Merge branch 'master' into master

Philippe Lagadec · GitHub
2 parents 82bb3107 7909381f
Showing 65 changed files with 2463 additions and 677 deletions
.travis.yml
README.md
cheatsheet/oletools_cheatsheet.docx
cheatsheet/oletools_cheatsheet.pdf
oletools/DocVarDump.vba
oletools/LICENSE.txt
oletools/README.html
oletools/README.rst
oletools/doc/Home.html
oletools/doc/Home.md
oletools/doc/License.html
oletools/doc/License.md
oletools/doc/mraptor.html
oletools/doc/olebrowse.html
oletools/doc/oledir.html
oletools/doc/oleid.html
oletools/doc/olemap.html
oletools/doc/olemeta.html
oletools/doc/olevba.html
oletools/doc/rtfobj.html
+language: python
+
+python:
+  - "2.7"
+  - "3.6"
+  - "nightly"
+cache: pip
+script:
+  - python setup.py test
 python-oletools
 ===============
+[![PyPI](https://img.shields.io/pypi/v/oletools.svg)](https://pypi.python.org/pypi/oletools)
+[![Build Status](https://travis-ci.org/decalage2/oletools.svg?branch=master)](https://travis-ci.org/decalage2/oletools)
  
 [oletools](http://www.decalage.info/python/oletools) is a package of python tools to analyze
 [Microsoft OLE2 files](http://en.wikipedia.org/wiki/Compound_File_Binary_Format) 
@@ -22,7 +24,17 @@ Note: python-oletools is not related to OLETools published by BeCubed Software.
 News
 ----
  
-- **2016-11-01 v0.50**: all oletools now support python 2 and 3.
+- **2017-06-29 v0.51**:
+    - added the [oletools cheatsheet](https://github.com/decalage2/oletools/blob/master/cheatsheet/oletools_cheatsheet.pdf)
+    - improved [rtfobj](https://github.com/decalage2/oletools/wiki/rtfobj) to handle malformed RTF files, detect vulnerability CVE-2017-0199
+    - olevba: improved deobfuscation and Mac files support
+    - [mraptor](https://github.com/decalage2/oletools/wiki/mraptor): added more ActiveX macro triggers
+    - added [DocVarDump.vba](https://github.com/decalage2/oletools/blob/master/oletools/DocVarDump.vba) to dump document variables using Word
+    - olemap: can now detect and extract [extra data at end of file](http://decalage.info/en/ole_extradata), improved display
+    - oledir, olemeta, oletimes: added support for zip files and wildcards
+    - many [bugfixes](https://github.com/decalage2/oletools/milestone/3?closed=1) in all the tools
+    - improved Python 2+3 support
+- 2016-11-01 v0.50: all oletools now support python 2 and 3.
     - olevba: several bugfixes and improvements.
     - mraptor: improved detection, added mraptor_milter for Sendmail/Postfix integration.
     - rtfobj: brand new RTF parser, obfuscation-aware, improved display, detect
@@ -33,13 +45,6 @@ improved handling of malformed/incomplete documents, improved error handling and
 now returns an exit code based on analysis results, new --relaxed option.
 [rtfobj](https://github.com/decalage2/oletools/wiki/rtfobj): improved parsing to handle obfuscated RTF documents,
 added -d option to set output dir. Moved repository and documentation to GitHub.
-- 2016-04-19 v0.46: [olevba](https://github.com/decalage2/oletools/wiki/olevba)
-does not deobfuscate VBA expressions by default (much faster), new option --deobf
-to enable it. Fixed color display bug on Windows for several tools.
-- 2016-04-12 v0.45: improved [rtfobj](https://github.com/decalage2/oletools/wiki/rtfobj)
-to handle several [anti-analysis tricks](http://www.decalage.info/rtf_tricks),
-improved [olevba](https://github.com/decalage2/oletools/wiki/olevba)
-to export results in JSON format.
  
 See the [full changelog](https://github.com/decalage2/oletools/wiki/Changelog) for more information.
  
@@ -67,6 +72,7 @@ Projects using oletools:
  
 oletools are used by a number of projects and online malware analysis services,
 including [Viper](http://viper.li/), [REMnux](https://remnux.org/),
+[FAME](https://certsocietegenerale.github.io/fame/),
 [Hybrid-analysis.com](https://www.hybrid-analysis.com/),
 [Joe Sandbox](https://www.document-analyzer.net/),
 [Deepviz](https://sandbox.deepviz.com/),
@@ -129,7 +135,7 @@ License
 This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files 
 published with their own license.
  
-The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec (http://www.decalage.info)
+The python-oletools package is copyright (c) 2012-2017 Philippe Lagadec (http://www.decalage.info)
  
 All rights reserved.
  
+' DocVarDump.vba
+'
+' DocVarDump is a VBA macro that can be used to dump the content of all document
+' variables stored in a MS Word document.
+'
+' USAGE:
+'  1. Open the document to be analyzed in MS Word
+'  2. Do NOT click on "Enable Content", to avoid running malicious macros
+'  3. Save the document with a new name, using the DOCX format (not doc, not docm)
+'     This will remove all VBA macro code.
+'  4. Close the file, and reopen the DOCX file you just saved
+'  5. Press Alt+F11 to open the VBA Editor
+'  6. Double-click on "This Document" under Project
+'  7. Copy and Paste all the code from DocVarDump.vba
+'  8. Move the cursor on the line "Sub DocVarDump()"
+'  9. Press F5: This should run the code, and create a file "docvardump.txt"
+'     containing a hex dump of all document variables.
+'
+' ALTERNATIVE: Open the document in LibreOffice/OpenOffice,
+' then go to File / Properties / Custom Properties
+'
+' Author: Philippe Lagadec - http://www.decalage.info
+' License: BSD, see source code or documentation
+'
+' DocVarDump is part of the python-oletools package:
+' http://www.decalage.info/python/oletools
+
+' CHANGELOG:
+' 2016-09-21 v0.01 PL: - First working version
+' 2017-04-10 v0.02 PL: - Added usage instructions
+
+Sub DocVarDump()
+    intFileNum = FreeFile
+    FName = Environ("TEMP") & "\docvardump.txt"
+    Open FName For Output As intFileNum
+        For Each myvar In ActiveDocument.Variables
+            Write #intFileNum, "Name = " & myvar.Name
+            'TODO: check VarType, and only use hexdump for strings with non-printable chars
+            Write #intFileNum, "Value = " & HexDump(myvar.value)
+            Write #intFileNum,
+        Next myvar
+    Close intFileNum
+    Documents.Open (FName)
+End Sub
+
+Function Hex2(value As Integer)
+    h = Hex(value)
+    If Len(h) < 2 Then
+        h = "0" & h
+    End If
+    Hex2 = h
+End Function
+
+Function HexN(value As Integer, nchars As Integer)
+    h = Hex(value)
+    Do While Len(h) < nchars
+        h = "0" & h
+    Loop
+    HexN = h
+End Function
+
+Function ReplaceClean1(sText As String)
+    Dim J As Integer
+    Dim vAddText
+
+    vAddText = Array(Chr(129), Chr(141), Chr(143), Chr(144), Chr(157))
+    For J = 0 To 31
+        sText = Replace(sText, Chr(J), "\x" & Hex2(J))
+    Next
+    For J = 0 To UBound(vAddText)
+        c = vAddText(J)
+        a = Asc(c)
+        sText = Replace(sText, c, "\x" & Hex2(a))
+    Next
+    ReplaceClean1 = sText
+End Function
+
+Function ReplaceClean3(sText As String)
+    Dim J As Integer
+    For J = 0 To 31
+        sText = Replace(sText, Chr(J), ".")
+    Next
+    For J = 127 To 255
+        sText = Replace(sText, Chr(J), ".")
+    Next
+    ReplaceClean3 = sText
+End Function
+
+Function HexBytes(sText As String)
+    Dim i As Integer
+    HexBytes = ""
+    For i = 1 To Len(sText)
+        HexBytes = HexBytes & Hex2(Asc(Mid(sText, i))) & " "
+    Next
+End Function
+
+
+Function HexDump(sText As String)
+    Dim chunk As String
+    Dim i As Long
+    ' "\" is integer division, "/" is normal division (float)
+    nbytes = 8
+    nchunks = Len(sText) \ nbytes
+    lastchunk = Len(sText) Mod nbytes
+    HexDump = ""
+    For i = 0 To nchunks - 1
+        Offset = HexN(i * nbytes, 8)
+        chunk = Mid(sText, i * nbytes + 1, nbytes)
+        HexDump = HexDump & Offset & "  " & HexBytes(chunk) & " " & ReplaceClean3(chunk) & vbCrLf
+    Next i
+    'TODO: LAST CHUNK!
+    If lastchunk > 0 Then
+        Offset = HexN(nchunks * nbytes, 8)
+        chunk = Mid(sText, nchunks * nbytes + 1, lastchunk)
+        HexDump = HexDump & Offset & "  " & HexBytes(chunk) & " " & ReplaceClean3(chunk) & vbCrLf
+    End If
+End Function
@@ -3,7 +3,7 @@ LICENSE for the python-oletools package:
 This license applies to the python-oletools package, apart from the thirdparty
 folder which contains third-party files published with their own license.
  
-The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec (http://www.decalage.info)
+The python-oletools package is copyright (c) 2012-2017 Philippe Lagadec (http://www.decalage.info)
  
 All rights reserved.
  
@@ -9,12 +9,24 @@
 </head>
 <body>
 <h1 id="python-oletools">python-oletools</h1>
-<p><a href="http://www.decalage.info/python/oletools">oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools">http://www.decalage.info/python/oletools</a> for more info.</p>
+<p><a href="http://www.decalage.info/python/oletools">oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools" class="uri">http://www.decalage.info/python/oletools</a> for more info.</p>
 <p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://github.com/decalage2/oletools/wiki/Install">Download/Install</a> - <a href="https://github.com/decalage2/oletools/wiki">Documentation</a> - <a href="https://github.com/decalage2/oletools/issues">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the Author</a> - <a href="https://github.com/decalage2/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
 <p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p>
 <h2 id="news">News</h2>
 <ul>
-<li><strong>2016-11-01 v0.50</strong>: all oletools now support python 2 and 3.
+<li><strong>2017-06-29 v0.51</strong>:
+<ul>
+<li>added the <a href="https://github.com/decalage2/oletools/blob/master/cheatsheet/oletools_cheatsheet.pdf">oletools cheatsheet</a></li>
+<li>improved <a href="https://github.com/decalage2/oletools/wiki/rtfobj">rtfobj</a> to handle malformed RTF files, detect vulnerability CVE-2017-0199</li>
+<li>olevba: improved deobfuscation and Mac files support</li>
+<li><a href="https://github.com/decalage2/oletools/wiki/mraptor">mraptor</a>: added more ActiveX macro triggers</li>
+<li>added <a href="https://github.com/decalage2/oletools/blob/master/oletools/DocVarDump.vba">DocVarDump.vba</a> to dump document variables using Word</li>
+<li>olemap: can now detect and extract <a href="http://decalage.info/en/ole_extradata">extra data at end of file</a>, improved display</li>
+<li>oledir, olemeta, oletimes: added support for zip files and wildcards</li>
+<li>many <a href="https://github.com/decalage2/oletools/milestone/3?closed=1">bugfixes</a> in all the tools</li>
+<li>improved Python 2+3 support</li>
+</ul></li>
+<li>2016-11-01 v0.50: all oletools now support python 2 and 3.
 <ul>
 <li>olevba: several bugfixes and improvements.</li>
 <li>mraptor: improved detection, added mraptor_milter for Sendmail/Postfix integration.</li>
@@ -22,28 +34,9 @@
 <li>setup: now creates handy command-line scripts to run oletools from any directory.</li>
 </ul></li>
 <li>2016-06-10 v0.47: <a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a> added PPT97 macros support, improved handling of malformed/incomplete documents, improved error handling and JSON output, now returns an exit code based on analysis results, new --relaxed option. <a href="https://github.com/decalage2/oletools/wiki/rtfobj">rtfobj</a>: improved parsing to handle obfuscated RTF documents, added -d option to set output dir. Moved repository and documentation to GitHub.</li>
-<li>2016-04-19 v0.46: <a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a> does not deobfuscate VBA expressions by default (much faster), new option --deobf to enable it. Fixed color display bug on Windows for several tools.</li>
-<li>2016-04-12 v0.45: improved <a href="https://github.com/decalage2/oletools/wiki/rtfobj">rtfobj</a> to handle several <a href="http://www.decalage.info/rtf_tricks">anti-analysis tricks</a>, improved <a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a> to export results in JSON format.</li>
-<li>2016-03-11 v0.44: improved <a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a> to extract and analyse strings from VBA Forms.</li>
-<li>2016-03-04 v0.43: added new tool <a href="https://github.com/decalage2/oletools/wiki/mraptor">MacroRaptor</a> (mraptor) to detect malicious macros, bugfix and slight improvements in <a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a>.</li>
-<li>2016-02-07 v0.42: added two new tools oledir and olemap, better handling of malformed files and several bugfixes in <a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a>, improved display for <a href="https://github.com/decalage2/oletools/wiki/olemeta">olemeta</a>.</li>
-<li>2015-09-22 v0.41: added new --reveal option to <a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a>, to show the macro code with VBA strings deobfuscated.</li>
-<li>2015-09-17 v0.40: Improved macro deobfuscation in <a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a>, to decode Hex and Base64 within VBA expressions. Display printable deobfuscated strings by default. Improved the VBA_Parser API. Improved performance. Fixed <a href="https://github.com/decalage2/oletools/issues/23">issue #23</a> with sys.stderr.</li>
-<li>2015-06-19 v0.12: <a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a> can now deobfuscate VBA expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &amp;, using a VBA parser built with <a href="http://pyparsing.wikispaces.com">pyparsing</a>. New options to display only the analysis results or only the macros source code. The analysis is now done on all the VBA modules at once.</li>
-<li>2015-05-29 v0.11: Improved parsing of MHTML and ActiveMime/MSO files in <a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a>, added several suspicious keywords to VBA scanner (thanks to <span class="citation">@ozhermit</span> and Davy Douhine for the suggestions)</li>
-<li>2015-05-06 v0.10: <a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a> now supports Word MHTML files with macros, aka &quot;Single File Web Page&quot; (.mht) - see <a href="https://github.com/decalage2/oletools/issues/10">issue #10</a> for more info</li>
-<li>2015-03-23 v0.09: <a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a> now supports Word 2003 XML files, added anti-sandboxing/VM detection</li>
-<li>2015-02-08 v0.08: <a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a> can now decode strings obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western codepages with olefile 0.42, improved API and display, several bugfixes.</li>
-<li>2015-01-05 v0.07: improved <a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a> to detect suspicious keywords and IOCs in VBA macros, can now scan several files and open password-protected zip archives, added a Python API, upgraded OleFileIO_PL to olefile v0.41</li>
-<li>2014-08-28 v0.06: added <a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a>, a new tool to extract VBA Macro source code from MS Office documents (97-2003 and 2007+). Improved <a href="https://github.com/decalage2/oletools/wiki">documentation</a></li>
-<li>2013-07-24 v0.05: added new tools <a href="https://github.com/decalage2/oletools/wiki/olemeta">olemeta</a> and <a href="https://github.com/decalage2/oletools/wiki/oletimes">oletimes</a></li>
-<li>2013-04-18 v0.04: fixed bug in rtfobj, added documentation for <a href="https://github.com/decalage2/oletools/wiki/rtfobj">rtfobj</a></li>
-<li>2012-11-09 v0.03: Improved <a href="https://github.com/decalage2/oletools/wiki/pyxswf">pyxswf</a> to extract Flash objects from RTF</li>
-<li>2012-10-29 v0.02: Added <a href="https://github.com/decalage2/oletools/wiki/oleid">oleid</a></li>
-<li>2012-10-09 v0.01: Initial version of <a href="https://github.com/decalage2/oletools/wiki/olebrowse">olebrowse</a> and pyxswf</li>
-<li>see changelog in source code for more info.</li>
 </ul>
-<h2 id="tools-in-python-oletools">Tools in python-oletools:</h2>
+<p>See the <a href="https://github.com/decalage2/oletools/wiki/Changelog">full changelog</a> for more information.</p>
+<h2 id="tools">Tools:</h2>
 <ul>
 <li><a href="https://github.com/decalage2/oletools/wiki/olebrowse">olebrowse</a>: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.</li>
 <li><a href="https://github.com/decalage2/oletools/wiki/oleid">oleid</a>: to analyze OLE files to detect specific characteristics usually found in malicious files.</li>
@@ -59,13 +52,20 @@
 <li>and a few others (coming soon)</li>
 </ul>
 <h2 id="projects-using-oletools">Projects using oletools:</h2>
-<p>oletools are used by a number of projects and online malware analysis services, including <a href="http://viper.li/">Viper</a>, <a href="https://remnux.org/">REMnux</a>, <a href="https://www.hybrid-analysis.com/">Hybrid-analysis.com</a>, <a href="https://www.document-analyzer.net/">Joe Sandbox</a>, <a href="https://sandbox.deepviz.com/">Deepviz</a>, <a href="https://github.com/lmco/laikaboss">Laika BOSS</a>, <a href="https://github.com/cuckoosandbox/cuckoo">Cuckoo Sandbox</a>, <a href="https://sandbox.anlyz.io/">Anlyz.io</a>, <a href="https://github.com/bontchev/pcodedmp">pcodedmp</a> and probably <a href="https://www.virustotal.com">VirusTotal</a>. (Please <a href="(http://decalage.info/contact)">contact me</a> if you have or know a project using oletools)</p>
+<p>oletools are used by a number of projects and online malware analysis services, including <a href="http://viper.li/">Viper</a>, <a href="https://remnux.org/">REMnux</a>, <a href="https://certsocietegenerale.github.io/fame/">FAME</a>, <a href="https://www.hybrid-analysis.com/">Hybrid-analysis.com</a>, <a href="https://www.document-analyzer.net/">Joe Sandbox</a>, <a href="https://sandbox.deepviz.com/">Deepviz</a>, <a href="https://github.com/lmco/laikaboss">Laika BOSS</a>, <a href="https://github.com/cuckoosandbox/cuckoo">Cuckoo Sandbox</a>, <a href="https://sandbox.anlyz.io/">Anlyz.io</a>, <a href="https://github.com/decalage2/ViperMonkey">ViperMonkey</a>, <a href="https://github.com/bontchev/pcodedmp">pcodedmp</a>, <a href="https://dridex.malwareconfig.com">dridex.malwareconfig.com</a>, and probably <a href="https://www.virustotal.com">VirusTotal</a>. (Please <a href="(http://decalage.info/contact)">contact me</a> if you have or know a project using oletools)</p>
 <h2 id="download-and-install">Download and Install:</h2>
-<p>To use python-oletools from the command line as analysis tools, you may simply <a href="https://github.com/decalage2/oletools/releases">download the latest release archive</a> and extract the files into the directory of your choice.</p>
-<p>You may also download the <a href="https://github.com/decalage2/oletools/archive/master.zip">latest development version</a> with the most recent features.</p>
-<p>Another possibility is to use a git client to clone the repository (https://github.com/decalage2/oletools.git) into a folder. You can then update it easily in the future.</p>
-<p>If you plan to use python-oletools with other Python applications or your own scripts, then the simplest solution is to use &quot;<strong>pip install oletools</strong>&quot; or &quot;<strong>easy_install oletools</strong>&quot; to download and install in one go. Otherwise you may download/extract the zip archive and run &quot;<strong>setup.py install</strong>&quot;.</p>
-<p><strong>Important: to update oletools</strong> if it is already installed, you must run <strong>&quot;pip install -U oletools&quot;</strong>, otherwise pip will not update it.</p>
+<p>The recommended way to download and install/update the <strong>latest stable release</strong> of oletools is to use <a href="https://pip.pypa.io/en/stable/installing/">pip</a>:</p>
+<ul>
+<li>On Linux/Mac: <code>sudo -H pip install -U oletools</code></li>
+<li>On Windows: <code>pip install -U oletools</code></li>
+</ul>
+<p>This should automatically create command-line scripts to run each tool from any directory: <code>olevba</code>, <code>mraptor</code>, <code>rtfobj</code>, etc.</p>
+<p>To get the <strong>latest development version</strong> instead:</p>
+<ul>
+<li>On Linux/Mac: <code>sudo -H pip install -U https://github.com/decalage2/oletools/archive/master.zip</code></li>
+<li>On Windows: <code>pip install -U https://github.com/decalage2/oletools/archive/master.zip</code></li>
+</ul>
+<p>See the <a href="https://github.com/decalage2/oletools/wiki/Install">documentation</a> for other installation options.</p>
 <h2 id="documentation">Documentation:</h2>
 <p>The latest version of the documentation can be found <a href="https://github.com/decalage2/oletools/wiki">online</a>, otherwise a copy is provided in the doc subfolder of the package.</p>
 <h2 id="how-to-suggest-improvements-report-issues-or-contribute">How to Suggest Improvements, Report Issues or Contribute:</h2>
@@ -75,7 +75,7 @@
 <p>The code is available in <a href="https://github.com/decalage2/oletools">a GitHub repository</a>. You may use it to submit enhancements using forks and pull requests.</p>
 <h2 id="license">License</h2>
 <p>This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files published with their own license.</p>
-<p>The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec (http://www.decalage.info)</p>
+<p>The python-oletools package is copyright (c) 2012-2017 Philippe Lagadec (http://www.decalage.info)</p>
 <p>All rights reserved.</p>
 <p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:</p>
 <ul>
@@ -26,7 +26,29 @@ Software.
 News
 ----
  
--  **2016-11-01 v0.50**: all oletools now support python 2 and 3.
+-  **2017-06-29 v0.51**:
+
+   -  added the `oletools
+      cheatsheet <https://github.com/decalage2/oletools/blob/master/cheatsheet/oletools_cheatsheet.pdf>`__
+   -  improved
+      `rtfobj <https://github.com/decalage2/oletools/wiki/rtfobj>`__ to
+      handle malformed RTF files, detect vulnerability CVE-2017-0199
+   -  olevba: improved deobfuscation and Mac files support
+   -  `mraptor <https://github.com/decalage2/oletools/wiki/mraptor>`__:
+      added more ActiveX macro triggers
+   -  added
+      `DocVarDump.vba <https://github.com/decalage2/oletools/blob/master/oletools/DocVarDump.vba>`__
+      to dump document variables using Word
+   -  olemap: can now detect and extract `extra data at end of
+      file <http://decalage.info/en/ole_extradata>`__, improved display
+   -  oledir, olemeta, oletimes: added support for zip files and
+      wildcards
+   -  many
+      `bugfixes <https://github.com/decalage2/oletools/milestone/3?closed=1>`__
+      in all the tools
+   -  improved Python 2+3 support
+
+-  2016-11-01 v0.50: all oletools now support python 2 and 3.
  
    -  olevba: several bugfixes and improvements.
    -  mraptor: improved detection, added mraptor\_milter for
@@ -44,92 +66,13 @@ News
    `rtfobj <https://github.com/decalage2/oletools/wiki/rtfobj>`__:
    improved parsing to handle obfuscated RTF documents, added -d option
    to set output dir. Moved repository and documentation to GitHub.
--  2016-04-19 v0.46:
-   `olevba <https://github.com/decalage2/oletools/wiki/olevba>`__ does
-   not deobfuscate VBA expressions by default (much faster), new option
-   --deobf to enable it. Fixed color display bug on Windows for several
-   tools.
--  2016-04-12 v0.45: improved
-   `rtfobj <https://github.com/decalage2/oletools/wiki/rtfobj>`__ to
-   handle several `anti-analysis
-   tricks <http://www.decalage.info/rtf_tricks>`__, improved
-   `olevba <https://github.com/decalage2/oletools/wiki/olevba>`__ to
-   export results in JSON format.
--  2016-03-11 v0.44: improved
-   `olevba <https://github.com/decalage2/oletools/wiki/olevba>`__ to
-   extract and analyse strings from VBA Forms.
--  2016-03-04 v0.43: added new tool
-   `MacroRaptor <https://github.com/decalage2/oletools/wiki/mraptor>`__
-   (mraptor) to detect malicious macros, bugfix and slight improvements
-   in `olevba <https://github.com/decalage2/oletools/wiki/olevba>`__.
--  2016-02-07 v0.42: added two new tools oledir and olemap, better
-   handling of malformed files and several bugfixes in
-   `olevba <https://github.com/decalage2/oletools/wiki/olevba>`__,
-   improved display for
-   `olemeta <https://github.com/decalage2/oletools/wiki/olemeta>`__.
--  2015-09-22 v0.41: added new --reveal option to
-   `olevba <https://github.com/decalage2/oletools/wiki/olevba>`__, to
-   show the macro code with VBA strings deobfuscated.
--  2015-09-17 v0.40: Improved macro deobfuscation in
-   `olevba <https://github.com/decalage2/oletools/wiki/olevba>`__, to
-   decode Hex and Base64 within VBA expressions. Display printable
-   deobfuscated strings by default. Improved the VBA\_Parser API.
-   Improved performance. Fixed `issue
-   #23 <https://github.com/decalage2/oletools/issues/23>`__ with
-   sys.stderr.
--  2015-06-19 v0.12:
-   `olevba <https://github.com/decalage2/oletools/wiki/olevba>`__ can
-   now deobfuscate VBA expressions with any combination of Chr, Asc,
-   Val, StrReverse, Environ, +, &, using a VBA parser built with
-   `pyparsing <http://pyparsing.wikispaces.com>`__. New options to
-   display only the analysis results or only the macros source code. The
-   analysis is now done on all the VBA modules at once.
--  2015-05-29 v0.11: Improved parsing of MHTML and ActiveMime/MSO files
-   in `olevba <https://github.com/decalage2/oletools/wiki/olevba>`__,
-   added several suspicious keywords to VBA scanner (thanks to @ozhermit
-   and Davy Douhine for the suggestions)
--  2015-05-06 v0.10:
-   `olevba <https://github.com/decalage2/oletools/wiki/olevba>`__ now
-   supports Word MHTML files with macros, aka "Single File Web Page"
-   (.mht) - see `issue
-   #10 <https://github.com/decalage2/oletools/issues/10>`__ for more
-   info
--  2015-03-23 v0.09:
-   `olevba <https://github.com/decalage2/oletools/wiki/olevba>`__ now
-   supports Word 2003 XML files, added anti-sandboxing/VM detection
--  2015-02-08 v0.08:
-   `olevba <https://github.com/decalage2/oletools/wiki/olevba>`__ can
-   now decode strings obfuscated with Hex/StrReverse/Base64/Dridex and
-   extract IOCs. Added new triage mode, support for non-western
-   codepages with olefile 0.42, improved API and display, several
-   bugfixes.
--  2015-01-05 v0.07: improved
-   `olevba <https://github.com/decalage2/oletools/wiki/olevba>`__ to
-   detect suspicious keywords and IOCs in VBA macros, can now scan
-   several files and open password-protected zip archives, added a
-   Python API, upgraded OleFileIO\_PL to olefile v0.41
--  2014-08-28 v0.06: added
-   `olevba <https://github.com/decalage2/oletools/wiki/olevba>`__, a new
-   tool to extract VBA Macro source code from MS Office documents
-   (97-2003 and 2007+). Improved
-   `documentation <https://github.com/decalage2/oletools/wiki>`__
--  2013-07-24 v0.05: added new tools
-   `olemeta <https://github.com/decalage2/oletools/wiki/olemeta>`__ and
-   `oletimes <https://github.com/decalage2/oletools/wiki/oletimes>`__
--  2013-04-18 v0.04: fixed bug in rtfobj, added documentation for
-   `rtfobj <https://github.com/decalage2/oletools/wiki/rtfobj>`__
--  2012-11-09 v0.03: Improved
-   `pyxswf <https://github.com/decalage2/oletools/wiki/pyxswf>`__ to
-   extract Flash objects from RTF
--  2012-10-29 v0.02: Added
-   `oleid <https://github.com/decalage2/oletools/wiki/oleid>`__
--  2012-10-09 v0.01: Initial version of
-   `olebrowse <https://github.com/decalage2/oletools/wiki/olebrowse>`__
-   and pyxswf
--  see changelog in source code for more info.
-
-Tools in python-oletools:
--------------------------
+
+See the `full
+changelog <https://github.com/decalage2/oletools/wiki/Changelog>`__ for
+more information.
+
+Tools:
+------
  
 -  `olebrowse <https://github.com/decalage2/oletools/wiki/olebrowse>`__:
    A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint
@@ -168,41 +111,43 @@ Projects using oletools:
 oletools are used by a number of projects and online malware analysis
 services, including `Viper <http://viper.li/>`__,
 `REMnux <https://remnux.org/>`__,
+`FAME <https://certsocietegenerale.github.io/fame/>`__,
 `Hybrid-analysis.com <https://www.hybrid-analysis.com/>`__, `Joe
 Sandbox <https://www.document-analyzer.net/>`__,
 `Deepviz <https://sandbox.deepviz.com/>`__, `Laika
 BOSS <https://github.com/lmco/laikaboss>`__, `Cuckoo
 Sandbox <https://github.com/cuckoosandbox/cuckoo>`__,
 `Anlyz.io <https://sandbox.anlyz.io/>`__,
-`pcodedmp <https://github.com/bontchev/pcodedmp>`__ and probably
-`VirusTotal <https://www.virustotal.com>`__. (Please `contact
+`ViperMonkey <https://github.com/decalage2/ViperMonkey>`__,
+`pcodedmp <https://github.com/bontchev/pcodedmp>`__,
+`dridex.malwareconfig.com <https://dridex.malwareconfig.com>`__, and
+probably `VirusTotal <https://www.virustotal.com>`__. (Please `contact
 me <(http://decalage.info/contact)>`__ if you have or know a project
 using oletools)
  
 Download and Install:
 ---------------------
  
-To use python-oletools from the command line as analysis tools, you may
-simply `download the latest release
-archive <https://github.com/decalage2/oletools/releases>`__ and extract
-the files into the directory of your choice.
+The recommended way to download and install/update the **latest stable
+release** of oletools is to use
+`pip <https://pip.pypa.io/en/stable/installing/>`__:
+
+-  On Linux/Mac: ``sudo -H pip install -U oletools``
+-  On Windows: ``pip install -U oletools``
  
-You may also download the `latest development
-version <https://github.com/decalage2/oletools/archive/master.zip>`__
-with the most recent features.
+This should automatically create command-line scripts to run each tool
+from any directory: ``olevba``, ``mraptor``, ``rtfobj``, etc.
  
-Another possibility is to use a git client to clone the repository
-(https://github.com/decalage2/oletools.git) into a folder. You can then
-update it easily in the future.
+To get the **latest development version** instead:
  
-If you plan to use python-oletools with other Python applications or
-your own scripts, then the simplest solution is to use "**pip install
-oletools**\ " or "**easy\_install oletools**\ " to download and install
-in one go. Otherwise you may download/extract the zip archive and run
-"**setup.py install**\ ".
+-  On Linux/Mac:
+   ``sudo -H pip install -U https://github.com/decalage2/oletools/archive/master.zip``
+-  On Windows:
+   ``pip install -U https://github.com/decalage2/oletools/archive/master.zip``
  
-**Important: to update oletools** if it is already installed, you must
-run **"pip install -U oletools"**, otherwise pip will not update it.
+See the
+`documentation <https://github.com/decalage2/oletools/wiki/Install>`__
+for other installation options.
  
 Documentation:
 --------------
@@ -235,7 +180,7 @@ This license applies to the python-oletools package, apart from the
 thirdparty folder which contains third-party files published with their
 own license.
  
-The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec
+The python-oletools package is copyright (c) 2012-2017 Philippe Lagadec
 (http://www.decalage.info)
  
 All rights reserved.
@@ -8,9 +8,9 @@
   <style type="text/css">code{white-space: pre;}</style>
 </head>
 <body>
-<h1 id="python-oletools-v0.50-documentation">python-oletools v0.50 documentation</h1>
+<h1 id="python-oletools-v0.51-documentation">python-oletools v0.51 documentation</h1>
 <p>This is the home page of the documentation for python-oletools. The latest version can be found <a href="https://github.com/decalage2/oletools/wiki">online</a>, otherwise a copy is provided in the doc subfolder of the package.</p>
-<p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools">http://www.decalage.info/python/oletools</a> for more info.</p>
+<p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools" class="uri">http://www.decalage.info/python/oletools</a> for more info.</p>
 <p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://github.com/decalage2/oletools/wiki/Install">Download/Install</a> - <a href="https://github.com/decalage2/oletools/wiki">Documentation</a> - <a href="https://github.com/decalage2/oletools/issues">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the Author</a> - <a href="https://github.com/decalage2/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
 <p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p>
 <h2 id="tools-in-python-oletools">Tools in python-oletools:</h2>
-python-oletools v0.50 documentation
+python-oletools v0.51 documentation
 ===================================
  
 This is the home page of the documentation for python-oletools. The latest version can be found 
@@ -10,7 +10,7 @@
 <body>
 <h1 id="license-for-python-oletools">License for python-oletools</h1>
 <p>This license applies to the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package, apart from the thirdparty folder which contains third-party files published with their own license.</p>
-<p>The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec (<a href="http://www.decalage.info">http://www.decalage.info</a>)</p>
+<p>The python-oletools package is copyright (c) 2012-2017 Philippe Lagadec (<a href="http://www.decalage.info" class="uri">http://www.decalage.info</a>)</p>
 <p>All rights reserved.</p>
 <p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:</p>
 <ul>
@@ -21,7 +21,7 @@
 <table>
 <tbody>
 <tr class="odd">
-<td align="left">License for officeparser</td>
+<td>License for officeparser</td>
 </tr>
 </tbody>
 </table>
@@ -4,7 +4,7 @@ License for python-oletools
 This license applies to the [python-oletools](http://www.decalage.info/python/oletools) package, apart from the 
 thirdparty folder which contains third-party files published with their own license.
  
-The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info))
+The python-oletools package is copyright (c) 2012-2017 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info))
  
 All rights reserved.
  
