspicious | Lib | May run code from a DLL |  
188 - | Suspicious | Shell | May run an executable file or a system |  
189 - | | | command |  
190 - | Suspicious | Environ | May read system environment variables |  
191 - | Suspicious | URLDownloadToFileA | May download files from the Internet |  
192 - | IOC | http://germanya.com. | URL |  
193 - | | ec/logs/test.exe" | |  
194 - | IOC | http://germanya.com. | URL |  
195 - | | ec/logs/counter.php" | |  
196 - | IOC | germanya.com | Executable file name |  
197 - | IOC | test.exe | Executable file name |  
198 - | IOC | sfjozjero.exe | Executable file name |  
199 - +------------+----------------------+-----------------------------------------+  
200 -  
201 -### Triage mode (default for multiple files)  
202 -  
203 -When several files are scanned, or when using the option -t, a summary of the analysis for each file is displayed.  
204 -This is more convenient for quick triage of a collection of suspicious files.  
205 -  
206 -The following flags show the results of the analysis:  
207 -  
208 -- **OLE**: the file type is OLE, for example MS Office 97-2003  
209 -- **OpX**: the file type is OpenXML, for example MS Office 2007+  
210 -- **XML**: the file type is Word 2003 XML  
211 -- **MHT**: the file type is Word MHTML, aka Single File Web Page (.mht)  
212 -- **?**: the file type is not supported  
213 -- **M**: contains VBA Macros  
214 -- **A**: auto-executable macros  
215 -- **S**: suspicious VBA keywords  
216 -- **I**: potential IOCs  
217 -- **H**: hex-encoded strings (potential obfuscation)  
218 -- **B**: Base64-encoded strings (potential obfuscation)  
219 -- **D**: Dridex-encoded strings (potential obfuscation)  
220 -- **V**: VBA string expressions (potential obfuscation)  
221 -  
222 -Here is an example:  
223 -  
224 - :::text  
225 - c:\>olevba.py \MalwareZoo\VBA\samples\*  
226 - Flags Filename  
227 - ----------- -----------------------------------------------------------------  
228 - OLE:MASI--- \MalwareZoo\VBA\samples\DIAN_caso-5415.doc.malware  
229 - OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_1.doc.malware  
230 - OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_2.doc.malware  
231 - OLE:MASI--- \MalwareZoo\VBA\samples\DRIDEX_3.doc.malware  
232 - OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_4.doc.malware  
233 - OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_5.doc.malware  
234 - OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_6.doc.malware  
235 - OLE:MAS---- \MalwareZoo\VBA\samples\DRIDEX_7.doc.malware  
236 - OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_8.doc.malware  
237 - OLE:MASIHBD \MalwareZoo\VBA\samples\DRIDEX_9.xls.malware  
238 - OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_A.doc.malware  
239 - OLE:------- \MalwareZoo\VBA\samples\Normal_Document.doc  
240 - OLE:M------ \MalwareZoo\VBA\samples\Normal_Document_Macro.doc  
241 - OpX:MASI--- \MalwareZoo\VBA\samples\RottenKitten.xlsb.malware  
242 - OLE:MASI-B- \MalwareZoo\VBA\samples\ROVNIX.doc.malware  
243 - OLE:MA----- \MalwareZoo\VBA\samples\Word within Word macro auto.doc  
244 -  
245 -  
246 ---------------------------------------------------------------------------  
247 -  
248 -## How to use olevba in Python applications  
249 -  
250 -olevba may be used to open a MS Office file, detect if it contains VBA macros, extract and analyze the VBA source code  
251 -from your own python applications.  
252 -  
253 -IMPORTANT: olevba is currently under active development, therefore this API is likely to change.  
254 -  
255 -### Import olevba  
256 -  
257 -First, import the **oletools.olevba** package, using at least the VBA_Parser and VBA_Scanner classes:  
258 -  
259 - :::python  
260 - from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML  
261 -  
262 -### Parse a MS Office file - VBA_Parser  
263 -  
264 -To parse a file on disk, create an instance of the **VBA_Parser** class, providing the name of the file to open as parameter.  
265 -For example:  
266 -  
267 - :::python  
268 - vbaparser = VBA_Parser('my_file_with_macros.doc')  
269 -  
270 -The file may also be provided as a bytes string containing its data. In that case, the actual  
271 -filename must be provided for reference, and the file content with the data parameter. For example:  
272 -  
273 - :::python  
274 - myfile = 'my_file_with_macros.doc'  
275 - filedata = open(myfile, 'rb').read()  
276 - vbaparser = VBA_Parser(myfile, data=filedata)  
277 -  
278 -VBA_Parser will raise an exception if the file is not a supported format, such as OLE (MS Office 97-2003), OpenXML  
279 -(MS Office 2007+), MHTML or Word 2003 XML.  
280 -  
281 -After parsing the file, the attribute **VBA_Parser.type** is a string indicating the file type.  
282 -It can be either TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML or TYPE_MHTML. (constants defined in the olevba module)  
283 -  
284 -### Detect VBA macros  
285 -  
286 -The method **detect_vba_macros** of a VBA_Parser object returns True if VBA macros have been found in the file,  
287 -False otherwise.  
288 -  
289 - :::python  
290 - if vbaparser.detect_vba_macros():  
291 - print 'VBA Macros found'  
292 - else:  
293 - print 'No VBA Macros found'  
294 -  
295 -Note: The detection algorithm looks for streams and storage with specific names in the OLE structure, which works fine  
296 -for all the supported formats listed above. However, for some formats such as PowerPoint 97-2003, this method will  
297 -always return False because VBA Macros are stored in a different way which is not yet supported by olevba.  
298 -  
299 -Moreover, if the file contains an embedded document (e.g. an Excel workbook inserted into a Word document), this method  
300 -may return True if the embedded document contains VBA Macros, even if the main document does not.  
301 -  
302 -### Extract VBA Macro Source Code  
303 -  
304 -The method **extract_macros** extracts and decompresses source code for each VBA macro found in the file (possibly  
305 -including embedded files). It is a generator yielding a tuple (filename, stream_path, vba_filename, vba_code)  
306 -for each VBA macro found.  
307 -  
308 -- filename: If the file is OLE (MS Office 97-2003), filename is the path of the file.  
309 - If the file is OpenXML (MS Office 2007+), filename is the path of the OLE subfile containing VBA macros within the zip archive,  
310 - e.g. word/vbaProject.bin.  
311 -- stream_path: path of the OLE stream containing the VBA macro source code  
312 -- vba_filename: corresponding VBA filename  
313 -- vba_code: string containing the VBA source code in clear text  
314 -  
315 -Example:  
316 -  
317 - :::python  
318 - for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():  
319 - print '-'*79  
320 - print 'Filename :', filename  
321 - print 'OLE stream :', stream_path  
322 - print 'VBA filename:', vba_filename  
323 - print '- '*39  
324 - print vba_code  
325 -  
326 -Alternatively, the VBA_Parser method **extract_all_macros** returns the same results as a list of tuples.  
327 -  
328 -### Analyze VBA Source Code  
329 -  
330 -Since version 0.40, the VBA_Parser class provides simpler methods than VBA_Scanner to analyze all macros contained  
331 -in a file:  
332 -  
333 -The method **analyze_macros** from the class **VBA_Parser** can be used to scan the source code of all  
334 -VBA modules to find obfuscated strings, suspicious keywords, IOCs, auto-executable macros, etc.  
335 -  
336 -analyze_macros() takes an optional argument show_decoded_strings: if set to True, the results will contain all the encoded  
337 -strings found in the code (Hex, Base64, Dridex) with their decoded value.  
338 -By default, it will only include the strings which contain printable characters.  
339 -  
340 -**VBA_Parser.analyze_macros()** returns a list of tuples (type, keyword, description), one for each item in the results.  
341 -  
342 -- type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String', 'Dridex String' or  
343 - 'VBA obfuscated Strings'.  
344 -- keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is  
345 - the decoded value of the string.  
346 -- description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.  
347 -  
348 -Example:  
349 -  
350 - :::python  
351 - results = vbaparser.analyze_macros()  
352 - for kw_type, keyword, description in results:  
353 - print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)  
354 -  
355 -After calling analyze_macros, the following VBA_Parser attributes also provide the number  
356 -of items found for each category:  
357 -  
358 - :::python  
359 - print 'AutoExec keywords: %d' % vbaparser.nb_autoexec  
360 - print 'Suspicious keywords: %d' % vbaparser.nb_suspicious  
361 - print 'IOCs: %d' % vbaparser.nb_iocs  
362 - print 'Hex obfuscated strings: %d' % vbaparser.nb_hexstrings  
363 - print 'Base64 obfuscated strings: %d' % vbaparser.nb_base64strings  
364 - print 'Dridex obfuscated strings: %d' % vbaparser.nb_dridexstrings  
365 - print 'VBA obfuscated strings: %d' % vbaparser.nb_vbastrings  
366 -  
367 -  
368 -### Deobfuscate VBA Macro Source Code  
369 -  
370 -The method **reveal** attempts to deobfuscate the macro source code by replacing all  
371 -the obfuscated strings by their decoded content. Returns a single string.  
372 -  
373 -Example:  
374 -  
375 - :::python  
376 - print vbaparser.reveal()  
377 -  
378 -  
379 -### Close the VBA_Parser  
380 -  
381 -After usage, it is better to call the **close** method of the VBA_Parser object, to make sure the file is closed,  
382 -especially if your application is parsing many files.  
383 -  
384 - :::python  
385 - vbaparser.close()  
386 -  
387 -  
388 ---------------------------------------------------------------------------  
389 -  
390 -## Deprecated API  
391 -  
392 -The following methods and functions are still functional, but their usage is not recommended  
393 -since they have been replaced by better solutions.  
394 -  
395 -### VBA_Scanner (deprecated)  
396 -  
397 -The class **VBA_Scanner** can be used to scan the source code of a VBA module to find obfuscated strings,  
398 -suspicious keywords, IOCs, auto-executable macros, etc.  
399 -  
400 -First, create a VBA_Scanner object with a string containing the VBA source code (for example returned by the  
401 -extract_macros method). Then call the methods **scan** or **scan_summary** to get the results of the analysis.  
402 -  
403 -scan() takes an optional argument include_decoded_strings: if set to True, the results will contain all the encoded  
404 -strings found in the code (Hex, Base64, Dridex) with their decoded value.  
405 -  
406 -**scan** returns a list of tuples (type, keyword, description), one for each item in the results.  
407 -  
408 -- type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String' or 'Dridex String'.  
409 -- keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is  
410 - the decoded value of the string.  
411 -- description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.  
412 -  
413 -Example:  
414 -  
415 - :::python  
416 - vba_scanner = VBA_Scanner(vba_code)  
417 - results = vba_scanner.scan(include_decoded_strings=True)  
418 - for kw_type, keyword, description in results:  
419 - print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)  
420 -  
421 -The function **scan_vba** is a shortcut for VBA_Scanner(vba_code).scan():  
422 -  
423 - :::python  
424 - results = scan_vba(vba_code, include_decoded_strings=True)  
425 - for kw_type, keyword, description in results:  
426 - print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)  
427 -  
428 -**scan_summary** returns a tuple with the number of items found for each category:  
429 -(autoexec, suspicious, IOCs, hex, base64, dridex).  
430 -  
431 -  
432 -### Detect auto-executable macros (deprecated)  
433 -  
434 -**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.  
435 -  
436 -The function **detect_autoexec** checks if VBA macro code contains specific macro names  
437 -that will be triggered when the document/workbook is opened, closed, changed, etc.  
438 -  
439 -It returns a list of tuples containing two strings, the detected keyword, and the  
440 -description of the trigger. (See the malware example above)  
441 -  
442 -Sample usage:  
443 -  
444 - :::python  
445 - from oletools.olevba import detect_autoexec  
446 - autoexec_keywords = detect_autoexec(vba_code)  
447 - if autoexec_keywords:  
448 - print 'Auto-executable macro keywords found:'  
449 - for keyword, description in autoexec_keywords:  
450 - print '%s: %s' % (keyword, description)  
451 - else:  
452 - print 'Auto-executable macro keywords: None found'  
453 -  
454 -  
455 -### Detect suspicious VBA keywords (deprecated)  
456 -  
457 -**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.  
458 -  
459 -The function **detect_suspicious** checks if VBA macro code contains specific  
460 -keywords often used by malware to act on the system (create files, run  
461 -commands or applications, write to the registry, etc).  
462 -  
463 -It returns a list of tuples containing two strings, the detected keyword, and the  
464 -description of the corresponding malicious behaviour. (See the malware example above)  
465 -  
466 -Sample usage:  
467 -  
468 - :::python  
469 - from oletools.olevba import detect_suspicious  
470 - suspicious_keywords = detect_suspicious(vba_code)  
471 - if suspicious_keywords:  
472 - print 'Suspicious VBA keywords found:'  
473 - for keyword, description in suspicious_keywords:  
474 - print '%s: %s' % (keyword, description)  
475 - else:  
476 - print 'Suspicious VBA keywords: None found'  
477 -  
478 -  
479 -### Extract potential IOCs (deprecated)  
480 -  
481 -**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.  
482 -  
483 -The function **detect_patterns** checks if VBA macro code contains specific  
484 -patterns of interest, that may be useful for malware analysis and detection  
485 -(potential Indicators of Compromise): IP addresses, e-mail addresses,  
486 -URLs, executable file names.  
487 -  
488 -It returns a list of tuples containing two strings, the pattern type, and the  
489 -extracted value. (See the malware example above)  
490 -  
491 -Sample usage:  
492 -  
493 - :::python  
494 - from oletools.olevba import detect_patterns  
495 - patterns = detect_patterns(vba_code)  
496 - if patterns:  
497 - print 'Patterns found:'  
498 - for pattern_type, value in patterns:  
499 - print '%s: %s' % (pattern_type, value)  
500 - else:  
501 - print 'Patterns: None found'  
502 -  
503 -  
504 ---------------------------------------------------------------------------  
505 -  
506 -python-oletools documentation  
507 ------------------------------  
508 -  
509 -- [[Home]]  
510 -- [[License]]  
511 -- [[Install]]  
512 -- [[Contribute]], Suggest Improvements or Report Issues  
513 -- Tools:  
514 - - [[olebrowse]]  
515 - - [[oleid]]  
516 - - [[olemeta]]  
517 - - [[oletimes]]  
518 - - [[olevba]]  
519 - - [[pyxswf]]  
520 - - [[rtfobj]]  
521 \ No newline at end of file 1 \ No newline at end of file
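Review bot: this README.md hunk drops the entire "How to use olevba in Python applications" and "Deprecated API" sections together with the trailing "python-oletools documentation" wiki navigation list, and no surviving README line in the hunk points readers to where that content now lives. Suggest keeping a one-line pointer in README.md under the olevba entry (for example a link to the olevba wiki page in the "Tools" list) so users who only read the README still find the Python API documentation after this move; also note the removed tail ended without a newline, so the new file created in this commit should end with one to avoid the same "\ No newline at end of file" marker in future diffs.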
  2 +olevba
  3 +======
  4 +
  5 +olevba is a script to parse OLE and OpenXML files such as MS Office documents
  6 +(e.g. Word, Excel), to **detect VBA Macros**, extract their **source code** in clear text,
  7 +and detect security-related patterns such as **auto-executable macros**, **suspicious
  8 +VBA keywords** used by malware, anti-sandboxing and anti-virtualization techniques,
  9 +and potential **IOCs** (IP addresses, URLs, executable filenames, etc).
  10 +It also detects and decodes several common **obfuscation methods including Hex encoding,
  11 +StrReverse, Base64, Dridex, VBA expressions**, and extracts IOCs from decoded strings.
  12 +
  13 +It can be used either as a command-line tool, or as a python module from your own applications.
  14 +
  15 +It is part of the [python-oletools](http://www.decalage.info/python/oletools) package.
  16 +
  17 +olevba is based on source code from [officeparser](https://github.com/unixfreak0037/officeparser)
  18 +by John William Davison, with significant modifications.
  19 +
  20 +## Supported formats
  21 +
  22 +- Word 97-2003 (.doc, .dot)
  23 +- Word 2007+ (.docm, .dotm)
  24 +- Word 2003 XML (.xml)
  25 +- Word/Excel MHTML, aka Single File Web Page (.mht)
  26 +- Excel 97-2003 (.xls)
  27 +- Excel 2007+ (.xlsm, .xlsb)
  28 +- PowerPoint 2007+ (.pptm, .ppsm)
  29 +- Text file containing VBA or VBScript source code
  30 +- Password-protected Zip archive containing any of the above
  31 +
  32 +## Main Features
  33 +
  34 +- Detect VBA macros in MS Office 97-2003 and 2007+ files, XML, MHT
  35 +- Extract VBA macro source code
  36 +- Detect auto-executable macros
  37 +- Detect suspicious VBA keywords often used by malware
  38 +- Detect anti-sandboxing and anti-virtualization techniques
  39 +- Detect and decodes strings obfuscated with Hex/Base64/StrReverse/Dridex
  40 +- Deobfuscates VBA expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &, using a VBA parser built with
  41 +[pyparsing](http://pyparsing.wikispaces.com), including custom Hex and Base64 encodings
  42 +- Extract IOCs/patterns of interest such as IP addresses, URLs, e-mail addresses and executable file names
  43 +- Scan multiple files and sample collections (wildcards, recursive)
  44 +- Triage mode for a summary view of multiple files
  45 +- Scan malware samples in password-protected Zip archives
  46 +- Python API to use olevba from your applications
  47 +
  48 +MS Office files encrypted with a password are also supported, because VBA macro code is never
  49 +encrypted, only the content of the document.
  50 +
  51 +## About VBA Macros
  52 +
  53 +See [this article](http://www.decalage.info/en/vba_tools) for more information and technical details about VBA Macros
  54 +and how they are stored in MS Office documents.
  55 +
  56 +## How it works
  57 +
  58 +1. olevba checks the file type: If it is an OLE file (i.e MS Office 97-2003), it is parsed right away.
  59 +1. If it is a zip file (i.e. MS Office 2007+), XML or MHTML, olevba looks for all OLE files stored in it (e.g. vbaProject.bin, editdata.mso), and opens them.
  60 +1. olevba identifies all the VBA projects stored in the OLE structure.
  61 +1. Each VBA project is parsed to find the corresponding OLE streams containing macro code.
  62 +1. In each of these OLE streams, the VBA macro source code is extracted and decompressed (RLE compression).
  63 +1. olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex, VBA expressions).
  64 +1. olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros
  65 +and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc).
  66 +
  67 +
  68 +## Usage
  69 +
  70 + :::text
  71 + Usage: olevba.py [options] <filename> [filename2 ...]
  72 +
  73 + Options:
  74 + -h, --help show this help message and exit
  75 + -r find files recursively in subdirectories.
  76 + -z ZIP_PASSWORD, --zip=ZIP_PASSWORD
  77 + if the file is a zip archive, open all files from it,
  78 + using the provided password (requires Python 2.6+)
  79 + -f ZIP_FNAME, --zipfname=ZIP_FNAME
  80 + if the file is a zip archive, file(s) to be opened
  81 + within the zip. Wildcards * and ? are supported.
  82 + (default:*)
  83 + -t, --triage triage mode, display results as a summary table
  84 + (default for multiple files)
  85 + -d, --detailed detailed mode, display full results (default for
  86 + single file)
  87 + -a, --analysis display only analysis results, not the macro source
  88 + code
  89 + -c, --code display only VBA source code, do not analyze it
  90 + -i INPUT, --input=INPUT
  91 + input file containing VBA source code to be analyzed
  92 + (no parsing)
  93 + --decode display all the obfuscated strings with their decoded
  94 + content (Hex, Base64, StrReverse, Dridex, VBA).
  95 + --attr display the attribute lines at the beginning of VBA
  96 + source code
  97 + --reveal display the macro source code after replacing all the
  98 + obfuscated strings by their decoded content.
  99 +
  100 +### Examples
  101 +
  102 +Scan a single file:
  103 +
  104 + :::text
  105 + olevba.py file.doc
  106 +
  107 +Scan a single file, stored in a Zip archive with password "infected":
  108 +
  109 + :::text
  110 + olevba.py malicious_file.xls.zip -z infected
  111 +
  112 +Scan a single file, showing all obfuscated strings decoded:
  113 +
  114 + :::text
  115 + olevba.py file.doc --decode
  116 +
  117 +Scan a single file, showing the macro source code with VBA strings deobfuscated:
  118 +
  119 + :::text
  120 + olevba.py file.doc --reveal
  121 +
  122 +Scan VBA source code extracted into a text file:
  123 +
  124 + :::text
  125 + olevba.py -i source_code.vba
  126 +
  127 +Scan a collection of files stored in a folder:
  128 +
  129 + :::text
  130 + olevba.py MalwareZoo/VBA/*
  131 +
  132 +Scan all .doc and .xls files, recursively in all subfolders:
  133 +
  134 + :::text
  135 + olevba.py MalwareZoo/VBA/*.doc MalwareZoo/VBA/*.xls -r
  136 +
  137 +Scan all .doc files within all .zip files with password, recursively:
  138 +
  139 + :::text
  140 + olevba.py MalwareZoo/VBA/*.zip -r -z infected -f *.doc
  141 +
  142 +
  143 +### Detailed analysis mode (default for single file)
  144 +
  145 +When a single file is scanned, or when using the option -d, all details of the analysis are displayed.
  146 +
  147 +For example, checking the malware sample [DIAN_caso-5415.doc](https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/):
  148 +
  149 + :::text
  150 + >olevba.py c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip -z infected
  151 + ===============================================================================
  152 + FILE: DIAN_caso-5415.doc.malware in c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip
  153 + Type: OLE
  154 + -------------------------------------------------------------------------------
  155 + VBA MACRO ThisDocument.cls
  156 + in file: DIAN_caso-5415.doc.malware - OLE stream: Macros/VBA/ThisDocument
  157 + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  158 + Option Explicit
  159 + Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal FVQGKS As Long,_
  160 + ByVal WSGSGY As String, ByVal IFRRFV As String, ByVal NCVOLV As Long, _
  161 + ByVal HQTLDG As Long) As Long
  162 + Sub AutoOpen()
  163 + Auto_Open
  164 + End Sub
  165 + Sub Auto_Open()
  166 + SNVJYQ
  167 + End Sub
  168 + Public Sub SNVJYQ()
  169 + [Malicious Code...]
  170 + End Sub
  171 + Function OGEXYR(XSTAHU As String, PHHWIV As String) As Boolean
  172 + [Malicious Code...]
  173 + Application.DisplayAlerts = False
  174 + Application.Quit
  175 + End Function
  176 + Sub Workbook_Open()
  177 + Auto_Open
  178 + End Sub
  179 +
  180 + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  181 + ANALYSIS:
  182 + +------------+----------------------+-----------------------------------------+
  183 + | Type | Keyword | Description |
  184 + +------------+----------------------+-----------------------------------------+
  185 + | AutoExec | AutoOpen | Runs when the Word document is opened |
  186 + | AutoExec | Auto_Open | Runs when the Excel Workbook is opened |
  187 + | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
  188 + | Suspicious | Lib | May run code from a DLL |
  189 + | Suspicious | Shell | May run an executable file or a system |
  190 + | | | command |
  191 + | Suspicious | Environ | May read system environment variables |
  192 + | Suspicious | URLDownloadToFileA | May download files from the Internet |
  193 + | IOC | http://germanya.com. | URL |
  194 + | | ec/logs/test.exe" | |
  195 + | IOC | http://germanya.com. | URL |
  196 + | | ec/logs/counter.php" | |
  197 + | IOC | germanya.com | Executable file name |
  198 + | IOC | test.exe | Executable file name |
  199 + | IOC | sfjozjero.exe | Executable file name |
  200 + +------------+----------------------+-----------------------------------------+
  201 +
  202 +### Triage mode (default for multiple files)
  203 +
  204 +When several files are scanned, or when using the option -t, a summary of the analysis for each file is displayed.
  205 +This is more convenient for quick triage of a collection of suspicious files.
  206 +
  207 +The following flags show the results of the analysis:
  208 +
  209 +- **OLE**: the file type is OLE, for example MS Office 97-2003
  210 +- **OpX**: the file type is OpenXML, for example MS Office 2007+
  211 +- **XML**: the file type is Word 2003 XML
  212 +- **MHT**: the file type is Word MHTML, aka Single File Web Page (.mht)
  213 +- **?**: the file type is not supported
  214 +- **M**: contains VBA Macros
  215 +- **A**: auto-executable macros
  216 +- **S**: suspicious VBA keywords
  217 +- **I**: potential IOCs
  218 +- **H**: hex-encoded strings (potential obfuscation)
  219 +- **B**: Base64-encoded strings (potential obfuscation)
  220 +- **D**: Dridex-encoded strings (potential obfuscation)
  221 +- **V**: VBA string expressions (potential obfuscation)
  222 +
  223 +Here is an example:
  224 +
  225 + :::text
  226 + c:\>olevba.py \MalwareZoo\VBA\samples\*
  227 + Flags Filename
  228 + ----------- -----------------------------------------------------------------
  229 + OLE:MASI--- \MalwareZoo\VBA\samples\DIAN_caso-5415.doc.malware
  230 + OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_1.doc.malware
  231 + OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_2.doc.malware
  232 + OLE:MASI--- \MalwareZoo\VBA\samples\DRIDEX_3.doc.malware
  233 + OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_4.doc.malware
  234 + OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_5.doc.malware
  235 + OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_6.doc.malware
  236 + OLE:MAS---- \MalwareZoo\VBA\samples\DRIDEX_7.doc.malware
  237 + OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_8.doc.malware
  238 + OLE:MASIHBD \MalwareZoo\VBA\samples\DRIDEX_9.xls.malware
  239 + OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_A.doc.malware
  240 + OLE:------- \MalwareZoo\VBA\samples\Normal_Document.doc
  241 + OLE:M------ \MalwareZoo\VBA\samples\Normal_Document_Macro.doc
  242 + OpX:MASI--- \MalwareZoo\VBA\samples\RottenKitten.xlsb.malware
  243 + OLE:MASI-B- \MalwareZoo\VBA\samples\ROVNIX.doc.malware
  244 + OLE:MA----- \MalwareZoo\VBA\samples\Word within Word macro auto.doc
  245 +
  246 +
  247 +--------------------------------------------------------------------------
  248 +
  249 +## How to use olevba in Python applications
  250 +
  251 +olevba may be used to open a MS Office file, detect if it contains VBA macros, extract and analyze the VBA source code
  252 +from your own python applications.
  253 +
  254 +IMPORTANT: olevba is currently under active development, therefore this API is likely to change.
  255 +
  256 +### Import olevba
  257 +
  258 +First, import the **oletools.olevba** package, using at least the VBA_Parser and VBA_Scanner classes:
  259 +
  260 + :::python
  261 + from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML
  262 +
  263 +### Parse a MS Office file - VBA_Parser
  264 +
  265 +To parse a file on disk, create an instance of the **VBA_Parser** class, providing the name of the file to open as parameter.
  266 +For example:
  267 +
  268 + :::python
  269 + vbaparser = VBA_Parser('my_file_with_macros.doc')
  270 +
  271 +The file may also be provided as a bytes string containing its data. In that case, the actual
  272 +filename must be provided for reference, and the file content with the data parameter. For example:
  273 +
  274 + :::python
  275 + myfile = 'my_file_with_macros.doc'
  276 + filedata = open(myfile, 'rb').read()
  277 + vbaparser = VBA_Parser(myfile, data=filedata)
  278 +
  279 +VBA_Parser will raise an exception if the file is not a supported format, such as OLE (MS Office 97-2003), OpenXML
  280 +(MS Office 2007+), MHTML or Word 2003 XML.
  281 +
  282 +After parsing the file, the attribute **VBA_Parser.type** is a string indicating the file type.
  283 +It can be either TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML or TYPE_MHTML. (constants defined in the olevba module)
  284 +
  285 +### Detect VBA macros
  286 +
  287 +The method **detect_vba_macros** of a VBA_Parser object returns True if VBA macros have been found in the file,
  288 +False otherwise.
  289 +
  290 + :::python
  291 + if vbaparser.detect_vba_macros():
  292 + print 'VBA Macros found'
  293 + else:
  294 + print 'No VBA Macros found'
  295 +
  296 +Note: The detection algorithm looks for streams and storage with specific names in the OLE structure, which works fine
  297 +for all the supported formats listed above. However, for some formats such as PowerPoint 97-2003, this method will
  298 +always return False because VBA Macros are stored in a different way which is not yet supported by olevba.
  299 +
  300 +Moreover, if the file contains an embedded document (e.g. an Excel workbook inserted into a Word document), this method
  301 +may return True if the embedded document contains VBA Macros, even if the main document does not.
  302 +
  303 +### Extract VBA Macro Source Code
  304 +
  305 +The method **extract_macros** extracts and decompresses source code for each VBA macro found in the file (possibly
  306 +including embedded files). It is a generator yielding a tuple (filename, stream_path, vba_filename, vba_code)
  307 +for each VBA macro found.
  308 +
  309 +- filename: If the file is OLE (MS Office 97-2003), filename is the path of the file.
  310 + If the file is OpenXML (MS Office 2007+), filename is the path of the OLE subfile containing VBA macros within the zip archive,
  311 + e.g. word/vbaProject.bin.
  312 +- stream_path: path of the OLE stream containing the VBA macro source code
  313 +- vba_filename: corresponding VBA filename
  314 +- vba_code: string containing the VBA source code in clear text
  315 +
  316 +Example:
  317 +
  318 + :::python
  319 + for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
  320 + print '-'*79
  321 + print 'Filename :', filename
  322 + print 'OLE stream :', stream_path
  323 + print 'VBA filename:', vba_filename
  324 + print '- '*39
  325 + print vba_code
  326 +
  327 +Alternatively, the VBA_Parser method **extract_all_macros** returns the same results as a list of tuples.
  328 +
  329 +### Analyze VBA Source Code
  330 +
  331 +Since version 0.40, the VBA_Parser class provides simpler methods than VBA_Scanner to analyze all macros contained
  332 +in a file:
  333 +
  334 +The method **analyze_macros** from the class **VBA_Parser** can be used to scan the source code of all
  335 +VBA modules to find obfuscated strings, suspicious keywords, IOCs, auto-executable macros, etc.
  336 +
  337 +analyze_macros() takes an optional argument show_decoded_strings: if set to True, the results will contain all the encoded
  338 +strings found in the code (Hex, Base64, Dridex) with their decoded value.
  339 +By default, it will only include the strings which contain printable characters.
  340 +
  341 +**VBA_Parser.analyze_macros()** returns a list of tuples (type, keyword, description), one for each item in the results.
  342 +
  343 +- type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String', 'Dridex String' or
  344 + 'VBA obfuscated Strings'.
  345 +- keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is
  346 + the decoded value of the string.
  347 +- description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.
  348 +
  349 +Example:
  350 +
  351 + :::python
  352 + results = vbaparser.analyze_macros()
  353 + for kw_type, keyword, description in results:
  354 + print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
  355 +
  356 +After calling analyze_macros, the following VBA_Parser attributes also provide the number
  357 +of items found for each category:
  358 +
  359 + :::python
  360 + print 'AutoExec keywords: %d' % vbaparser.nb_autoexec
  361 + print 'Suspicious keywords: %d' % vbaparser.nb_suspicious
  362 + print 'IOCs: %d' % vbaparser.nb_iocs
  363 + print 'Hex obfuscated strings: %d' % vbaparser.nb_hexstrings
  364 + print 'Base64 obfuscated strings: %d' % vbaparser.nb_base64strings
  365 + print 'Dridex obfuscated strings: %d' % vbaparser.nb_dridexstrings
  366 + print 'VBA obfuscated strings: %d' % vbaparser.nb_vbastrings
  367 +
  368 +
  369 +### Deobfuscate VBA Macro Source Code
  370 +
  371 +The method **reveal** attempts to deobfuscate the macro source code by replacing all
  372 +the obfuscated strings by their decoded content. Returns a single string.
  373 +
  374 +Example:
  375 +
  376 + :::python
  377 + print vbaparser.reveal()
  378 +
  379 +
  380 +### Close the VBA_Parser
  381 +
  382 +After usage, it is better to call the **close** method of the VBA_Parser object, to make sure the file is closed,
  383 +especially if your application is parsing many files.
  384 +
  385 + :::python
  386 + vbaparser.close()
  387 +
  388 +
  389 +--------------------------------------------------------------------------
  390 +
  391 +## Deprecated API
  392 +
  393 +The following methods and functions are still functional, but their usage is not recommended
  394 +since they have been replaced by better solutions.
  395 +
  396 +### VBA_Scanner (deprecated)
  397 +
  398 +The class **VBA_Scanner** can be used to scan the source code of a VBA module to find obfuscated strings,
  399 +suspicious keywords, IOCs, auto-executable macros, etc.
  400 +
  401 +First, create a VBA_Scanner object with a string containing the VBA source code (for example returned by the
  402 +extract_macros method). Then call the methods **scan** or **scan_summary** to get the results of the analysis.
  403 +
  404 +scan() takes an optional argument include_decoded_strings: if set to True, the results will contain all the encoded
  405 +strings found in the code (Hex, Base64, Dridex) with their decoded value.
  406 +
  407 +**scan** returns a list of tuples (type, keyword, description), one for each item in the results.
  408 +
  409 +- type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String' or 'Dridex String'.
  410 +- keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is
  411 + the decoded value of the string.
  412 +- description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.
  413 +
  414 +Example:
  415 +
  416 + :::python
  417 + vba_scanner = VBA_Scanner(vba_code)
  418 + results = vba_scanner.scan(include_decoded_strings=True)
  419 + for kw_type, keyword, description in results:
  420 + print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
  421 +
  422 +The function **scan_vba** is a shortcut for VBA_Scanner(vba_code).scan():
  423 +
  424 + :::python
  425 + results = scan_vba(vba_code, include_decoded_strings=True)
  426 + for kw_type, keyword, description in results:
  427 + print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
  428 +
  429 +**scan_summary** returns a tuple with the number of items found for each category:
  430 +(autoexec, suspicious, IOCs, hex, base64, dridex).
  431 +
  432 +
  433 +### Detect auto-executable macros (deprecated)
  434 +
  435 +**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.
  436 +
  437 +The function **detect_autoexec** checks if VBA macro code contains specific macro names
  438 +that will be triggered when the document/workbook is opened, closed, changed, etc.
  439 +
  440 +It returns a list of tuples containing two strings, the detected keyword, and the
  441 +description of the trigger. (See the malware example above)
  442 +
  443 +Sample usage:
  444 +
  445 + :::python
  446 + from oletools.olevba import detect_autoexec
  447 + autoexec_keywords = detect_autoexec(vba_code)
  448 + if autoexec_keywords:
  449 + print 'Auto-executable macro keywords found:'
  450 + for keyword, description in autoexec_keywords:
  451 + print '%s: %s' % (keyword, description)
  452 + else:
  453 + print 'Auto-executable macro keywords: None found'
  454 +
  455 +
  456 +### Detect suspicious VBA keywords (deprecated)
  457 +
  458 +**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.
  459 +
  460 +The function **detect_suspicious** checks if VBA macro code contains specific
  461 +keywords often used by malware to act on the system (create files, run
  462 +commands or applications, write to the registry, etc).
  463 +
  464 +It returns a list of tuples containing two strings, the detected keyword, and the
  465 +description of the corresponding malicious behaviour. (See the malware example above)
  466 +
  467 +Sample usage:
  468 +
  469 + :::python
  470 + from oletools.olevba import detect_suspicious
  471 + suspicious_keywords = detect_suspicious(vba_code)
  472 + if suspicious_keywords:
  473 + print 'Suspicious VBA keywords found:'
  474 + for keyword, description in suspicious_keywords:
  475 + print '%s: %s' % (keyword, description)
  476 + else:
  477 + print 'Suspicious VBA keywords: None found'
  478 +
  479 +
  480 +### Extract potential IOCs (deprecated)
  481 +
  482 +**Deprecated**: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.
  483 +
  484 +The function **detect_patterns** checks if VBA macro code contains specific
  485 +patterns of interest, that may be useful for malware analysis and detection
  486 +(potential Indicators of Compromise): IP addresses, e-mail addresses,
  487 +URLs, executable file names.
  488 +
  489 +It returns a list of tuples containing two strings, the pattern type, and the
  490 +extracted value. (See the malware example above)
  491 +
  492 +Sample usage:
  493 +
  494 + :::python
  495 + from oletools.olevba import detect_patterns
  496 + patterns = detect_patterns(vba_code)
  497 + if patterns:
  498 + print 'Patterns found:'
  499 + for pattern_type, value in patterns:
  500 + print '%s: %s' % (pattern_type, value)
  501 + else:
  502 + print 'Patterns: None found'
  503 +
  504 +
  505 +--------------------------------------------------------------------------
  506 +
  507 +python-oletools documentation
  508 +-----------------------------
  509 +
  510 +- [[Home]]
  511 +- [[License]]
  512 +- [[Install]]
  513 +- [[Contribute]], Suggest Improvements or Report Issues
  514 +- Tools:
  515 + - [[olebrowse]]
  516 + - [[oleid]]
  517 + - [[olemeta]]
  518 + - [[oletimes]]
  519 + - [[oledir]]
  520 + - [[olemap]]
  521 + - [[olevba]]
  522 + - [[mraptor]]
  523 + - [[pyxswf]]
  524 + - [[oleobj]]
  525 + - [[rtfobj]]
oletools/doc/pyxswf.html
1 -<p>pyxswf</p>  
2 -<p>======</p>  
3 -<p>pyxswf is a script to detect, extract and analyze Flash objects (SWF files) that may</p>  
4 -<p>be embedded in files such as MS Office documents (e.g. Word, Excel),</p>  
5 -<p>which is especially useful for malware analysis.</p> 1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 + <style type="text/css">code{white-space: pre;}</style>
  9 +</head>
  10 +<body>
  11 +<h1 id="pyxswf">pyxswf</h1>
  12 +<p>pyxswf is a script to detect, extract and analyze Flash objects (SWF files) that may be embedded in files such as MS Office documents (e.g. Word, Excel), which is especially useful for malware analysis.</p>
6 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p> 13 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
7 <p>pyxswf is an extension to <a href="http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html">xxxswf.py</a> published by Alexander Hanel.</p> 14 <p>pyxswf is an extension to <a href="http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html">xxxswf.py</a> published by Alexander Hanel.</p>
8 -<p>Compared to xxxswf, it can extract streams from MS Office documents by parsing</p>  
9 -<p>their OLE structure properly, which is necessary when streams are fragmented.</p>  
10 -<p>Stream fragmentation is a known obfuscation technique, as explained on</p>  
11 -<p><a href="http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/">http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/</a></p> 15 +<p>Compared to xxxswf, it can extract streams from MS Office documents by parsing their OLE structure properly, which is necessary when streams are fragmented. Stream fragmentation is a known obfuscation technique, as explained on <a href="http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/">http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/</a></p>
12 <p>It can also extract Flash objects from RTF documents, by parsing embedded objects encoded in hexadecimal format (-f option).</p> 16 <p>It can also extract Flash objects from RTF documents, by parsing embedded objects encoded in hexadecimal format (-f option).</p>
13 <p>For this, simply add the -o option to work on OLE streams rather than raw files, or the -f option to work on RTF files.</p> 17 <p>For this, simply add the -o option to work on OLE streams rather than raw files, or the -f option to work on RTF files.</p>
14 <h2 id="usage">Usage</h2> 18 <h2 id="usage">Usage</h2>
15 <pre><code>Usage: pyxswf.py [options] &lt;file.bad&gt; 19 <pre><code>Usage: pyxswf.py [options] &lt;file.bad&gt;
16 20
17 -  
18 -  
19 Options: 21 Options:
20 -  
21 -o, --ole Parse an OLE file (e.g. Word, Excel) to look for SWF 22 -o, --ole Parse an OLE file (e.g. Word, Excel) to look for SWF
22 -  
23 in each stream 23 in each stream
24 -  
25 -f, --rtf Parse an RTF file to look for SWF in each embedded 24 -f, --rtf Parse an RTF file to look for SWF in each embedded
26 -  
27 object 25 object
28 -  
29 -x, --extract Extracts the embedded SWF(s), names it MD5HASH.swf &amp; 26 -x, --extract Extracts the embedded SWF(s), names it MD5HASH.swf &amp;
30 -  
31 saves it in the working dir. No addition args needed 27 saves it in the working dir. No addition args needed
32 -  
33 -h, --help show this help message and exit 28 -h, --help show this help message and exit
34 -  
35 -y, --yara Scans the SWF(s) with yara. If the SWF(s) is 29 -y, --yara Scans the SWF(s) with yara. If the SWF(s) is
36 -  
37 compressed it will be deflated. No addition args 30 compressed it will be deflated. No addition args
38 -  
39 needed 31 needed
40 -  
41 -s, --md5scan Scans the SWF(s) for MD5 signatures. Please see func 32 -s, --md5scan Scans the SWF(s) for MD5 signatures. Please see func
42 -  
43 checkMD5 to define hashes. No addition args needed 33 checkMD5 to define hashes. No addition args needed
44 -  
45 -H, --header Displays the SWFs file header. No addition args needed 34 -H, --header Displays the SWFs file header. No addition args needed
46 -  
47 -d, --decompress Deflates compressed SWFS(s) 35 -d, --decompress Deflates compressed SWFS(s)
48 -  
49 -r PATH, --recdir=PATH 36 -r PATH, --recdir=PATH
50 -  
51 Will recursively scan a directory for files that 37 Will recursively scan a directory for files that
52 -  
53 contain SWFs. Must provide path in quotes 38 contain SWFs. Must provide path in quotes
54 -  
55 -c, --compress Compresses the SWF using Zlib</code></pre> 39 -c, --compress Compresses the SWF using Zlib</code></pre>
56 <h3 id="example-1---detecting-and-extracting-a-swf-file-from-a-word-document-on-windows">Example 1 - detecting and extracting a SWF file from a Word document on Windows:</h3> 40 <h3 id="example-1---detecting-and-extracting-a-swf-file-from-a-word-document-on-windows">Example 1 - detecting and extracting a SWF file from a Word document on Windows:</h3>
57 <pre><code>C:\oletools&gt;pyxswf.py -o word_flash.doc 41 <pre><code>C:\oletools&gt;pyxswf.py -o word_flash.doc
58 -  
59 OLE stream: &#39;Contents&#39; 42 OLE stream: &#39;Contents&#39;
60 -  
61 [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents 43 [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
62 -  
63 [ADDR] SWF 1 at 0x8 - FWS Header 44 [ADDR] SWF 1 at 0x8 - FWS Header
64 45
65 -  
66 -  
67 C:\oletools&gt;pyxswf.py -xo word_flash.doc 46 C:\oletools&gt;pyxswf.py -xo word_flash.doc
68 -  
69 OLE stream: &#39;Contents&#39; 47 OLE stream: &#39;Contents&#39;
70 -  
71 [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents 48 [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
72 -  
73 [ADDR] SWF 1 at 0x8 - FWS Header 49 [ADDR] SWF 1 at 0x8 - FWS Header
74 -  
75 [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf</code></pre> 50 [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf</code></pre>
76 <h3 id="example-2---detecting-and-extracting-a-swf-file-from-a-rtf-document-on-windows">Example 2 - detecting and extracting a SWF file from a RTF document on Windows:</h3> 51 <h3 id="example-2---detecting-and-extracting-a-swf-file-from-a-rtf-document-on-windows">Example 2 - detecting and extracting a SWF file from a RTF document on Windows:</h3>
77 <pre><code>C:\oletools&gt;pyxswf.py -xf &quot;rtf_flash.rtf&quot; 52 <pre><code>C:\oletools&gt;pyxswf.py -xf &quot;rtf_flash.rtf&quot;
78 -  
79 RTF embedded object size 1498557 at index 000036DD 53 RTF embedded object size 1498557 at index 000036DD
80 -  
81 [SUMMARY] 1 SWF(s) in MD5:46a110548007e04f4043785ac4184558:RTF_embedded_object_0 54 [SUMMARY] 1 SWF(s) in MD5:46a110548007e04f4043785ac4184558:RTF_embedded_object_0
82 -  
83 00036DD 55 00036DD
84 -  
85 [ADDR] SWF 1 at 0xc40 - FWS Header 56 [ADDR] SWF 1 at 0xc40 - FWS Header
86 -  
87 - [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf</code></pre> 57 + [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf
  58 + </code></pre>
88 <h2 id="how-to-use-pyxswf-in-python-applications">How to use pyxswf in Python applications</h2> 59 <h2 id="how-to-use-pyxswf-in-python-applications">How to use pyxswf in Python applications</h2>
89 <p>TODO</p> 60 <p>TODO</p>
90 <hr /> 61 <hr />
91 -<p>python-oletools documentation</p>  
92 -<hr /> 62 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
93 <ul> 63 <ul>
94 -<li><p><a href="Home.html">Home</a></p></li>  
95 -<li><p><a href="License.html">License</a></p></li>  
96 -<li><p><a href="Install.html">Install</a></p></li>  
97 -<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>  
98 -<li><p>Tools:</p> 64 +<li><a href="Home.html">Home</a></li>
  65 +<li><a href="License.html">License</a></li>
  66 +<li><a href="Install.html">Install</a></li>
  67 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  68 +<li>Tools:
99 <ul> 69 <ul>
100 -<li><p><a href="olebrowse.html">olebrowse</a></p></li>  
101 -<li><p><a href="oleid.html">oleid</a></p></li>  
102 -<li><p><a href="olemeta.html">olemeta</a></p></li>  
103 -<li><p><a href="oletimes.html">oletimes</a></p></li>  
104 -<li><p><a href="olevba.html">olevba</a></p></li>  
105 -<li><p><a href="pyxswf.html">pyxswf</a></p></li>  
106 -<li><p><a href="rtfobj.html">rtfobj</a></p></li> 70 +<li><a href="olebrowse.html">olebrowse</a></li>
  71 +<li><a href="oleid.html">oleid</a></li>
  72 +<li><a href="olemeta.html">olemeta</a></li>
  73 +<li><a href="oletimes.html">oletimes</a></li>
  74 +<li><a href="oledir.html">oledir</a></li>
  75 +<li><a href="olemap.html">olemap</a></li>
  76 +<li><a href="olevba.html">olevba</a></li>
  77 +<li><a href="mraptor.html">mraptor</a></li>
  78 +<li><a href="pyxswf.html">pyxswf</a></li>
  79 +<li><a href="oleobj.html">oleobj</a></li>
  80 +<li><a href="rtfobj.html">rtfobj</a></li>
107 </ul></li> 81 </ul></li>
108 </ul> 82 </ul>
  83 +</body>
  84 +</html>
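Review bot: the generated page ships with an empty `<title></title>` (new line 7) and the "How to use pyxswf in Python applications" section still contains only `<p>TODO</p>` (new line 60); give the document a title when running pandoc so browser tabs and bookmarks are not blank, and either fill in the Python usage section or remove the heading until there is content, since this is otherwise the 0.44 release documentation. The option help in the `<pre>` block also carries "No addition args needed" and "SWFS(s)" (lines 27, 30, 33, 35); if that text is copied from the tool's own help strings, fix it there so the regenerated doc picks it up.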
oletools/doc/pyxswf.md
@@ -87,6 +87,10 @@ python-oletools documentation @@ -87,6 +87,10 @@ python-oletools documentation
87 - [[oleid]] 87 - [[oleid]]
88 - [[olemeta]] 88 - [[olemeta]]
89 - [[oletimes]] 89 - [[oletimes]]
  90 + - [[oledir]]
  91 + - [[olemap]]
90 - [[olevba]] 92 - [[olevba]]
  93 + - [[mraptor]]
91 - [[pyxswf]] 94 - [[pyxswf]]
92 - - [[rtfobj]]  
93 \ No newline at end of file 95 \ No newline at end of file
  96 + - [[oleobj]]
  97 + - [[rtfobj]]
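Review bot: the `\ No newline at end of file` marker still appears on the new side of this hunk; after moving `- [[rtfobj]]` to the end of the list, make sure the file ends with a trailing newline, otherwise the next addition to the nav list will produce the same remove-and-re-add churn on the last item that this hunk shows for `- [[rtfobj]]`.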
oletools/doc/rtfobj.html
1 -<p>rtfobj</p>  
2 -<p>======</p>  
3 -<p>rtfobj is a Python module to extract embedded objects from RTF files, such as</p>  
4 -<p>OLE ojects. It can be used as a Python library or a command-line tool.</p> 1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 + <style type="text/css">code{white-space: pre;}</style>
  9 +</head>
  10 +<body>
  11 +<h1 id="rtfobj">rtfobj</h1>
  12 +<p>rtfobj is a Python module to extract embedded objects from RTF files, such as OLE ojects. It can be used as a Python library or a command-line tool.</p>
5 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p> 13 <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
6 <h2 id="usage">Usage</h2> 14 <h2 id="usage">Usage</h2>
7 <pre><code>rtfobj.py &lt;file.rtf&gt;</code></pre> 15 <pre><code>rtfobj.py &lt;file.rtf&gt;</code></pre>
@@ -11,26 +19,29 @@ @@ -11,26 +19,29 @@
11 <p>rtf_iter_objects(filename) is an iterator which yields a tuple (index, object) providing the index of each hexadecimal stream in the RTF file, and the corresponding decoded object.</p> 19 <p>rtf_iter_objects(filename) is an iterator which yields a tuple (index, object) providing the index of each hexadecimal stream in the RTF file, and the corresponding decoded object.</p>
12 <p>Example:</p> 20 <p>Example:</p>
13 <pre><code>import rtfobj 21 <pre><code>import rtfobj
14 -  
15 for index, data in rtfobj.rtf_iter_objects(&quot;myfile.rtf&quot;): 22 for index, data in rtfobj.rtf_iter_objects(&quot;myfile.rtf&quot;):
16 -  
17 print &#39;found object size %d at index %08X&#39; % (len(data), index)</code></pre> 23 print &#39;found object size %d at index %08X&#39; % (len(data), index)</code></pre>
18 <hr /> 24 <hr />
19 -<p>python-oletools documentation</p>  
20 -<hr /> 25 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
21 <ul> 26 <ul>
22 -<li><p><a href="Home.html">Home</a></p></li>  
23 -<li><p><a href="License.html">License</a></p></li>  
24 -<li><p><a href="Install.html">Install</a></p></li>  
25 -<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>  
26 -<li><p>Tools:</p> 27 +<li><a href="Home.html">Home</a></li>
  28 +<li><a href="License.html">License</a></li>
  29 +<li><a href="Install.html">Install</a></li>
  30 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  31 +<li>Tools:
27 <ul> 32 <ul>
28 -<li><p><a href="olebrowse.html">olebrowse</a></p></li>  
29 -<li><p><a href="oleid.html">oleid</a></p></li>  
30 -<li><p><a href="olemeta.html">olemeta</a></p></li>  
31 -<li><p><a href="oletimes.html">oletimes</a></p></li>  
32 -<li><p><a href="olevba.html">olevba</a></p></li>  
33 -<li><p><a href="pyxswf.html">pyxswf</a></p></li>  
34 -<li><p><a href="rtfobj.html">rtfobj</a></p></li> 33 +<li><a href="olebrowse.html">olebrowse</a></li>
  34 +<li><a href="oleid.html">oleid</a></li>
  35 +<li><a href="olemeta.html">olemeta</a></li>
  36 +<li><a href="oletimes.html">oletimes</a></li>
  37 +<li><a href="oledir.html">oledir</a></li>
  38 +<li><a href="olemap.html">olemap</a></li>
  39 +<li><a href="olevba.html">olevba</a></li>
  40 +<li><a href="mraptor.html">mraptor</a></li>
  41 +<li><a href="pyxswf.html">pyxswf</a></li>
  42 +<li><a href="oleobj.html">oleobj</a></li>
  43 +<li><a href="rtfobj.html">rtfobj</a></li>
35 </ul></li> 44 </ul></li>
36 </ul> 45 </ul>
  46 +</body>
  47 +</html>
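Review bot: typo carried over into the new intro paragraph (new line 12): "OLE ojects" should be "OLE objects". The example at new lines 21-23 uses `import rtfobj` and the Python 2 print statement; since the page states rtfobj is part of the python-oletools package, `from oletools import rtfobj` is the import a user gets after installing the package, and `print(...)` keeps the snippet valid on Python 3 as well.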
oletools/doc/rtfobj.md
@@ -42,6 +42,10 @@ python-oletools documentation @@ -42,6 +42,10 @@ python-oletools documentation
42 - [[oleid]] 42 - [[oleid]]
43 - [[olemeta]] 43 - [[olemeta]]
44 - [[oletimes]] 44 - [[oletimes]]
  45 + - [[oledir]]
  46 + - [[olemap]]
45 - [[olevba]] 47 - [[olevba]]
  48 + - [[mraptor]]
46 - [[pyxswf]] 49 - [[pyxswf]]
47 - - [[rtfobj]]  
48 \ No newline at end of file 50 \ No newline at end of file
  51 + - [[oleobj]]
  52 + - [[rtfobj]]
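Review bot: this hunk is identical to the pyxswf.md change above, and the same "Tools" list (now eleven entries) is hand-maintained in each of the doc files touched by this commit, which is why oledir, olemap, mraptor and oleobj had to be inserted file by file here; consider generating the navigation block from a single include or a small script so that adding a tool is a one-place change and the .md and .html copies cannot drift apart.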