@@ -49,6 +49,7 @@ An exit code is returned based on the analysis result:
 <p><strong>Important</strong>: on Linux/MacOSX, always add double quotes around a file name when you use wildcards such as <code>*</code> and <code>?</code>. Otherwise, the shell may replace the argument with the actual list of files matching the wildcards before starting the script.</p>
 <div class="figure">
 <img src="mraptor1.png" />
+
 </div>
 <h2 id="python-3-support---mraptor3">Python 3 support - mraptor3</h2>
 <p>As of v0.50, mraptor has been ported to Python 3 thanks to <span class="citation">@sebdraven</span>. However, the differences between Python 2 and 3 are significant and for now there is a separate version of mraptor named mraptor3 to be used with Python 3.</p>
@@ -24,14 +24,17 @@
 <p>Main menu, showing all streams in the OLE file:</p>
 <div class="figure">
 <img src="olebrowse1_menu.png" />
+
 </div>
 <p>Menu with actions for a stream:</p>
 <div class="figure">
 <img src="olebrowse2_stream.png" />
+
 </div>
 <p>Hex view for a stream:</p>
 <div class="figure">
 <img src="olebrowse3_hexview.png" />
+
 </div>
 <hr />
 <h2 id="python-oletools-documentation">python-oletools documentation</h2>
@@ -19,6 +19,7 @@
 <pre class="text"><code>oledir.py file.doc</code></pre>
 <div class="figure">
 <img src="oledir.png" />
+
 </div>
 <hr />
 <h2 id="how-to-use-oledir-in-python-applications">How to use oledir in Python applications</h2>
@@ -7,23 +7,41 @@
   <title></title>
   <style type="text/css">code{white-space: pre;}</style>
   <style type="text/css">
+div.sourceCode { overflow-x: auto; }
 table.sourceCode, tr.sourceCode, td.lineNumbers, td.sourceCode {
   margin: 0; padding: 0; vertical-align: baseline; border: none; }
 table.sourceCode { width: 100%; line-height: 100%; }
 td.lineNumbers { text-align: right; padding-right: 4px; padding-left: 4px; color: #aaaaaa; border-right: 1px solid #aaaaaa; }
 td.sourceCode { padding-left: 5px; }
-code > span.kw { color: #007020; font-weight: bold; }
-code > span.dt { color: #902000; }
-code > span.dv { color: #40a070; }
-code > span.bn { color: #40a070; }
-code > span.fl { color: #40a070; }
-code > span.ch { color: #4070a0; }
-code > span.st { color: #4070a0; }
-code > span.co { color: #60a0b0; font-style: italic; }
-code > span.ot { color: #007020; }
-code > span.al { color: #ff0000; font-weight: bold; }
-code > span.fu { color: #06287e; }
-code > span.er { color: #ff0000; font-weight: bold; }
+code > span.kw { color: #007020; font-weight: bold; } /* Keyword */
+code > span.dt { color: #902000; } /* DataType */
+code > span.dv { color: #40a070; } /* DecVal */
+code > span.bn { color: #40a070; } /* BaseN */
+code > span.fl { color: #40a070; } /* Float */
+code > span.ch { color: #4070a0; } /* Char */
+code > span.st { color: #4070a0; } /* String */
+code > span.co { color: #60a0b0; font-style: italic; } /* Comment */
+code > span.ot { color: #007020; } /* Other */
+code > span.al { color: #ff0000; font-weight: bold; } /* Alert */
+code > span.fu { color: #06287e; } /* Function */
+code > span.er { color: #ff0000; font-weight: bold; } /* Error */
+code > span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
+code > span.cn { color: #880000; } /* Constant */
+code > span.sc { color: #4070a0; } /* SpecialChar */
+code > span.vs { color: #4070a0; } /* VerbatimString */
+code > span.ss { color: #bb6688; } /* SpecialString */
+code > span.im { } /* Import */
+code > span.va { color: #19177c; } /* Variable */
+code > span.cf { color: #007020; font-weight: bold; } /* ControlFlow */
+code > span.op { color: #666666; } /* Operator */
+code > span.bu { } /* BuiltIn */
+code > span.ex { } /* Extension */
+code > span.pp { color: #bc7a00; } /* Preprocessor */
+code > span.at { color: #7d9029; } /* Attribute */
+code > span.do { color: #ba2121; font-style: italic; } /* Documentation */
+code > span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
+code > span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
+code > span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */
   </style>
 </head>
 <body>
@@ -76,9 +94,9 @@ Filename: word_flash_vba.doc
 +-------------------------------+-----------------------+</code></pre>
 <h2 id="how-to-use-oleid-in-your-python-applications">How to use oleid in your Python applications</h2>
 <p>First, import oletools.oleid, and create an <strong>OleID</strong> object to scan a file:</p>
-<pre class="sourceCode python"><code class="sourceCode python"><span class="ch">import</span> oletools.oleid
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python"><span class="im">import</span> oletools.oleid
  
-oid = oletools.oleid.OleID(filename)</code></pre>
+oid <span class="op">=</span> oletools.oleid.OleID(filename)</code></pre></div>
 <p>Note: filename can be a filename, a file-like object, or a bytes string containing the file to be analyzed.</p>
 <p>Second, call the <strong>check()</strong> method. It returns a list of <strong>Indicator</strong> objects.</p>
 <p>Each Indicator object has the following attributes:</p>
@@ -90,11 +108,11 @@ oid = oletools.oleid.OleID(filename)&lt;/code&gt;&lt;/pre&gt;
 <li><strong>value</strong>: value of the indicator</li>
 </ul>
 <p>For example, the following code displays all the indicators:</p>
-<pre class="sourceCode python"><code class="sourceCode python">indicators = oid.check()
-<span class="kw">for</span> i in indicators:
-    <span class="dt">print</span> <span class="st">&#39;Indicator id=</span><span class="ot">%s</span><span class="st"> name=&quot;</span><span class="ot">%s</span><span class="st">&quot; type=</span><span class="ot">%s</span><span class="st"> value=</span><span class="ot">%s</span><span class="st">&#39;</span> % (i.<span class="dt">id</span>, i.name, i.<span class="dt">type</span>, <span class="dt">repr</span>(i.value))
-    <span class="dt">print</span> <span class="st">&#39;description:&#39;</span>, i.description
-    <span class="dt">print</span> <span class="st">&#39;&#39;</span></code></pre>
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python">indicators <span class="op">=</span> oid.check()
+<span class="cf">for</span> i <span class="kw">in</span> indicators:
+    <span class="bu">print</span> <span class="st">&#39;Indicator id=</span><span class="sc">%s</span><span class="st"> name=&quot;</span><span class="sc">%s</span><span class="st">&quot; type=</span><span class="sc">%s</span><span class="st"> value=</span><span class="sc">%s</span><span class="st">&#39;</span> <span class="op">%</span> (i.<span class="bu">id</span>, i.name, i.<span class="bu">type</span>, <span class="bu">repr</span>(i.value))
+    <span class="bu">print</span> <span class="st">&#39;description:&#39;</span>, i.description
+    <span class="bu">print</span> <span class="st">&#39;&#39;</span></code></pre></div>
 <p>See the source code of oleid.py for more details.</p>
 <hr />
 <h2 id="python-oletools-documentation">python-oletools documentation</h2>
@@ -19,9 +19,11 @@
 <pre class="text"><code>olemap.py file.doc</code></pre>
 <div class="figure">
 <img src="olemap1.png" />
+
 </div>
 <div class="figure">
 <img src="olemap2.png" />
+
 </div>
 <hr />
 <h2 id="how-to-use-olemap-in-python-applications">How to use olemap in Python applications</h2>
@@ -16,6 +16,7 @@
 <h3 id="example">Example</h3>
 <div class="figure">
 <img src="olemeta1.png" />
+
 </div>
 <h2 id="how-to-use-olemeta-in-python-applications">How to use olemeta in Python applications</h2>
 <p>TODO</p>
@@ -7,23 +7,41 @@
   <title></title>
   <style type="text/css">code{white-space: pre;}</style>
   <style type="text/css">
+div.sourceCode { overflow-x: auto; }
 table.sourceCode, tr.sourceCode, td.lineNumbers, td.sourceCode {
   margin: 0; padding: 0; vertical-align: baseline; border: none; }
 table.sourceCode { width: 100%; line-height: 100%; }
 td.lineNumbers { text-align: right; padding-right: 4px; padding-left: 4px; color: #aaaaaa; border-right: 1px solid #aaaaaa; }
 td.sourceCode { padding-left: 5px; }
-code > span.kw { color: #007020; font-weight: bold; }
-code > span.dt { color: #902000; }
-code > span.dv { color: #40a070; }
-code > span.bn { color: #40a070; }
-code > span.fl { color: #40a070; }
-code > span.ch { color: #4070a0; }
-code > span.st { color: #4070a0; }
-code > span.co { color: #60a0b0; font-style: italic; }
-code > span.ot { color: #007020; }
-code > span.al { color: #ff0000; font-weight: bold; }
-code > span.fu { color: #06287e; }
-code > span.er { color: #ff0000; font-weight: bold; }
+code > span.kw { color: #007020; font-weight: bold; } /* Keyword */
+code > span.dt { color: #902000; } /* DataType */
+code > span.dv { color: #40a070; } /* DecVal */
+code > span.bn { color: #40a070; } /* BaseN */
+code > span.fl { color: #40a070; } /* Float */
+code > span.ch { color: #4070a0; } /* Char */
+code > span.st { color: #4070a0; } /* String */
+code > span.co { color: #60a0b0; font-style: italic; } /* Comment */
+code > span.ot { color: #007020; } /* Other */
+code > span.al { color: #ff0000; font-weight: bold; } /* Alert */
+code > span.fu { color: #06287e; } /* Function */
+code > span.er { color: #ff0000; font-weight: bold; } /* Error */
+code > span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
+code > span.cn { color: #880000; } /* Constant */
+code > span.sc { color: #4070a0; } /* SpecialChar */
+code > span.vs { color: #4070a0; } /* VerbatimString */
+code > span.ss { color: #bb6688; } /* SpecialString */
+code > span.im { } /* Import */
+code > span.va { color: #19177c; } /* Variable */
+code > span.cf { color: #007020; font-weight: bold; } /* ControlFlow */
+code > span.op { color: #666666; } /* Operator */
+code > span.bu { } /* BuiltIn */
+code > span.ex { } /* Extension */
+code > span.pp { color: #bc7a00; } /* Preprocessor */
+code > span.at { color: #7d9029; } /* Attribute */
+code > span.do { color: #ba2121; font-style: italic; } /* Documentation */
+code > span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
+code > span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
+code > span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */
   </style>
 </head>
 <body>
@@ -219,22 +237,22 @@ OLE:MA----- \MalwareZoo\VBA\samples\Word within Word macro auto.doc&lt;/code&gt;&lt;/pre&gt;
 <p>IMPORTANT: olevba is currently under active development, therefore this API is likely to change.</p>
 <h3 id="import-olevba">Import olevba</h3>
 <p>First, import the <strong>oletools.olevba</strong> package, using at least the VBA_Parser and VBA_Scanner classes:</p>
-<pre class="sourceCode python"><code class="sourceCode python"><span class="ch">from</span> oletools.olevba <span class="ch">import</span> VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML</code></pre>
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python"><span class="im">from</span> oletools.olevba <span class="im">import</span> VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML</code></pre></div>
 <h3 id="parse-a-ms-office-file---vba_parser">Parse a MS Office file - VBA_Parser</h3>
 <p>To parse a file on disk, create an instance of the <strong>VBA_Parser</strong> class, providing the name of the file to open as parameter. For example:</p>
-<pre class="sourceCode python"><code class="sourceCode python">vbaparser = VBA_Parser(<span class="st">&#39;my_file_with_macros.doc&#39;</span>)</code></pre>
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python">vbaparser <span class="op">=</span> VBA_Parser(<span class="st">&#39;my_file_with_macros.doc&#39;</span>)</code></pre></div>
 <p>The file may also be provided as a bytes string containing its data. In that case, the actual filename must be provided for reference, and the file content with the data parameter. For example:</p>
-<pre class="sourceCode python"><code class="sourceCode python">myfile = <span class="st">&#39;my_file_with_macros.doc&#39;</span>
-filedata = <span class="dt">open</span>(myfile, <span class="st">&#39;rb&#39;</span>).read()
-vbaparser = VBA_Parser(myfile, data=filedata)</code></pre>
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python">myfile <span class="op">=</span> <span class="st">&#39;my_file_with_macros.doc&#39;</span>
+filedata <span class="op">=</span> <span class="bu">open</span>(myfile, <span class="st">&#39;rb&#39;</span>).read()
+vbaparser <span class="op">=</span> VBA_Parser(myfile, data<span class="op">=</span>filedata)</code></pre></div>
 <p>VBA_Parser will raise an exception if the file is not a supported format, such as OLE (MS Office 97-2003), OpenXML (MS Office 2007+), MHTML or Word 2003 XML.</p>
 <p>After parsing the file, the attribute <strong>VBA_Parser.type</strong> is a string indicating the file type. It can be either TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML or TYPE_MHTML. (constants defined in the olevba module)</p>
 <h3 id="detect-vba-macros">Detect VBA macros</h3>
 <p>The method <strong>detect_vba_macros</strong> of a VBA_Parser object returns True if VBA macros have been found in the file, False otherwise.</p>
-<pre class="sourceCode python"><code class="sourceCode python"><span class="kw">if</span> vbaparser.detect_vba_macros():
-    <span class="dt">print</span> <span class="st">&#39;VBA Macros found&#39;</span>
-<span class="kw">else</span>:
-    <span class="dt">print</span> <span class="st">&#39;No VBA Macros found&#39;</span></code></pre>
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python"><span class="cf">if</span> vbaparser.detect_vba_macros():
+    <span class="bu">print</span> <span class="st">&#39;VBA Macros found&#39;</span>
+<span class="cf">else</span>:
+    <span class="bu">print</span> <span class="st">&#39;No VBA Macros found&#39;</span></code></pre></div>
 <p>Note: The detection algorithm looks for streams and storage with specific names in the OLE structure, which works fine for all the supported formats listed above. However, for some formats such as PowerPoint 97-2003, this method will always return False because VBA Macros are stored in a different way which is not yet supported by olevba.</p>
 <p>Moreover, if the file contains an embedded document (e.g. an Excel workbook inserted into a Word document), this method may return True if the embedded document contains VBA Macros, even if the main document does not.</p>
 <h3 id="extract-vba-macro-source-code">Extract VBA Macro Source Code</h3>
@@ -246,13 +264,13 @@ vbaparser = VBA_Parser(myfile, data=filedata)&lt;/code&gt;&lt;/pre&gt;
 <li>vba_code: string containing the VBA source code in clear text</li>
 </ul>
 <p>Example:</p>
-<pre class="sourceCode python"><code class="sourceCode python"><span class="kw">for</span> (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
-    <span class="dt">print</span> <span class="st">&#39;-&#39;</span>*<span class="dv">79</span>
-    <span class="dt">print</span> <span class="st">&#39;Filename    :&#39;</span>, filename
-    <span class="dt">print</span> <span class="st">&#39;OLE stream  :&#39;</span>, stream_path
-    <span class="dt">print</span> <span class="st">&#39;VBA filename:&#39;</span>, vba_filename
-    <span class="dt">print</span> <span class="st">&#39;- &#39;</span>*<span class="dv">39</span>
-    <span class="dt">print</span> vba_code</code></pre>
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python"><span class="cf">for</span> (filename, stream_path, vba_filename, vba_code) <span class="kw">in</span> vbaparser.extract_macros():
+    <span class="bu">print</span> <span class="st">&#39;-&#39;</span><span class="op">*</span><span class="dv">79</span>
+    <span class="bu">print</span> <span class="st">&#39;Filename    :&#39;</span>, filename
+    <span class="bu">print</span> <span class="st">&#39;OLE stream  :&#39;</span>, stream_path
+    <span class="bu">print</span> <span class="st">&#39;VBA filename:&#39;</span>, vba_filename
+    <span class="bu">print</span> <span class="st">&#39;- &#39;</span><span class="op">*</span><span class="dv">39</span>
+    <span class="bu">print</span> vba_code</code></pre></div>
 <p>Alternatively, the VBA_Parser method <strong>extract_all_macros</strong> returns the same results as a list of tuples.</p>
 <h3 id="analyze-vba-source-code">Analyze VBA Source Code</h3>
 <p>Since version 0.40, the VBA_Parser class provides simpler methods than VBA_Scanner to analyze all macros contained in a file:</p>
@@ -265,24 +283,24 @@ vbaparser = VBA_Parser(myfile, data=filedata)&lt;/code&gt;&lt;/pre&gt;
 <li>description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.</li>
 </ul>
 <p>Example:</p>
-<pre class="sourceCode python"><code class="sourceCode python">results = vbaparser.analyze_macros()
-<span class="kw">for</span> kw_type, keyword, description in results:
-    <span class="dt">print</span> <span class="st">&#39;type=</span><span class="ot">%s</span><span class="st"> - keyword=</span><span class="ot">%s</span><span class="st"> - description=</span><span class="ot">%s</span><span class="st">&#39;</span> % (kw_type, keyword, description)</code></pre>
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python">results <span class="op">=</span> vbaparser.analyze_macros()
+<span class="cf">for</span> kw_type, keyword, description <span class="kw">in</span> results:
+    <span class="bu">print</span> <span class="st">&#39;type=</span><span class="sc">%s</span><span class="st"> - keyword=</span><span class="sc">%s</span><span class="st"> - description=</span><span class="sc">%s</span><span class="st">&#39;</span> <span class="op">%</span> (kw_type, keyword, description)</code></pre></div>
 <p>After calling analyze_macros, the following VBA_Parser attributes also provide the number of items found for each category:</p>
-<pre class="sourceCode python"><code class="sourceCode python"><span class="dt">print</span> <span class="st">&#39;AutoExec keywords: </span><span class="ot">%d</span><span class="st">&#39;</span> % vbaparser.nb_autoexec
-<span class="dt">print</span> <span class="st">&#39;Suspicious keywords: </span><span class="ot">%d</span><span class="st">&#39;</span> % vbaparser.nb_suspicious
-<span class="dt">print</span> <span class="st">&#39;IOCs: </span><span class="ot">%d</span><span class="st">&#39;</span> % vbaparser.nb_iocs
-<span class="dt">print</span> <span class="st">&#39;Hex obfuscated strings: </span><span class="ot">%d</span><span class="st">&#39;</span> % vbaparser.nb_hexstrings
-<span class="dt">print</span> <span class="st">&#39;Base64 obfuscated strings: </span><span class="ot">%d</span><span class="st">&#39;</span> % vbaparser.nb_base64strings
-<span class="dt">print</span> <span class="st">&#39;Dridex obfuscated strings: </span><span class="ot">%d</span><span class="st">&#39;</span> % vbaparser.nb_dridexstrings
-<span class="dt">print</span> <span class="st">&#39;VBA obfuscated strings: </span><span class="ot">%d</span><span class="st">&#39;</span> % vbaparser.nb_vbastrings</code></pre>
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python"><span class="bu">print</span> <span class="st">&#39;AutoExec keywords: </span><span class="sc">%d</span><span class="st">&#39;</span> <span class="op">%</span> vbaparser.nb_autoexec
+<span class="bu">print</span> <span class="st">&#39;Suspicious keywords: </span><span class="sc">%d</span><span class="st">&#39;</span> <span class="op">%</span> vbaparser.nb_suspicious
+<span class="bu">print</span> <span class="st">&#39;IOCs: </span><span class="sc">%d</span><span class="st">&#39;</span> <span class="op">%</span> vbaparser.nb_iocs
+<span class="bu">print</span> <span class="st">&#39;Hex obfuscated strings: </span><span class="sc">%d</span><span class="st">&#39;</span> <span class="op">%</span> vbaparser.nb_hexstrings
+<span class="bu">print</span> <span class="st">&#39;Base64 obfuscated strings: </span><span class="sc">%d</span><span class="st">&#39;</span> <span class="op">%</span> vbaparser.nb_base64strings
+<span class="bu">print</span> <span class="st">&#39;Dridex obfuscated strings: </span><span class="sc">%d</span><span class="st">&#39;</span> <span class="op">%</span> vbaparser.nb_dridexstrings
+<span class="bu">print</span> <span class="st">&#39;VBA obfuscated strings: </span><span class="sc">%d</span><span class="st">&#39;</span> <span class="op">%</span> vbaparser.nb_vbastrings</code></pre></div>
 <h3 id="deobfuscate-vba-macro-source-code">Deobfuscate VBA Macro Source Code</h3>
 <p>The method <strong>reveal</strong> attempts to deobfuscate the macro source code by replacing all the obfuscated strings by their decoded content. Returns a single string.</p>
 <p>Example:</p>
-<pre class="sourceCode python"><code class="sourceCode python"><span class="dt">print</span> vbaparser.reveal()</code></pre>
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python"><span class="bu">print</span> vbaparser.reveal()</code></pre></div>
 <h3 id="close-the-vba_parser">Close the VBA_Parser</h3>
 <p>After usage, it is better to call the <strong>close</strong> method of the VBA_Parser object, to make sure the file is closed, especially if your application is parsing many files.</p>
-<pre class="sourceCode python"><code class="sourceCode python">vbaparser.close()</code></pre>
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python">vbaparser.close()</code></pre></div>
 <hr />
 <h2 id="deprecated-api">Deprecated API</h2>
 <p>The following methods and functions are still functional, but their usage is not recommended since they have been replaced by better solutions.</p>
@@ -297,54 +315,54 @@ vbaparser = VBA_Parser(myfile, data=filedata)&lt;/code&gt;&lt;/pre&gt;
 <li>description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.</li>
 </ul>
 <p>Example:</p>
-<pre class="sourceCode python"><code class="sourceCode python">vba_scanner = VBA_Scanner(vba_code)
-results = vba_scanner.scan(include_decoded_strings=<span class="ot">True</span>)
-<span class="kw">for</span> kw_type, keyword, description in results:
-    <span class="dt">print</span> <span class="st">&#39;type=</span><span class="ot">%s</span><span class="st"> - keyword=</span><span class="ot">%s</span><span class="st"> - description=</span><span class="ot">%s</span><span class="st">&#39;</span> % (kw_type, keyword, description)</code></pre>
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python">vba_scanner <span class="op">=</span> VBA_Scanner(vba_code)
+results <span class="op">=</span> vba_scanner.scan(include_decoded_strings<span class="op">=</span><span class="va">True</span>)
+<span class="cf">for</span> kw_type, keyword, description <span class="kw">in</span> results:
+    <span class="bu">print</span> <span class="st">&#39;type=</span><span class="sc">%s</span><span class="st"> - keyword=</span><span class="sc">%s</span><span class="st"> - description=</span><span class="sc">%s</span><span class="st">&#39;</span> <span class="op">%</span> (kw_type, keyword, description)</code></pre></div>
 <p>The function <strong>scan_vba</strong> is a shortcut for VBA_Scanner(vba_code).scan():</p>
-<pre class="sourceCode python"><code class="sourceCode python">results = scan_vba(vba_code, include_decoded_strings=<span class="ot">True</span>)
-<span class="kw">for</span> kw_type, keyword, description in results:
-    <span class="dt">print</span> <span class="st">&#39;type=</span><span class="ot">%s</span><span class="st"> - keyword=</span><span class="ot">%s</span><span class="st"> - description=</span><span class="ot">%s</span><span class="st">&#39;</span> % (kw_type, keyword, description)</code></pre>
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python">results <span class="op">=</span> scan_vba(vba_code, include_decoded_strings<span class="op">=</span><span class="va">True</span>)
+<span class="cf">for</span> kw_type, keyword, description <span class="kw">in</span> results:
+    <span class="bu">print</span> <span class="st">&#39;type=</span><span class="sc">%s</span><span class="st"> - keyword=</span><span class="sc">%s</span><span class="st"> - description=</span><span class="sc">%s</span><span class="st">&#39;</span> <span class="op">%</span> (kw_type, keyword, description)</code></pre></div>
 <p><strong>scan_summary</strong> returns a tuple with the number of items found for each category: (autoexec, suspicious, IOCs, hex, base64, dridex).</p>
 <h3 id="detect-auto-executable-macros-deprecated">Detect auto-executable macros (deprecated)</h3>
 <p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p>
 <p>The function <strong>detect_autoexec</strong> checks if VBA macro code contains specific macro names that will be triggered when the document/workbook is opened, closed, changed, etc.</p>
 <p>It returns a list of tuples containing two strings, the detected keyword, and the description of the trigger. (See the malware example above)</p>
 <p>Sample usage:</p>
-<pre class="sourceCode python"><code class="sourceCode python"><span class="ch">from</span> oletools.olevba <span class="ch">import</span> detect_autoexec
-autoexec_keywords = detect_autoexec(vba_code)
-<span class="kw">if</span> autoexec_keywords:
-    <span class="dt">print</span> <span class="st">&#39;Auto-executable macro keywords found:&#39;</span>
-    <span class="kw">for</span> keyword, description in autoexec_keywords:
-        <span class="dt">print</span> <span class="st">&#39;</span><span class="ot">%s</span><span class="st">: </span><span class="ot">%s</span><span class="st">&#39;</span> % (keyword, description)
-<span class="kw">else</span>:
-    <span class="dt">print</span> <span class="st">&#39;Auto-executable macro keywords: None found&#39;</span></code></pre>
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python"><span class="im">from</span> oletools.olevba <span class="im">import</span> detect_autoexec
+autoexec_keywords <span class="op">=</span> detect_autoexec(vba_code)
+<span class="cf">if</span> autoexec_keywords:
+    <span class="bu">print</span> <span class="st">&#39;Auto-executable macro keywords found:&#39;</span>
+    <span class="cf">for</span> keyword, description <span class="kw">in</span> autoexec_keywords:
+        <span class="bu">print</span> <span class="st">&#39;</span><span class="sc">%s</span><span class="st">: </span><span class="sc">%s</span><span class="st">&#39;</span> <span class="op">%</span> (keyword, description)
+<span class="cf">else</span>:
+    <span class="bu">print</span> <span class="st">&#39;Auto-executable macro keywords: None found&#39;</span></code></pre></div>
 <h3 id="detect-suspicious-vba-keywords-deprecated">Detect suspicious VBA keywords (deprecated)</h3>
 <p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p>
 <p>The function <strong>detect_suspicious</strong> checks if VBA macro code contains specific keywords often used by malware to act on the system (create files, run commands or applications, write to the registry, etc).</p>
 <p>It returns a list of tuples containing two strings, the detected keyword, and the description of the corresponding malicious behaviour. (See the malware example above)</p>
 <p>Sample usage:</p>
-<pre class="sourceCode python"><code class="sourceCode python"><span class="ch">from</span> oletools.olevba <span class="ch">import</span> detect_suspicious
-suspicious_keywords = detect_suspicious(vba_code)
-<span class="kw">if</span> suspicious_keywords:
-    <span class="dt">print</span> <span class="st">&#39;Suspicious VBA keywords found:&#39;</span>
-    <span class="kw">for</span> keyword, description in suspicious_keywords:
-        <span class="dt">print</span> <span class="st">&#39;</span><span class="ot">%s</span><span class="st">: </span><span class="ot">%s</span><span class="st">&#39;</span> % (keyword, description)
-<span class="kw">else</span>:
-    <span class="dt">print</span> <span class="st">&#39;Suspicious VBA keywords: None found&#39;</span></code></pre>
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python"><span class="im">from</span> oletools.olevba <span class="im">import</span> detect_suspicious
+suspicious_keywords <span class="op">=</span> detect_suspicious(vba_code)
+<span class="cf">if</span> suspicious_keywords:
+    <span class="bu">print</span> <span class="st">&#39;Suspicious VBA keywords found:&#39;</span>
+    <span class="cf">for</span> keyword, description <span class="kw">in</span> suspicious_keywords:
+        <span class="bu">print</span> <span class="st">&#39;</span><span class="sc">%s</span><span class="st">: </span><span class="sc">%s</span><span class="st">&#39;</span> <span class="op">%</span> (keyword, description)
+<span class="cf">else</span>:
+    <span class="bu">print</span> <span class="st">&#39;Suspicious VBA keywords: None found&#39;</span></code></pre></div>
 <h3 id="extract-potential-iocs-deprecated">Extract potential IOCs (deprecated)</h3>
 <p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p>
 <p>The function <strong>detect_patterns</strong> checks if VBA macro code contains specific patterns of interest, that may be useful for malware analysis and detection (potential Indicators of Compromise): IP addresses, e-mail addresses, URLs, executable file names.</p>
 <p>It returns a list of tuples containing two strings, the pattern type, and the extracted value. (See the malware example above)</p>
 <p>Sample usage:</p>
-<pre class="sourceCode python"><code class="sourceCode python"><span class="ch">from</span> oletools.olevba <span class="ch">import</span> detect_patterns
-patterns = detect_patterns(vba_code)
-<span class="kw">if</span> patterns:
-    <span class="dt">print</span> <span class="st">&#39;Patterns found:&#39;</span>
-    <span class="kw">for</span> pattern_type, value in patterns:
-        <span class="dt">print</span> <span class="st">&#39;</span><span class="ot">%s</span><span class="st">: </span><span class="ot">%s</span><span class="st">&#39;</span> % (pattern_type, value)
-<span class="kw">else</span>:
-    <span class="dt">print</span> <span class="st">&#39;Patterns: None found&#39;</span></code></pre>
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python"><span class="im">from</span> oletools.olevba <span class="im">import</span> detect_patterns
+patterns <span class="op">=</span> detect_patterns(vba_code)
+<span class="cf">if</span> patterns:
+    <span class="bu">print</span> <span class="st">&#39;Patterns found:&#39;</span>
+    <span class="cf">for</span> pattern_type, value <span class="kw">in</span> patterns:
+        <span class="bu">print</span> <span class="st">&#39;</span><span class="sc">%s</span><span class="st">: </span><span class="sc">%s</span><span class="st">&#39;</span> <span class="op">%</span> (pattern_type, value)
+<span class="cf">else</span>:
+    <span class="bu">print</span> <span class="st">&#39;Patterns: None found&#39;</span></code></pre></div>
 <hr />
 <h2 id="python-oletools-documentation">python-oletools documentation</h2>
 <ul>
@@ -7,23 +7,41 @@
   <title></title>
   <style type="text/css">code{white-space: pre;}</style>
   <style type="text/css">
+div.sourceCode { overflow-x: auto; }
 table.sourceCode, tr.sourceCode, td.lineNumbers, td.sourceCode {
   margin: 0; padding: 0; vertical-align: baseline; border: none; }
 table.sourceCode { width: 100%; line-height: 100%; }
 td.lineNumbers { text-align: right; padding-right: 4px; padding-left: 4px; color: #aaaaaa; border-right: 1px solid #aaaaaa; }
 td.sourceCode { padding-left: 5px; }
-code > span.kw { color: #007020; font-weight: bold; }
-code > span.dt { color: #902000; }
-code > span.dv { color: #40a070; }
-code > span.bn { color: #40a070; }
-code > span.fl { color: #40a070; }
-code > span.ch { color: #4070a0; }
-code > span.st { color: #4070a0; }
-code > span.co { color: #60a0b0; font-style: italic; }
-code > span.ot { color: #007020; }
-code > span.al { color: #ff0000; font-weight: bold; }
-code > span.fu { color: #06287e; }
-code > span.er { color: #ff0000; font-weight: bold; }
+code > span.kw { color: #007020; font-weight: bold; } /* Keyword */
+code > span.dt { color: #902000; } /* DataType */
+code > span.dv { color: #40a070; } /* DecVal */
+code > span.bn { color: #40a070; } /* BaseN */
+code > span.fl { color: #40a070; } /* Float */
+code > span.ch { color: #4070a0; } /* Char */
+code > span.st { color: #4070a0; } /* String */
+code > span.co { color: #60a0b0; font-style: italic; } /* Comment */
+code > span.ot { color: #007020; } /* Other */
+code > span.al { color: #ff0000; font-weight: bold; } /* Alert */
+code > span.fu { color: #06287e; } /* Function */
+code > span.er { color: #ff0000; font-weight: bold; } /* Error */
+code > span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
+code > span.cn { color: #880000; } /* Constant */
+code > span.sc { color: #4070a0; } /* SpecialChar */
+code > span.vs { color: #4070a0; } /* VerbatimString */
+code > span.ss { color: #bb6688; } /* SpecialString */
+code > span.im { } /* Import */
+code > span.va { color: #19177c; } /* Variable */
+code > span.cf { color: #007020; font-weight: bold; } /* ControlFlow */
+code > span.op { color: #666666; } /* Operator */
+code > span.bu { } /* BuiltIn */
+code > span.ex { } /* Extension */
+code > span.pp { color: #bc7a00; } /* Preprocessor */
+code > span.at { color: #7d9029; } /* Attribute */
+code > span.do { color: #ba2121; font-style: italic; } /* Documentation */
+code > span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
+code > span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
+code > span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */
   </style>
 </head>
 <body>
@@ -57,6 +75,7 @@ Options:
 <p>When an OLE Package object contains an executable file or script, it is highlighted as such. For example:</p>
 <div class="figure">
 <img src="rtfobj1.png" />
+
 </div>
 <p>To extract an object or file, use the option -s followed by the object number as shown in the table.</p>
 <p>Example:</p>
@@ -67,9 +86,9 @@ Options:
 <h3 id="deprecated-api-still-functional">Deprecated API (still functional):</h3>
 <p>rtf_iter_objects(filename) is an iterator which yields a tuple (index, orig_len, object) providing the index of each hexadecimal stream in the RTF file, and the corresponding decoded object.</p>
 <p>Example:</p>
-<pre class="sourceCode python"><code class="sourceCode python"><span class="ch">from</span> oletools <span class="ch">import</span> rtfobj
-<span class="kw">for</span> index, orig_len, data in rtfobj.rtf_iter_objects(<span class="st">&quot;myfile.rtf&quot;</span>):
-    <span class="dt">print</span>(<span class="st">&#39;found object size </span><span class="ot">%d</span><span class="st"> at index </span><span class="ot">%08X</span><span class="st">&#39;</span> % (<span class="dt">len</span>(data), index))</code></pre>
+<div class="sourceCode"><pre class="sourceCode python"><code class="sourceCode python"><span class="im">from</span> oletools <span class="im">import</span> rtfobj
+<span class="cf">for</span> index, orig_len, data <span class="kw">in</span> rtfobj.rtf_iter_objects(<span class="st">&quot;myfile.rtf&quot;</span>):
+    <span class="bu">print</span>(<span class="st">&#39;found object size </span><span class="sc">%d</span><span class="st"> at index </span><span class="sc">%08X</span><span class="st">&#39;</span> <span class="op">%</span> (<span class="bu">len</span>(data), index))</code></pre></div>
 <hr />
 <h2 id="python-oletools-documentation">python-oletools documentation</h2>
 <ul>
@@ -16,7 +16,7 @@ Usage in a python application:
  
 ezhexviewer project website: http://www.decalage.info/python/ezhexviewer
  
-ezhexviewer is copyright (c) 2012-2016, Philippe Lagadec (http://www.decalage.info)
+ezhexviewer is copyright (c) 2012-2017, Philippe Lagadec (http://www.decalage.info)
 All rights reserved.
  
 Redistribution and use in source and binary forms, with or without modification,
@@ -46,16 +46,32 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 # 2012-10-04 v0.02 PL: - added license
 # 2016-09-06 v0.50 PL: - added main function for entry points in setup.py
 # 2016-10-26       PL: - fixed to run on Python 2+3
+# 2017-03-23 v0.51 PL: - fixed display of control characters (issue #151)
+# 2017-04-26       PL: - fixed absolute imports (issue #141)
  
-__version__ = '0.50'
+__version__ = '0.51'
  
-#------------------------------------------------------------------------------
+#-----------------------------------------------------------------------------
 # TODO:
 # + options to set title and msg
  
+# === IMPORTS ================================================================
+
+import sys, os
+
+# IMPORTANT: it should be possible to run oletools directly as scripts
+# in any directory without installing them with pip or setup.py.
+# In that case, relative imports are NOT usable.
+# And to enable Python 2+3 compatibility, we need to use absolute imports,
+# so we add the oletools parent folder to sys.path (absolute+normalized path):
+_thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
+# print('_thismodule_dir = %r' % _thismodule_dir)
+_parent_dir = os.path.normpath(os.path.join(_thismodule_dir, '..'))
+# print('_parent_dir = %r' % _thirdparty_dir)
+if not _parent_dir in sys.path:
+    sys.path.insert(0, _parent_dir)
  
-from thirdparty.easygui import easygui
-import sys
+from oletools.thirdparty.easygui import easygui
  
 # === PYTHON 2+3 SUPPORT ======================================================
  
@@ -106,7 +122,7 @@ def bchr(x):
 # PSF license: http://docs.python.org/license.html
 # Copyright (c) 2001-2012 Python Software Foundation; All Rights Reserved
  
-FILTER = b''.join([(len(repr(bchr(x)))<=4 and x != 0x0A) and bchr(x) or b'.' for x in range(256)])
+FILTER = b''.join([(len(repr(bchr(x)))<=4 and x>=0x20) and bchr(x) or b'.' for x in range(256)])
  
 def hexdump3(src, length=8, startindex=0):
     """
@@ -154,4 +170,4 @@ def main():
  
  
 if __name__ == '__main__':
-    main()
 \ No newline at end of file
+    main()
@@ -22,7 +22,7 @@ http://www.decalage.info/python/oletools
  
 # === LICENSE ==================================================================
  
-# MacroRaptor is copyright (c) 2016 Philippe Lagadec (http://www.decalage.info)
+# MacroRaptor is copyright (c) 2016-2017 Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -55,6 +55,7 @@ http://www.decalage.info/python/oletools
 # 2016-09-05       PL: - added Document_BeforeClose keyword for MS Publisher (.pub)
 # 2016-10-25       PL: - fixed print for Python 3
 # 2016-12-21 v0.51 PL: - added more ActiveX macro triggers
+# 2017-03-08       PL: - fixed absolute imports
  
 __version__ = '0.51'
  
@@ -64,12 +65,24 @@ __version__ = &#39;0.51&#39;
  
 #--- IMPORTS ------------------------------------------------------------------
  
-import sys, logging, optparse, re
+import sys, logging, optparse, re, os
  
-from thirdparty.xglob import xglob
-from thirdparty.tablestream import tablestream
+# IMPORTANT: it should be possible to run oletools directly as scripts
+# in any directory without installing them with pip or setup.py.
+# In that case, relative imports are NOT usable.
+# And to enable Python 2+3 compatibility, we need to use absolute imports,
+# so we add the oletools parent folder to sys.path (absolute+normalized path):
+_thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
+# print('_thismodule_dir = %r' % _thismodule_dir)
+_parent_dir = os.path.normpath(os.path.join(_thismodule_dir, '..'))
+# print('_parent_dir = %r' % _thirdparty_dir)
+if not _parent_dir in sys.path:
+    sys.path.insert(0, _parent_dir)
  
-import olevba
+from oletools.thirdparty.xglob import xglob
+from oletools.thirdparty.tablestream import tablestream
+
+from oletools import olevba
  
 # === LOGGING =================================================================
  
@@ -228,7 +241,7 @@ def main():
         'critical': logging.CRITICAL
         }
  
-    usage = 'usage: %prog [options] <filename> [filename2 ...]'
+    usage = 'usage: mraptor [options] <filename> [filename2 ...]'
     parser = optparse.OptionParser(usage=usage)
     parser.add_option("-r", action="store_true", dest="recursive",
                       help='find files recursively in subdirectories.')
@@ -247,6 +260,8 @@ def main():
  
     # Print help if no arguments are passed
     if len(args) == 0:
+        print('MacroRaptor %s - http://decalage.info/python/oletools' % __version__)
+        print('This is work in progress, please report issues at %s' % URL_ISSUES)
         print(__doc__)
         parser.print_help()
         print('\nAn exit code is returned based on the analysis result:')
@@ -11,6 +11,7 @@ Supported formats:
 - PowerPoint 97-2003 (.ppt), PowerPoint 2007+ (.pptm, .ppsm)
 - Word 2003 XML (.xml)
 - Word/Excel Single File Web Page / MHTML (.mht)
+- Publisher (.pub)
  
 Author: Philippe Lagadec - http://www.decalage.info
 License: BSD, see source code or documentation
@@ -21,7 +22,7 @@ http://www.decalage.info/python/oletools
  
 # === LICENSE ==================================================================
  
-# MacroRaptor is copyright (c) 2016 Philippe Lagadec (http://www.decalage.info)
+# MacroRaptor is copyright (c) 2016-2017 Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -52,8 +53,10 @@ http://www.decalage.info/python/oletools
 # 2016-03-08 v0.04 PL: - collapse long lines before analysis
 # 2016-07-19 v0.50 SL: - converted to Python 3
 # 2016-08-26       PL: - changed imports for Python 3
+# 2017-04-26 v0.51 PL: - fixed absolute imports (issue #141)
+# 2017-06-29       PL: - synced with mraptor.py 0.51
  
-__version__ = '0.50py3'
+__version__ = '0.51'
  
 #------------------------------------------------------------------------------
 # TODO:
@@ -61,15 +64,25 @@ __version__ = &#39;0.50py3&#39;
  
 #--- IMPORTS ------------------------------------------------------------------
  
-import sys, logging, optparse, re
+import sys, os, logging, optparse, re
  
-from thirdparty.xglob import xglob
+# IMPORTANT: it should be possible to run oletools directly as scripts
+# in any directory without installing them with pip or setup.py.
+# In that case, relative imports are NOT usable.
+# And to enable Python 2+3 compatibility, we need to use absolute imports,
+# so we add the oletools parent folder to sys.path (absolute+normalized path):
+_thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
+# print('_thismodule_dir = %r' % _thismodule_dir)
+_parent_dir = os.path.normpath(os.path.join(_thismodule_dir, '..'))
+# print('_parent_dir = %r' % _thirdparty_dir)
+if not _parent_dir in sys.path:
+    sys.path.insert(0, _parent_dir)
  
-# import the python 3 version of tablestream:
-from thirdparty.tablestream import tablestream
+from oletools.thirdparty.xglob import xglob
+from oletools.thirdparty.tablestream import tablestream
  
 # import the python 3 version of olevba
-import olevba3 as olevba
+from oletools import olevba3 as olevba
  
 # === LOGGING =================================================================
  
@@ -86,15 +99,24 @@ MSG_ISSUES = &#39;Please report this issue on %s&#39; % URL_ISSUES
  
 # 'AutoExec', 'AutoOpen', 'Auto_Open', 'AutoClose', 'Auto_Close', 'AutoNew', 'AutoExit',
 # 'Document_Open', 'DocumentOpen',
-# 'Document_Close', 'DocumentBeforeClose',
+# 'Document_Close', 'DocumentBeforeClose', 'Document_BeforeClose',
 # 'DocumentChange','Document_New',
 # 'NewDocument'
 # 'Workbook_Open', 'Workbook_Close',
+# *_Painted such as InkPicture1_Painted
+# *_GotFocus|LostFocus|MouseHover for other ActiveX objects
+# reference: http://www.greyhathacker.net/?p=948
  
 # TODO: check if line also contains Sub or Function
 re_autoexec = re.compile(r'(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)' +
-                         r'|Document(?:_?Open|_Close|BeforeClose|Change|_New)' +
-                         r'|NewDocument|Workbook(?:_Open|_Activate|_Close))\b')
+                         r'|Document(?:_?Open|_Close|_?BeforeClose|Change|_New)' +
+                         r'|NewDocument|Workbook(?:_Open|_Activate|_Close)' +
+                         r'|\w+_(?:Painted|Painting|GotFocus|LostFocus|MouseHover' +
+                         r'|Layout|Click|Change|Resize|BeforeNavigate2|BeforeScriptExecute' +
+                         r'|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload' +
+                         r'|NavigateComplete2|NavigateError|ProgressChange|PropertyChange' +
+                         r'|SetSecureLockIcon|StatusTextChange|TitleChange|MouseMove' +
+                         r'|MouseEnter|MouseLeave|))\b')
  
 # MS-VBAL 5.4.5.1 Open Statement:
 RE_OPEN_WRITE = r'(?:\bOpen\b[^\n]+\b(?:Write|Append|Binary|Output|Random)\b)'
@@ -238,6 +260,8 @@ def main():
  
     # Print help if no arguments are passed
     if len(args) == 0:
+        print('MacroRaptor %s - http://decalage.info/python/oletools' % __version__)
+        print('This is work in progress, please report issues at %s' % URL_ISSUES)
         print(__doc__)
         parser.print_help()
         print('\nAn exit code is returned based on the analysis result:')
@@ -24,7 +24,7 @@ http://www.decalage.info/python/oletools
  
 # === LICENSE ==================================================================
  
-# mraptor_milter is copyright (c) 2016 Philippe Lagadec (http://www.decalage.info)
+# mraptor_milter is copyright (c) 2016-2017 Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -53,8 +53,9 @@ http://www.decalage.info/python/oletools
 #                      - archive each e-mail to a file before filtering
 # 2016-08-30 v0.03 PL: - added daemonize to run as a Unix daemon
 # 2016-09-06 v0.50 PL: - fixed issue #20, is_zipfile on Python 2.6
+# 2017-04-26 v0.51 PL: - fixed absolute imports (issue #141)
  
-__version__ = '0.50'
+__version__ = '0.51'
  
 # --- TODO -------------------------------------------------------------------
  
@@ -81,6 +82,18 @@ import StringIO
  
 from socket import AF_INET6
  
+# IMPORTANT: it should be possible to run oletools directly as scripts
+# in any directory without installing them with pip or setup.py.
+# In that case, relative imports are NOT usable.
+# And to enable Python 2+3 compatibility, we need to use absolute imports,
+# so we add the oletools parent folder to sys.path (absolute+normalized path):
+_thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
+# print('_thismodule_dir = %r' % _thismodule_dir)
+_parent_dir = os.path.normpath(os.path.join(_thismodule_dir, '..'))
+# print('_parent_dir = %r' % _thirdparty_dir)
+if not _parent_dir in sys.path:
+    sys.path.insert(0, _parent_dir)
+
 from oletools import olevba, mraptor
  
 from Milter.utils import parse_addr
@@ -137,6 +150,7 @@ log.setLevel(logging.CRITICAL+1)
 # === CLASSES ================================================================
  
 # Inspired from https://github.com/jmehnle/pymilter/blob/master/milter-template.py
+# TODO: check https://github.com/sdgathman/pymilter which looks more recent
  
 class MacroRaptorMilter(Milter.Base):
     '''
+#!/usr/bin/env python
+"""
+msodde.py
+
+msodde is a script to parse MS Office documents
+(e.g. Word, Excel), to detect and extract DDE links.
+
+Supported formats:
+- Word 97-2003 (.doc, .dot), Word 2007+ (.docx, .dotx, .docm, .dotm)
+
+Author: Philippe Lagadec - http://www.decalage.info
+License: BSD, see source code or documentation
+
+msodde is part of the python-oletools package:
+http://www.decalage.info/python/oletools
+"""
+
+# === LICENSE ==================================================================
+
+# msodde is copyright (c) 2017 Philippe Lagadec (http://www.decalage.info)
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+#  * Redistributions of source code must retain the above copyright notice, this
+#    list of conditions and the following disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice,
+#    this list of conditions and the following disclaimer in the documentation
+#    and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+from __future__ import print_function
+
+#------------------------------------------------------------------------------
+# CHANGELOG:
+# 2017-10-18 v0.52 PL: - first version
+# 2017-10-20       PL: - fixed issue #202 (handling empty xml tags)
+# 2017-10-23       ES: - add check for fldSimple codes
+# 2017-10-24       ES: - group tags and track begin/end tags to keep DDE strings together
+# 2017-10-25       CH: - add json output
+# 2017-10-25       CH: - parse doc
+#                  PL: - added logging
+
+__version__ = '0.52dev4'
+
+#------------------------------------------------------------------------------
+# TODO: field codes can be in headers/footers/comments - parse these
+# TODO: add xlsx support
+
+#------------------------------------------------------------------------------
+# REFERENCES:
+
+
+#--- IMPORTS ------------------------------------------------------------------
+
+# import lxml or ElementTree for XML parsing:
+try:
+    # lxml: best performance for XML processing
+    import lxml.etree as ET
+except ImportError:
+    import xml.etree.cElementTree as ET
+
+import argparse
+import zipfile
+import os
+import sys
+import json
+import logging
+
+# little hack to allow absolute imports even if oletools is not installed
+# Copied from olevba.py
+_thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
+_parent_dir = os.path.normpath(os.path.join(_thismodule_dir, '..'))
+if not _parent_dir in sys.path:
+    sys.path.insert(0, _parent_dir)
+
+from oletools.thirdparty import olefile
+
+# === PYTHON 2+3 SUPPORT ======================================================
+
+if sys.version_info[0] >= 3:
+    unichr = chr
+
+# === CONSTANTS ==============================================================
+
+
+NS_WORD = 'http://schemas.openxmlformats.org/wordprocessingml/2006/main'
+NO_QUOTES = False
+# XML tag for 'w:instrText'
+TAG_W_INSTRTEXT = '{%s}instrText' % NS_WORD
+TAG_W_FLDSIMPLE = '{%s}fldSimple' % NS_WORD
+TAG_W_FLDCHAR = '{%s}fldChar' % NS_WORD
+TAG_W_P = "{%s}p" % NS_WORD
+TAG_W_R = "{%s}r" % NS_WORD
+ATTR_W_INSTR = '{%s}instr' % NS_WORD
+ATTR_W_FLDCHARTYPE = '{%s}fldCharType' % NS_WORD
+LOCATIONS = ['word/document.xml','word/endnotes.xml','word/footnotes.xml','word/header1.xml','word/footer1.xml','word/header2.xml','word/footer2.xml','word/comments.xml']
+
+# banner to be printed at program start
+BANNER = """msodde %s - http://decalage.info/python/oletools
+THIS IS WORK IN PROGRESS - Check updates regularly!
+Please report any issue at https://github.com/decalage2/oletools/issues
+""" % __version__
+
+BANNER_JSON = dict(type='meta', version=__version__, name='msodde',
+                   link='http://decalage.info/python/oletools',
+                   message='THIS IS WORK IN PROGRESS - Check updates regularly! '
+                           'Please report any issue at '
+                           'https://github.com/decalage2/oletools/issues')
+
+# === LOGGING =================================================================
+
+DEFAULT_LOG_LEVEL = "warning"  # Default log level
+LOG_LEVELS = {
+    'debug': logging.DEBUG,
+    'info': logging.INFO,
+    'warning': logging.WARNING,
+    'error': logging.ERROR,
+    'critical': logging.CRITICAL
+}
+
+class NullHandler(logging.Handler):
+    """
+    Log Handler without output, to avoid printing messages if logging is not
+    configured by the main application.
+    Python 2.7 has logging.NullHandler, but this is necessary for 2.6:
+    see https://docs.python.org/2.6/library/logging.html#configuring-logging-for-a-library
+    """
+    def emit(self, record):
+        pass
+
+def get_logger(name, level=logging.CRITICAL+1):
+    """
+    Create a suitable logger object for this module.
+    The goal is not to change settings of the root logger, to avoid getting
+    other modules' logs on the screen.
+    If a logger exists with same name, reuse it. (Else it would have duplicate
+    handlers and messages would be doubled.)
+    The level is set to CRITICAL+1 by default, to avoid any logging.
+    """
+    # First, test if there is already a logger with the same name, else it
+    # will generate duplicate messages (due to duplicate handlers):
+    if name in logging.Logger.manager.loggerDict:
+        #NOTE: another less intrusive but more "hackish" solution would be to
+        # use getLogger then test if its effective level is not default.
+        logger = logging.getLogger(name)
+        # make sure level is OK:
+        logger.setLevel(level)
+        return logger
+    # get a new logger:
+    logger = logging.getLogger(name)
+    # only add a NullHandler for this logger, it is up to the application
+    # to configure its own logging:
+    logger.addHandler(NullHandler())
+    logger.setLevel(level)
+    return logger
+
+# a global logger object used for debugging:
+log = get_logger('msodde')
+
+
+# === UNICODE IN PY2 =========================================================
+
+def ensure_stdout_handles_unicode():
+    """ Ensure stdout can handle unicode by wrapping it if necessary
+
+    Required e.g. if output of this script is piped or redirected in a linux
+    shell, since then sys.stdout.encoding is ascii and cannot handle
+    print(unicode). In that case we need to find some compatible encoding and
+    wrap sys.stdout into a encoder following (many thanks!)
+    https://stackoverflow.com/a/1819009 or https://stackoverflow.com/a/20447935
+
+    Can be undone by setting sys.stdout = sys.__stdout__
+    """
+    import codecs
+    import locale
+
+    # do not re-wrap
+    if isinstance(sys.stdout, codecs.StreamWriter):
+        return
+
+    # try to find encoding for sys.stdout
+    encoding = None
+    try:
+        encoding = sys.stdout.encoding  # variable encoding might not exist
+    except Exception:
+        pass
+
+    if encoding not in (None, '', 'ascii'):
+        return   # no need to wrap
+
+    # try to find an encoding that can handle unicode
+    try:
+        encoding = locale.getpreferredencoding()
+    except Exception:
+        pass
+
+    # fallback if still no encoding available
+    if encoding in (None, '', 'ascii'):
+        encoding = 'utf8'
+
+    # logging is probably not initialized yet, but just in case
+    log.debug('wrapping sys.stdout with encoder using {0}'.format(encoding))
+
+    wrapper = codecs.getwriter(encoding)
+    sys.stdout = wrapper(sys.stdout)
+
+
+ensure_stdout_handles_unicode()   # e.g. for print(text) in main()
+
+
+# === ARGUMENT PARSING =======================================================
+
+class ArgParserWithBanner(argparse.ArgumentParser):
+    """ Print banner before showing any error """
+    def error(self, message):
+        print(BANNER)
+        super(ArgParserWithBanner, self).error(message)
+
+
+def existing_file(filename):
+    """ called by argument parser to see whether given file exists """
+    if not os.path.exists(filename):
+        raise argparse.ArgumentTypeError('File {0} does not exist.'
+                                         .format(filename))
+    return filename
+
+
+def process_args(cmd_line_args=None):
+    """ parse command line arguments (given ones or per default sys.argv) """
+    parser = ArgParserWithBanner(description='A python tool to detect and extract DDE links in MS Office files')
+    parser.add_argument("filepath", help="path of the file to be analyzed",
+                        type=existing_file, metavar='FILE')
+    parser.add_argument("--json", '-j', action='store_true',
+                        help="Output in json format. Do not use with -ldebug")
+    parser.add_argument("--nounquote", help="don't unquote values",action='store_true')
+    parser.add_argument('-l', '--loglevel', dest="loglevel", action="store", default=DEFAULT_LOG_LEVEL,
+                        help="logging level debug/info/warning/error/critical (default=%(default)s)")
+
+    return parser.parse_args(cmd_line_args)
+
+
+# === FUNCTIONS ==============================================================
+
+# from [MS-DOC], section 2.8.25 (PlcFld):
+# A field consists of two parts: field instructions and, optionally, a result. All fields MUST begin with
+# Unicode character 0x0013 with sprmCFSpec applied with a value of 1. This is the field begin
+# character. All fields MUST end with a Unicode character 0x0015 with sprmCFSpec applied with a value
+# of 1. This is the field end character. If the field has a result, then there MUST be a Unicode character
+# 0x0014 with sprmCFSpec applied with a value of 1 somewhere between the field begin character and
+# the field end character. This is the field separator. The field result is the content between the field
+# separator and the field end character. The field instructions are the content between the field begin
+# character and the field separator, if one is present, or between the field begin character and the field
+# end character if no separator is present. The field begin character, field end character, and field
+# separator are collectively referred to as field characters.
+
+
+def process_ole_field(data):
+    """ check if field instructions start with DDE
+
+    expects unicode input, returns unicode output (empty if not dde) """
+    #log.debug('processing field \'{0}\''.format(data))
+
+    if data.lstrip().lower().startswith(u'dde'):
+        #log.debug('--> is DDE!')
+        return data
+    elif data.lstrip().lower().startswith(u'\x00d\x00d\x00e\x00'):
+        return data
+    else:
+        return u''
+
+
+OLE_FIELD_START = 0x13
+OLE_FIELD_SEP = 0x14
+OLE_FIELD_END = 0x15
+OLE_FIELD_MAX_SIZE = 1000   # max field size to analyze, rest is ignored
+
+
+def process_ole_stream(stream):
+    """ find dde links in single ole stream
+
+    since ole file stream are subclasses of io.BytesIO, they are buffered, so
+    reading char-wise is not that bad performanc-wise """
+
+    have_start = False
+    have_sep = False
+    field_contents = None
+    result_parts = []
+    max_size_exceeded = False
+    idx = -1
+    while True:
+        idx += 1
+        char = stream.read(1)    # loop over every single byte
+        if len(char) == 0:
+            break
+        else:
+            char = ord(char)
+
+        if char == OLE_FIELD_START:
+            have_start = True
+            have_sep = False
+            max_size_exceeded = False
+            field_contents = u''
+            continue
+        elif not have_start:
+            continue
+
+        # now we are after start char but not at end yet
+        if char == OLE_FIELD_SEP:
+            have_sep = True
+        elif char == OLE_FIELD_END:
+            # have complete field now, process it
+            result_parts.append(process_ole_field(field_contents))
+
+            # re-set variables for next field
+            have_start = False
+            have_sep = False
+            field_contents = None
+        elif not have_sep:
+            # check that array does not get too long by accident
+            if max_size_exceeded:
+                pass
+            elif len(field_contents) > OLE_FIELD_MAX_SIZE:
+                log.debug('field exceeds max size of {0}. Ignore rest'
+                          .format(OLE_FIELD_MAX_SIZE))
+                max_size_exceeded = True
+
+            # appending a raw byte to a unicode string here. Not clean but
+            # all we do later is check for the ascii-sequence 'DDE' later...
+            elif char < 128:
+                field_contents += unichr(char)
+            else:
+                field_contents += u'?'
+    log.debug('Checked {0} characters, found {1} fields'
+              .format(idx, len(result_parts)))
+
+    return result_parts
+
+
+def process_ole_storage(ole):
+    """ process a "directory" inside an ole file; recursive """
+    results = []
+    for st in ole.listdir(streams=True, storages=True):
+        st_type = ole.get_type(st)
+        if st_type == olefile.STGTY_STREAM:      # a stream
+            stream = None
+            links = []
+            try:
+                stream = ole.openstream(st)
+                log.debug('Checking stream {0}'.format(st))
+                links = process_ole_stream(stream)
+            except Exception:
+                raise
+            finally:
+                if stream:
+                    stream.close()
+            if links:
+                results.extend(links)
+        elif st_type == olefile.STGTY_STORAGE:   # a storage
+            log.debug('Checking storage {0}'.format(st))
+            links = process_ole_storage(st)
+            if links:
+                results.extend(links)
+        else:
+            log.info('unexpected type {0} for entry {1}. Ignore it'
+                     .format(st_type, st))
+            continue
+    return results
+
+
+def process_ole(filepath):
+    """
+    find dde links in ole file
+
+    like process_xml, returns a concatenated unicode string of dde links or
+    empty if none were found. dde-links will still being with the dde[auto] key
+    word (possibly after some whitespace)
+    """
+    log.debug('process_ole')
+    ole = olefile.OleFileIO(filepath, path_encoding=None)
+    text_parts = process_ole_storage(ole)
+
+    # mimic behaviour of process_openxml: combine links to single text string
+    return u'\n'.join(text_parts)
+
+
+def process_openxml(filepath):
+    log.debug('process_openxml')
+    all_fields = []
+    z = zipfile.ZipFile(filepath)
+    for filepath in z.namelist():
+        if filepath in LOCATIONS:
+            data = z.read(filepath)
+            fields = process_xml(data)
+            if len(fields) > 0:
+                #print ('DDE Links in %s:'%filepath)
+                #for f in fields:
+                #    print(f)
+                all_fields.extend(fields)
+    z.close()
+    return u'\n'.join(all_fields)
+    
+def process_xml(data):
+    # parse the XML data:
+    root = ET.fromstring(data)
+    fields = []
+    ddetext = u''
+    level = 0
+    # find all the tags 'w:p':
+    # parse each for begin and end tags, to group DDE strings
+    # fldChar can be in either a w:r element, floating alone in the w:p or spread accross w:p tags
+    # escape DDE if quoted etc
+    # (each is a chunk of a DDE link)
+
+    for subs in root.iter(TAG_W_P):
+        elem = None
+        for e in subs:
+            #check if w:r and if it is parse children elements to pull out the first FLDCHAR or INSTRTEXT
+            if e.tag == TAG_W_R:
+                for child in e:
+                    if child.tag == TAG_W_FLDCHAR or child.tag == TAG_W_INSTRTEXT:
+                        elem = child
+                        break
+            else:
+                elem = e
+            #this should be an error condition
+            if elem is None:
+                continue
+    
+            #check if FLDCHARTYPE and whether "begin" or "end" tag
+            if elem.attrib.get(ATTR_W_FLDCHARTYPE) is not None:
+                if elem.attrib[ATTR_W_FLDCHARTYPE] == "begin":
+                    level += 1    
+                if elem.attrib[ATTR_W_FLDCHARTYPE] == "end":
+                    level -= 1
+                    if level == 0 or level == -1 : # edge-case where level becomes -1
+                        fields.append(ddetext)
+                        ddetext = u''
+                        level = 0 # reset edge-case
+        
+            # concatenate the text of the field, if present:
+            if elem.tag == TAG_W_INSTRTEXT and elem.text is not None:
+                #expand field code if QUOTED
+                ddetext += unquote(elem.text)
+
+    for elem in root.iter(TAG_W_FLDSIMPLE):
+        # concatenate the attribute of the field, if present:
+        if elem.attrib is not None:
+            fields.append(elem.attrib[ATTR_W_INSTR])
+ 
+    return fields
+
+def unquote(field): 
+    if "QUOTE" not in field or NO_QUOTES:
+        return field
+    #split into components
+    parts = field.strip().split(" ")
+    ddestr = ""
+    for p in parts[1:]:
+        try: 
+             ch = chr(int(p))
+        except ValueError:
+            ch = p
+        ddestr += ch 
+    return ddestr
+
+
+def process_file(filepath):
+    """ decides to either call process_openxml or process_ole """
+    if olefile.isOleFile(filepath):
+        return process_ole(filepath)
+    else:
+        return process_openxml(filepath)
+
+
+#=== MAIN =================================================================
+
+def main(cmd_line_args=None):
+    """ Main function, called if this file is called as a script
+
+    Optional argument: command line arguments to be forwarded to ArgumentParser
+    in process_args. Per default (cmd_line_args=None), sys.argv is used. Option
+    mainly added for unit-testing
+    """
+    args = process_args(cmd_line_args)
+
+    # Setup logging to the console:
+    # here we use stdout instead of stderr by default, so that the output
+    # can be redirected properly.
+    logging.basicConfig(level=LOG_LEVELS[args.loglevel], stream=sys.stdout,
+                        format='%(levelname)-8s %(message)s')
+    # enable logging in the modules:
+    log.setLevel(logging.NOTSET)
+
+    if args.json and args.loglevel.lower() == 'debug':
+        log.warning('Debug log output will not be json-compatible!')
+
+    if args.nounquote :
+        global NO_QUOTES
+        NO_QUOTES = True
+        
+    if args.json:
+        jout = []
+        jout.append(BANNER_JSON)
+    else:
+        # print banner with version
+        print(BANNER)
+
+    if not args.json:
+        print('Opening file: %s' % args.filepath)
+
+    text = ''
+    return_code = 1
+    try:
+        text = process_file(args.filepath)
+        return_code = 0
+    except Exception as exc:
+        if args.json:
+            jout.append(dict(type='error', error=type(exc).__name__,
+                             message=str(exc)))  # strange: str(exc) is enclosed in ""
+        else:
+            raise
+
+    if args.json:
+        for line in text.splitlines():
+            if line.strip():
+                jout.append(dict(type='dde-link', link=line.strip()))
+        json.dump(jout, sys.stdout, check_circular=False, indent=4)
+        print()   # add a newline after closing "]"
+        return return_code  # required if we catch an exception in json-mode
+    else:
+        print ('DDE Links:')
+        print(text)
+
+    return return_code
+
+
+if __name__ == '__main__':
+    sys.exit(main())
@@ -12,7 +12,7 @@ olebrowse project website: http://www.decalage.info/python/olebrowse
 olebrowse is part of the python-oletools package:
 http://www.decalage.info/python/oletools
  
-olebrowse is copyright (c) 2012-2015, Philippe Lagadec (http://www.decalage.info)
+olebrowse is copyright (c) 2012-2017, Philippe Lagadec (http://www.decalage.info)
 All rights reserved.
  
 Redistribution and use in source and binary forms, with or without modification,
@@ -36,12 +36,13 @@ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 """
  
-__version__ = '0.02'
-
 #------------------------------------------------------------------------------
 # CHANGELOG:
 # 2012-09-17 v0.01 PL: - first version
 # 2014-11-29 v0.02 PL: - use olefile instead of OleFileIO_PL
+# 2017-04-26 v0.51 PL: - fixed absolute imports (issue #141)
+
+__version__ = '0.51'
  
 #------------------------------------------------------------------------------
 # TODO:
@@ -51,10 +52,25 @@ __version__ = &#39;0.02&#39;
 # - for a stream, display info: size, path, etc
 # - stream info: magic, entropy, ... ?
  
+# === IMPORTS ================================================================
+
 import optparse, sys, os
-from thirdparty.easygui import easygui
-import thirdparty.olefile as olefile
-import ezhexviewer
+
+# IMPORTANT: it should be possible to run oletools directly as scripts
+# in any directory without installing them with pip or setup.py.
+# In that case, relative imports are NOT usable.
+# And to enable Python 2+3 compatibility, we need to use absolute imports,
+# so we add the oletools parent folder to sys.path (absolute+normalized path):
+_thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
+# print('_thismodule_dir = %r' % _thismodule_dir)
+_parent_dir = os.path.normpath(os.path.join(_thismodule_dir, '..'))
+# print('_parent_dir = %r' % _thirdparty_dir)
+if not _parent_dir in sys.path:
+    sys.path.insert(0, _parent_dir)
+
+from oletools.thirdparty.easygui import easygui
+from oletools.thirdparty import olefile
+from oletools import ezhexviewer
  
 ABOUT = '~ About olebrowse'
 QUIT  = '~ Quit'
@@ -2,7 +2,7 @@
 """
 oledir.py
  
-oledir parses OLE files to display technical information about its directory
+oledir parses OLE files to display technical information about their directory
 entries, including deleted/orphan streams/storages and unused entries.
  
 Author: Philippe Lagadec - http://www.decalage.info
@@ -14,7 +14,7 @@ http://www.decalage.info/python/oletools
  
 #=== LICENSE ==================================================================
  
-# oledir is copyright (c) 2015-2016 Philippe Lagadec (http://www.decalage.info)
+# oledir is copyright (c) 2015-2017 Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -37,6 +37,7 @@ http://www.decalage.info/python/oletools
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  
+from __future__ import print_function
  
 #------------------------------------------------------------------------------
 # CHANGELOG:
@@ -45,8 +46,10 @@ http://www.decalage.info/python/oletools
 # 2016-01-13 v0.03 PL: - replaced prettytable by tablestream, added colors
 # 2016-07-20 v0.50 SL: - added Python 3 support
 # 2016-08-09       PL: - fixed issue #77 (imports from thirdparty dir)
+# 2017-03-08 v0.51 PL: - fixed absolute imports, added optparse
+#                      - added support for zip files and wildcards
  
-__version__ = '0.50'
+__version__ = '0.51'
  
 #------------------------------------------------------------------------------
 # TODO:
@@ -55,12 +58,22 @@ __version__ = &#39;0.50&#39;
  
 # === IMPORTS ================================================================
  
-import sys, os
+import sys, os, optparse
  
-# add the thirdparty subfolder to sys.path (absolute+normalized path):
+# IMPORTANT: it should be possible to run oletools directly as scripts
+# in any directory without installing them with pip or setup.py.
+# In that case, relative imports are NOT usable.
+# And to enable Python 2+3 compatibility, we need to use absolute imports,
+# so we add the oletools parent folder to sys.path (absolute+normalized path):
 _thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
 # print('_thismodule_dir = %r' % _thismodule_dir)
-# assumption: the thirdparty dir is a subfolder:
+_parent_dir = os.path.normpath(os.path.join(_thismodule_dir, '..'))
+# print('_parent_dir = %r' % _parent_dir)
+if not _parent_dir in sys.path:
+    sys.path.insert(0, _parent_dir)
+
+# we also need the thirdparty dir for colorclass
+# TODO: remove colorclass from thirdparty, make it a dependency
 _thirdparty_dir = os.path.normpath(os.path.join(_thismodule_dir, 'thirdparty'))
 # print('_thirdparty_dir = %r' % _thirdparty_dir)
 if not _thirdparty_dir in sys.path:
@@ -72,12 +85,15 @@ import colorclass
 if os.name == 'nt':
     colorclass.Windows.enable(auto_colors=True)
  
-import olefile
-from tablestream import tablestream
+from oletools.thirdparty import olefile
+from oletools.thirdparty.tablestream import tablestream
+from oletools.thirdparty.xglob import xglob
  
  
 # === CONSTANTS ==============================================================
  
+BANNER = 'oledir %s - http://decalage.info/python/oletools' % __version__
+
 STORAGE_NAMES = {
     olefile.STGTY_EMPTY:     'Empty',
     olefile.STGTY_STORAGE:   'Storage',
@@ -115,72 +131,104 @@ def sid_display(sid):
 # === MAIN ===================================================================
  
 def main():
+    usage = 'usage: oledir [options] <filename> [filename2 ...]'
+    parser = optparse.OptionParser(usage=usage)
+    parser.add_option("-r", action="store_true", dest="recursive",
+                      help='find files recursively in subdirectories.')
+    parser.add_option("-z", "--zip", dest='zip_password', type='str', default=None,
+                      help='if the file is a zip archive, open all files from it, using the provided password (requires Python 2.6+)')
+    parser.add_option("-f", "--zipfname", dest='zip_fname', type='str', default='*',
+                      help='if the file is a zip archive, file(s) to be opened within the zip. Wildcards * and ? are supported. (default:*)')
+    # parser.add_option('-l', '--loglevel', dest="loglevel", action="store", default=DEFAULT_LOG_LEVEL,
+    #                         help="logging level debug/info/warning/error/critical (default=%default)")
+
+    # TODO: add logfile option
+
+    (options, args) = parser.parse_args()
+
+    # Print help if no arguments are passed
+    if len(args) == 0:
+        print(BANNER)
+        print(__doc__)
+        parser.print_help()
+        sys.exit()
+
     # print banner with version
-    print('oledir %s - http://decalage.info/python/oletools' % __version__)
+    print(BANNER)
  
     if os.name == 'nt':
         colorclass.Windows.enable(auto_colors=True, reset_atexit=True)
  
-    fname = sys.argv[1]
-    print('OLE directory entries in file %s:' % fname)
-    ole = olefile.OleFileIO(fname)
-    # ole.dumpdirectory()
-
-    # t = prettytable.PrettyTable(('id', 'Status', 'Type', 'Name', 'Left', 'Right', 'Child', '1st Sect', 'Size'))
-    # t.align = 'l'
-    # t.max_width['id'] = 4
-    # t.max_width['Status'] = 6
-    # t.max_width['Type'] = 10
-    # t.max_width['Name'] = 10
-    # t.max_width['Left'] = 5
-    # t.max_width['Right'] = 5
-    # t.max_width['Child'] = 5
-    # t.max_width['1st Sect'] = 8
-    # t.max_width['Size'] = 6
-
-    table = tablestream.TableStream(column_width=[4, 6, 7, 22, 5, 5, 5, 8, 6],
-        header_row=('id', 'Status', 'Type', 'Name', 'Left', 'Right', 'Child', '1st Sect', 'Size'),
-        style=tablestream.TableStyleSlim)
-
-    # TODO: read ALL the actual directory entries from the directory stream, because olefile does not!
-    # TODO: OR fix olefile!
-    # TODO: olefile should store or give access to the raw direntry data on demand
-    # TODO: oledir option to hexdump the raw direntries
-    # TODO: olefile should be less picky about incorrect directory structures
-
-    for id in range(len(ole.direntries)):
-        d = ole.direntries[id]
-        if d is None:
-            # this direntry is not part of the tree: either unused or an orphan
-            d = ole._load_direntry(id) #ole.direntries[id]
-            # print('%03d: %s *** ORPHAN ***' % (id, d.name))
-            if d.entry_type == olefile.STGTY_EMPTY:
-                status = 'unused'
-            else:
-                status = 'ORPHAN'
+    for container, filename, data in xglob.iter_files(args, recursive=options.recursive,
+                                                      zip_password=options.zip_password, zip_fname=options.zip_fname):
+        # ignore directory names stored in zip files:
+        if container and filename.endswith('/'):
+            continue
+        full_name = '%s in %s' % (filename, container) if container else filename
+        print('OLE directory entries in file %s:' % full_name)
+        if data is not None:
+            # data extracted from zip file
+            ole = olefile.OleFileIO(data)
         else:
-            # print('%03d: %s' % (id, d.name))
-            status = '<Used>'
-        if d.name.startswith('\x00'):
-            # this may happen with unused entries, the name may be filled with zeroes
-            name = ''
-        else:
-            # handle non-printable chars using repr(), remove quotes:
-            name = repr(d.name)[1:-1]
-        left  = sid_display(d.sid_left)
-        right = sid_display(d.sid_right)
-        child = sid_display(d.sid_child)
-        entry_type = STORAGE_NAMES.get(d.entry_type, 'Unknown')
-        etype_color = STORAGE_COLORS.get(d.entry_type, 'red')
-        status_color = STATUS_COLORS.get(status, 'red')
-
-        # print('      type=%7s sid_left=%s sid_right=%s sid_child=%s'
-        #       %(entry_type, left, right, child))
-        # t.add_row((id, status, entry_type, name, left, right, child, hex(d.isectStart), d.size))
-        table.write_row((id, status, entry_type, name, left, right, child, '%X' % d.isectStart, d.size),
-            colors=(None, status_color, etype_color, None, None, None, None, None, None))
-    ole.close()
-    # print t
+            # normal filename
+            ole = olefile.OleFileIO(filename)
+        # ole.dumpdirectory()
+
+        # t = prettytable.PrettyTable(('id', 'Status', 'Type', 'Name', 'Left', 'Right', 'Child', '1st Sect', 'Size'))
+        # t.align = 'l'
+        # t.max_width['id'] = 4
+        # t.max_width['Status'] = 6
+        # t.max_width['Type'] = 10
+        # t.max_width['Name'] = 10
+        # t.max_width['Left'] = 5
+        # t.max_width['Right'] = 5
+        # t.max_width['Child'] = 5
+        # t.max_width['1st Sect'] = 8
+        # t.max_width['Size'] = 6
+
+        table = tablestream.TableStream(column_width=[4, 6, 7, 22, 5, 5, 5, 8, 6],
+            header_row=('id', 'Status', 'Type', 'Name', 'Left', 'Right', 'Child', '1st Sect', 'Size'),
+            style=tablestream.TableStyleSlim)
+
+        # TODO: read ALL the actual directory entries from the directory stream, because olefile does not!
+        # TODO: OR fix olefile!
+        # TODO: olefile should store or give access to the raw direntry data on demand
+        # TODO: oledir option to hexdump the raw direntries
+        # TODO: olefile should be less picky about incorrect directory structures
+
+        for id in range(len(ole.direntries)):
+            d = ole.direntries[id]
+            if d is None:
+                # this direntry is not part of the tree: either unused or an orphan
+                d = ole._load_direntry(id) #ole.direntries[id]
+                # print('%03d: %s *** ORPHAN ***' % (id, d.name))
+                if d.entry_type == olefile.STGTY_EMPTY:
+                    status = 'unused'
+                else:
+                    status = 'ORPHAN'
+            else:
+                # print('%03d: %s' % (id, d.name))
+                status = '<Used>'
+            if d.name.startswith('\x00'):
+                # this may happen with unused entries, the name may be filled with zeroes
+                name = ''
+            else:
+                # handle non-printable chars using repr(), remove quotes:
+                name = repr(d.name)[1:-1]
+            left  = sid_display(d.sid_left)
+            right = sid_display(d.sid_right)
+            child = sid_display(d.sid_child)
+            entry_type = STORAGE_NAMES.get(d.entry_type, 'Unknown')
+            etype_color = STORAGE_COLORS.get(d.entry_type, 'red')
+            status_color = STATUS_COLORS.get(status, 'red')
+
+            # print('      type=%7s sid_left=%s sid_right=%s sid_child=%s'
+            #       %(entry_type, left, right, child))
+            # t.add_row((id, status, entry_type, name, left, right, child, hex(d.isectStart), d.size))
+            table.write_row((id, status, entry_type, name, left, right, child, '%X' % d.isectStart, d.size),
+                colors=(None, status_color, etype_color, None, None, None, None, None, None))
+        ole.close()
+        # print t
  
  
 if __name__ == '__main__':
@@ -18,7 +18,7 @@ http://www.decalage.info/python/oletools
  
 #=== LICENSE =================================================================
  
-# oleid is copyright (c) 2012-2016, Philippe Lagadec (http://www.decalage.info)
+# oleid is copyright (c) 2012-2017, Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -53,6 +53,7 @@ from __future__ import print_function
 # 2014-11-30 v0.03 PL: - improved output with prettytable
 # 2016-10-25 v0.50 PL: - fixed print and bytes strings for Python 3
 # 2016-12-12 v0.51 PL: - fixed relative imports for Python 3 (issue #115)
+# 2017-04-26       PL: - fixed absolute imports (issue #141)
  
 __version__ = '0.51'
  
@@ -77,19 +78,20 @@ __version__ = &#39;0.51&#39;
  
 import optparse, sys, os, re, zlib, struct
  
-try:
-    # Relative imports (only works when imported from package):
-    from .thirdparty import olefile
-    from .thirdparty.prettytable import prettytable
-except:
-    # if it does not work, fall back to absolute imports:
-    # add this module's folder to sys.path (absolute+normalized path):
-    _thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
-    if not _thismodule_dir in sys.path:
-        sys.path.insert(0, _thismodule_dir)
-    # absolute imports:
-    from thirdparty import olefile
-    from thirdparty.prettytable import prettytable
+# IMPORTANT: it should be possible to run oletools directly as scripts
+# in any directory without installing them with pip or setup.py.
+# In that case, relative imports are NOT usable.
+# And to enable Python 2+3 compatibility, we need to use absolute imports,
+# so we add the oletools parent folder to sys.path (absolute+normalized path):
+_thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
+# print('_thismodule_dir = %r' % _thismodule_dir)
+_parent_dir = os.path.normpath(os.path.join(_thismodule_dir, '..'))
+# print('_parent_dir = %r' % _thirdparty_dir)
+if not _parent_dir in sys.path:
+    sys.path.insert(0, _parent_dir)
+
+from oletools.thirdparty import olefile
+from oletools.thirdparty.prettytable import prettytable
  
  
  
@@ -13,7 +13,7 @@ http://www.decalage.info/python/oletools
  
 #=== LICENSE ==================================================================
  
-# olemap is copyright (c) 2015-2016 Philippe Lagadec (http://www.decalage.info)
+# olemap is copyright (c) 2015-2017 Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -43,25 +43,45 @@ http://www.decalage.info/python/oletools
 # 2016-01-13 v0.02 PL: - improved display with tablestream, added colors
 # 2016-07-20 v0.50 SL: - added Python 3 support
 # 2016-09-05       PL: - added main entry point for setup.py
+# 2017-03-20 v0.51 PL: - fixed absolute imports, added optparse
+#                      - added support for zip files and wildcards
+#                      - improved MiniFAT display with tablestream
+# 2017-03-21       PL: - added header display
+#                      - added options --header, --fat and --minifat
+# 2017-03-22       PL: - added extra data detection, completed header display
+# 2017-03-23       PL: - only display the header by default
+#                      - added option --exdata to display extra data in hex
  
-__version__ = '0.50'
+
+__version__ = '0.51'
  
 #------------------------------------------------------------------------------
 # TODO:
  
 # === IMPORTS ================================================================
  
-import sys
-from thirdparty.olefile import olefile
-from thirdparty.tablestream import tablestream
+import sys, os, optparse, binascii
  
+# IMPORTANT: it should be possible to run oletools directly as scripts
+# in any directory without installing them with pip or setup.py.
+# In that case, relative imports are NOT usable.
+# And to enable Python 2+3 compatibility, we need to use absolute imports,
+# so we add the oletools parent folder to sys.path (absolute+normalized path):
+_thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
+# print('_thismodule_dir = %r' % _thismodule_dir)
+_parent_dir = os.path.normpath(os.path.join(_thismodule_dir, '..'))
+# print('_parent_dir = %r' % _thirdparty_dir)
+if not _parent_dir in sys.path:
+    sys.path.insert(0, _parent_dir)
  
+from oletools.thirdparty.olefile import olefile
+from oletools.thirdparty.tablestream import tablestream
+from oletools.thirdparty.xglob import xglob
+from oletools.ezhexviewer import hexdump3
  
-def sid_display(sid):
-    if sid == olefile.NOSTREAM:
-        return None
-    else:
-        return sid
+# === CONSTANTS ==============================================================
+
+BANNER = 'olemap %s - http://decalage.info/python/oletools' % __version__
  
 STORAGE_NAMES = {
     olefile.STGTY_EMPTY:     'Empty',
@@ -88,37 +108,188 @@ FAT_COLORS = {
     }
  
  
-# === MAIN ===================================================================
+# === FUNCTIONS ==============================================================
  
-def main():
-    # print banner with version
-    print('olemap %s - http://decalage.info/python/oletools' % __version__)
+def sid_display(sid):
+    if sid == olefile.NOSTREAM:
+        return None
+    else:
+        return sid
+
+
+def show_header(ole, extra_data=False):
+    print("OLE HEADER:")
+    t = tablestream.TableStream([24, 16, 79-(4+24+16)], header_row=['Attribute', 'Value', 'Description'])
+    t.write_row(['OLE Signature (hex)', binascii.b2a_hex(ole.header_signature).upper(), 'Should be D0CF11E0A1B11AE1'])
+    t.write_row(['Header CLSID (hex)', binascii.b2a_hex(ole.header_clsid).upper(), 'Should be 0'])
+    t.write_row(['Minor Version', '%04X' % ole.minor_version, 'Should be 003E'])
+    t.write_row(['Major Version', '%04X' % ole.dll_version, 'Should be 3 or 4'])
+    t.write_row(['Byte Order', '%04X' % ole.byte_order, 'Should be FFFE (little endian)'])
+    t.write_row(['Sector Shift', '%04X' % ole.sector_shift, 'Should be 0009 or 000C'])
+    t.write_row(['# of Dir Sectors', ole.num_dir_sectors, 'Should be 0 if major version is 3'])
+    t.write_row(['# of FAT Sectors', ole.num_fat_sectors, ''])
+    t.write_row(['First Dir Sector', '%08X' % ole.first_dir_sector, '(hex)'])
+    t.write_row(['Transaction Sig Number', ole.transaction_signature_number, 'Should be 0'])
+    t.write_row(['MiniStream cutoff', ole.mini_stream_cutoff_size, 'Should be 4096 bytes'])
+    t.write_row(['First MiniFAT Sector', '%08X' % ole.first_mini_fat_sector, '(hex)'])
+    t.write_row(['# of MiniFAT Sectors', ole.num_mini_fat_sectors, ''])
+    t.write_row(['First DIFAT Sector', '%08X' % ole.first_difat_sector, '(hex)'])
+    t.write_row(['# of DIFAT Sectors', ole.num_difat_sectors, ''])
+    t.close()
+    print('')
+    print("CALCULATED ATTRIBUTES:")
+    t = tablestream.TableStream([24, 16, 79-(4+24+16)], header_row=['Attribute', 'Value', 'Description'])
+    t.write_row(['Sector Size (bytes)', ole.sector_size, 'Should be 512 or 4096 bytes'])
+    t.write_row(['Actual File Size (bytes)', ole._filesize, 'Real file size on disk'])
+    num_sectors_per_fat_sector = ole.sector_size/4
+    num_sectors_in_fat = num_sectors_per_fat_sector * ole.num_fat_sectors
+    # Need to add one sector for the header:
+    max_filesize_fat = (num_sectors_in_fat + 1) * ole.sector_size
+    t.write_row(['Max File Size in FAT', max_filesize_fat, 'Max file size covered by FAT'])
+    if ole._filesize > max_filesize_fat:
+        extra_size_beyond_fat = ole._filesize - max_filesize_fat
+        color = 'red'
+    else:
+        extra_size_beyond_fat = 0
+        color = None
+    t.write_row(['Extra data beyond FAT', extra_size_beyond_fat, 'Only if file is larger than FAT coverage'],
+                colors=[color, color, color])
+    # Find the last used sector:
+    # By default, it's the last sector in the FAT
+    last_used_sector = len(ole.fat)-1
+    for i in range(len(ole.fat)-1, 0, -1):
+        last_used_sector = i
+        if ole.fat[i] != olefile.FREESECT:
+            break
+    # Extra data would start at the next sector
+    offset_extra_data = ole.sectorsize * (last_used_sector + 2)
+    t.write_row(['Extra data offset in FAT', '%08X' % offset_extra_data, 'Offset of the 1st free sector at end of FAT'])
+    extra_data_size = ole._filesize - offset_extra_data
+    color = 'red' if extra_data_size > 0 else None
+    t.write_row(['Extra data size', extra_data_size, 'Size of data starting at the 1st free sector at end of FAT'],
+                colors=[color, color, color])
+    t.close()
+    print('')
  
-    fname = sys.argv[1]
-    ole = olefile.OleFileIO(fname)
+    if extra_data:
+        # hex dump of extra data
+        print('HEX DUMP OF EXTRA DATA:\n')
+        if extra_data_size <= 0:
+            print('No extra data found at end of file.')
+        else:
+            ole.fp.seek(offset_extra_data)
+            # read until end of file:
+            exdata = ole.fp.read()
+            assert len(exdata) == extra_data_size
+            print(hexdump3(exdata, length=16, startindex=offset_extra_data))
+        print('')
  
+
+def show_fat(ole):
     print('FAT:')
     t = tablestream.TableStream([8, 12, 8, 8], header_row=['Sector #', 'Type', 'Offset', 'Next #'])
-    for i in range(ole.nb_sect):
+    for i in range(len(ole.fat)):
         fat_value = ole.fat[i]
         fat_type = FAT_TYPES.get(fat_value, '<Data>')
         color_type = FAT_COLORS.get(fat_value, FAT_COLORS['default'])
         # compute offset based on sector size:
-        offset = ole.sectorsize * (i+1)
+        offset = ole.sectorsize * (i + 1)
         # print '%8X: %-12s offset=%08X next=%8X' % (i, fat_type, 0, fat_value)
         t.write_row(['%8X' % i, fat_type, '%08X' % offset, '%8X' % fat_value],
-            colors=[None, color_type, None, None])
+                    colors=[None, color_type, None, None])
+    t.close()
     print('')
  
+
+def show_minifat(ole):
     print('MiniFAT:')
     # load MiniFAT if it wasn't already done:
     ole.loadminifat()
+    t = tablestream.TableStream([8, 12, 8, 8], header_row=['Sector #', 'Type', 'Offset', 'Next #'])
     for i in range(len(ole.minifat)):
         fat_value = ole.minifat[i]
         fat_type = FAT_TYPES.get(fat_value, 'Data')
-        print('%8X: %-12s offset=%08X next=%8X' % (i, fat_type, 0, fat_value))
+        color_type = FAT_COLORS.get(fat_value, FAT_COLORS['default'])
+        # TODO: compute offset
+        # print('%8X: %-12s offset=%08X next=%8X' % (i, fat_type, 0, fat_value))
+        t.write_row(['%8X' % i, fat_type, 'N/A', '%8X' % fat_value],
+                    colors=[None, color_type, None, None])
+    t.close()
+    print('')
+
+# === MAIN ===================================================================
+
+def main():
+    usage = 'usage: olemap [options] <filename> [filename2 ...]'
+    parser = optparse.OptionParser(usage=usage)
+    parser.add_option("-r", action="store_true", dest="recursive",
+                      help='find files recursively in subdirectories.')
+    parser.add_option("-z", "--zip", dest='zip_password', type='str', default=None,
+                      help='if the file is a zip archive, open all files from it, using the provided password (requires Python 2.6+)')
+    parser.add_option("-f", "--zipfname", dest='zip_fname', type='str', default='*',
+                      help='if the file is a zip archive, file(s) to be opened within the zip. Wildcards * and ? are supported. (default:*)')
+    # parser.add_option('-l', '--loglevel', dest="loglevel", action="store", default=DEFAULT_LOG_LEVEL,
+    #                         help="logging level debug/info/warning/error/critical (default=%default)")
+    parser.add_option("--header", action="store_true", dest="header",
+                      help='Display the OLE header (default: yes)')
+    parser.add_option("--fat", action="store_true", dest="fat",
+                      help='Display the FAT (default: no)')
+    parser.add_option("--minifat", action="store_true", dest="minifat",
+                      help='Display the MiniFAT (default: no)')
+    parser.add_option('-x', "--exdata", action="store_true", dest="extra_data",
+                      help='Display a hex dump of extra data at end of file')
+
+    # TODO: add logfile option
+
+    (options, args) = parser.parse_args()
+
+    # Print help if no arguments are passed
+    if len(args) == 0:
+        print(BANNER)
+        print(__doc__)
+        parser.print_help()
+        sys.exit()
+
+    # if no display option is provided, set defaults:
+    default_options = False
+    if not (options.header or options.fat or options.minifat):
+        options.header = True
+        # options.fat = True
+        # options.minifat = True
+        default_options = True
+
+    # print banner with version
+    print(BANNER)
+
+    for container, filename, data in xglob.iter_files(args, recursive=options.recursive,
+                                                      zip_password=options.zip_password, zip_fname=options.zip_fname):
+        # TODO: handle xglob errors
+        # ignore directory names stored in zip files:
+        if container and filename.endswith('/'):
+            continue
+        full_name = '%s in %s' % (filename, container) if container else filename
+        print("-" * 79)
+        print('FILE: %s\n' % full_name)
+        if data is not None:
+            # data extracted from zip file
+            ole = olefile.OleFileIO(data)
+        else:
+            # normal filename
+            ole = olefile.OleFileIO(filename)
+
+        if options.header:
+            show_header(ole, extra_data=options.extra_data)
+        if options.fat:
+            show_fat(ole)
+        if options.minifat:
+            show_minifat(ole)
+
+        ole.close()
+
+    # if no display option is provided, print a tip:
+    if default_options:
+        print('To display the FAT or MiniFAT structures, use options --fat or --minifat, and -h for help.')
  
-    ole.close()
  
 if __name__ == '__main__':
     main()
@@ -15,7 +15,7 @@ http://www.decalage.info/python/oletools
  
 #=== LICENSE =================================================================
  
-# olemeta is copyright (c) 2013-2016, Philippe Lagadec (http://www.decalage.info)
+# olemeta is copyright (c) 2013-2017, Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -47,31 +47,42 @@ http://www.decalage.info/python/oletools
 # 2016-09-06 v0.50 PL: - added main entry point for setup.py
 # 2016-10-25       PL: - fixed print for Python 3
 # 2016-10-28       PL: - removed the UTF8 codec for console display
+# 2017-04-26 v0.51 PL: - fixed absolute imports (issue #141)
+# 2017-05-04       PL: - added optparse and xglob (issue #141)
  
-__version__ = '0.50'
+__version__ = '0.51'
  
 #------------------------------------------------------------------------------
 # TODO:
-# + optparse
 # + nicer output: table with fixed columns, datetime, etc
 # + CSV output
 # + option to only show available properties (by default)
+# + display codepage names
  
 #=== IMPORTS =================================================================
  
-import sys, codecs
-import thirdparty.olefile as olefile
-from thirdparty.tablestream import tablestream
+import sys, os, optparse
  
+# IMPORTANT: it should be possible to run oletools directly as scripts
+# in any directory without installing them with pip or setup.py.
+# In that case, relative imports are NOT usable.
+# And to enable Python 2+3 compatibility, we need to use absolute imports,
+# so we add the oletools parent folder to sys.path (absolute+normalized path):
+_thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
+# print('_thismodule_dir = %r' % _thismodule_dir)
+_parent_dir = os.path.normpath(os.path.join(_thismodule_dir, '..'))
+# print('_parent_dir = %r' % _thirdparty_dir)
+if not _parent_dir in sys.path:
+    sys.path.insert(0, _parent_dir)
  
-#=== MAIN =================================================================
+from oletools.thirdparty import olefile
+from oletools.thirdparty import xglob
+from oletools.thirdparty.tablestream import tablestream
  
-def main():
-    try:
-        ole = olefile.OleFileIO(sys.argv[1])
-    except IndexError:
-        sys.exit(__doc__)
  
+#=== MAIN =================================================================
+
+def process_ole(ole):
     # parse and display metadata:
     meta = ole.get_metadata()
  
@@ -114,7 +125,53 @@ def main():
             t.write_row([prop, value], colors=[None, 'yellow'])
     t.close()
  
-    ole.close()
+
+# === MAIN ===================================================================
+
+def main():
+    # print banner with version
+    print('olemeta %s - http://decalage.info/python/oletools' % __version__)
+    print ('THIS IS WORK IN PROGRESS - Check updates regularly!')
+    print ('Please report any issue at https://github.com/decalage2/oletools/issues')
+
+    usage = 'usage: olemeta [options] <filename> [filename2 ...]'
+    parser = optparse.OptionParser(usage=usage)
+    parser.add_option("-r", action="store_true", dest="recursive",
+                      help='find files recursively in subdirectories.')
+    parser.add_option("-z", "--zip", dest='zip_password', type='str', default=None,
+                      help='if the file is a zip archive, open all files from it, using the provided password (requires Python 2.6+)')
+    parser.add_option("-f", "--zipfname", dest='zip_fname', type='str', default='*',
+                      help='if the file is a zip archive, file(s) to be opened within the zip. Wildcards * and ? are supported. (default:*)')
+
+    # TODO: add logfile option
+    # parser.add_option('-l', '--loglevel', dest="loglevel", action="store", default=DEFAULT_LOG_LEVEL,
+    #                         help="logging level debug/info/warning/error/critical (default=%default)")
+
+    (options, args) = parser.parse_args()
+
+    # Print help if no arguments are passed
+    if len(args) == 0:
+        print(__doc__)
+        parser.print_help()
+        sys.exit()
+
+    for container, filename, data in xglob.iter_files(args, recursive=options.recursive,
+                                                      zip_password=options.zip_password, zip_fname=options.zip_fname):
+        # TODO: handle xglob errors
+        # ignore directory names stored in zip files:
+        if container and filename.endswith('/'):
+            continue
+        full_name = '%s in %s' % (filename, container) if container else filename
+        print("=" * 79)
+        print('FILE: %s\n' % full_name)
+        if data is not None:
+            # data extracted from zip file
+            ole = olefile.OleFileIO(data)
+        else:
+            # normal filename
+            ole = olefile.OleFileIO(filename)
+        process_ole(ole)
+        ole.close()
  
 if __name__ == '__main__':
-    main()
 \ No newline at end of file
+    main()
@@ -15,7 +15,7 @@ http://www.decalage.info/python/oletools
  
 # === LICENSE ==================================================================
  
-# oleobj is copyright (c) 2015-2016 Philippe Lagadec (http://www.decalage.info)
+# oleobj is copyright (c) 2015-2017 Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -47,6 +47,7 @@ http://www.decalage.info/python/oletools
 # 2016-07-19       PL: - fixed Python 2.6-7 support
 # 2016-11-17 v0.51 PL: - fixed OLE native object extraction
 # 2016-11-18       PL: - added main for setup.py entry point
+# 2017-05-03       PL: - fixed absolute imports (issue #141)
  
 __version__ = '0.51'
  
@@ -70,8 +71,20 @@ __version__ = &#39;0.51&#39;
  
 import logging, struct, optparse, os, re, sys
  
-from thirdparty.olefile import olefile
-from thirdparty.xglob import xglob
+# IMPORTANT: it should be possible to run oletools directly as scripts
+# in any directory without installing them with pip or setup.py.
+# In that case, relative imports are NOT usable.
+# And to enable Python 2+3 compatibility, we need to use absolute imports,
+# so we add the oletools parent folder to sys.path (absolute+normalized path):
+_thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
+# print('_thismodule_dir = %r' % _thismodule_dir)
+_parent_dir = os.path.normpath(os.path.join(_thismodule_dir, '..'))
+# print('_parent_dir = %r' % _thirdparty_dir)
+if not _parent_dir in sys.path:
+    sys.path.insert(0, _parent_dir)
+
+from oletools.thirdparty.olefile import olefile
+from oletools.thirdparty.xglob import xglob
  
 # === LOGGING =================================================================
  
@@ -114,6 +127,14 @@ def get_logger(name, level=logging.CRITICAL+1):
 # a global logger object used for debugging:
 log = get_logger('oleobj')
  
+def enable_logging():
+    """
+    Enable logging for this module (disabled by default).
+    This will set the module-specific logger level to NOTSET, which
+    means the main application controls the actual logging level.
+    """
+    log.setLevel(logging.NOTSET)
+
  
 # === CONSTANTS ==============================================================
  
@@ -290,6 +311,9 @@ class OleObject (object):
         :param data: bytes, OLE 1.0 Object structure containing an OLE object
         :return:
         """
+        # from ezhexviewer import hexdump3
+        # print("Parsing OLE object data:")
+        # print(hexdump3(data, length=16))
         # Header: see MS-OLEDS 2.2.4 ObjectHeader
         self.ole_version, data = read_uint32(data)
         self.format_id, data = read_uint32(data)
@@ -16,7 +16,7 @@ http://www.decalage.info/python/oletools
  
 #=== LICENSE =================================================================
  
-# oletimes is copyright (c) 2013-2016, Philippe Lagadec (http://www.decalage.info)
+# oletimes is copyright (c) 2013-2017, Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -48,61 +48,109 @@ http://www.decalage.info/python/oletools
 # 2014-11-30 v0.03 PL: - improved output with prettytable
 # 2016-07-20 v0.50 SL: - added Python 3 support
 # 2016-09-05       PL: - added main entry point for setup.py
+# 2017-05-03 v0.51 PL: - fixed absolute imports (issue #141)
+# 2017-05-04       PL: - added optparse and xglob (issue #141)
  
-__version__ = '0.50'
+__version__ = '0.51'
  
 #------------------------------------------------------------------------------
 # TODO:
-# + optparse
 # + nicer output: table with fixed columns, datetime, etc
 # + CSV output
 # + option to only show available timestamps (by default?)
  
 #=== IMPORTS =================================================================
  
-import sys, datetime
-import thirdparty.olefile as olefile
-from thirdparty.prettytable import prettytable
+import sys, os, optparse
  
+# IMPORTANT: it should be possible to run oletools directly as scripts
+# in any directory without installing them with pip or setup.py.
+# In that case, relative imports are NOT usable.
+# And to enable Python 2+3 compatibility, we need to use absolute imports,
+# so we add the oletools parent folder to sys.path (absolute+normalized path):
+_thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
+# print('_thismodule_dir = %r' % _thismodule_dir)
+_parent_dir = os.path.normpath(os.path.join(_thismodule_dir, '..'))
+# print('_parent_dir = %r' % _thirdparty_dir)
+if not _parent_dir in sys.path:
+    sys.path.insert(0, _parent_dir)
  
-# === MAIN ===================================================================
+from oletools.thirdparty import olefile
+from oletools.thirdparty import xglob
+from oletools.thirdparty.prettytable import prettytable
  
-def main():
-    # print banner with version
-    print('oletimes %s - http://decalage.info/python/oletools' % __version__)
  
-    try:
-        ole = olefile.OleFileIO(sys.argv[1])
-    except IndexError:
-        sys.exit(__doc__)
+# === FUNCTIONS ==============================================================
  
-    def dt2str (dt):
-        """
-        Convert a datetime object to a string for display, without microseconds
+def dt2str(dt):
+    """
+    Convert a datetime object to a string for display, without microseconds
  
-        :param dt: datetime.datetime object, or None
-        :return: str, or None
-        """
-        if dt is None:
-            return None
-        dt = dt.replace(microsecond = 0)
-        return str(dt)
+    :param dt: datetime.datetime object, or None
+    :return: str, or None
+    """
+    if dt is None:
+        return None
+    dt = dt.replace(microsecond=0)
+    return str(dt)
  
+
+def process_ole(ole):
     t = prettytable.PrettyTable(['Stream/Storage name', 'Modification Time', 'Creation Time'])
     t.align = 'l'
     t.max_width = 26
-    #t.border = False
-
-    #print'- Root mtime=%s ctime=%s' % (ole.root.getmtime(), ole.root.getctime())
     t.add_row(('Root', dt2str(ole.root.getmtime()), dt2str(ole.root.getctime())))
-
     for obj in ole.listdir(streams=True, storages=True):
-        #print '- %s: mtime=%s ctime=%s' % (repr('/'.join(obj)), ole.getmtime(obj), ole.getctime(obj))
         t.add_row((repr('/'.join(obj)), dt2str(ole.getmtime(obj)), dt2str(ole.getctime(obj))))
-
     print(t)
  
-    ole.close()
+
+# === MAIN ===================================================================
+
+def main():
+    # print banner with version
+    print('oletimes %s - http://decalage.info/python/oletools' % __version__)
+    print ('THIS IS WORK IN PROGRESS - Check updates regularly!')
+    print ('Please report any issue at https://github.com/decalage2/oletools/issues')
+
+    usage = 'usage: oletimes [options] <filename> [filename2 ...]'
+    parser = optparse.OptionParser(usage=usage)
+    parser.add_option("-r", action="store_true", dest="recursive",
+                      help='find files recursively in subdirectories.')
+    parser.add_option("-z", "--zip", dest='zip_password', type='str', default=None,
+                      help='if the file is a zip archive, open all files from it, using the provided password (requires Python 2.6+)')
+    parser.add_option("-f", "--zipfname", dest='zip_fname', type='str', default='*',
+                      help='if the file is a zip archive, file(s) to be opened within the zip. Wildcards * and ? are supported. (default:*)')
+
+    # TODO: add logfile option
+    # parser.add_option('-l', '--loglevel', dest="loglevel", action="store", default=DEFAULT_LOG_LEVEL,
+    #                         help="logging level debug/info/warning/error/critical (default=%default)")
+
+    (options, args) = parser.parse_args()
+
+    # Print help if no arguments are passed
+    if len(args) == 0:
+        print(__doc__)
+        parser.print_help()
+        sys.exit()
+
+    for container, filename, data in xglob.iter_files(args, recursive=options.recursive,
+                                                      zip_password=options.zip_password, zip_fname=options.zip_fname):
+        # TODO: handle xglob errors
+        # ignore directory names stored in zip files:
+        if container and filename.endswith('/'):
+            continue
+        full_name = '%s in %s' % (filename, container) if container else filename
+        print("=" * 79)
+        print('FILE: %s\n' % full_name)
+        if data is not None:
+            # data extracted from zip file
+            ole = olefile.OleFileIO(data)
+        else:
+            # normal filename
+            ole = olefile.OleFileIO(filename)
+        process_ole(ole)
+        ole.close()
  
 if __name__ == '__main__':
     main()
@@ -26,7 +26,7 @@ https://github.com/unixfreak0037/officeparser
  
 # === LICENSE ==================================================================
  
-# olevba is copyright (c) 2014-2016 Philippe Lagadec (http://www.decalage.info)
+# olevba is copyright (c) 2014-2017 Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -188,8 +188,18 @@ from __future__ import print_function
 # 2016-09-12       PL: - enabled packrat to improve pyparsing performance
 # 2016-10-25       PL: - fixed raise and print statements for Python 3
 # 2016-11-03 v0.51 PL: - added EnumDateFormats and EnumSystemLanguageGroupsW
-
-__version__ = '0.51a'
+# 2017-02-07       PL: - temporary fix for issue #132
+#                      - added keywords for Mac-specific macros (issue #130)
+# 2017-03-08       PL: - fixed absolute imports
+# 2017-03-16       PL: - fixed issues #148 and #149 for option --reveal
+# 2017-05-19       PL: - added enable_logging to fix issue #154
+# 2017-05-31     c1fe: - PR #135 fixing issue #132 for some Mac files
+# 2017-06-08       PL: - fixed issue #122 Chr() with negative numbers
+# 2017-06-15       PL: - deobfuscation line by line to handle large files
+# 2017-07-11 v0.52 PL: - raise exception instead of sys.exit (issue #180)
+# 2017-11-08       VB: - PR #124 adding user form parsing (Vincent Brillault)
+
+__version__ = '0.52dev3'
  
 #------------------------------------------------------------------------------
 # TODO:
@@ -223,7 +233,9 @@ __version__ = &#39;0.51a&#39;
  
 #--- IMPORTS ------------------------------------------------------------------
  
-import sys, logging
+import sys
+import os
+import logging
 import struct
 import cStringIO
 import math
@@ -256,15 +268,28 @@ except ImportError:
  
 from oleform import extract_OleFormVariables
  
-import thirdparty.olefile as olefile
-from thirdparty.prettytable import prettytable
-from thirdparty.xglob import xglob, PathNotFoundException
-from thirdparty.pyparsing.pyparsing import \
+# IMPORTANT: it should be possible to run oletools directly as scripts
+# in any directory without installing them with pip or setup.py.
+# In that case, relative imports are NOT usable.
+# And to enable Python 2+3 compatibility, we need to use absolute imports,
+# so we add the oletools parent folder to sys.path (absolute+normalized path):
+_thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
+# print('_thismodule_dir = %r' % _thismodule_dir)
+_parent_dir = os.path.normpath(os.path.join(_thismodule_dir, '..'))
+# print('_parent_dir = %r' % _thirdparty_dir)
+if not _parent_dir in sys.path:
+    sys.path.insert(0, _parent_dir)
+
+from oletools.thirdparty import olefile
+from oletools.thirdparty.prettytable import prettytable
+from oletools.thirdparty.xglob import xglob, PathNotFoundException
+from oletools.thirdparty.pyparsing.pyparsing import \
         CaselessKeyword, CaselessLiteral, Combine, Forward, Literal, \
         Optional, QuotedString,Regex, Suppress, Word, WordStart, \
         alphanums, alphas, hexnums,nums, opAssoc, srange, \
         infixNotation, ParserElement
-import ppt_parser
+from oletools import ppt_parser
+
  
 # monkeypatch email to fix issue #32:
 # allow header lines without ":"
@@ -330,6 +355,18 @@ def get_logger(name, level=logging.CRITICAL+1):
 log = get_logger('olevba')
  
  
+def enable_logging():
+    """
+    Enable logging for this module (disabled by default).
+    This will set the module-specific logger level to NOTSET, which
+    means the main application controls the actual logging level.
+    """
+    log.setLevel(logging.NOTSET)
+    # Also enable logging in the ppt_parser module:
+    ppt_parser.enable_logging()
+
+
+
 #=== EXCEPTIONS ==============================================================
  
 class OlevbaBaseException(Exception):
@@ -387,10 +424,17 @@ class UnexpectedDataError(OlevbaBaseException):
     """ raised when parsing is strict (=not relaxed) and data is unexpected """
  
     def __init__(self, stream_path, variable, expected, value):
+        if isinstance(expected, int):
+            es = '{0:04X}'.format(expected)
+        elif isinstance(expected, tuple):
+            es = ','.join('{0:04X}'.format(e) for e in expected)
+            es =  '({0})'.format(es)
+        else:
+            raise ValueError('Unknown type encountered: {0}'.format(type(expected)))
         super(UnexpectedDataError, self).__init__(
             'Unexpected value in {0} for variable {1}: '
-            'expected {2:04X} but found {3:04X}!'
-            .format(stream_path, variable, expected, value))
+            'expected {2} but found {3:04X}!'
+            .format(stream_path, variable, es, value))
         self.stream_path = stream_path
         self.variable = variable
         self.expected = expected
@@ -520,6 +564,11 @@ SUSPICIOUS_KEYWORDS = {
     'May run an executable file or a system command':
         ('Shell', 'vbNormal', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus',
          'vbMinimizedNoFocus', 'WScript.Shell', 'Run', 'ShellExecute'),
+    # MacScript: see https://msdn.microsoft.com/en-us/library/office/gg264812.aspx
+    'May run an executable file or a system command on a Mac':
+        ('MacScript',),
+    'May run an executable file or a system command on a Mac (if combined with libc.dylib)':
+        ('system', 'popen', r'exec[lv][ep]?'),
     #Shell: http://msdn.microsoft.com/en-us/library/office/gg278437%28v=office.15%29.aspx
     #WScript.Shell+Run sample: http://pastebin.com/Z4TMyuq6
     'May run PowerShell commands':
@@ -550,8 +599,11 @@ SUSPICIOUS_KEYWORDS = {
     'May enumerate application windows (if combined with Shell.Application object)':
         ('Windows', 'FindWindow'),
     'May run code from a DLL':
-    #TODO: regex to find declare+lib on same line
+    #TODO: regex to find declare+lib on same line - see mraptor
         ('Lib',),
+    'May run code from a library on a Mac':
+    #TODO: regex to find declare+lib on same line - see mraptor
+        ('libc.dylib', 'dylib'),
     'May inject code into another process':
         ('CreateThread', 'VirtualAlloc', # (issue #9) suggested by Davy Douhine - used by MSF payload
         'VirtualAllocEx', 'RtlMoveMemory',
@@ -723,7 +775,7 @@ class VbaExpressionString(str):
 # NOTE: here Combine() is required to avoid spaces between elements
 # NOTE: here WordStart is necessary to avoid matching a number preceded by
 #       letters or underscore (e.g. "VBT1" or "ABC_34"), when using scanString
-decimal_literal = Combine(WordStart(vba_identifier_chars) + Word(nums)
+decimal_literal = Combine(Optional('-') + WordStart(vba_identifier_chars) + Word(nums)
                           + Suppress(Optional(Word('%&^', exact=1))))
 decimal_literal.setParseAction(lambda t: int(t[0]))
  
@@ -1411,15 +1463,27 @@ def _extract_vba(ole, vba_root, project_path, dir_path, relaxed=False):
             reference_sizeof_name = struct.unpack("<L", dir_stream.read(4))[0]
             reference_name = dir_stream.read(reference_sizeof_name)
             reference_reserved = struct.unpack("<H", dir_stream.read(2))[0]
-            if reference_reserved not in (0x003E, 0x000D):
-                raise UnexpectedDataError(dir_path, 'REFERENCE_Reserved',
-                                          (0x003E, 0x000D), reference_reserved)
-            reference_sizeof_name_unicode = struct.unpack("<L", dir_stream.read(4))[0]
-            reference_name_unicode = dir_stream.read(reference_sizeof_name_unicode)
-            unused = reference_id
-            unused = reference_name
-            unused = reference_name_unicode
-            continue
+            # According to [MS-OVBA] 2.3.4.2.2.2 REFERENCENAME Record:
+            # "Reserved (2 bytes): MUST be 0x003E. MUST be ignored."
+            # So let's ignore it, otherwise it crashes on some files (issue #132)
+            # PR #135 by @c1fe:
+            # contrary to the specification I think that the unicode name
+            # is optional. if reference_reserved is not 0x003E I think it
+            # is actually the start of another REFERENCE record
+            # at least when projectsyskind_syskind == 0x02 (Macintosh)
+            if reference_reserved == 0x003E:
+                #if reference_reserved not in (0x003E, 0x000D):
+                #    raise UnexpectedDataError(dir_path, 'REFERENCE_Reserved',
+                #                              0x0003E, reference_reserved)
+                reference_sizeof_name_unicode = struct.unpack("<L", dir_stream.read(4))[0]
+                reference_name_unicode = dir_stream.read(reference_sizeof_name_unicode)
+                unused = reference_id
+                unused = reference_name
+                unused = reference_name_unicode
+                continue
+            else:
+                check = reference_reserved
+                log.debug("reference type = {0:04X}".format(check))
  
         if check == 0x0033:
             # REFERENCEORIGINAL (followed by REFERENCECONTROL)
@@ -1451,15 +1515,16 @@ def _extract_vba(ole, vba_root, project_path, dir_path, relaxed=False):
                 referencecontrol_namerecordextended_name = dir_stream.read(
                     referencecontrol_namerecordextended_sizeof_name)
                 referencecontrol_namerecordextended_reserved = struct.unpack("<H", dir_stream.read(2))[0]
-                check_value('REFERENCECONTROL_NameRecordExtended_Reserved', 0x003E,
-                            referencecontrol_namerecordextended_reserved)
-                referencecontrol_namerecordextended_sizeof_name_unicode = struct.unpack("<L", dir_stream.read(4))[0]
-                referencecontrol_namerecordextended_name_unicode = dir_stream.read(
-                    referencecontrol_namerecordextended_sizeof_name_unicode)
-                referencecontrol_reserved3 = struct.unpack("<H", dir_stream.read(2))[0]
-                unused = referencecontrol_namerecordextended_id
-                unused = referencecontrol_namerecordextended_name
-                unused = referencecontrol_namerecordextended_name_unicode
+                if referencecontrol_namerecordextended_reserved == 0x003E:
+                    referencecontrol_namerecordextended_sizeof_name_unicode = struct.unpack("<L", dir_stream.read(4))[0]
+                    referencecontrol_namerecordextended_name_unicode = dir_stream.read(
+                        referencecontrol_namerecordextended_sizeof_name_unicode)
+                    referencecontrol_reserved3 = struct.unpack("<H", dir_stream.read(2))[0]
+                    unused = referencecontrol_namerecordextended_id
+                    unused = referencecontrol_namerecordextended_name
+                    unused = referencecontrol_namerecordextended_name_unicode
+                else:
+                    referencecontrol_reserved3 = referencecontrol_namerecordextended_reserved
             else:
                 referencecontrol_reserved3 = check2
  
@@ -1513,7 +1578,9 @@ def _extract_vba(ole, vba_root, project_path, dir_path, relaxed=False):
             continue
  
         log.error('invalid or unknown check Id {0:04X}'.format(check))
-        sys.exit(0)
+        # raise an exception instead of stopping abruptly (issue #180)
+        raise UnexpectedDataError(dir_path, 'reference type', (0x0F, 0x16, 0x33, 0x2F, 0x0D, 0x0E), check)
+        #sys.exit(0)
  
     projectmodules_id = check  #struct.unpack("<H", dir_stream.read(2))[0]
     check_value('PROJECTMODULES_Id', 0x000F, projectmodules_id)
@@ -1865,7 +1932,8 @@ def detect_dridex_strings(vba_code):
     :param vba_code: str, VBA source code
     :return: list of str tuples (encoded string, decoded string)
     """
-    from thirdparty.DridexUrlDecoder.DridexUrlDecoder import DridexUrlDecode
+    # TODO: move this at the beginning of script
+    from oletools.thirdparty.DridexUrlDecoder.DridexUrlDecoder import DridexUrlDecode
  
     results = []
     found = set()
@@ -1900,23 +1968,25 @@ def detect_vba_strings(vba_code):
     #            we must expand tabs to have the same string as pyparsing.
     #            Otherwise, start and end offsets are incorrect.
     vba_code = vba_code.expandtabs()
-    for tokens, start, end in vba_expr_str.scanString(vba_code):
-        encoded = vba_code[start:end]
-        decoded = tokens[0]
-        if isinstance(decoded, VbaExpressionString):
-            # This is a VBA expression, not a simple string
-            # print 'VBA EXPRESSION: encoded=%r => decoded=%r' % (encoded, decoded)
-            # remove parentheses and quotes from original string:
-            # if encoded.startswith('(') and encoded.endswith(')'):
-            #     encoded = encoded[1:-1]
-            # if encoded.startswith('"') and encoded.endswith('"'):
-            #     encoded = encoded[1:-1]
-            # avoid duplicates and simple strings:
-            if encoded not in found and decoded != encoded:
-                results.append((encoded, decoded))
-                found.add(encoded)
-        # else:
-            # print 'VBA STRING: encoded=%r => decoded=%r' % (encoded, decoded)
+    # Split the VBA code line by line to avoid MemoryError on large scripts:
+    for vba_line in vba_code.splitlines():
+        for tokens, start, end in vba_expr_str.scanString(vba_line):
+            encoded = vba_line[start:end]
+            decoded = tokens[0]
+            if isinstance(decoded, VbaExpressionString):
+                # This is a VBA expression, not a simple string
+                # print 'VBA EXPRESSION: encoded=%r => decoded=%r' % (encoded, decoded)
+                # remove parentheses and quotes from original string:
+                # if encoded.startswith('(') and encoded.endswith(')'):
+                #     encoded = encoded[1:-1]
+                # if encoded.startswith('"') and encoded.endswith('"'):
+                #     encoded = encoded[1:-1]
+                # avoid duplicates and simple strings:
+                if encoded not in found and decoded != encoded:
+                    results.append((encoded, decoded))
+                    found.add(encoded)
+            # else:
+                # print 'VBA STRING: encoded=%r => decoded=%r' % (encoded, decoded)
     return results
  
  
@@ -1957,19 +2027,19 @@ def json2ascii(json_obj, encoding=&#39;utf8&#39;, errors=&#39;replace&#39;):
     return json_obj
  
  
-_have_printed_json_start = False
-
-def print_json(json_dict=None, _json_is_last=False, **json_parts):
+def print_json(json_dict=None, _json_is_first=False, _json_is_last=False,
+               **json_parts):
     """ line-wise print of json.dumps(json2ascii(..)) with options and indent+1
  
     can use in two ways:
     (1) print_json(some_dict)
     (2) print_json(key1=value1, key2=value2, ...)
  
+    :param bool _json_is_first: set to True only for very first entry to complete
+                                the top-level json-list
     :param bool _json_is_last: set to True only for very last entry to complete
                                the top-level json-list
     """
-    global _have_printed_json_start
  
     if json_dict and json_parts:
         raise ValueError('Invalid json argument: want either single dict or '
@@ -1981,9 +2051,8 @@ def print_json(json_dict=None, _json_is_last=False, **json_parts):
     if json_parts:
         json_dict = json_parts
  
-    if not _have_printed_json_start:
+    if _json_is_first:
         print('[')
-        _have_printed_json_start = True
  
     lines = json.dumps(json2ascii(json_dict), check_circular=False,
                            indent=4, ensure_ascii=False).splitlines()
@@ -2483,7 +2552,6 @@ class VBA_Parser(object):
         """
  
         log.info('Check whether OLE file is PPT')
-        ppt_parser.enable_logging()
         try:
             ppt = ppt_parser.PptParser(self.ole_file, fast_fail=True)
             for vba_data in ppt.iter_vba_data():
@@ -2493,7 +2561,7 @@ class VBA_Parser(object):
             self.ole_file.close()  # just in case
             self.ole_file = None   # required to make other methods look at ole_subfiles
             self.type = TYPE_PPT
-        except Exception as exc:
+        except (ppt_parser.PptUnexpectedData, ValueError) as exc:
             if self.container == 'PptParser':
                 # this is a subfile of a ppt --> to be expected that is no ppt
                 log.debug('PPT subfile is not a PPT file')
@@ -2704,12 +2772,16 @@ class VBA_Parser(object):
             vba_stream_ids = set()
             for vba_root, project_path, dir_path in self.vba_projects:
                 # extract all VBA macros from that VBA root storage:
-                for stream_path, vba_filename, vba_code in \
-                        _extract_vba(self.ole_file, vba_root, project_path,
-                                     dir_path, self.relaxed):
-                    # store direntry ids in a set:
-                    vba_stream_ids.add(self.ole_file._find(stream_path))
-                    yield (self.filename, stream_path, vba_filename, vba_code)
+                # The function _extract_vba may fail on some files (issue #132)
+                try:
+                    for stream_path, vba_filename, vba_code in \
+                            _extract_vba(self.ole_file, vba_root, project_path,
+                                         dir_path, self.relaxed):
+                        # store direntry ids in a set:
+                        vba_stream_ids.add(self.ole_file._find(stream_path))
+                        yield (self.filename, stream_path, vba_filename, vba_code)
+                except Exception as e:
+                    log.exception('Error in _extract_vba')
             # Also look for VBA code in any stream including orphans
             # (happens in some malformed files)
             ole = self.ole_file
@@ -2796,14 +2868,23 @@ class VBA_Parser(object):
         # based on the length of the encoded string, in reverse order:
         analysis = sorted(analysis, key=lambda type_decoded_encoded: len(type_decoded_encoded[2]), reverse=True)
         # normally now self.vba_code_all_modules contains source code from all modules
-        deobf_code = self.vba_code_all_modules
+        # Need to collapse long lines:
+        deobf_code = vba_collapse_long_lines(self.vba_code_all_modules)
+        deobf_code = filter_vba(deobf_code)
         for kw_type, decoded, encoded in analysis:
             if kw_type == 'VBA string':
                 #print '%3d occurences: %r => %r' % (deobf_code.count(encoded), encoded, decoded)
                 # need to add double quotes around the decoded strings
                 # after escaping double-quotes as double-double-quotes for VBA:
                 decoded = decoded.replace('"', '""')
-                deobf_code = deobf_code.replace(encoded, '"%s"' % decoded)
+                decoded = '"%s"' % decoded
+                # if the encoded string is enclosed in parentheses,
+                # keep them in the decoded version:
+                if encoded.startswith('(') and encoded.endswith(')'):
+                    decoded = '(%s)' % decoded
+                deobf_code = deobf_code.replace(encoded, decoded)
+        # # TODO: there is a bug somewhere which creates double returns '\r\r'
+        # deobf_code = deobf_code.replace('\r\r', '\r')
         return deobf_code
         #TODO: repasser l'analyse plusieurs fois si des chaines hex ou base64 sont revelees
  
@@ -3213,10 +3294,9 @@ class VBA_Parser_CLI(VBA_Parser):
  
 #=== MAIN =====================================================================
  
-def main():
-    """
-    Main function, called when olevba is run from the command line
-    """
+def parse_args(cmd_line_args=None):
+    """ parse command line arguments (given ones or per default sys.argv) """
+
     DEFAULT_LOG_LEVEL = "warning" # Default log level
     LOG_LEVELS = {
         'debug':    logging.DEBUG,
@@ -3226,7 +3306,7 @@ def main():
         'critical': logging.CRITICAL
         }
  
-    usage = 'usage: %prog [options] <filename> [filename2 ...]'
+    usage = 'usage: olevba [options] <filename> [filename2 ...]'
     parser = optparse.OptionParser(usage=usage)
     # parser.add_option('-o', '--outfile', dest='outfile',
     #     help='output file')
@@ -3268,26 +3348,43 @@ def main():
     parser.add_option('--relaxed', dest="relaxed", action="store_true", default=False,
                             help="Do not raise errors if opening of substream fails")
  
-    (options, args) = parser.parse_args()
+    (options, args) = parser.parse_args(cmd_line_args)
  
     # Print help if no arguments are passed
     if len(args) == 0:
+        print('olevba %s - http://decalage.info/python/oletools' % __version__)
         print(__doc__)
         parser.print_help()
         sys.exit(RETURN_WRONG_ARGS)
  
+    options.loglevel = LOG_LEVELS[options.loglevel]
+
+    return options, args
+
+
+def main(cmd_line_args=None):
+    """
+    Main function, called when olevba is run from the command line
+
+    Optional argument: command line arguments to be forwarded to ArgumentParser
+    in process_args. Per default (cmd_line_args=None), sys.argv is used. Option
+    mainly added for unit-testing
+    """
+
+    options, args = parse_args(cmd_line_args)
+
     # provide info about tool and its version
     if options.output_mode == 'json':
-        # prints opening [
+        # print first json entry with meta info and opening '['
         print_json(script_name='olevba', version=__version__,
                    url='http://decalage.info/python/oletools',
-                   type='MetaInformation')
+                   type='MetaInformation', _json_is_first=True)
     else:
         print('olevba %s - http://decalage.info/python/oletools' % __version__)
  
-    logging.basicConfig(level=LOG_LEVELS[options.loglevel], format='%(levelname)-8s %(message)s')
+    logging.basicConfig(level=options.loglevel, format='%(levelname)-8s %(message)s')
     # enable logging in the modules:
-    log.setLevel(logging.NOTSET)
+    enable_logging()
  
     # Old display with number of items detected:
     # print '%-8s %-7s %-7s %-7s %-7s %-7s' % ('Type', 'Macros', 'AutoEx', 'Susp.', 'IOCs', 'HexStr')
@@ -26,7 +26,7 @@ https://github.com/unixfreak0037/officeparser
  
 # === LICENSE ==================================================================
  
-# olevba is copyright (c) 2014-2016 Philippe Lagadec (http://www.decalage.info)
+# olevba is copyright (c) 2014-2017 Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -189,8 +189,9 @@ from __future__ import print_function
 # 2016-10-25       PL: - fixed raise and print statements for Python 3
 # 2016-10-25       PL: - fixed regex bytes strings (PR/issue #100)
 # 2016-11-03 v0.51 PL: - added EnumDateFormats and EnumSystemLanguageGroupsW
+# 2017-04-26       PL: - fixed absolute imports
  
-__version__ = '0.51a'
+__version__ = '0.51'
  
 #------------------------------------------------------------------------------
 # TODO:
@@ -224,7 +225,7 @@ __version__ = &#39;0.51a&#39;
  
 #--- IMPORTS ------------------------------------------------------------------
  
-import sys, logging
+import sys, logging, os
 import struct
 from _io import StringIO,BytesIO
 import math
@@ -255,14 +256,26 @@ except ImportError:
                                + "see http://codespeak.net/lxml " \
                                + "or http://effbot.org/zone/element-index.htm")
  
-import oletools.thirdparty.olefile as olefile
+# IMPORTANT: it should be possible to run oletools directly as scripts
+# in any directory without installing them with pip or setup.py.
+# In that case, relative imports are NOT usable.
+# And to enable Python 2+3 compatibility, we need to use absolute imports,
+# so we add the oletools parent folder to sys.path (absolute+normalized path):
+_thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
+# print('_thismodule_dir = %r' % _thismodule_dir)
+_parent_dir = os.path.normpath(os.path.join(_thismodule_dir, '..'))
+# print('_parent_dir = %r' % _thirdparty_dir)
+if not _parent_dir in sys.path:
+    sys.path.insert(0, _parent_dir)
+
+from oletools.thirdparty import olefile
 from oletools.thirdparty.prettytable import prettytable
 from oletools.thirdparty.xglob import xglob, PathNotFoundException
 from oletools.thirdparty.pyparsing.pyparsing import \
         CaselessKeyword, CaselessLiteral, Combine, Forward, Literal, \
         Optional, QuotedString,Regex, Suppress, Word, WordStart, \
         alphanums, alphas, hexnums,nums, opAssoc, srange, \
-        infixNotation
+        infixNotation, ParserElement
 import oletools.ppt_parser as ppt_parser
  
 # monkeypatch email to fix issue #32:
@@ -287,6 +300,25 @@ else:
     # xrange is now called range:
     xrange = range
  
+
+# === PYTHON 3.0 - 3.4 SUPPORT ======================================================
+
+# From https://gist.github.com/ynkdir/867347/c5e188a4886bc2dd71876c7e069a7b00b6c16c61
+
+if sys.version_info >= (3, 0) and sys.version_info < (3, 5):
+    import codecs
+
+    _backslashreplace_errors = codecs.lookup_error("backslashreplace")
+
+    def backslashreplace_errors(exc):
+        if isinstance(exc, UnicodeDecodeError):
+            u = "".join("\\x{0:02x}".format(c) for c in exc.object[exc.start:exc.end])
+            return (u, exc.end)
+        return _backslashreplace_errors(exc)
+
+    codecs.register_error("backslashreplace", backslashreplace_errors)
+
+
 # === LOGGING =================================================================
  
 class NullHandler(logging.Handler):
@@ -1535,7 +1567,7 @@ def _extract_vba(ole, vba_root, project_path, dir_path, relaxed=False):
             modulename_id = struct.unpack("<H", dir_stream.read(2))[0]
             check_value('MODULENAME_Id', 0x0019, modulename_id)
             modulename_sizeof_modulename = struct.unpack("<L", dir_stream.read(4))[0]
-            modulename_modulename = dir_stream.read(modulename_sizeof_modulename)
+            modulename_modulename = dir_stream.read(modulename_sizeof_modulename).decode('utf-8', 'backslashreplace')
             # TODO: preset variables to avoid "referenced before assignment" errors
             modulename_unicode_modulename_unicode = ''
             # account for optional sections
@@ -1781,7 +1813,7 @@ def detect_suspicious(vba_code, obfuscation=None):
     for description, keywords in SUSPICIOUS_KEYWORDS.items():
         for keyword in keywords:
             # search using regex to detect word boundaries:
-            match = re.search(r'(?i)\b' + keyword + r'\b', vba_code)
+            match = re.search(r'(?i)\b' + re.escape(keyword) + r'\b', vba_code)
             if match:
                 #if keyword.lower() in vba_code:
                 found_keyword = match.group()
@@ -1824,7 +1856,7 @@ def detect_hex_strings(vba_code):
         value = match.group()
         if value not in found:
             decoded = binascii.unhexlify(value)
-            results.append((value, decoded.decode('utf-8','replace')))
+            results.append((value, decoded.decode('utf-8', 'backslashreplace')))
             found.add(value)
     return results
  
@@ -1956,20 +1988,19 @@ def json2ascii(json_obj, encoding=&#39;utf8&#39;, errors=&#39;replace&#39;):
     return json_obj
  
  
-_have_printed_json_start = False
-
-def print_json(json_dict=None, _json_is_last=False, **json_parts):
+def print_json(json_dict=None, _json_is_first=False, _json_is_last=False,
+               **json_parts):
     """ line-wise print of json.dumps(json2ascii(..)) with options and indent+1
  
     can use in two ways:
     (1) print_json(some_dict)
     (2) print_json(key1=value1, key2=value2, ...)
  
+    :param bool _json_is_first: set to True only for very first entry to complete
+                                the top-level json-list
     :param bool _json_is_last: set to True only for very last entry to complete
                                the top-level json-list
     """
-    global _have_printed_json_start
-
     if json_dict and json_parts:
         raise ValueError('Invalid json argument: want either single dict or '
                          'key=value parts but got both)')
@@ -1980,9 +2011,8 @@ def print_json(json_dict=None, _json_is_last=False, **json_parts):
     if json_parts:
         json_dict = json_parts
  
-    if not _have_printed_json_start:
+    if _json_is_first:
         print('[')
-        _have_printed_json_start = True
  
     lines = json.dumps(json2ascii(json_dict), check_circular=False,
                            indent=4, ensure_ascii=False).splitlines()
@@ -2007,6 +2037,8 @@ class VBA_Scanner(object):
  
         :param vba_code: str, VBA source code to be analyzed
         """
+        if isinstance(vba_code, bytes):
+            vba_code = vba_code.decode('utf-8', 'backslashreplace')
         # join long lines ending with " _":
         self.code = vba_collapse_long_lines(vba_code)
         self.code_hex = ''
@@ -2084,7 +2116,7 @@ class VBA_Scanner(object):
                 (self.code_vba, 'VBA expression'),
         ):
             if isinstance(code,bytes):
-                code=code.decode('utf-8','replace')
+                code=code.decode('utf-8','backslashreplace')
             self.autoexec_keywords += detect_autoexec(code, obfuscation)
             self.suspicious_keywords += detect_suspicious(code, obfuscation)
             self.iocs += detect_patterns(code, obfuscation)
@@ -2411,7 +2443,7 @@ class VBA_Parser(object):
         log.info('Opening MHTML file %s' % self.filename)
         try:
             if isinstance(data,bytes):
-                data = data.decode('utf8', 'replace')
+                data = data.decode('utf8', 'backslashreplace')
             # parse the MIME content
             # remove any leading whitespace or newline (workaround for issue in email package)
             stripped_data = data.lstrip('\r\n\t ')
@@ -2514,7 +2546,7 @@ class VBA_Parser(object):
         log.info('Opening text file %s' % self.filename)
         # directly store the source code:
         if isinstance(data,bytes):
-            data=data.decode('utf8','replace')
+            data=data.decode('utf8','backslashreplace')
         self.vba_code_all_modules = data
         self.contains_macros = True
         # set type only if parsing succeeds
@@ -2671,7 +2703,7 @@ class VBA_Parser(object):
                         log.debug('%r...[much more data]...%r' % (data[:100], data[-50:]))
                     else:
                         log.debug(repr(data))
-                    if 'Attribut' in data.decode('utf-8','ignore'):
+                    if 'Attribut' in data.decode('utf-8', 'ignore'):
                         log.debug('Found VBA compressed code')
                         self.contains_macros = True
                 except IOError as exc:
@@ -3026,7 +3058,7 @@ class VBA_Parser_CLI(VBA_Parser):
                     if hide_attributes:
                         # hide attribute lines:
                         if isinstance(vba_code,bytes):
-                            vba_code =vba_code.decode('utf-8','replace')
+                            vba_code =vba_code.decode('utf-8','backslashreplace')
                         vba_code_filtered = filter_vba(vba_code)
                     else:
                         vba_code_filtered = vba_code
@@ -3105,9 +3137,12 @@ class VBA_Parser_CLI(VBA_Parser):
             if self.detect_vba_macros():
                 for (subfilename, stream_path, vba_filename, vba_code) in self.extract_all_macros():
                     curr_macro = {}
+                    if isinstance(vba_code, bytes):
+                        vba_code = vba_code.decode('utf-8', 'backslashreplace')
+
                     if hide_attributes:
                         # hide attribute lines:
-                        vba_code_filtered = filter_vba(vba_code.decode('utf-8','replace'))
+                        vba_code_filtered = filter_vba(vba_code)
                     else:
                         vba_code_filtered = vba_code
  
@@ -3198,10 +3233,9 @@ class VBA_Parser_CLI(VBA_Parser):
  
 #=== MAIN =====================================================================
  
-def main():
-    """
-    Main function, called when olevba is run from the command line
-    """
+def parse_args(cmd_line_args=None):
+    """ parse command line arguments (given ones or per default sys.argv) """
+
     DEFAULT_LOG_LEVEL = "warning" # Default log level
     LOG_LEVELS = {
         'debug':    logging.DEBUG,
@@ -3253,7 +3287,7 @@ def main():
     parser.add_option('--relaxed', dest="relaxed", action="store_true", default=False,
                             help="Do not raise errors if opening of substream fails")
  
-    (options, args) = parser.parse_args()
+    (options, args) = parser.parse_args(cmd_line_args)
  
     # Print help if no arguments are passed
     if len(args) == 0:
@@ -3261,16 +3295,32 @@ def main():
         parser.print_help()
         sys.exit(RETURN_WRONG_ARGS)
  
+    options.loglevel = LOG_LEVELS[options.loglevel]
+
+    return options, args
+
+
+def main(cmd_line_args=None):
+    """
+    Main function, called when olevba is run from the command line
+
+    Optional argument: command line arguments to be forwarded to ArgumentParser
+    in process_args. Per default (cmd_line_args=None), sys.argv is used. Option
+    mainly added for unit-testing
+    """
+
+    options, args = parse_args(cmd_line_args)
+
     # provide info about tool and its version
     if options.output_mode == 'json':
-        # prints opening [
+        # print first json entry with meta info and opening '['
         print_json(script_name='olevba', version=__version__,
                    url='http://decalage.info/python/oletools',
-                   type='MetaInformation')
+                   type='MetaInformation', _json_is_first=True)
     else:
         print('olevba %s - http://decalage.info/python/oletools' % __version__)
  
-    logging.basicConfig(level=LOG_LEVELS[options.loglevel], format='%(levelname)-8s %(message)s')
+    logging.basicConfig(level=options.loglevel, format='%(levelname)-8s %(message)s')
     # enable logging in the modules:
     log.setLevel(logging.NOTSET)
  
@@ -15,6 +15,8 @@ References:
  
 # === LICENSE =================================================================
 # TODO
+
+
 #------------------------------------------------------------------------------
 # TODO:
 # - make stream optional in PptUnexpectedData
@@ -22,14 +24,16 @@ References:
 # - license
 # - make buffered stream from output of iterative_decompress
 # - maybe can merge the 2 decorators into 1? (with_opened_main_stream)
-#
+
+
 # CHANGELOG:
 # 2016-05-04 v0.01 CH: - start parsing "Current User" stream
 # 2016-07-20 v0.50 SL: - added Python 3 support
 # 2016-09-13       PL: - fixed olefile import for Python 2+3
 #                      - fixed format strings for Python 2.6 (issue #75)
+# 2017-04-23 v0.51 PL: - fixed absolute imports and issue #101
  
-__version__ = '0.50'
+__version__ = '0.51'
  
  
 # --- IMPORTS ------------------------------------------------------------------
@@ -39,15 +43,21 @@ import logging
 import struct
 import traceback
 import os
+import zlib
  
-try:
-    # absolute import when oletools is installed
-    import oletools.thirdparty.olefile as olefile
-except:
-    # relative import otherwise
-    import thirdparty.olefile as olefile
+# IMPORTANT: it should be possible to run oletools directly as scripts
+# in any directory without installing them with pip or setup.py.
+# In that case, relative imports are NOT usable.
+# And to enable Python 2+3 compatibility, we need to use absolute imports,
+# so we add the oletools parent folder to sys.path (absolute+normalized path):
+_thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
+# print('_thismodule_dir = %r' % _thismodule_dir)
+_parent_dir = os.path.normpath(os.path.join(_thismodule_dir, '..'))
+# print('_parent_dir = %r' % _thirdparty_dir)
+if not _parent_dir in sys.path:
+    sys.path.insert(0, _parent_dir)
  
-import zlib
+from oletools.thirdparty.olefile import olefile
  
  
 # a global logger object used for debugging:
@@ -1130,7 +1140,7 @@ class PptParser(object):
             log.debug('using open OleFileIO')
             self.ole = ole
         else:
-            log.debug('Opening file ' + ole)
+            log.debug('Opening file {0}'.format(ole))
             self.ole = olefile.OleFileIO(ole)
  
         self.fast_fail = fast_fail
@@ -74,10 +74,11 @@ __version__ = &#39;0.50&#39;
  
 #=== IMPORTS =================================================================
  
-import optparse, sys, os, rtfobj
+import optparse, sys, os
+from . import rtfobj
 from io import BytesIO
-from thirdparty.xxxswf import xxxswf
-import thirdparty.olefile as olefile
+from .thirdparty.xxxswf import xxxswf
+from .thirdparty import olefile
  
  
 #=== MAIN =================================================================
@@ -17,7 +17,7 @@ http://www.decalage.info/python/oletools
  
 #=== LICENSE =================================================================
  
-# rtfobj is copyright (c) 2012-2016, Philippe Lagadec (http://www.decalage.info)
+# rtfobj is copyright (c) 2012-2017, Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -65,8 +65,20 @@ http://www.decalage.info/python/oletools
 # 2016-08-09       PL: - fixed issue #78, improved regex
 # 2016-09-06       PL: - fixed issue #83, backward compatible API
 # 2016-11-17 v0.51 PL: - updated call to oleobj.OleNativeStream
-
-__version__ = '0.51'
+# 2017-03-12       PL: - fixed imports for Python 2+3
+#                      - fixed hex decoding bug in RtfObjParser (issue #103)
+# 2017-03-29       PL: - fixed RtfParser to handle issue #152 (control word with
+#                        long parameter)
+# 2017-04-11       PL: - added detection of the OLE2Link vulnerability CVE-2017-0199
+# 2017-05-04       PL: - fixed issue #164 to handle linked OLE objects
+# 2017-06-08       PL: - fixed issue/PR #143: bin object with negative length
+# 2017-06-29       PL: - temporary fix for issue #178
+# 2017-07-14 v0.51.1 PL: - disabled logging of each control word (issue #184)
+# 2017-07-24       PL: - fixed call to RtfParser._end_of_file (issue #185)
+#                      - ignore optional space after \bin (issue #185)
+# 2017-09-06       PL: - fixed issue #196: \pxe is not a destination
+
+__version__ = '0.51.1dev4'
  
 # ------------------------------------------------------------------------------
 # TODO:
@@ -83,12 +95,22 @@ __version__ = &#39;0.51&#39;
 import re, os, sys, binascii, logging, optparse
 import os.path
  
-from thirdparty.xglob import xglob
-from oleobj import OleObject, OleNativeStream
-import oleobj
-
-from thirdparty.tablestream import tablestream
-
+# IMPORTANT: it should be possible to run oletools directly as scripts
+# in any directory without installing them with pip or setup.py.
+# In that case, relative imports are NOT usable.
+# And to enable Python 2+3 compatibility, we need to use absolute imports,
+# so we add the oletools parent folder to sys.path (absolute+normalized path):
+_thismodule_dir = os.path.normpath(os.path.abspath(os.path.dirname(__file__)))
+# print('_thismodule_dir = %r' % _thismodule_dir)
+_parent_dir = os.path.normpath(os.path.join(_thismodule_dir, '..'))
+# print('_parent_dir = %r' % _thirdparty_dir)
+if not _parent_dir in sys.path:
+    sys.path.insert(0, _parent_dir)
+
+from oletools.thirdparty.xglob import xglob
+from oletools.thirdparty.tablestream import tablestream
+from oletools.oleobj import OleObject, OleNativeStream
+from oletools import oleobj
  
 # === LOGGING =================================================================
  
@@ -174,8 +196,8 @@ ASCII_NAME = b&#39;([a-zA-Z]{1,250})&#39;
 # SIGNED_INTEGER = r'(-?\d{1,250})'
 SIGNED_INTEGER = b'(-?\\d+)'
  
-# Note for issue #78: need to match "\A-" not followed by digits
-CONTROL_WORD = b'(?:\\\\' + ASCII_NAME + b'(?:' + SIGNED_INTEGER + b'(?=[^0-9])|(?=[^a-zA-Z0-9])))'
+# Note for issue #78: need to match "\A-" not followed by digits (or the end of string)
+CONTROL_WORD = b'(?:\\\\' + ASCII_NAME + b'(?:' + SIGNED_INTEGER + b'(?=[^0-9])|(?=[^a-zA-Z0-9])|$))'
  
 re_control_word = re.compile(CONTROL_WORD)
  
@@ -262,7 +284,11 @@ DESTINATION_CONTROL_WORDS = frozenset((
     b"mzeroAsc", b"mzeroDesc", b"mzeroWid", b"nesttableprops", b"nexctfile", b"nonesttables", b"objalias", b"objclass",
     b"objdata", b"object", b"objname", b"objsect", b"objtime", b"oldcprops", b"oldpprops", b"oldsprops", b"oldtprops",
     b"oleclsid", b"operator", b"panose", b"password", b"passwordhash", b"pgp", b"pgptbl", b"picprop", b"pict", b"pn", b"pnseclvl",
-    b"pntext", b"pntxta", b"pntxtb", b"printim", b"private", b"propname", b"protend", b"protstart", b"protusertbl", b"pxe",
+    b"pntext", b"pntxta", b"pntxtb", b"printim",
+    # It seems \private should not be treated as a destination (issue #178)
+    # Same for \pxe (issue #196)
+    # b"private", b"pxe",
+    b"propname", b"protend", b"protstart", b"protusertbl",
     b"result", b"revtbl", b"revtim", b"rsidtbl", b"rtf", b"rxe", b"shp", b"shpgrp", b"shpinst", b"shppict", b"shprslt", b"shptxt",
     b"sn", b"sp", b"staticval", b"stylesheet", b"subject", b"sv", b"svb", b"tc", b"template", b"themedata", b"title", b"txe", b"ud",
     b"upr", b"userprops", b"wgrffmtfilter", b"windowcaption", b"writereservation", b"writereservhash", b"xe", b"xform",
@@ -311,10 +337,16 @@ class Destination(object):
  
 class RtfParser(object):
     """
-    Very simple generic RTF parser
+    Very simple but robust generic RTF parser, designed to handle
+    malformed malicious RTF as MS Word does
     """
  
     def __init__(self, data):
+        """
+        RtfParser constructor.
+        
+        :param data: bytes object containing the RTF data to be parsed 
+        """
         self.data = data
         self.index = 0
         self.size = len(data)
@@ -325,42 +357,66 @@ class RtfParser(object):
         self.current_destination = document_destination
  
     def parse(self):
+        """
+        Parse the RTF data
+        
+        :return: nothing
+        """
+        # Start at beginning of data
         self.index = 0
+        # Loop until the end
         while self.index < self.size:
             if self.data[self.index] == BRACE_OPEN:
+                # Found an opening brace "{": Start of a group
                 self._open_group()
                 self.index += 1
                 continue
             if self.data[self.index] == BRACE_CLOSE:
+                # Found a closing brace "}": End of a group
                 self._close_group()
                 self.index += 1
                 continue
             if self.data[self.index] == BACKSLASH:
-                m = re_control_word.match(self.data, self.index)
+                # Found a backslash "\": Start of a control word or control symbol
+                # Use a regex to extract the control word name if present:
+                # NOTE: the full length of the control word + its optional integer parameter
+                # is limited by MS Word at 253 characters, so we have to run the regex
+                # on a cropped string:
+                data_cropped = self.data[self.index:]
+                if len(data_cropped)>253:
+                    data_cropped = data_cropped[:254]
+                # append a space so that the regex can check the following character:
+                data_cropped += b' '
+                # m = re_control_word.match(self.data, self.index, self.index+253)
+                m = re_control_word.match(data_cropped)
                 if m:
                     cword = m.group(1)
                     param = None
                     if len(m.groups()) > 1:
                         param = m.group(2)
-                    # log.debug('control word %r at index %Xh - cword=%r param=%r' % (m.group(), self.index, cword, param))
+                    # log.debug('control word at index %Xh - cword=%r param=%r  %r' % (self.index, cword, param, m.group()))
                     self._control_word(m, cword, param)
                     self.index += len(m.group())
                     # if it's \bin, call _bin after updating index
                     if cword == b'bin':
                         self._bin(m, param)
                     continue
+                # Otherwise, it may be a control symbol:
                 m = re_control_symbol.match(self.data, self.index)
                 if m:
                     self.control_symbol(m)
                     self.index += len(m.group())
                     continue
+            # Otherwise, this is plain text:
+            # Use a regex to match all characters until the next brace or backslash:
             m = re_text.match(self.data, self.index)
             if m:
                 self._text(m)
                 self.index += len(m.group())
                 continue
             raise RuntimeError('Should not have reached this point - index=%Xh' % self.index)
-        self.end_of_file()
+        # call _end_of_file to make sure all groups are closed properly
+        self._end_of_file()
  
  
     def _open_group(self):
@@ -430,6 +486,8 @@ class RtfParser(object):
  
     def _control_word(self, matchobject, cword, param):
         #log.debug('control word %r at index %Xh' % (matchobject.group(), self.index))
+        # TODO: according to RTF specs v1.9.1, "Destination changes are legal only immediately after an opening brace ({)"
+        # (not counting the special control symbol \*, of course)
         if cword in DESTINATION_CONTROL_WORDS:
             # log.debug('%r is a destination control word: starting a new destination' % cword)
             self._open_destination(matchobject, cword)
@@ -454,9 +512,19 @@ class RtfParser(object):
  
     def _bin(self, matchobject, param):
         binlen = int(param)
+        # handle negative length
+        if binlen < 0:
+            log.warn('Detected anti-analysis trick: \\bin object with negative length at index %X' % self.index)
+            # binlen = int(param.strip('-'))
+            # According to my tests, if the bin length is negative,
+            # it should be treated as a null length:
+            binlen=0
+        # ignore optional space after \bin
+        if self.data[self.index] == ' ':
+            log.debug('\\bin: ignoring whitespace before data')
+            self.index += 1
         log.debug('\\bin: reading %d bytes of binary data' % binlen)
-        # TODO: handle optional space?
-        # TODO: handle negative length, and length greater than data
+        # TODO: handle length greater than data
         bindata = self.data[self.index:self.index + binlen]
         self.index += binlen
         self.bin(bindata)
@@ -468,7 +536,7 @@ class RtfParser(object):
         # log.debug('%Xh Reached End of File')
         # close any group/destination that is still open:
         while self.group_level > 0:
-            # log.debug('Group Level = %d, closing group' % self.group_level)
+            log.debug('Group Level = %d, closing group' % self.group_level)
             self._close_group()
         self.end_of_file()
  
@@ -517,6 +585,7 @@ class RtfObjParser(RtfParser):
         self.objects = []
  
     def open_destination(self, destination):
+        # TODO: detect when the destination is within an objdata, report as obfuscation
         if destination.cword == b'objdata':
             log.debug('*** Start object data at index %Xh' % destination.start)
  
@@ -530,10 +599,10 @@ class RtfObjParser(RtfParser):
             # Filter out all whitespaces first (just ignored):
             hexdata1 = destination.data.translate(None, b' \t\r\n\f\v')
             # Then filter out any other non-hex character:
-            hexdata = re.sub(b'[^a-hA-H0-9]', b'', hexdata1)
+            hexdata = re.sub(b'[^a-fA-F0-9]', b'', hexdata1)
             if len(hexdata) < len(hexdata1):
                 # this is only for debugging:
-                nonhex = re.sub(b'[a-hA-H0-9]', b'', hexdata1)
+                nonhex = re.sub(b'[a-fA-F0-9]', b'', hexdata1)
                 log.debug('Found non-hex chars in hexdata: %r' % nonhex)
             # MS Word accepts an extra hex digit, so we need to trim it if present:
             if len(hexdata) & 1:
@@ -573,6 +642,7 @@ class RtfObjParser(RtfParser):
         # TODO: extract useful cwords such as objclass
         # TODO: keep track of cwords inside objdata, because it is unusual and indicates potential obfuscation
         # TODO: same with control symbols, and opening bracket
+        # log.debug('- Control word "%s", param=%s, level=%d' % (cword, param, self.group_level))
         pass
  
  
@@ -649,11 +719,22 @@ def process_file(container, filename, data, output_dir=None, save_object=False):
     rtfp = RtfObjParser(data)
     rtfp.parse()
     for rtfobj in rtfp.objects:
+        ole_color = None
         pkg_color = None
         if rtfobj.is_ole:
-            ole_column = 'format_id: %d\n' % rtfobj.format_id
+            ole_column = 'format_id: %d ' % rtfobj.format_id
+            if rtfobj.format_id == oleobj.OleObject.TYPE_EMBEDDED:
+                ole_column += '(Embedded)\n'
+            elif rtfobj.format_id == oleobj.OleObject.TYPE_LINKED:
+                ole_column += '(Linked)\n'
+            else:
+                ole_column += '(Unknown)\n'
             ole_column += 'class name: %r\n' % rtfobj.class_name
-            ole_column += 'data size: %d' % rtfobj.oledata_size
+            # if the object is linked and not embedded, data_size=None:
+            if rtfobj.oledata_size is None:
+                ole_column += 'data size: N/A'
+            else:
+                ole_column += 'data size: %d' % rtfobj.oledata_size
             if rtfobj.is_package:
                 pkg_column = 'Filename: %r\n' % rtfobj.filename
                 pkg_column += 'Source path: %r\n' % rtfobj.src_path
@@ -667,6 +748,11 @@ def process_file(container, filename, data, output_dir=None, save_object=False):
                     pkg_column += '\nEXECUTABLE FILE'
             else:
                 pkg_column = 'Not an OLE Package'
+            # Detect OLE2Link exploit
+            # http://www.kb.cert.org/vuls/id/921560
+            if rtfobj.class_name == 'OLE2Link':
+                ole_color = 'red'
+                ole_column += '\nPossibly an exploit for the OLE2Link vulnerability (VU#921560, CVE-2017-0199)'
         else:
             pkg_column = ''
             ole_column = 'Not a well-formed OLE object'
@@ -676,7 +762,7 @@ def process_file(container, filename, data, output_dir=None, save_object=False):
             '%08Xh' % rtfobj.start,
             ole_column,
             pkg_column
-            ), colors=(None, None, None, pkg_color)
+            ), colors=(None, None, ole_color, pkg_color)
         )
         tstream.write_sep()
     if save_object:
@@ -703,7 +789,8 @@ def process_file(container, filename, data, output_dir=None, save_object=False):
                     fname = '%s_object_%08X.noname' % (fname_prefix, rtfobj.start)
                 print('  saving to file %s' % fname)
                 open(fname, 'wb').write(rtfobj.olepkgdata)
-            elif rtfobj.is_ole:
+            # When format_id=TYPE_LINKED, oledata_size=None
+            elif rtfobj.is_ole and rtfobj.oledata_size is not None:
                 print('Saving file embedded in OLE object #%d:' % i)
                 print('  format_id  = %d' % rtfobj.format_id)
                 print('  class name = %r' % rtfobj.class_name)
@@ -789,7 +876,7 @@ def main():
                         format='%(levelname)-8s %(message)s')
     # enable logging in the modules:
     log.setLevel(logging.NOTSET)
-    oleobj.log.setLevel(logging.NOTSET)
+    oleobj.enable_logging()
  
     for container, filename, data in xglob.iter_files(args, recursive=options.recursive,
         zip_password=options.zip_password, zip_fname=options.zip_fname):
-#!/usr/bin/env python
+"""
+olefile (formerly OleFileIO_PL)
  
-# olefile (formerly OleFileIO_PL)
-#
-# Module to read/write Microsoft OLE2 files (also called Structured Storage or
-# Microsoft Compound Document File Format), such as Microsoft Office 97-2003
-# documents, Image Composer and FlashPix files, Outlook messages, ...
-# This version is compatible with Python 2.6+ and 3.x
-#
-# Project website: http://www.decalage.info/olefile
-#
-# olefile is copyright (c) 2005-2016 Philippe Lagadec (http://www.decalage.info)
-#
-# olefile is based on the OleFileIO module from the PIL library v1.1.6
-# See: http://www.pythonware.com/products/pil/index.htm
-#
-# The Python Imaging Library (PIL) is
-# Copyright (c) 1997-2005 by Secret Labs AB
-# Copyright (c) 1995-2005 by Fredrik Lundh
-#
-# See source code and LICENSE.txt for information on usage and redistribution.
+Module to read/write Microsoft OLE2 files (also called Structured Storage or
+Microsoft Compound Document File Format), such as Microsoft Office 97-2003
+documents, Image Composer and FlashPix files, Outlook messages, ...
+This version is compatible with Python 2.6+ and 3.x
+
+Project website: https://www.decalage.info/olefile
+
+olefile is copyright (c) 2005-2017 Philippe Lagadec
+(https://www.decalage.info)
  
+olefile is based on the OleFileIO module from the PIL library v1.1.7
+See: http://www.pythonware.com/products/pil/index.htm
+and http://svn.effbot.org/public/tags/pil-1.1.7/PIL/OleFileIO.py
+
+The Python Imaging Library (PIL) is
+Copyright (c) 1997-2009 by Secret Labs AB
+Copyright (c) 1995-2009 by Fredrik Lundh
+
+See source code and LICENSE.txt for information on usage and redistribution.
+"""
  
 # Since OleFileIO_PL v0.30, only Python 2.6+ and 3.x is supported
 # This import enables print() as a function rather than a keyword
@@ -28,14 +29,10 @@
 from __future__ import print_function   # This version of olefile requires Python 2.6+ or 3.x.
  
  
-__author__  = "Philippe Lagadec"
-__date__    = "2016-04-26"
-__version__ = '0.44'
-
 #--- LICENSE ------------------------------------------------------------------
  
-# olefile (formerly OleFileIO_PL) is copyright (c) 2005-2016 Philippe Lagadec
-# (http://www.decalage.info)
+# olefile (formerly OleFileIO_PL) is copyright (c) 2005-2017 Philippe Lagadec
+# (https://www.decalage.info)
 #
 # All rights reserved.
 #
@@ -66,8 +63,8 @@ __version__ = &#39;0.44&#39;
 # Imaging Library (PIL) published by Fredrik Lundh under the following license:
  
 # The Python Imaging Library (PIL) is
-#    Copyright (c) 1997-2005 by Secret Labs AB
-#    Copyright (c) 1995-2005 by Fredrik Lundh
+#    Copyright (c) 1997-2009 by Secret Labs AB
+#    Copyright (c) 1995-2009 by Fredrik Lundh
 #
 # By obtaining, using, and/or copying this software and/or its associated
 # documentation, you agree that you have read, understood, and will comply with
@@ -138,7 +135,7 @@ __version__ = &#39;0.44&#39;
 # 2009-12-11 v0.20 PL: - bugfix in OleFileIO.open when filename is not plain str
 # 2010-01-22 v0.21 PL: - added support for big-endian CPUs such as PowerPC Macs
 # 2012-02-16 v0.22 PL: - fixed bug in getproperties, patch by chuckleberryfinn
-#                        (https://bitbucket.org/decalage/olefileio_pl/issue/7)
+#                        (https://github.com/decalage2/olefile/issues/7)
 #                      - added close method to OleFileIO (fixed issue #2)
 # 2012-07-25 v0.23 PL: - added support for file-like objects (patch by mete0r_kr)
 # 2013-05-05 v0.24 PL: - getproperties: added conversion from filetime to python
@@ -196,6 +193,16 @@ __version__ = &#39;0.44&#39;
 # 2016-04-27           - added support for incomplete streams and incorrect
 #                        directory entries (to read malformed documents)
 # 2016-05-04           - fixed slight bug in OleStream
+# 2016-11-27       DR: - added method to get the clsid of a storage/stream
+#                        (Daniel Roethlisberger)
+# 2017-05-31 v0.45 BS: - PR #114 from oletools to handle excessive number of
+#                        properties:
+#                        https://github.com/decalage2/oletools/pull/114
+# 2017-07-11       PL: - ignore incorrect ByteOrder (issue #70)
+
+__date__    = "2017-07-11"
+__version__ = '0.45dev2'
+__author__  = "Philippe Lagadec"
  
 #-----------------------------------------------------------------------------
 # TODO (for version 1.0):
@@ -223,7 +230,7 @@ __version__ = &#39;0.44&#39;
 # - see also original notes and FIXME below
 # - remove all obsolete FIXMEs
 # - OleMetadata: fix version attrib according to
-#   http://msdn.microsoft.com/en-us/library/dd945671%28v=office.12%29.aspx
+#   https://msdn.microsoft.com/en-us/library/dd945671%28v=office.12%29.aspx
  
 # IDEAS:
 # - in OleFileIO._open and OleStream, use size=None instead of 0x7FFFFFFF for
@@ -238,8 +245,8 @@ __version__ = &#39;0.44&#39;
 # - create a simple OLE explorer with wxPython
  
 # FUTURE EVOLUTIONS to add write support:
-# see issue #6 on Bitbucket:
-# https://bitbucket.org/decalage/olefileio_pl/issue/6/improve-olefileio_pl-to-write-ole-files
+# see issue #6 on GitHub:
+# https://github.com/decalage2/olefile/issues/6
  
 #-----------------------------------------------------------------------------
 # NOTES from PIL 1.1.6:
@@ -268,6 +275,10 @@ __version__ = &#39;0.44&#39;
  
 #------------------------------------------------------------------------------
  
+__all__ = ['isOleFile', 'OleFileIO', 'OleMetadata', 'enable_logging',
+           'MAGIC', 'STGTY_EMPTY',
+           'STGTY_STREAM', 'STGTY_STORAGE', 'STGTY_ROOT', 'STGTY_PROPERTY',
+           'STGTY_LOCKBYTES', 'MINIMAL_OLEFILE_SIZE', 'NOSTREAM']
  
 import io
 import sys
@@ -317,17 +328,10 @@ else:
  
 #[PL] These workarounds were inspired from the Path module
 # (see http://www.jorendorff.com/articles/python/path/)
-#TODO: test with old Python versions
-
-# Pre-2.3 workaround for basestring.
 try:
     basestring
 except NameError:
-    try:
-        # is Unicode supported (Python >2.0 or >1.6 ?)
-        basestring = (str, unicode)
-    except NameError:
-        basestring = str
+    basestring = str
  
 #[PL] Experimental setting: if True, OLE filenames will be kept in Unicode
 # if False (default PIL behaviour), all filenames are converted to Latin-1.
@@ -395,27 +399,27 @@ def enable_logging():
  
 #=== CONSTANTS ===============================================================
  
-# magic bytes that should be at the beginning of every OLE file:
+#: magic bytes that should be at the beginning of every OLE file:
 MAGIC = b'\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1'
  
 #[PL]: added constants for Sector IDs (from AAF specifications)
-MAXREGSECT = 0xFFFFFFFA # (-6) maximum SECT
-DIFSECT    = 0xFFFFFFFC # (-4) denotes a DIFAT sector in a FAT
-FATSECT    = 0xFFFFFFFD # (-3) denotes a FAT sector in a FAT
-ENDOFCHAIN = 0xFFFFFFFE # (-2) end of a virtual stream chain
-FREESECT   = 0xFFFFFFFF # (-1) unallocated sector
+MAXREGSECT = 0xFFFFFFFA #: (-6) maximum SECT
+DIFSECT    = 0xFFFFFFFC #: (-4) denotes a DIFAT sector in a FAT
+FATSECT    = 0xFFFFFFFD #: (-3) denotes a FAT sector in a FAT
+ENDOFCHAIN = 0xFFFFFFFE #: (-2) end of a virtual stream chain
+FREESECT   = 0xFFFFFFFF #: (-1) unallocated sector
  
 #[PL]: added constants for Directory Entry IDs (from AAF specifications)
-MAXREGSID  = 0xFFFFFFFA # (-6) maximum directory entry ID
-NOSTREAM   = 0xFFFFFFFF # (-1) unallocated directory entry
+MAXREGSID  = 0xFFFFFFFA #: (-6) maximum directory entry ID
+NOSTREAM   = 0xFFFFFFFF #: (-1) unallocated directory entry
  
 #[PL] object types in storage (from AAF specifications)
-STGTY_EMPTY     = 0 # empty directory entry (according to OpenOffice.org doc)
-STGTY_STORAGE   = 1 # element is a storage object
-STGTY_STREAM    = 2 # element is a stream object
-STGTY_LOCKBYTES = 3 # element is an ILockBytes object
-STGTY_PROPERTY  = 4 # element is an IPropertyStorage object
-STGTY_ROOT      = 5 # element is a root storage
+STGTY_EMPTY     = 0 #: empty directory entry
+STGTY_STORAGE   = 1 #: element is a storage object
+STGTY_STREAM    = 2 #: element is a stream object
+STGTY_LOCKBYTES = 3 #: element is an ILockBytes object
+STGTY_PROPERTY  = 4 #: element is an IPropertyStorage object
+STGTY_ROOT      = 5 #: element is a root storage
  
 # Unknown size for a stream (used by OleStream):
 UNKNOWN_SIZE = 0x7FFFFFFF
@@ -472,7 +476,13 @@ def isOleFile (filename):
     """
     Test if a file is an OLE container (according to the magic bytes in its header).
  
-    :param filename: string-like or file-like object, OLE file to parse
+    .. note::
+        This function only checks the first 8 bytes of the file, not the
+        rest of the OLE structure.
+
+    .. versionadded:: 0.16
+
+    :param filename: filename, contents or file-like object of the OLE file (string-like or file-like object)
  
         - if filename is a string smaller than 1536 bytes, it is the path
           of the file to open. (bytes or unicode string)
@@ -481,7 +491,9 @@ def isOleFile (filename):
         - if filename is a file-like object (with read and seek methods),
           it is parsed as-is.
  
+    :type filename: bytes or str or unicode or file
     :returns: True if OLE, False otherwise.
+    :rtype: bool
     """
     # check if filename is a string-like or file-like object:
     if hasattr(filename, 'read'):
@@ -494,7 +506,8 @@ def isOleFile (filename):
         header = filename[:len(MAGIC)]
     else:
         # string-like object: filename of file on disk
-        header = open(filename, 'rb').read(len(MAGIC))
+        with open(filename, 'rb') as fp:
+            header = fp.read(len(MAGIC))
     if header == MAGIC:
         return True
     else:
@@ -511,8 +524,6 @@ else:
         return c if c.__class__ is int else c[0]
  
  
-#TODO: replace i16 and i32 with more readable struct.unpack equivalent?
-
 def i16(c, o = 0):
     """
     Converts a 2-bytes (16 bits) string to an integer.
@@ -520,7 +531,7 @@ def i16(c, o = 0):
     :param c: string containing bytes to convert
     :param o: offset of bytes to convert in string
     """
-    return i8(c[o]) | (i8(c[o+1])<<8)
+    return struct.unpack("<H", c[o:o+2])[0]
  
  
 def i32(c, o = 0):
@@ -530,10 +541,7 @@ def i32(c, o = 0):
     :param c: string containing bytes to convert
     :param o: offset of bytes to convert in string
     """
-##    return int(ord(c[o])+(ord(c[o+1])<<8)+(ord(c[o+2])<<16)+(ord(c[o+3])<<24))
-##    # [PL]: added int() because "<<" gives long int since Python 2.4
-    # copied from Pillow's _binary:
-    return i8(c[o]) | (i8(c[o+1])<<8) | (i8(c[o+2])<<16) | (i8(c[o+3])<<24)
+    return struct.unpack("<I", c[o:o+4])[0]
  
  
 def _clsid(clsid):
@@ -558,7 +566,7 @@ def filetime2datetime(filetime):
         convert FILETIME (64 bits int) to Python datetime.datetime
         """
         # TODO: manage exception when microseconds is too large
-        # inspired from http://code.activestate.com/recipes/511425-filetime-to-datetime/
+        # inspired from https://code.activestate.com/recipes/511425-filetime-to-datetime/
         _FILETIME_null_date = datetime.datetime(1601, 1, 1, 0, 0, 0)
         #log.debug('timedelta days=%d' % (filetime//(10*1000000*3600*24)))
         return _FILETIME_null_date + datetime.timedelta(microseconds=filetime//10)
@@ -585,17 +593,19 @@ class OleMetadata:
     OLE file.
  
     References for SummaryInformation stream:
-    - http://msdn.microsoft.com/en-us/library/dd942545.aspx
-    - http://msdn.microsoft.com/en-us/library/dd925819%28v=office.12%29.aspx
-    - http://msdn.microsoft.com/en-us/library/windows/desktop/aa380376%28v=vs.85%29.aspx
-    - http://msdn.microsoft.com/en-us/library/aa372045.aspx
-    - http://sedna-soft.de/summary-information-stream/
-    - http://poi.apache.org/apidocs/org/apache/poi/hpsf/SummaryInformation.html
+
+    - https://msdn.microsoft.com/en-us/library/dd942545.aspx
+    - https://msdn.microsoft.com/en-us/library/dd925819%28v=office.12%29.aspx
+    - https://msdn.microsoft.com/en-us/library/windows/desktop/aa380376%28v=vs.85%29.aspx
+    - https://msdn.microsoft.com/en-us/library/aa372045.aspx
+    - http://sedna-soft.de/articles/summary-information-stream/
+    - https://poi.apache.org/apidocs/org/apache/poi/hpsf/SummaryInformation.html
  
     References for DocumentSummaryInformation stream:
-    - http://msdn.microsoft.com/en-us/library/dd945671%28v=office.12%29.aspx
-    - http://msdn.microsoft.com/en-us/library/windows/desktop/aa380374%28v=vs.85%29.aspx
-    - http://poi.apache.org/apidocs/org/apache/poi/hpsf/DocumentSummaryInformation.html
+
+    - https://msdn.microsoft.com/en-us/library/dd945671%28v=office.12%29.aspx
+    - https://msdn.microsoft.com/en-us/library/windows/desktop/aa380374%28v=vs.85%29.aspx
+    - https://poi.apache.org/apidocs/org/apache/poi/hpsf/DocumentSummaryInformation.html
  
     new in version 0.25
     """
@@ -676,7 +686,7 @@ class OleMetadata:
     def parse_properties(self, olefile):
         """
         Parse standard properties of an OLE file, from the streams
-        "\x05SummaryInformation" and "\x05DocumentSummaryInformation",
+        ``\\x05SummaryInformation`` and ``\\x05DocumentSummaryInformation``,
         if present.
         Properties are converted to strings, integers or python datetime objects.
         If a property is not present, its value is set to None.
@@ -851,14 +861,14 @@ class OleStream(io.BytesIO):
         elif unknown_size:
             # actual stream size was not known, now we know the size of read
             # data:
-            log.debug('Read data of length %d, the stream size was unkown' % len(data))
+            log.debug('Read data of length %d, the stream size was unknown' % len(data))
             self.size = len(data)
         else:
             # read data is less than expected:
             log.debug('Read data of length %d, less than expected stream size %d' % (len(data), size))
             # TODO: provide details in exception message
-            self.ole._raise_defect(DEFECT_INCORRECT, 'OLE stream size is less than declared')
             self.size = len(data)
+            self.ole._raise_defect(DEFECT_INCORRECT, 'OLE stream size is less than declared')
         # when all data is read in memory, BytesIO constructor is called
         io.BytesIO.__init__(self, data)
         # Then the OleStream object can be used as a read-only file object.
@@ -1023,7 +1033,7 @@ class OleDirectoryEntry:
         Walk through red-black tree of children of this directory entry to add
         all of them to the kids list. (recursive method)
  
-        :param child_sid : index of child directory entry to use, or None when called
+        :param child_sid: index of child directory entry to use, or None when called
             first time for the root. (only used during recursion)
         """
         log.debug('append_kids: child_sid=%d' % child_sid)
@@ -1188,8 +1198,8 @@ class OleFileIO:
         """
         # minimal level for defects to be raised as exceptions:
         self._raise_defects_level = raise_defects
-        # list of defects/issues not raised as exceptions:
-        # tuples of (exception type, message)
+        #: list of defects/issues not raised as exceptions:
+        #: tuples of (exception type, message)
         self.parsing_issues = []
         self.write_mode = write_mode
         self.path_encoding = path_encoding
@@ -1386,7 +1396,7 @@ class OleFileIO:
         log.debug( "Byte Order    = %X (expected: FFFE)" % self.byte_order )
         if self.byte_order != 0xFFFE:
             # For now only common little-endian documents are handled correctly
-            self._raise_defect(DEFECT_FATAL, "incorrect ByteOrder in OLE header")
+            self._raise_defect(DEFECT_INCORRECT, "incorrect ByteOrder in OLE header")
             # TODO: add big-endian support for documents created on Mac ?
             # But according to [MS-CFB] ? v20140502, ByteOrder MUST be 0xFFFE.
         self.sector_size = 2**self.sector_shift
@@ -2081,6 +2091,21 @@ class OleFileIO:
             return False
  
  
+    def getclsid(self, filename):
+        """
+        Return clsid of a stream/storage.
+
+        :param filename: path of stream/storage in storage tree. (see openstream for
+            syntax)
+        :returns: Empty string if clsid is null, a printable representation of the clsid otherwise
+
+        new in version 0.44
+        """
+        sid = self._find(filename)
+        entry = self.direntries[sid]
+        return entry.clsid
+
+
     def getmtime(self, filename):
         """
         Return modification time of a stream/storage.
@@ -2201,7 +2226,10 @@ class OleFileIO:
             self._raise_defect(DEFECT_INCORRECT, msg, type(exc))
             return data
  
-        for i in range(num_props):
+        # clamp num_props based on the data length
+        num_props = min(num_props, len(s) / 8)
+
+        for i in iterrange(num_props):
             property_id = 0 # just in case of an exception
             try:
                 property_id = i32(s, 8+i*8)
@@ -2222,12 +2250,12 @@ class OleFileIO:
                 elif property_type in (VT_I4, VT_INT, VT_ERROR):
                     # VT_I4: 32-bit signed integer
                     # VT_ERROR: HRESULT, similar to 32-bit signed integer,
-                    # see http://msdn.microsoft.com/en-us/library/cc230330.aspx
+                    # see https://msdn.microsoft.com/en-us/library/cc230330.aspx
                     value = i32(s, offset+4)
                 elif property_type in (VT_UI4, VT_UINT): # 4-byte unsigned integer
                     value = i32(s, offset+4) # FIXME
                 elif property_type in (VT_BSTR, VT_LPSTR):
-                    # CodePageString, see http://msdn.microsoft.com/en-us/library/dd942354.aspx
+                    # CodePageString, see https://msdn.microsoft.com/en-us/library/dd942354.aspx
                     # size is a 32 bits integer, including the null terminator, and
                     # possibly trailing or embedded null chars
                     #TODO: if codepage is unicode, the string should be converted as such
@@ -2237,12 +2265,12 @@ class OleFileIO:
                     value = value.replace(b'\x00', b'')
                 elif property_type == VT_BLOB:
                     # binary large object (BLOB)
-                    # see http://msdn.microsoft.com/en-us/library/dd942282.aspx
+                    # see https://msdn.microsoft.com/en-us/library/dd942282.aspx
                     count = i32(s, offset+4)
                     value = s[offset+8:offset+8+count]
                 elif property_type == VT_LPWSTR:
                     # UnicodeString
-                    # see http://msdn.microsoft.com/en-us/library/dd942313.aspx
+                    # see https://msdn.microsoft.com/en-us/library/dd942313.aspx
                     # "the string should NOT contain embedded or additional trailing
                     # null characters."
                     count = i32(s, offset+4)
@@ -2255,7 +2283,7 @@ class OleFileIO:
                         log.debug('Converting property #%d to python datetime, value=%d=%fs'
                                 %(property_id, value, float(value)/10000000))
                         # convert FILETIME to Python datetime.datetime
-                        # inspired from http://code.activestate.com/recipes/511425-filetime-to-datetime/
+                        # inspired from https://code.activestate.com/recipes/511425-filetime-to-datetime/
                         _FILETIME_null_date = datetime.datetime(1601, 1, 1, 0, 0, 0)
                         log.debug('timedelta days=%d' % (value//(10*1000000*3600*24)))
                         value = _FILETIME_null_date + datetime.timedelta(microseconds=value//10)
@@ -2269,12 +2297,12 @@ class OleFileIO:
                     value = _clsid(s[offset+4:offset+20])
                 elif property_type == VT_CF:
                     # PropertyIdentifier or ClipboardData??
-                    # see http://msdn.microsoft.com/en-us/library/dd941945.aspx
+                    # see https://msdn.microsoft.com/en-us/library/dd941945.aspx
                     count = i32(s, offset+4)
                     value = s[offset+8:offset+8+count]
                 elif property_type == VT_BOOL:
                     # VARIANT_BOOL, 16 bits bool, 0x0000=Fals, 0xFFFF=True
-                    # see http://msdn.microsoft.com/en-us/library/cc237864.aspx
+                    # see https://msdn.microsoft.com/en-us/library/cc237864.aspx
                     value = bool(i16(s, offset+4))
                 else:
                     value = None # everything else yields "None"
@@ -2282,13 +2310,13 @@ class OleFileIO:
  
                 # missing: VT_EMPTY, VT_NULL, VT_R4, VT_R8, VT_CY, VT_DATE,
                 # VT_DECIMAL, VT_I1, VT_I8, VT_UI8,
-                # see http://msdn.microsoft.com/en-us/library/dd942033.aspx
+                # see https://msdn.microsoft.com/en-us/library/dd942033.aspx
  
                 # FIXME: add support for VT_VECTOR
                 # VT_VECTOR is a 32 uint giving the number of items, followed by
                 # the items in sequence. The VT_VECTOR value is combined with the
                 # type of items, e.g. VT_VECTOR|VT_BSTR
-                # see http://msdn.microsoft.com/en-us/library/dd942011.aspx
+                # see https://msdn.microsoft.com/en-us/library/dd942011.aspx
  
                 #print("%08x" % property_id, repr(value), end=" ")
                 #print("(%s)" % VT[i32(s, offset) & 0xFFF])
@@ -2344,7 +2372,7 @@ if __name__ == &quot;__main__&quot;:
  
     (options, args) = parser.parse_args()
  
-    print('olefile version %s %s - http://www.decalage.info/en/olefile\n' % (__version__, __date__))
+    print('olefile version %s %s - https://www.decalage.info/en/olefile\n' % (__version__, __date__))
  
     # Print help if no arguments are passed
     if len(args) == 0:
@@ -281,6 +281,9 @@ class TableStream(object):
         """
         shortcut for self.outfile.write()
         """
+        # TODO temporary bugfix for Unicode replacement character FFFD, that triggers an
+        # exception when printing to the console on Windows 10 (CP850)
+        s = s.replace(u"\uFFFD", '')
         self.outfile.write(s)
  
     def write_row(self, row, last=False, colors=None):
@@ -22,6 +22,7 @@ to install this package.
 # 2016-07-29       PL: - use setuptools if available
 # 2016-09-05       PL: - added more entry points
 # 2017-01-18 v0.51 PL: - added package zipfile27 (issue #121)
+# 2017-10-18 v0.52 PL: - added msodde
  
 #--- TODO ---------------------------------------------------------------------
  
@@ -41,11 +42,11 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
  
 name         = "oletools"
-version      = '0.51a1'
+version      = '0.52dev3'
 desc         = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc    = open('oletools/README.rst').read()
 author       = "Philippe Lagadec"
-author_email = "decalage at laposte dot net"
+author_email = "nospam@decalage.info"
 url          = "http://www.decalage.info/python/oletools"
 license      = "BSD"
 download_url = "https://github.com/decalage2/oletools/releases"
@@ -281,6 +282,7 @@ entry_points = {
         'pyxswf=oletools.pyxswf:main',
         'rtfobj=oletools.rtfobj:main',
         'oleobj=oletools.oleobj:main',
+        'msodde=oletools.msodde:main',
     ],
 }
  
@@ -312,6 +314,7 @@ def main():
         download_url=download_url,
 #        data_files=data_files,
         entry_points=entry_points,
+        test_suite="tests",
         # scripts=scripts,
     )
  
+Howto: Add unittests
+--------------------
+
+Note: The following are just guidelines to help inexperienced users create unit
+tests. The python unittest library (see
+https://docs.python.org/2/library/unittest.html) offers much more flexibility
+than described here.
+
+For helping python's unittest to discover your tests, do the following:
+
+* create a subdirectory within oletools/tests/
+  - The directory name must be a valid python package name,
+    so must not include '-', for example
+  - e.g. oletools/tests/my_feature
+
+* Create a __init__.py inside that directory
+  - can be empty but must be there
+
+* Copy the unittest_template.py into your test directory
+
+* Rename your copy of the template to fit its purpose
+  - file name must start with 'test' and end with '.py'
+  - e.g. oletools/tests/my_feature/test_bla.py
+
+* Create python code inside that directory
+  - classes names must start with Test and must be subclasses
+    of Unittest.TestCase
+  - test functions inside your test cases must start with test_
+  - see unittest_template.py for examples
+
+* If your unit test requires test files, put them into a subdir
+  of oletools/tests/test-data with some name that clarifies what
+  tests it belongs to
+  - e.g. oletools/tests/test-data/my_feature/example.doc
+  - Do not add files with actual evil malware macros! Only harmless
+    test data!
+
+* Test that unittests work by running from the oletools base dir:
+  python -m unittest discover -v
+
+* Re-test with python2 and python3 (if possible)
+""" Test validity of json output
+
+Some scripts have a json output flag. Verify that at default log levels output
+can be captured as-is and parsed by a json parser -- at least if the scripts
+return 0
+"""
+
+import unittest
+import sys
+import json
+import os
+from os.path import join
+from oletools import msodde
+from tests.test_utils import OutputCapture, DATA_BASE_DIR
+
+if sys.version_info[0] <= 2:
+    from oletools import olevba
+else:
+    from oletools import olevba3 as olevba
+
+
+class TestValidJson(unittest.TestCase):
+    """ Ensure that script output is valid json (if return code is 0) """
+
+    def iter_test_files(self):
+        """ Iterate over all test files in DATA_BASE_DIR """
+        for dirpath, _, filenames in os.walk(DATA_BASE_DIR):
+            for filename in filenames:
+                yield join(dirpath, filename)
+
+    def run_and_parse(self, program, args, print_output=False):
+        """ run single program with single file and parse output """
+        return_code = None
+        with OutputCapture() as capturer:       # capture stdout
+            try:
+                return_code = program(args)
+            except Exception:
+                return_code = 1   # would result in non-zero exit
+            except SystemExit as se:
+                return_code = se.code or 0   # se.code can be None
+        if return_code is not 0:
+            if print_output:
+                print('Command failed ({0}) -- not parsing output'
+                      .format(return_code))
+            return []    # no need to test
+
+        self.assertNotEqual(return_code, None,
+                            msg='self-test fail: return_code not set')
+
+        # now test output
+        if print_output:
+            print(capturer.buffer.getvalue())
+        capturer.buffer.seek(0)    # re-set position in file-like stream
+        try:
+            json_data = json.load(capturer.buffer)
+        except ValueError:
+            self.fail('Invalid json:\n' + capturer.buffer.getvalue())
+        self.assertNotEqual(len(json_data), 0, msg='Output was empty')
+        return json_data
+
+    def run_all_files(self, program, args_without_filename, print_output=False):
+        """ run test for a single program over all test files """
+        n_files = 0
+        for testfile in self.iter_test_files():   # loop over all input
+            args = args_without_filename + [testfile, ]
+            self.run_and_parse(program, args, print_output)
+            n_files += 1
+        self.assertNotEqual(n_files, 0,
+                            msg='self-test fail: No test files found')
+
+    def test_msodde(self):
+        """ Test msodde.py """
+        self.run_all_files(msodde.main, ['-j', ])
+
+    def test_olevba(self):
+        """ Test olevba.py with default args """
+        self.run_all_files(olevba.main, ['-j', ])
+
+    def test_olevba_analysis(self):
+        """ Test olevba.py with -a """
+        self.run_all_files(olevba.main, ['-j', '-a', ])
+
+    def test_olevba_recurse(self):
+        """ Test olevba.py with -r """
+        json_data = self.run_and_parse(olevba.main,
+                                       ['-j', '-r', join(DATA_BASE_DIR, '*')])
+        self.assertNotEqual(len(json_data), 0,
+                            msg='olevba[3] returned non-zero or no output')
+        self.assertNotEqual(json_data[-1]['n_processed'], 0,
+                            msg='self-test fail: No test files found!')
+
+
+# just in case somebody calls this file as a script
+if __name__ == '__main__':
+    unittest.main()
+""" Test some basic behaviour of msodde.py
+
+Ensure that
+- doc and docx are read without error
+- garbage returns error return status
+- dde-links are found where appropriate
+"""
+
+from __future__ import print_function
+
+import unittest
+from oletools import msodde
+from tests.test_utils import OutputCapture, DATA_BASE_DIR as BASE_DIR
+import shlex
+from os.path import join
+from traceback import print_exc
+
+
+class TestReturnCode(unittest.TestCase):
+
+    def test_valid_doc(self):
+        """ check that a valid doc file leads to 0 exit status """
+        for filename in ('dde-test-from-office2003', 'dde-test-from-office2016',
+                         'harmless-clean', 'dde-test-from-office2013-utf_16le-korean'):
+            self.do_test_validity(join(BASE_DIR, 'msodde-doc',
+                                       filename + '.doc'))
+
+    def test_valid_docx(self):
+        """ check that a valid docx file leads to 0 exit status """
+        for filename in 'dde-test', 'harmless-clean':
+            self.do_test_validity(join(BASE_DIR, 'msodde-doc',
+                                       filename + '.docx'))
+
+    def test_valid_docm(self):
+        """ check that a valid docm file leads to 0 exit status """
+        for filename in 'dde-test', 'harmless-clean':
+            self.do_test_validity(join(BASE_DIR, 'msodde-doc',
+                                       filename + '.docm'))
+
+    def test_invalid_other(self):
+        """ check that xml do not work yet """
+        for extn in '-2003.xml', '.xml':
+            self.do_test_validity(join(BASE_DIR, 'msodde-doc',
+                                       'harmless-clean' + extn), True)
+
+    def test_invalid_none(self):
+        """ check that no file argument leads to non-zero exit status """
+        self.do_test_validity('', True)
+
+    def test_invalid_empty(self):
+        """ check that empty file argument leads to non-zero exit status """
+        self.do_test_validity(join(BASE_DIR, 'basic/empty'), True)
+
+    def test_invalid_text(self):
+        """ check that text file argument leads to non-zero exit status """
+        self.do_test_validity(join(BASE_DIR, 'basic/text'), True)
+
+    def do_test_validity(self, args, expect_error=False):
+        """ helper for test_valid_doc[x] """
+        args = shlex.split(args)
+        return_code = -1
+        have_exception = False
+        try:
+            return_code = msodde.main(args)
+        except Exception:
+            have_exception = True
+            print_exc()
+        except SystemExit as se:     # sys.exit() was called
+            return_code = se.code
+            if se.code is None:
+                return_code = 0
+
+        self.assertEqual(expect_error, have_exception or (return_code != 0),
+                         msg='Args={0}, expect={1}, exc={2}, return={3}'
+                             .format(args, expect_error, have_exception,
+                                     return_code))
+
+
+class TestDdeInDoc(unittest.TestCase):
+
+    def get_dde_from_output(self, capturer):
+        """ helper to read dde links from captured output """
+        have_start_line = False
+        result = []
+        for line in capturer:
+            if not line.strip():
+                continue   # skip empty lines
+            if have_start_line:
+                result.append(line)
+            elif line == 'DDE Links:':
+                have_start_line = True
+
+        self.assertTrue(have_start_line) # ensure output was complete
+        return result
+
+    def test_with_dde(self):
+        """ check that dde links appear on stdout """
+        with OutputCapture() as capturer:
+            msodde.main([join(BASE_DIR, 'msodde-doc',
+                              'dde-test-from-office2003.doc')])
+        self.assertNotEqual(len(self.get_dde_from_output(capturer)), 0,
+                            msg='Found no dde links in output for doc file')
+
+    def test_no_dde(self):
+        """ check that no dde links appear on stdout """
+        with OutputCapture() as capturer:
+            msodde.main([join(BASE_DIR, 'msodde-doc', 'harmless-clean.doc')])
+        self.assertEqual(len(self.get_dde_from_output(capturer)), 0,
+                         msg='Found dde links in output for doc file')
+
+    def test_with_dde_utf16le(self):
+        """ check that dde links appear on stdout """
+        with OutputCapture() as capturer:
+            msodde.main([join(BASE_DIR, 'msodde-doc',
+                              'dde-test-from-office2013-utf_16le-korean.doc')])
+        self.assertNotEqual(len(self.get_dde_from_output(capturer)), 0,
+                            msg='Found no dde links in output for doc file')
+
+
+if __name__ == '__main__':
+    unittest.main()
+import unittest, sys, os
+
+from tests.test_utils import testdata_reader
+from oletools import rtfobj
+
+class TestRtfObjIssue185(unittest.TestCase):
+    def test_skip_space_after_bin_control_word(self):
+        data = testdata_reader.read('rtfobj/issue_185.rtf')
+        rtfp = rtfobj.RtfObjParser(data)
+        rtfp.parse()
+        objects = rtfp.objects
+
+        self.assertTrue(len(objects) == 1)
+
+if __name__ == '__main__':
+    unittest.main()
+bla
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<?mso-application progid="Word.Document"?>
+<w:wordDocument xmlns:aml="http://schemas.microsoft.com/aml/2001/core" xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:cx="http://schemas.microsoft.com/office/drawing/2014/chartex" xmlns:cx1="http://schemas.microsoft.com/office/drawing/2015/9/8/chartex" xmlns:cx2="http://schemas.microsoft.com/office/drawing/2015/10/21/chartex" xmlns:cx3="http://schemas.microsoft.com/office/drawing/2016/5/9/chartex" xmlns:cx4="http://schemas.microsoft.com/office/drawing/2016/5/10/chartex" xmlns:cx5="http://schemas.microsoft.com/office/drawing/2016/5/11/chartex" xmlns:cx6="http://schemas.microsoft.com/office/drawing/2016/5/12/chartex" xmlns:cx7="http://schemas.microsoft.com/office/drawing/2016/5/13/chartex" xmlns:cx8="http://schemas.microsoft.com/office/drawing/2016/5/14/chartex" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:aink="http://schemas.microsoft.com/office/drawing/2016/ink" xmlns:am3d="http://schemas.microsoft.com/office/drawing/2017/model3d" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml" xmlns:wx="http://schemas.microsoft.com/office/word/2003/auxHint" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wsp="http://schemas.microsoft.com/office/word/2003/wordml/sp2" xmlns:sl="http://schemas.microsoft.com/schemaLibrary/2003/core" w:macrosPresent="no" w:embeddedObjPresent="no" w:ocxPresent="no" xml:space="preserve"><w:ignoreSubtree w:val="http://schemas.microsoft.com/office/word/2003/wordml/sp2"/><o:DocumentProperties><o:Author>user</o:Author><o:LastAuthor>user</o:LastAuthor><o:Revision>2</o:Revision><o:TotalTime>0</o:TotalTime><o:Created>2017-10-26T09:10:00Z</o:Created><o:LastSaved>2017-10-26T09:10:00Z</o:LastSaved><o:Pages>1</o:Pages><o:Words>39</o:Words><o:Characters>250</o:Characters><o:Lines>2</o:Lines><o:Paragraphs>1</o:Paragraphs><o:CharactersWithSpaces>288</o:CharactersWithSpaces><o:Version>16</o:Version></o:DocumentProperties><w:fonts><w:defaultFonts w:ascii="Calibri" w:fareast="Calibri" w:h-ansi="Calibri" w:cs="Times New Roman"/><w:font w:name="Times New Roman"><w:panose-1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="Roman"/><w:pitch w:val="variable"/><w:sig w:usb-0="E0002EFF" w:usb-1="C000785B" w:usb-2="00000009" w:usb-3="00000000" w:csb-0="000001FF" w:csb-1="00000000"/></w:font><w:font w:name="Times New Roman"><w:panose-1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="Roman"/><w:pitch w:val="variable"/><w:sig w:usb-0="E0002EFF" w:usb-1="C000785B" w:usb-2="00000009" w:usb-3="00000000" w:csb-0="000001FF" w:csb-1="00000000"/></w:font><w:font w:name="Calibri"><w:panose-1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="Swiss"/><w:pitch w:val="variable"/><w:sig w:usb-0="E0002AFF" w:usb-1="C000247B" w:usb-2="00000009" w:usb-3="00000000" w:csb-0="000001FF" w:csb-1="00000000"/></w:font><w:font w:name="Calibri Light"><w:panose-1 w:val="020F0302020204030204"/><w:charset w:val="00"/><w:family w:val="Swiss"/><w:pitch w:val="variable"/><w:sig w:usb-0="E0002AFF" w:usb-1="C000247B" w:usb-2="00000009" w:usb-3="00000000" w:csb-0="000001FF" w:csb-1="00000000"/></w:font><w:font w:name="Algerian"><w:panose-1 w:val="04020705040A02060702"/><w:charset w:val="00"/><w:family w:val="Decorative"/><w:pitch w:val="variable"/><w:sig w:usb-0="00000003" w:usb-1="00000000" w:usb-2="00000000" w:usb-3="00000000" w:csb-0="00000001" w:csb-1="00000000"/></w:font></w:fonts><w:styles><w:versionOfBuiltInStylenames w:val="7"/><w:latentStyles w:defLockedState="off" w:latentStyleCount="375"><w:lsdException w:name="Normal"/><w:lsdException w:name="heading 1"/><w:lsdException w:name="heading 2"/><w:lsdException w:name="heading 3"/><w:lsdException w:name="heading 4"/><w:lsdException w:name="heading 5"/><w:lsdException w:name="heading 6"/><w:lsdException w:name="heading 7"/><w:lsdException w:name="heading 8"/><w:lsdException w:name="heading 9"/><w:lsdException w:name="index 1"/><w:lsdException w:name="index 2"/><w:lsdException w:name="index 3"/><w:lsdException w:name="index 4"/><w:lsdException w:name="index 5"/><w:lsdException w:name="index 6"/><w:lsdException w:name="index 7"/><w:lsdException w:name="index 8"/><w:lsdException w:name="index 9"/><w:lsdException w:name="toc 1"/><w:lsdException w:name="toc 2"/><w:lsdException w:name="toc 3"/><w:lsdException w:name="toc 4"/><w:lsdException w:name="toc 5"/><w:lsdException w:name="toc 6"/><w:lsdException w:name="toc 7"/><w:lsdException w:name="toc 8"/><w:lsdException w:name="toc 9"/><w:lsdException w:name="Normal Indent"/><w:lsdException w:name="footnote text"/><w:lsdException w:name="annotation text"/><w:lsdException w:name="header"/><w:lsdException w:name="footer"/><w:lsdException w:name="index heading"/><w:lsdException w:name="caption"/><w:lsdException w:name="table of figures"/><w:lsdException w:name="envelope address"/><w:lsdException w:name="envelope return"/><w:lsdException w:name="footnote reference"/><w:lsdException w:name="annotation reference"/><w:lsdException w:name="line number"/><w:lsdException w:name="page number"/><w:lsdException w:name="endnote reference"/><w:lsdException w:name="endnote text"/><w:lsdException w:name="table of authorities"/><w:lsdException w:name="macro"/><w:lsdException w:name="toa heading"/><w:lsdException w:name="List"/><w:lsdException w:name="List Bullet"/><w:lsdException w:name="List Number"/><w:lsdException w:name="List 2"/><w:lsdException w:name="List 3"/><w:lsdException w:name="List 4"/><w:lsdException w:name="List 5"/><w:lsdException w:name="List Bullet 2"/><w:lsdException w:name="List Bullet 3"/><w:lsdException w:name="List Bullet 4"/><w:lsdException w:name="List Bullet 5"/><w:lsdException w:name="List Number 2"/><w:lsdException w:name="List Number 3"/><w:lsdException w:name="List Number 4"/><w:lsdException w:name="List Number 5"/><w:lsdException w:name="Title"/><w:lsdException w:name="Closing"/><w:lsdException w:name="Signature"/><w:lsdException w:name="Default Paragraph Font"/><w:lsdException w:name="Body Text"/><w:lsdException w:name="Body Text Indent"/><w:lsdException w:name="List Continue"/><w:lsdException w:name="List Continue 2"/><w:lsdException w:name="List Continue 3"/><w:lsdException w:name="List Continue 4"/><w:lsdException w:name="List Continue 5"/><w:lsdException w:name="Message Header"/><w:lsdException w:name="Subtitle"/><w:lsdException w:name="Salutation"/><w:lsdException w:name="Date"/><w:lsdException w:name="Body Text First Indent"/><w:lsdException w:name="Body Text First Indent 2"/><w:lsdException w:name="Note Heading"/><w:lsdException w:name="Body Text 2"/><w:lsdException w:name="Body Text 3"/><w:lsdException w:name="Body Text Indent 2"/><w:lsdException w:name="Body Text Indent 3"/><w:lsdException w:name="Block Text"/><w:lsdException w:name="Hyperlink"/><w:lsdException w:name="FollowedHyperlink"/><w:lsdException w:name="Strong"/><w:lsdException w:name="Emphasis"/><w:lsdException w:name="Document Map"/><w:lsdException w:name="Plain Text"/><w:lsdException w:name="E-mail Signature"/><w:lsdException w:name="HTML Top of Form"/><w:lsdException w:name="HTML Bottom of Form"/><w:lsdException w:name="Normal (Web)"/><w:lsdException w:name="HTML Acronym"/><w:lsdException w:name="HTML Address"/><w:lsdException w:name="HTML Cite"/><w:lsdException w:name="HTML Code"/><w:lsdException w:name="HTML Definition"/><w:lsdException w:name="HTML Keyboard"/><w:lsdException w:name="HTML Preformatted"/><w:lsdException w:name="HTML Sample"/><w:lsdException w:name="HTML Typewriter"/><w:lsdException w:name="HTML Variable"/><w:lsdException w:name="Normal Table"/><w:lsdException w:name="annotation subject"/><w:lsdException w:name="No List"/><w:lsdException w:name="Outline List 1"/><w:lsdException w:name="Outline List 2"/><w:lsdException w:name="Outline List 3"/><w:lsdException w:name="Table Simple 1"/><w:lsdException w:name="Table Simple 2"/><w:lsdException w:name="Table Simple 3"/><w:lsdException w:name="Table Classic 1"/><w:lsdException w:name="Table Classic 2"/><w:lsdException w:name="Table Classic 3"/><w:lsdException w:name="Table Classic 4"/><w:lsdException w:name="Table Colorful 1"/><w:lsdException w:name="Table Colorful 2"/><w:lsdException w:name="Table Colorful 3"/><w:lsdException w:name="Table Columns 1"/><w:lsdException w:name="Table Columns 2"/><w:lsdException w:name="Table Columns 3"/><w:lsdException w:name="Table Columns 4"/><w:lsdException w:name="Table Columns 5"/><w:lsdException w:name="Table Grid 1"/><w:lsdException w:name="Table Grid 2"/><w:lsdException w:name="Table Grid 3"/><w:lsdException w:name="Table Grid 4"/><w:lsdException w:name="Table Grid 5"/><w:lsdException w:name="Table Grid 6"/><w:lsdException w:name="Table Grid 7"/><w:lsdException w:name="Table Grid 8"/><w:lsdException w:name="Table List 1"/><w:lsdException w:name="Table List 2"/><w:lsdException w:name="Table List 3"/><w:lsdException w:name="Table List 4"/><w:lsdException w:name="Table List 5"/><w:lsdException w:name="Table List 6"/><w:lsdException w:name="Table List 7"/><w:lsdException w:name="Table List 8"/><w:lsdException w:name="Table 3D effects 1"/><w:lsdException w:name="Table 3D effects 2"/><w:lsdException w:name="Table 3D effects 3"/><w:lsdException w:name="Table Contemporary"/><w:lsdException w:name="Table Elegant"/><w:lsdException w:name="Table Professional"/><w:lsdException w:name="Table Subtle 1"/><w:lsdException w:name="Table Subtle 2"/><w:lsdException w:name="Table Web 1"/><w:lsdException w:name="Table Web 2"/><w:lsdException w:name="Table Web 3"/><w:lsdException w:name="Balloon Text"/><w:lsdException w:name="Table Grid"/><w:lsdException w:name="Table Theme"/><w:lsdException w:name="Placeholder Text"/><w:lsdException w:name="No Spacing"/><w:lsdException w:name="Light Shading"/><w:lsdException w:name="Light List"/><w:lsdException w:name="Light Grid"/><w:lsdException w:name="Medium Shading 1"/><w:lsdException w:name="Medium Shading 2"/><w:lsdException w:name="Medium List 1"/><w:lsdException w:name="Medium List 2"/><w:lsdException w:name="Medium Grid 1"/><w:lsdException w:name="Medium Grid 2"/><w:lsdException w:name="Medium Grid 3"/><w:lsdException w:name="Dark List"/><w:lsdException w:name="Colorful Shading"/><w:lsdException w:name="Colorful List"/><w:lsdException w:name="Colorful Grid"/><w:lsdException w:name="Light Shading Accent 1"/><w:lsdException w:name="Light List Accent 1"/><w:lsdException w:name="Light Grid Accent 1"/><w:lsdException w:name="Medium Shading 1 Accent 1"/><w:lsdException w:name="Medium Shading 2 Accent 1"/><w:lsdException w:name="Medium List 1 Accent 1"/><w:lsdException w:name="Revision"/><w:lsdException w:name="List Paragraph"/><w:lsdException w:name="Quote"/><w:lsdException w:name="Intense Quote"/><w:lsdException w:name="Medium List 2 Accent 1"/><w:lsdException w:name="Medium Grid 1 Accent 1"/><w:lsdException w:name="Medium Grid 2 Accent 1"/><w:lsdException w:name="Medium Grid 3 Accent 1"/><w:lsdException w:name="Dark List Accent 1"/><w:lsdException w:name="Colorful Shading Accent 1"/><w:lsdException w:name="Colorful List Accent 1"/><w:lsdException w:name="Colorful Grid Accent 1"/><w:lsdException w:name="Light Shading Accent 2"/><w:lsdException w:name="Light List Accent 2"/><w:lsdException w:name="Light Grid Accent 2"/><w:lsdException w:name="Medium Shading 1 Accent 2"/><w:lsdException w:name="Medium Shading 2 Accent 2"/><w:lsdException w:name="Medium List 1 Accent 2"/><w:lsdException w:name="Medium List 2 Accent 2"/><w:lsdException w:name="Medium Grid 1 Accent 2"/><w:lsdException w:name="Medium Grid 2 Accent 2"/><w:lsdException w:name="Medium Grid 3 Accent 2"/><w:lsdException w:name="Dark List Accent 2"/><w:lsdException w:name="Colorful Shading Accent 2"/><w:lsdException w:name="Colorful List Accent 2"/><w:lsdException w:name="Colorful Grid Accent 2"/><w:lsdException w:name="Light Shading Accent 3"/><w:lsdException w:name="Light List Accent 3"/><w:lsdException w:name="Light Grid Accent 3"/><w:lsdException w:name="Medium Shading 1 Accent 3"/><w:lsdException w:name="Medium Shading 2 Accent 3"/><w:lsdException w:name="Medium List 1 Accent 3"/><w:lsdException w:name="Medium List 2 Accent 3"/><w:lsdException w:name="Medium Grid 1 Accent 3"/><w:lsdException w:name="Medium Grid 2 Accent 3"/><w:lsdException w:name="Medium Grid 3 Accent 3"/><w:lsdException w:name="Dark List Accent 3"/><w:lsdException w:name="Colorful Shading Accent 3"/><w:lsdException w:name="Colorful List Accent 3"/><w:lsdException w:name="Colorful Grid Accent 3"/><w:lsdException w:name="Light Shading Accent 4"/><w:lsdException w:name="Light List Accent 4"/><w:lsdException w:name="Light Grid Accent 4"/><w:lsdException w:name="Medium Shading 1 Accent 4"/><w:lsdException w:name="Medium Shading 2 Accent 4"/><w:lsdException w:name="Medium List 1 Accent 4"/><w:lsdException w:name="Medium List 2 Accent 4"/><w:lsdException w:name="Medium Grid 1 Accent 4"/><w:lsdException w:name="Medium Grid 2 Accent 4"/><w:lsdException w:name="Medium Grid 3 Accent 4"/><w:lsdException w:name="Dark List Accent 4"/><w:lsdException w:name="Colorful Shading Accent 4"/><w:lsdException w:name="Colorful List Accent 4"/><w:lsdException w:name="Colorful Grid Accent 4"/><w:lsdException w:name="Light Shading Accent 5"/><w:lsdException w:name="Light List Accent 5"/><w:lsdException w:name="Light Grid Accent 5"/><w:lsdException w:name="Medium Shading 1 Accent 5"/><w:lsdException w:name="Medium Shading 2 Accent 5"/><w:lsdException w:name="Medium List 1 Accent 5"/><w:lsdException w:name="Medium List 2 Accent 5"/><w:lsdException w:name="Medium Grid 1 Accent 5"/><w:lsdException w:name="Medium Grid 2 Accent 5"/><w:lsdException w:name="Medium Grid 3 Accent 5"/><w:lsdException w:name="Dark List Accent 5"/><w:lsdException w:name="Colorful Shading Accent 5"/><w:lsdException w:name="Colorful List Accent 5"/><w:lsdException w:name="Colorful Grid Accent 5"/><w:lsdException w:name="Light Shading Accent 6"/><w:lsdException w:name="Light List Accent 6"/><w:lsdException w:name="Light Grid Accent 6"/><w:lsdException w:name="Medium Shading 1 Accent 6"/><w:lsdException w:name="Medium Shading 2 Accent 6"/><w:lsdException w:name="Medium List 1 Accent 6"/><w:lsdException w:name="Medium List 2 Accent 6"/><w:lsdException w:name="Medium Grid 1 Accent 6"/><w:lsdException w:name="Medium Grid 2 Accent 6"/><w:lsdException w:name="Medium Grid 3 Accent 6"/><w:lsdException w:name="Dark List Accent 6"/><w:lsdException w:name="Colorful Shading Accent 6"/><w:lsdException w:name="Colorful List Accent 6"/><w:lsdException w:name="Colorful Grid Accent 6"/><w:lsdException w:name="Subtle Emphasis"/><w:lsdException w:name="Intense Emphasis"/><w:lsdException w:name="Subtle Reference"/><w:lsdException w:name="Intense Reference"/><w:lsdException w:name="Book Title"/><w:lsdException w:name="Bibliography"/><w:lsdException w:name="TOC Heading"/><w:lsdException w:name="Plain Table 1"/><w:lsdException w:name="Plain Table 2"/><w:lsdException w:name="Plain Table 3"/><w:lsdException w:name="Plain Table 4"/><w:lsdException w:name="Plain Table 5"/><w:lsdException w:name="Grid Table Light"/><w:lsdException w:name="Grid Table 1 Light"/><w:lsdException w:name="Grid Table 2"/><w:lsdException w:name="Grid Table 3"/><w:lsdException w:name="Grid Table 4"/><w:lsdException w:name="Grid Table 5 Dark"/><w:lsdException w:name="Grid Table 6 Colorful"/><w:lsdException w:name="Grid Table 7 Colorful"/><w:lsdException w:name="Grid Table 1 Light Accent 1"/><w:lsdException w:name="Grid Table 2 Accent 1"/><w:lsdException w:name="Grid Table 3 Accent 1"/><w:lsdException w:name="Grid Table 4 Accent 1"/><w:lsdException w:name="Grid Table 5 Dark Accent 1"/><w:lsdException w:name="Grid Table 6 Colorful Accent 1"/><w:lsdException w:name="Grid Table 7 Colorful Accent 1"/><w:lsdException w:name="Grid Table 1 Light Accent 2"/><w:lsdException w:name="Grid Table 2 Accent 2"/><w:lsdException w:name="Grid Table 3 Accent 2"/><w:lsdException w:name="Grid Table 4 Accent 2"/><w:lsdException w:name="Grid Table 5 Dark Accent 2"/><w:lsdException w:name="Grid Table 6 Colorful Accent 2"/><w:lsdException w:name="Grid Table 7 Colorful Accent 2"/><w:lsdException w:name="Grid Table 1 Light Accent 3"/><w:lsdException w:name="Grid Table 2 Accent 3"/><w:lsdException w:name="Grid Table 3 Accent 3"/><w:lsdException w:name="Grid Table 4 Accent 3"/><w:lsdException w:name="Grid Table 5 Dark Accent 3"/><w:lsdException w:name="Grid Table 6 Colorful Accent 3"/><w:lsdException w:name="Grid Table 7 Colorful Accent 3"/><w:lsdException w:name="Grid Table 1 Light Accent 4"/><w:lsdException w:name="Grid Table 2 Accent 4"/><w:lsdException w:name="Grid Table 3 Accent 4"/><w:lsdException w:name="Grid Table 4 Accent 4"/><w:lsdException w:name="Grid Table 5 Dark Accent 4"/><w:lsdException w:name="Grid Table 6 Colorful Accent 4"/><w:lsdException w:name="Grid Table 7 Colorful Accent 4"/><w:lsdException w:name="Grid Table 1 Light Accent 5"/><w:lsdException w:name="Grid Table 2 Accent 5"/><w:lsdException w:name="Grid Table 3 Accent 5"/><w:lsdException w:name="Grid Table 4 Accent 5"/><w:lsdException w:name="Grid Table 5 Dark Accent 5"/><w:lsdException w:name="Grid Table 6 Colorful Accent 5"/><w:lsdException w:name="Grid Table 7 Colorful Accent 5"/><w:lsdException w:name="Grid Table 1 Light Accent 6"/><w:lsdException w:name="Grid Table 2 Accent 6"/><w:lsdException w:name="Grid Table 3 Accent 6"/><w:lsdException w:name="Grid Table 4 Accent 6"/><w:lsdException w:name="Grid Table 5 Dark Accent 6"/><w:lsdException w:name="Grid Table 6 Colorful Accent 6"/><w:lsdException w:name="Grid Table 7 Colorful Accent 6"/><w:lsdException w:name="List Table 1 Light"/><w:lsdException w:name="List Table 2"/><w:lsdException w:name="List Table 3"/><w:lsdException w:name="List Table 4"/><w:lsdException w:name="List Table 5 Dark"/><w:lsdException w:name="List Table 6 Colorful"/><w:lsdException w:name="List Table 7 Colorful"/><w:lsdException w:name="List Table 1 Light Accent 1"/><w:lsdException w:name="List Table 2 Accent 1"/><w:lsdException w:name="List Table 3 Accent 1"/><w:lsdException w:name="List Table 4 Accent 1"/><w:lsdException w:name="List Table 5 Dark Accent 1"/><w:lsdException w:name="List Table 6 Colorful Accent 1"/><w:lsdException w:name="List Table 7 Colorful Accent 1"/><w:lsdException w:name="List Table 1 Light Accent 2"/><w:lsdException w:name="List Table 2 Accent 2"/><w:lsdException w:name="List Table 3 Accent 2"/><w:lsdException w:name="List Table 4 Accent 2"/><w:lsdException w:name="List Table 5 Dark Accent 2"/><w:lsdException w:name="List Table 6 Colorful Accent 2"/><w:lsdException w:name="List Table 7 Colorful Accent 2"/><w:lsdException w:name="List Table 1 Light Accent 3"/><w:lsdException w:name="List Table 2 Accent 3"/><w:lsdException w:name="List Table 3 Accent 3"/><w:lsdException w:name="List Table 4 Accent 3"/><w:lsdException w:name="List Table 5 Dark Accent 3"/><w:lsdException w:name="List Table 6 Colorful Accent 3"/><w:lsdException w:name="List Table 7 Colorful Accent 3"/><w:lsdException w:name="List Table 1 Light Accent 4"/><w:lsdException w:name="List Table 2 Accent 4"/><w:lsdException w:name="List Table 3 Accent 4"/><w:lsdException w:name="List Table 4 Accent 4"/><w:lsdException w:name="List Table 5 Dark Accent 4"/><w:lsdException w:name="List Table 6 Colorful Accent 4"/><w:lsdException w:name="List Table 7 Colorful Accent 4"/><w:lsdException w:name="List Table 1 Light Accent 5"/><w:lsdException w:name="List Table 2 Accent 5"/><w:lsdException w:name="List Table 3 Accent 5"/><w:lsdException w:name="List Table 4 Accent 5"/><w:lsdException w:name="List Table 5 Dark Accent 5"/><w:lsdException w:name="List Table 6 Colorful Accent 5"/><w:lsdException w:name="List Table 7 Colorful Accent 5"/><w:lsdException w:name="List Table 1 Light Accent 6"/><w:lsdException w:name="List Table 2 Accent 6"/><w:lsdException w:name="List Table 3 Accent 6"/><w:lsdException w:name="List Table 4 Accent 6"/><w:lsdException w:name="List Table 5 Dark Accent 6"/><w:lsdException w:name="List Table 6 Colorful Accent 6"/><w:lsdException w:name="List Table 7 Colorful Accent 6"/><w:lsdException w:name="Mention"/><w:lsdException w:name="Smart Hyperlink"/><w:lsdException w:name="Hashtag"/><w:lsdException w:name="Unresolved Mention"/></w:latentStyles><w:style w:type="paragraph" w:default="on" w:styleId="Standard"><w:name w:val="Normal"/><wx:uiName wx:val="Standard"/><w:pPr><w:spacing w:after="160" w:line="259" w:line-rule="auto"/></w:pPr><w:rPr><wx:font wx:val="Calibri"/><w:sz w:val="22"/><w:sz-cs w:val="22"/><w:lang w:val="DE" w:fareast="EN-US" w:bidi="AR-SA"/></w:rPr></w:style><w:style w:type="paragraph" w:styleId="berschrift1"><w:name w:val="heading 1"/><wx:uiName wx:val="Überschrift 1"/><w:basedOn w:val="Standard"/><w:next w:val="Standard"/><w:link w:val="berschrift1Zchn"/><w:rsid w:val="00601692"/><w:pPr><w:keepNext/><w:keepLines/><w:spacing w:before="240" w:after="0"/><w:outlineLvl w:val="0"/></w:pPr><w:rPr><w:rFonts w:ascii="Calibri Light" w:fareast="Times New Roman" w:h-ansi="Calibri Light"/><wx:font wx:val="Calibri Light"/><w:color w:val="2F5496"/><w:sz w:val="32"/><w:sz-cs w:val="32"/></w:rPr></w:style><w:style w:type="character" w:default="on" w:styleId="Absatz-Standardschriftart"><w:name w:val="Default Paragraph Font"/><wx:uiName wx:val="Absatz-Standardschriftart"/></w:style><w:style w:type="table" w:default="on" w:styleId="NormaleTabelle"><w:name w:val="Normal Table"/><wx:uiName wx:val="Normale Tabelle"/><w:rPr><wx:font wx:val="Calibri"/><w:lang w:val="DE" w:fareast="DE" w:bidi="AR-SA"/></w:rPr><w:tblPr><w:tblInd w:w="0" w:type="dxa"/><w:tblCellMar><w:top w:w="0" w:type="dxa"/><w:left w:w="108" w:type="dxa"/><w:bottom w:w="0" w:type="dxa"/><w:right w:w="108" w:type="dxa"/></w:tblCellMar></w:tblPr></w:style><w:style w:type="list" w:default="on" w:styleId="KeineListe"><w:name w:val="No List"/><wx:uiName wx:val="Keine Liste"/></w:style><w:style w:type="character" w:styleId="berschrift1Zchn"><w:name w:val="Überschrift 1 Zchn"/><w:link w:val="berschrift1"/><w:rsid w:val="00601692"/><w:rPr><w:rFonts w:ascii="Calibri Light" w:fareast="Times New Roman" w:h-ansi="Calibri Light" w:cs="Times New Roman"/><w:color w:val="2F5496"/><w:sz w:val="32"/><w:sz-cs w:val="32"/></w:rPr></w:style></w:styles><w:shapeDefaults><o:shapedefaults v:ext="edit" spidmax="1026"/><o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout></w:shapeDefaults><w:docPr><w:view w:val="print"/><w:zoom w:percent="100"/><w:doNotEmbedSystemFonts/><w:proofState w:spelling="clean" w:grammar="clean"/><w:defaultTabStop w:val="708"/><w:hyphenationZone w:val="425"/><w:punctuationKerning/><w:characterSpacingControl w:val="DontCompress"/><w:optimizeForBrowser/><w:allowPNG/><w:validateAgainstSchema/><w:saveInvalidXML w:val="off"/><w:ignoreMixedContent w:val="off"/><w:alwaysShowPlaceholderText w:val="off"/><w:compat><w:breakWrappedTables/><w:snapToGridInCell/><w:wrapTextWithPunct/><w:useAsianBreakRules/><w:dontGrowAutofit/></w:compat><wsp:rsids><wsp:rsidRoot wsp:val="00601692"/><wsp:rsid wsp:val="002341F3"/><wsp:rsid wsp:val="00601692"/><wsp:rsid wsp:val="00972907"/><wsp:rsid wsp:val="00FC3A9D"/></wsp:rsids></w:docPr><w:body><wx:sect><wx:sub-section><w:p wsp:rsidR="00601692" wsp:rsidRDefault="00601692" wsp:rsidP="00601692"><w:pPr><w:pStyle w:val="berschrift1"/><w:rPr><w:lang w:val="EN-US"/></w:rPr></w:pPr><w:r><w:rPr><w:lang w:val="EN-US"/></w:rPr><w:t>Test</w:t></w:r></w:p><w:p wsp:rsidR="00601692" wsp:rsidRDefault="00601692"><w:pPr><w:rPr><w:lang w:val="EN-US"/></w:rPr></w:pPr></w:p><w:p wsp:rsidR="00FC3A9D" wsp:rsidRDefault="00601692"><w:pPr><w:rPr><w:lang w:val="EN-US"/></w:rPr></w:pPr><w:r><w:rPr><w:lang w:val="EN-US"/></w:rPr><w:t>This is a harmless test document.</w:t></w:r></w:p><w:p wsp:rsidR="00601692" wsp:rsidRDefault="00601692"><w:pPr><w:rPr><w:lang w:val="EN-US"/></w:rPr></w:pPr></w:p><w:p wsp:rsidR="00601692" wsp:rsidRDefault="00601692"><w:pPr><w:rPr><w:lang w:val="EN-US"/></w:rPr></w:pPr><w:r><w:rPr><w:lang w:val="EN-US"/></w:rPr><w:t>It contains neither macros nor </w:t></w:r><w:proofErr w:type="spellStart"/><w:r><w:rPr><w:lang w:val="EN-US"/></w:rPr><w:t>dde</w:t></w:r><w:proofErr w:type="spellEnd"/><w:r><w:rPr><w:lang w:val="EN-US"/></w:rPr><w:t> links nor embedded viruses nor links to evil web pages. Not even a single insult. Boring!</w:t></w:r></w:p><w:p wsp:rsidR="00601692" wsp:rsidRDefault="00601692"><w:pPr><w:rPr><w:lang w:val="EN-US"/></w:rPr></w:pPr></w:p><w:p wsp:rsidR="00601692" wsp:rsidRPr="00601692" wsp:rsidRDefault="00601692"><w:pPr><w:rPr><w:lang w:val="EN-US"/></w:rPr></w:pPr><w:r><w:rPr><w:lang w:val="EN-US"/></w:rPr><w:t>Just to make things slightly interesting, however, we add some </w:t></w:r><w:proofErr w:type="spellStart"/><w:r><w:rPr><w:lang w:val="EN-US"/></w:rPr><w:t>ünicöde-ßtringß</w:t></w:r><w:proofErr w:type="spellEnd"/><w:r><w:rPr><w:lang w:val="EN-US"/></w:rPr><w:t> and different text </w:t></w:r><w:r wsp:rsidRPr="00601692"><w:rPr><w:sz w:val="32"/><w:sz-cs w:val="32"/><w:lang w:val="EN-US"/></w:rPr><w:t>sizes</w:t></w:r><w:r><w:rPr><w:lang w:val="EN-US"/></w:rPr><w:t>, </w:t></w:r><w:r wsp:rsidRPr="00601692"><w:rPr><w:color w:val="C00000"/><w:lang w:val="EN-US"/></w:rPr><w:t>colors </w:t></w:r><w:r><w:rPr><w:lang w:val="EN-US"/></w:rPr><w:t>and </w:t></w:r><w:r wsp:rsidRPr="00601692"><w:rPr><w:rFonts w:ascii="Algerian" w:h-ansi="Algerian"/><wx:font wx:val="Algerian"/><w:lang w:val="EN-US"/></w:rPr><w:t>fonts</w:t></w:r></w:p></wx:sub-section><w:sectPr wsp:rsidR="00601692" wsp:rsidRPr="00601692"><w:pgSz w:w="11906" w:h="16838"/><w:pgMar w:top="1417" w:right="1417" w:bottom="1134" w:left="1417" w:header="708" w:footer="708" w:gutter="0"/><w:cols w:space="708"/><w:docGrid w:line-pitch="360"/></w:sectPr></wx:sect></w:body></w:wordDocument>
 \ No newline at end of file
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<?mso-application progid="Word.Document"?>
+<pkg:package xmlns:pkg="http://schemas.microsoft.com/office/2006/xmlPackage"><pkg:part pkg:name="/_rels/.rels" pkg:contentType="application/vnd.openxmlformats-package.relationships+xml" pkg:padding="512"><pkg:xmlData><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships></pkg:xmlData></pkg:part><pkg:part pkg:name="/word/_rels/document.xml.rels" pkg:contentType="application/vnd.openxmlformats-package.relationships+xml" pkg:padding="256"><pkg:xmlData><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/></Relationships></pkg:xmlData></pkg:part><pkg:part pkg:name="/word/document.xml" pkg:contentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"><pkg:xmlData><w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:cx="http://schemas.microsoft.com/office/drawing/2014/chartex" xmlns:cx1="http://schemas.microsoft.com/office/drawing/2015/9/8/chartex" xmlns:cx2="http://schemas.microsoft.com/office/drawing/2015/10/21/chartex" xmlns:cx3="http://schemas.microsoft.com/office/drawing/2016/5/9/chartex" xmlns:cx4="http://schemas.microsoft.com/office/drawing/2016/5/10/chartex" xmlns:cx5="http://schemas.microsoft.com/office/drawing/2016/5/11/chartex" xmlns:cx6="http://schemas.microsoft.com/office/drawing/2016/5/12/chartex" xmlns:cx7="http://schemas.microsoft.com/office/drawing/2016/5/13/chartex" xmlns:cx8="http://schemas.microsoft.com/office/drawing/2016/5/14/chartex" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:aink="http://schemas.microsoft.com/office/drawing/2016/ink" xmlns:am3d="http://schemas.microsoft.com/office/drawing/2017/model3d" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16cid="http://schemas.microsoft.com/office/word/2016/wordml/cid" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 w16se w16cid wp14"><w:body><w:p w:rsidR="00601692" w:rsidRDefault="00601692" w:rsidP="00601692"><w:pPr><w:pStyle w:val="berschrift1"/><w:rPr><w:lang w:val="en-US"/></w:rPr></w:pPr><w:r><w:rPr><w:lang w:val="en-US"/></w:rPr><w:t>Test</w:t></w:r></w:p><w:p w:rsidR="00601692" w:rsidRDefault="00601692"><w:pPr><w:rPr><w:lang w:val="en-US"/></w:rPr></w:pPr></w:p><w:p w:rsidR="00FC3A9D" w:rsidRDefault="00601692"><w:pPr><w:rPr><w:lang w:val="en-US"/></w:rPr></w:pPr><w:r><w:rPr><w:lang w:val="en-US"/></w:rPr><w:t>This is a harmless test document.</w:t></w:r></w:p><w:p w:rsidR="00601692" w:rsidRDefault="00601692"><w:pPr><w:rPr><w:lang w:val="en-US"/></w:rPr></w:pPr></w:p><w:p w:rsidR="00601692" w:rsidRDefault="00601692"><w:pPr><w:rPr><w:lang w:val="en-US"/></w:rPr></w:pPr><w:r><w:rPr><w:lang w:val="en-US"/></w:rPr><w:t xml:space="preserve">It contains neither macros nor </w:t></w:r><w:proofErr w:type="spellStart"/><w:r><w:rPr><w:lang w:val="en-US"/></w:rPr><w:t>dde</w:t></w:r><w:proofErr w:type="spellEnd"/><w:r><w:rPr><w:lang w:val="en-US"/></w:rPr><w:t xml:space="preserve"> links nor embedded viruses nor links to evil web pages. Not even a single insult. Boring!</w:t></w:r></w:p><w:p w:rsidR="00601692" w:rsidRDefault="00601692"><w:pPr><w:rPr><w:lang w:val="en-US"/></w:rPr></w:pPr></w:p><w:p w:rsidR="00601692" w:rsidRPr="00601692" w:rsidRDefault="00601692"><w:pPr><w:rPr><w:lang w:val="en-US"/></w:rPr></w:pPr><w:r><w:rPr><w:lang w:val="en-US"/></w:rPr><w:t>Just to make things sli</w:t></w:r><w:bookmarkStart w:id="0" w:name="_GoBack"/><w:bookmarkEnd w:id="0"/><w:r><w:rPr><w:lang w:val="en-US"/></w:rPr><w:t xml:space="preserve">ghtly interesting, however, we add some </w:t></w:r><w:proofErr w:type="spellStart"/><w:r><w:rPr><w:lang w:val="en-US"/></w:rPr><w:t>ünicöde-ßtringß</w:t></w:r><w:proofErr w:type="spellEnd"/><w:r><w:rPr><w:lang w:val="en-US"/></w:rPr><w:t xml:space="preserve"> and different text </w:t></w:r><w:r w:rsidRPr="00601692"><w:rPr><w:sz w:val="32"/><w:szCs w:val="32"/><w:lang w:val="en-US"/></w:rPr><w:t>sizes</w:t></w:r><w:r><w:rPr><w:lang w:val="en-US"/></w:rPr><w:t xml:space="preserve">, </w:t></w:r><w:r w:rsidRPr="00601692"><w:rPr><w:color w:val="C00000"/><w:lang w:val="en-US"/></w:rPr><w:t xml:space="preserve">colors </w:t></w:r><w:r><w:rPr><w:lang w:val="en-US"/></w:rPr><w:t xml:space="preserve">and </w:t></w:r><w:r w:rsidRPr="00601692"><w:rPr><w:rFonts w:ascii="Algerian" w:hAnsi="Algerian"/><w:lang w:val="en-US"/></w:rPr><w:t>fonts</w:t></w:r></w:p><w:sectPr w:rsidR="00601692" w:rsidRPr="00601692"><w:pgSz w:w="11906" w:h="16838"/><w:pgMar w:top="1417" w:right="1417" w:bottom="1134" w:left="1417" w:header="708" w:footer="708" w:gutter="0"/><w:cols w:space="708"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document></pkg:xmlData></pkg:part><pkg:part pkg:name="/word/theme/theme1.xml" pkg:contentType="application/vnd.openxmlformats-officedocument.theme+xml"><pkg:xmlData><a:theme xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" name="Office"><a:themeElements><a:clrScheme name="Office"><a:dk1><a:sysClr val="windowText" lastClr="000000"/></a:dk1><a:lt1><a:sysClr val="window" lastClr="FFFFFF"/></a:lt1><a:dk2><a:srgbClr val="44546A"/></a:dk2><a:lt2><a:srgbClr val="E7E6E6"/></a:lt2><a:accent1><a:srgbClr val="4472C4"/></a:accent1><a:accent2><a:srgbClr val="ED7D31"/></a:accent2><a:accent3><a:srgbClr val="A5A5A5"/></a:accent3><a:accent4><a:srgbClr val="FFC000"/></a:accent4><a:accent5><a:srgbClr val="5B9BD5"/></a:accent5><a:accent6><a:srgbClr val="70AD47"/></a:accent6><a:hlink><a:srgbClr val="0563C1"/></a:hlink><a:folHlink><a:srgbClr val="954F72"/></a:folHlink></a:clrScheme><a:fontScheme name="Office"><a:majorFont><a:latin typeface="Calibri Light" panose="020F0302020204030204"/><a:ea typeface=""/><a:cs typeface=""/><a:font script="Jpan" typeface="游ゴシック Light"/><a:font script="Hang" typeface="맑은 고딕"/><a:font script="Hans" typeface="等线 Light"/><a:font script="Hant" typeface="新細明體"/><a:font script="Arab" typeface="Times New Roman"/><a:font script="Hebr" typeface="Times New Roman"/><a:font script="Thai" typeface="Angsana New"/><a:font script="Ethi" typeface="Nyala"/><a:font script="Beng" typeface="Vrinda"/><a:font script="Gujr" typeface="Shruti"/><a:font script="Khmr" typeface="MoolBoran"/><a:font script="Knda" typeface="Tunga"/><a:font script="Guru" typeface="Raavi"/><a:font script="Cans" typeface="Euphemia"/><a:font script="Cher" typeface="Plantagenet Cherokee"/><a:font script="Yiii" typeface="Microsoft Yi Baiti"/><a:font script="Tibt" typeface="Microsoft Himalaya"/><a:font script="Thaa" typeface="MV Boli"/><a:font script="Deva" typeface="Mangal"/><a:font script="Telu" typeface="Gautami"/><a:font script="Taml" typeface="Latha"/><a:font script="Syrc" typeface="Estrangelo Edessa"/><a:font script="Orya" typeface="Kalinga"/><a:font script="Mlym" typeface="Kartika"/><a:font script="Laoo" typeface="DokChampa"/><a:font script="Sinh" typeface="Iskoola Pota"/><a:font script="Mong" typeface="Mongolian Baiti"/><a:font script="Viet" typeface="Times New Roman"/><a:font script="Uigh" typeface="Microsoft Uighur"/><a:font script="Geor" typeface="Sylfaen"/><a:font script="Armn" typeface="Arial"/><a:font script="Bugi" typeface="Leelawadee UI"/><a:font script="Bopo" typeface="Microsoft JhengHei"/><a:font script="Java" typeface="Javanese Text"/><a:font script="Lisu" typeface="Segoe UI"/><a:font script="Mymr" typeface="Myanmar Text"/><a:font script="Nkoo" typeface="Ebrima"/><a:font script="Olck" typeface="Nirmala UI"/><a:font script="Osma" typeface="Ebrima"/><a:font script="Phag" typeface="Phagspa"/><a:font script="Syrn" typeface="Estrangelo Edessa"/><a:font script="Syrj" typeface="Estrangelo Edessa"/><a:font script="Syre" typeface="Estrangelo Edessa"/><a:font script="Sora" typeface="Nirmala UI"/><a:font script="Tale" typeface="Microsoft Tai Le"/><a:font script="Talu" typeface="Microsoft New Tai Lue"/><a:font script="Tfng" typeface="Ebrima"/></a:majorFont><a:minorFont><a:latin typeface="Calibri" panose="020F0502020204030204"/><a:ea typeface=""/><a:cs typeface=""/><a:font script="Jpan" typeface="游明朝"/><a:font script="Hang" typeface="맑은 고딕"/><a:font script="Hans" typeface="等线"/><a:font script="Hant" typeface="新細明體"/><a:font script="Arab" typeface="Arial"/><a:font script="Hebr" typeface="Arial"/><a:font script="Thai" typeface="Cordia New"/><a:font script="Ethi" typeface="Nyala"/><a:font script="Beng" typeface="Vrinda"/><a:font script="Gujr" typeface="Shruti"/><a:font script="Khmr" typeface="DaunPenh"/><a:font script="Knda" typeface="Tunga"/><a:font script="Guru" typeface="Raavi"/><a:font script="Cans" typeface="Euphemia"/><a:font script="Cher" typeface="Plantagenet Cherokee"/><a:font script="Yiii" typeface="Microsoft Yi Baiti"/><a:font script="Tibt" typeface="Microsoft Himalaya"/><a:font script="Thaa" typeface="MV Boli"/><a:font script="Deva" typeface="Mangal"/><a:font script="Telu" typeface="Gautami"/><a:font script="Taml" typeface="Latha"/><a:font script="Syrc" typeface="Estrangelo Edessa"/><a:font script="Orya" typeface="Kalinga"/><a:font script="Mlym" typeface="Kartika"/><a:font script="Laoo" typeface="DokChampa"/><a:font script="Sinh" typeface="Iskoola Pota"/><a:font script="Mong" typeface="Mongolian Baiti"/><a:font script="Viet" typeface="Arial"/><a:font script="Uigh" typeface="Microsoft Uighur"/><a:font script="Geor" typeface="Sylfaen"/><a:font script="Armn" typeface="Arial"/><a:font script="Bugi" typeface="Leelawadee UI"/><a:font script="Bopo" typeface="Microsoft JhengHei"/><a:font script="Java" typeface="Javanese Text"/><a:font script="Lisu" typeface="Segoe UI"/><a:font script="Mymr" typeface="Myanmar Text"/><a:font script="Nkoo" typeface="Ebrima"/><a:font script="Olck" typeface="Nirmala UI"/><a:font script="Osma" typeface="Ebrima"/><a:font script="Phag" typeface="Phagspa"/><a:font script="Syrn" typeface="Estrangelo Edessa"/><a:font script="Syrj" typeface="Estrangelo Edessa"/><a:font script="Syre" typeface="Estrangelo Edessa"/><a:font script="Sora" typeface="Nirmala UI"/><a:font script="Tale" typeface="Microsoft Tai Le"/><a:font script="Talu" typeface="Microsoft New Tai Lue"/><a:font script="Tfng" typeface="Ebrima"/></a:minorFont></a:fontScheme><a:fmtScheme name="Office"><a:fillStyleLst><a:solidFill><a:schemeClr val="phClr"/></a:solidFill><a:gradFill rotWithShape="1"><a:gsLst><a:gs pos="0"><a:schemeClr val="phClr"><a:lumMod val="110000"/><a:satMod val="105000"/><a:tint val="67000"/></a:schemeClr></a:gs><a:gs pos="50000"><a:schemeClr val="phClr"><a:lumMod val="105000"/><a:satMod val="103000"/><a:tint val="73000"/></a:schemeClr></a:gs><a:gs pos="100000"><a:schemeClr val="phClr"><a:lumMod val="105000"/><a:satMod val="109000"/><a:tint val="81000"/></a:schemeClr></a:gs></a:gsLst><a:lin ang="5400000" scaled="0"/></a:gradFill><a:gradFill rotWithShape="1"><a:gsLst><a:gs pos="0"><a:schemeClr val="phClr"><a:satMod val="103000"/><a:lumMod val="102000"/><a:tint val="94000"/></a:schemeClr></a:gs><a:gs pos="50000"><a:schemeClr val="phClr"><a:satMod val="110000"/><a:lumMod val="100000"/><a:shade val="100000"/></a:schemeClr></a:gs><a:gs pos="100000"><a:schemeClr val="phClr"><a:lumMod val="99000"/><a:satMod val="120000"/><a:shade val="78000"/></a:schemeClr></a:gs></a:gsLst><a:lin ang="5400000" scaled="0"/></a:gradFill></a:fillStyleLst><a:lnStyleLst><a:ln w="6350" cap="flat" cmpd="sng" algn="ctr"><a:solidFill><a:schemeClr val="phClr"/></a:solidFill><a:prstDash val="solid"/><a:miter lim="800000"/></a:ln><a:ln w="12700" cap="flat" cmpd="sng" algn="ctr"><a:solidFill><a:schemeClr val="phClr"/></a:solidFill><a:prstDash val="solid"/><a:miter lim="800000"/></a:ln><a:ln w="19050" cap="flat" cmpd="sng" algn="ctr"><a:solidFill><a:schemeClr val="phClr"/></a:solidFill><a:prstDash val="solid"/><a:miter lim="800000"/></a:ln></a:lnStyleLst><a:effectStyleLst><a:effectStyle><a:effectLst/></a:effectStyle><a:effectStyle><a:effectLst/></a:effectStyle><a:effectStyle><a:effectLst><a:outerShdw blurRad="57150" dist="19050" dir="5400000" algn="ctr" rotWithShape="0"><a:srgbClr val="000000"><a:alpha val="63000"/></a:srgbClr></a:outerShdw></a:effectLst></a:effectStyle></a:effectStyleLst><a:bgFillStyleLst><a:solidFill><a:schemeClr val="phClr"/></a:solidFill><a:solidFill><a:schemeClr val="phClr"><a:tint val="95000"/><a:satMod val="170000"/></a:schemeClr></a:solidFill><a:gradFill rotWithShape="1"><a:gsLst><a:gs pos="0"><a:schemeClr val="phClr"><a:tint val="93000"/><a:satMod val="150000"/><a:shade val="98000"/><a:lumMod val="102000"/></a:schemeClr></a:gs><a:gs pos="50000"><a:schemeClr val="phClr"><a:tint val="98000"/><a:satMod val="130000"/><a:shade val="90000"/><a:lumMod val="103000"/></a:schemeClr></a:gs><a:gs pos="100000"><a:schemeClr val="phClr"><a:shade val="63000"/><a:satMod val="120000"/></a:schemeClr></a:gs></a:gsLst><a:lin ang="5400000" scaled="0"/></a:gradFill></a:bgFillStyleLst></a:fmtScheme></a:themeElements><a:objectDefaults/><a:extraClrSchemeLst/><a:extLst><a:ext uri="{05A4C25C-085E-4340-85A3-A5531E510DB2}"><thm15:themeFamily xmlns:thm15="http://schemas.microsoft.com/office/thememl/2012/main" name="Office Theme" id="{62F939B6-93AF-4DB8-9C6B-D6C7DFDC589F}" vid="{4A3C46E8-61CC-4603-A589-7422A47A8E4A}"/></a:ext></a:extLst></a:theme></pkg:xmlData></pkg:part><pkg:part pkg:name="/word/settings.xml" pkg:contentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"><pkg:xmlData><w:settings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16cid="http://schemas.microsoft.com/office/word/2016/wordml/cid" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main" mc:Ignorable="w14 w15 w16se w16cid"><w:zoom w:percent="100"/><w:proofState w:spelling="clean" w:grammar="clean"/><w:doNotTrackMoves/><w:defaultTabStop w:val="708"/><w:hyphenationZone w:val="425"/><w:characterSpacingControl w:val="doNotCompress"/><w:compat><w:useNormalStyleForList/><w:doNotUseIndentAsNumberingTabStop/><w:useAltKinsokuLineBreakRules/><w:allowSpaceOfSameStyleInTable/><w:doNotSuppressIndentation/><w:doNotAutofitConstrainedTables/><w:autofitToFirstFixedWidthCell/><w:displayHangulFixedWidth/><w:splitPgBreakAndParaMark/><w:doNotVertAlignCellWithSp/><w:doNotBreakConstrainedForcedTable/><w:doNotVertAlignInTxbx/><w:useAnsiKerningPairs/><w:cachedColBalance/><w:compatSetting w:name="compatibilityMode" w:uri="http://schemas.microsoft.com/office/word" w:val="11"/><w:compatSetting w:name="allowHyphenationAtTrackBottom" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="useWord2013TrackBottomHyphenation" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/></w:compat><w:rsids><w:rsidRoot w:val="00601692"/><w:rsid w:val="00601692"/><w:rsid w:val="00972907"/><w:rsid w:val="00FC3A9D"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="0"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:themeFontLang w:val="de-DE"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/><w:shapeDefaults><o:shapedefaults v:ext="edit" spidmax="1026"/><o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout></w:shapeDefaults><w:decimalSymbol w:val=","/><w:listSeparator w:val=";"/><w14:docId w14:val="047552AE"/><w15:chartTrackingRefBased/><w15:docId w15:val="{C5480CB3-6457-4809-B8A6-E3BEF53BE60F}"/></w:settings></pkg:xmlData></pkg:part><pkg:part pkg:name="/word/fontTable.xml" pkg:contentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"><pkg:xmlData><w:fonts xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16cid="http://schemas.microsoft.com/office/word/2016/wordml/cid" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" mc:Ignorable="w14 w15 w16se w16cid"><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="E0002AFF" w:usb1="C000247B" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="E0002EFF" w:usb1="C000785B" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Calibri Light"><w:panose1 w:val="020F0302020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="E0002AFF" w:usb1="C000247B" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Algerian"><w:panose1 w:val="04020705040A02060702"/><w:charset w:val="00"/><w:family w:val="decorative"/><w:pitch w:val="variable"/><w:sig w:usb0="00000003" w:usb1="00000000" w:usb2="00000000" w:usb3="00000000" w:csb0="00000001" w:csb1="00000000"/></w:font></w:fonts></pkg:xmlData></pkg:part><pkg:part pkg:name="/word/webSettings.xml" pkg:contentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"><pkg:xmlData><w:webSettings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16cid="http://schemas.microsoft.com/office/word/2016/wordml/cid" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" mc:Ignorable="w14 w15 w16se w16cid"><w:optimizeForBrowser/><w:allowPNG/></w:webSettings></pkg:xmlData></pkg:part><pkg:part pkg:name="/docProps/app.xml" pkg:contentType="application/vnd.openxmlformats-officedocument.extended-properties+xml" pkg:padding="256"><pkg:xmlData><Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal</Template><TotalTime>0</TotalTime><Pages>1</Pages><Words>39</Words><Characters>250</Characters><Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity><Lines>2</Lines><Paragraphs>1</Paragraphs><ScaleCrop>false</ScaleCrop><HeadingPairs><vt:vector size="2" baseType="variant"><vt:variant><vt:lpstr>Titel</vt:lpstr></vt:variant><vt:variant><vt:i4>1</vt:i4></vt:variant></vt:vector></HeadingPairs><TitlesOfParts><vt:vector size="1" baseType="lpstr"><vt:lpstr/></vt:vector></TitlesOfParts><Company/><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>288</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>16.0000</AppVersion></Properties></pkg:xmlData></pkg:part><pkg:part pkg:name="/docProps/core.xml" pkg:contentType="application/vnd.openxmlformats-package.core-properties+xml" pkg:padding="256"><pkg:xmlData><cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:title/><dc:subject/><dc:creator>user</dc:creator><cp:keywords/><dc:description/><cp:lastModifiedBy>user</cp:lastModifiedBy><cp:revision>2</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2017-10-26T09:10:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2017-10-26T09:10:00Z</dcterms:modified></cp:coreProperties></pkg:xmlData></pkg:part><pkg:part pkg:name="/word/styles.xml" pkg:contentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"><pkg:xmlData><w:styles xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16cid="http://schemas.microsoft.com/office/word/2016/wordml/cid" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" mc:Ignorable="w14 w15 w16se w16cid"><w:docDefaults><w:rPrDefault><w:rPr><w:rFonts w:ascii="Calibri" w:eastAsia="Calibri" w:hAnsi="Calibri" w:cs="Times New Roman"/><w:lang w:val="de-DE" w:eastAsia="de-DE" w:bidi="ar-SA"/></w:rPr></w:rPrDefault><w:pPrDefault/></w:docDefaults><w:latentStyles w:defLockedState="0" w:defUIPriority="99" w:defSemiHidden="0" w:defUnhideWhenUsed="0" w:defQFormat="0" w:count="375"><w:lsdException w:name="Normal" w:uiPriority="0" w:qFormat="1"/><w:lsdException w:name="heading 1" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 2" w:semiHidden="1" w:uiPriority="9" w:unhideWhenUsed="1" w:qFormat="1"/><w:lsdException w:name="heading 3" w:semiHidden="1" w:uiPriority="9" w:unhideWhenUsed="1" w:qFormat="1"/><w:lsdException w:name="heading 4" w:semiHidden="1" w:uiPriority="9" w:unhideWhenUsed="1" w:qFormat="1"/><w:lsdException w:name="heading 5" w:semiHidden="1" w:uiPriority="9" w:unhideWhenUsed="1" w:qFormat="1"/><w:lsdException w:name="heading 6" w:semiHidden="1" w:uiPriority="9" w:unhideWhenUsed="1" w:qFormat="1"/><w:lsdException w:name="heading 7" w:semiHidden="1" w:uiPriority="9" w:unhideWhenUsed="1" w:qFormat="1"/><w:lsdException w:name="heading 8" w:semiHidden="1" w:uiPriority="9" w:unhideWhenUsed="1" w:qFormat="1"/><w:lsdException w:name="heading 9" w:semiHidden="1" w:uiPriority="9" w:unhideWhenUsed="1" w:qFormat="1"/><w:lsdException w:name="index 1" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="index 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="index 3" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="index 4" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="index 5" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="index 6" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="index 7" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="index 8" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="index 9" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="toc 1" w:semiHidden="1" w:uiPriority="39" w:unhideWhenUsed="1"/><w:lsdException w:name="toc 2" w:semiHidden="1" w:uiPriority="39" w:unhideWhenUsed="1"/><w:lsdException w:name="toc 3" w:semiHidden="1" w:uiPriority="39" w:unhideWhenUsed="1"/><w:lsdException w:name="toc 4" w:semiHidden="1" w:uiPriority="39" w:unhideWhenUsed="1"/><w:lsdException w:name="toc 5" w:semiHidden="1" w:uiPriority="39" w:unhideWhenUsed="1"/><w:lsdException w:name="toc 6" w:semiHidden="1" w:uiPriority="39" w:unhideWhenUsed="1"/><w:lsdException w:name="toc 7" w:semiHidden="1" w:uiPriority="39" w:unhideWhenUsed="1"/><w:lsdException w:name="toc 8" w:semiHidden="1" w:uiPriority="39" w:unhideWhenUsed="1"/><w:lsdException w:name="toc 9" w:semiHidden="1" w:uiPriority="39" w:unhideWhenUsed="1"/><w:lsdException w:name="Normal Indent" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="footnote text" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="annotation text" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="header" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="footer" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="index heading" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="caption" w:semiHidden="1" w:uiPriority="35" w:unhideWhenUsed="1" w:qFormat="1"/><w:lsdException w:name="table of figures" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="envelope address" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="envelope return" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="footnote reference" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="annotation reference" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="line number" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="page number" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="endnote reference" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="endnote text" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="table of authorities" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="macro" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="toa heading" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List Bullet" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List Number" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List 3" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List 4" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List 5" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List Bullet 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List Bullet 3" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List Bullet 4" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List Bullet 5" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List Number 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List Number 3" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List Number 4" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List Number 5" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Title" w:uiPriority="10" w:qFormat="1"/><w:lsdException w:name="Closing" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Signature" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Default Paragraph Font" w:semiHidden="1" w:uiPriority="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Body Text" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Body Text Indent" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List Continue" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List Continue 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List Continue 3" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List Continue 4" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="List Continue 5" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Message Header" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Subtitle" w:uiPriority="11" w:qFormat="1"/><w:lsdException w:name="Salutation" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Date" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Body Text First Indent" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Body Text First Indent 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Note Heading" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Body Text 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Body Text 3" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Body Text Indent 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Body Text Indent 3" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Block Text" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Hyperlink" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="FollowedHyperlink" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Strong" w:uiPriority="22" w:qFormat="1"/><w:lsdException w:name="Emphasis" w:uiPriority="20" w:qFormat="1"/><w:lsdException w:name="Document Map" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Plain Text" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="E-mail Signature" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="HTML Top of Form" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="HTML Bottom of Form" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Normal (Web)" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="HTML Acronym" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="HTML Address" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="HTML Cite" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="HTML Code" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="HTML Definition" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="HTML Keyboard" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="HTML Preformatted" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="HTML Sample" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="HTML Typewriter" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="HTML Variable" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Normal Table" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="annotation subject" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="No List" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Outline List 1" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Outline List 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Outline List 3" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Simple 1" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Simple 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Simple 3" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Classic 1" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Classic 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Classic 3" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Classic 4" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Colorful 1" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Colorful 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Colorful 3" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Columns 1" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Columns 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Columns 3" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Columns 4" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Columns 5" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Grid 1" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Grid 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Grid 3" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Grid 4" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Grid 5" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Grid 6" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Grid 7" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Grid 8" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table List 1" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table List 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table List 3" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table List 4" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table List 5" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table List 6" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table List 7" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table List 8" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table 3D effects 1" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table 3D effects 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table 3D effects 3" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Contemporary" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Elegant" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Professional" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Subtle 1" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Subtle 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Web 1" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Web 2" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Web 3" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Balloon Text" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Table Grid" w:uiPriority="39"/><w:lsdException w:name="Table Theme" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Placeholder Text" w:semiHidden="1"/><w:lsdException w:name="No Spacing" w:uiPriority="1" w:qFormat="1"/><w:lsdException w:name="Light Shading" w:uiPriority="60"/><w:lsdException w:name="Light List" w:uiPriority="61"/><w:lsdException w:name="Light Grid" w:uiPriority="62"/><w:lsdException w:name="Medium Shading 1" w:uiPriority="63"/><w:lsdException w:name="Medium Shading 2" w:uiPriority="64"/><w:lsdException w:name="Medium List 1" w:uiPriority="65"/><w:lsdException w:name="Medium List 2" w:uiPriority="66"/><w:lsdException w:name="Medium Grid 1" w:uiPriority="67"/><w:lsdException w:name="Medium Grid 2" w:uiPriority="68"/><w:lsdException w:name="Medium Grid 3" w:uiPriority="69"/><w:lsdException w:name="Dark List" w:uiPriority="70"/><w:lsdException w:name="Colorful Shading" w:uiPriority="71"/><w:lsdException w:name="Colorful List" w:uiPriority="72"/><w:lsdException w:name="Colorful Grid" w:uiPriority="73"/><w:lsdException w:name="Light Shading Accent 1" w:uiPriority="60"/><w:lsdException w:name="Light List Accent 1" w:uiPriority="61"/><w:lsdException w:name="Light Grid Accent 1" w:uiPriority="62"/><w:lsdException w:name="Medium Shading 1 Accent 1" w:uiPriority="63"/><w:lsdException w:name="Medium Shading 2 Accent 1" w:uiPriority="64"/><w:lsdException w:name="Medium List 1 Accent 1" w:uiPriority="65"/><w:lsdException w:name="Revision" w:semiHidden="1"/><w:lsdException w:name="List Paragraph" w:uiPriority="34" w:qFormat="1"/><w:lsdException w:name="Quote" w:uiPriority="29" w:qFormat="1"/><w:lsdException w:name="Intense Quote" w:uiPriority="30" w:qFormat="1"/><w:lsdException w:name="Medium List 2 Accent 1" w:uiPriority="66"/><w:lsdException w:name="Medium Grid 1 Accent 1" w:uiPriority="67"/><w:lsdException w:name="Medium Grid 2 Accent 1" w:uiPriority="68"/><w:lsdException w:name="Medium Grid 3 Accent 1" w:uiPriority="69"/><w:lsdException w:name="Dark List Accent 1" w:uiPriority="70"/><w:lsdException w:name="Colorful Shading Accent 1" w:uiPriority="71"/><w:lsdException w:name="Colorful List Accent 1" w:uiPriority="72"/><w:lsdException w:name="Colorful Grid Accent 1" w:uiPriority="73"/><w:lsdException w:name="Light Shading Accent 2" w:uiPriority="60"/><w:lsdException w:name="Light List Accent 2" w:uiPriority="61"/><w:lsdException w:name="Light Grid Accent 2" w:uiPriority="62"/><w:lsdException w:name="Medium Shading 1 Accent 2" w:uiPriority="63"/><w:lsdException w:name="Medium Shading 2 Accent 2" w:uiPriority="64"/><w:lsdException w:name="Medium List 1 Accent 2" w:uiPriority="65"/><w:lsdException w:name="Medium List 2 Accent 2" w:uiPriority="66"/><w:lsdException w:name="Medium Grid 1 Accent 2" w:uiPriority="67"/><w:lsdException w:name="Medium Grid 2 Accent 2" w:uiPriority="68"/><w:lsdException w:name="Medium Grid 3 Accent 2" w:uiPriority="69"/><w:lsdException w:name="Dark List Accent 2" w:uiPriority="70"/><w:lsdException w:name="Colorful Shading Accent 2" w:uiPriority="71"/><w:lsdException w:name="Colorful List Accent 2" w:uiPriority="72"/><w:lsdException w:name="Colorful Grid Accent 2" w:uiPriority="73"/><w:lsdException w:name="Light Shading Accent 3" w:uiPriority="60"/><w:lsdException w:name="Light List Accent 3" w:uiPriority="61"/><w:lsdException w:name="Light Grid Accent 3" w:uiPriority="62"/><w:lsdException w:name="Medium Shading 1 Accent 3" w:uiPriority="63"/><w:lsdException w:name="Medium Shading 2 Accent 3" w:uiPriority="64"/><w:lsdException w:name="Medium List 1 Accent 3" w:uiPriority="65"/><w:lsdException w:name="Medium List 2 Accent 3" w:uiPriority="66"/><w:lsdException w:name="Medium Grid 1 Accent 3" w:uiPriority="67"/><w:lsdException w:name="Medium Grid 2 Accent 3" w:uiPriority="68"/><w:lsdException w:name="Medium Grid 3 Accent 3" w:uiPriority="69"/><w:lsdException w:name="Dark List Accent 3" w:uiPriority="70"/><w:lsdException w:name="Colorful Shading Accent 3" w:uiPriority="71"/><w:lsdException w:name="Colorful List Accent 3" w:uiPriority="72"/><w:lsdException w:name="Colorful Grid Accent 3" w:uiPriority="73"/><w:lsdException w:name="Light Shading Accent 4" w:uiPriority="60"/><w:lsdException w:name="Light List Accent 4" w:uiPriority="61"/><w:lsdException w:name="Light Grid Accent 4" w:uiPriority="62"/><w:lsdException w:name="Medium Shading 1 Accent 4" w:uiPriority="63"/><w:lsdException w:name="Medium Shading 2 Accent 4" w:uiPriority="64"/><w:lsdException w:name="Medium List 1 Accent 4" w:uiPriority="65"/><w:lsdException w:name="Medium List 2 Accent 4" w:uiPriority="66"/><w:lsdException w:name="Medium Grid 1 Accent 4" w:uiPriority="67"/><w:lsdException w:name="Medium Grid 2 Accent 4" w:uiPriority="68"/><w:lsdException w:name="Medium Grid 3 Accent 4" w:uiPriority="69"/><w:lsdException w:name="Dark List Accent 4" w:uiPriority="70"/><w:lsdException w:name="Colorful Shading Accent 4" w:uiPriority="71"/><w:lsdException w:name="Colorful List Accent 4" w:uiPriority="72"/><w:lsdException w:name="Colorful Grid Accent 4" w:uiPriority="73"/><w:lsdException w:name="Light Shading Accent 5" w:uiPriority="60"/><w:lsdException w:name="Light List Accent 5" w:uiPriority="61"/><w:lsdException w:name="Light Grid Accent 5" w:uiPriority="62"/><w:lsdException w:name="Medium Shading 1 Accent 5" w:uiPriority="63"/><w:lsdException w:name="Medium Shading 2 Accent 5" w:uiPriority="64"/><w:lsdException w:name="Medium List 1 Accent 5" w:uiPriority="65"/><w:lsdException w:name="Medium List 2 Accent 5" w:uiPriority="66"/><w:lsdException w:name="Medium Grid 1 Accent 5" w:uiPriority="67"/><w:lsdException w:name="Medium Grid 2 Accent 5" w:uiPriority="68"/><w:lsdException w:name="Medium Grid 3 Accent 5" w:uiPriority="69"/><w:lsdException w:name="Dark List Accent 5" w:uiPriority="70"/><w:lsdException w:name="Colorful Shading Accent 5" w:uiPriority="71"/><w:lsdException w:name="Colorful List Accent 5" w:uiPriority="72"/><w:lsdException w:name="Colorful Grid Accent 5" w:uiPriority="73"/><w:lsdException w:name="Light Shading Accent 6" w:uiPriority="60"/><w:lsdException w:name="Light List Accent 6" w:uiPriority="61"/><w:lsdException w:name="Light Grid Accent 6" w:uiPriority="62"/><w:lsdException w:name="Medium Shading 1 Accent 6" w:uiPriority="63"/><w:lsdException w:name="Medium Shading 2 Accent 6" w:uiPriority="64"/><w:lsdException w:name="Medium List 1 Accent 6" w:uiPriority="65"/><w:lsdException w:name="Medium List 2 Accent 6" w:uiPriority="66"/><w:lsdException w:name="Medium Grid 1 Accent 6" w:uiPriority="67"/><w:lsdException w:name="Medium Grid 2 Accent 6" w:uiPriority="68"/><w:lsdException w:name="Medium Grid 3 Accent 6" w:uiPriority="69"/><w:lsdException w:name="Dark List Accent 6" w:uiPriority="70"/><w:lsdException w:name="Colorful Shading Accent 6" w:uiPriority="71"/><w:lsdException w:name="Colorful List Accent 6" w:uiPriority="72"/><w:lsdException w:name="Colorful Grid Accent 6" w:uiPriority="73"/><w:lsdException w:name="Subtle Emphasis" w:uiPriority="19" w:qFormat="1"/><w:lsdException w:name="Intense Emphasis" w:uiPriority="21" w:qFormat="1"/><w:lsdException w:name="Subtle Reference" w:uiPriority="31" w:qFormat="1"/><w:lsdException w:name="Intense Reference" w:uiPriority="32" w:qFormat="1"/><w:lsdException w:name="Book Title" w:uiPriority="33" w:qFormat="1"/><w:lsdException w:name="Bibliography" w:semiHidden="1" w:uiPriority="37" w:unhideWhenUsed="1"/><w:lsdException w:name="TOC Heading" w:semiHidden="1" w:uiPriority="39" w:unhideWhenUsed="1" w:qFormat="1"/><w:lsdException w:name="Plain Table 1" w:uiPriority="41"/><w:lsdException w:name="Plain Table 2" w:uiPriority="42"/><w:lsdException w:name="Plain Table 3" w:uiPriority="43"/><w:lsdException w:name="Plain Table 4" w:uiPriority="44"/><w:lsdException w:name="Plain Table 5" w:uiPriority="45"/><w:lsdException w:name="Grid Table Light" w:uiPriority="40"/><w:lsdException w:name="Grid Table 1 Light" w:uiPriority="46"/><w:lsdException w:name="Grid Table 2" w:uiPriority="47"/><w:lsdException w:name="Grid Table 3" w:uiPriority="48"/><w:lsdException w:name="Grid Table 4" w:uiPriority="49"/><w:lsdException w:name="Grid Table 5 Dark" w:uiPriority="50"/><w:lsdException w:name="Grid Table 6 Colorful" w:uiPriority="51"/><w:lsdException w:name="Grid Table 7 Colorful" w:uiPriority="52"/><w:lsdException w:name="Grid Table 1 Light Accent 1" w:uiPriority="46"/><w:lsdException w:name="Grid Table 2 Accent 1" w:uiPriority="47"/><w:lsdException w:name="Grid Table 3 Accent 1" w:uiPriority="48"/><w:lsdException w:name="Grid Table 4 Accent 1" w:uiPriority="49"/><w:lsdException w:name="Grid Table 5 Dark Accent 1" w:uiPriority="50"/><w:lsdException w:name="Grid Table 6 Colorful Accent 1" w:uiPriority="51"/><w:lsdException w:name="Grid Table 7 Colorful Accent 1" w:uiPriority="52"/><w:lsdException w:name="Grid Table 1 Light Accent 2" w:uiPriority="46"/><w:lsdException w:name="Grid Table 2 Accent 2" w:uiPriority="47"/><w:lsdException w:name="Grid Table 3 Accent 2" w:uiPriority="48"/><w:lsdException w:name="Grid Table 4 Accent 2" w:uiPriority="49"/><w:lsdException w:name="Grid Table 5 Dark Accent 2" w:uiPriority="50"/><w:lsdException w:name="Grid Table 6 Colorful Accent 2" w:uiPriority="51"/><w:lsdException w:name="Grid Table 7 Colorful Accent 2" w:uiPriority="52"/><w:lsdException w:name="Grid Table 1 Light Accent 3" w:uiPriority="46"/><w:lsdException w:name="Grid Table 2 Accent 3" w:uiPriority="47"/><w:lsdException w:name="Grid Table 3 Accent 3" w:uiPriority="48"/><w:lsdException w:name="Grid Table 4 Accent 3" w:uiPriority="49"/><w:lsdException w:name="Grid Table 5 Dark Accent 3" w:uiPriority="50"/><w:lsdException w:name="Grid Table 6 Colorful Accent 3" w:uiPriority="51"/><w:lsdException w:name="Grid Table 7 Colorful Accent 3" w:uiPriority="52"/><w:lsdException w:name="Grid Table 1 Light Accent 4" w:uiPriority="46"/><w:lsdException w:name="Grid Table 2 Accent 4" w:uiPriority="47"/><w:lsdException w:name="Grid Table 3 Accent 4" w:uiPriority="48"/><w:lsdException w:name="Grid Table 4 Accent 4" w:uiPriority="49"/><w:lsdException w:name="Grid Table 5 Dark Accent 4" w:uiPriority="50"/><w:lsdException w:name="Grid Table 6 Colorful Accent 4" w:uiPriority="51"/><w:lsdException w:name="Grid Table 7 Colorful Accent 4" w:uiPriority="52"/><w:lsdException w:name="Grid Table 1 Light Accent 5" w:uiPriority="46"/><w:lsdException w:name="Grid Table 2 Accent 5" w:uiPriority="47"/><w:lsdException w:name="Grid Table 3 Accent 5" w:uiPriority="48"/><w:lsdException w:name="Grid Table 4 Accent 5" w:uiPriority="49"/><w:lsdException w:name="Grid Table 5 Dark Accent 5" w:uiPriority="50"/><w:lsdException w:name="Grid Table 6 Colorful Accent 5" w:uiPriority="51"/><w:lsdException w:name="Grid Table 7 Colorful Accent 5" w:uiPriority="52"/><w:lsdException w:name="Grid Table 1 Light Accent 6" w:uiPriority="46"/><w:lsdException w:name="Grid Table 2 Accent 6" w:uiPriority="47"/><w:lsdException w:name="Grid Table 3 Accent 6" w:uiPriority="48"/><w:lsdException w:name="Grid Table 4 Accent 6" w:uiPriority="49"/><w:lsdException w:name="Grid Table 5 Dark Accent 6" w:uiPriority="50"/><w:lsdException w:name="Grid Table 6 Colorful Accent 6" w:uiPriority="51"/><w:lsdException w:name="Grid Table 7 Colorful Accent 6" w:uiPriority="52"/><w:lsdException w:name="List Table 1 Light" w:uiPriority="46"/><w:lsdException w:name="List Table 2" w:uiPriority="47"/><w:lsdException w:name="List Table 3" w:uiPriority="48"/><w:lsdException w:name="List Table 4" w:uiPriority="49"/><w:lsdException w:name="List Table 5 Dark" w:uiPriority="50"/><w:lsdException w:name="List Table 6 Colorful" w:uiPriority="51"/><w:lsdException w:name="List Table 7 Colorful" w:uiPriority="52"/><w:lsdException w:name="List Table 1 Light Accent 1" w:uiPriority="46"/><w:lsdException w:name="List Table 2 Accent 1" w:uiPriority="47"/><w:lsdException w:name="List Table 3 Accent 1" w:uiPriority="48"/><w:lsdException w:name="List Table 4 Accent 1" w:uiPriority="49"/><w:lsdException w:name="List Table 5 Dark Accent 1" w:uiPriority="50"/><w:lsdException w:name="List Table 6 Colorful Accent 1" w:uiPriority="51"/><w:lsdException w:name="List Table 7 Colorful Accent 1" w:uiPriority="52"/><w:lsdException w:name="List Table 1 Light Accent 2" w:uiPriority="46"/><w:lsdException w:name="List Table 2 Accent 2" w:uiPriority="47"/><w:lsdException w:name="List Table 3 Accent 2" w:uiPriority="48"/><w:lsdException w:name="List Table 4 Accent 2" w:uiPriority="49"/><w:lsdException w:name="List Table 5 Dark Accent 2" w:uiPriority="50"/><w:lsdException w:name="List Table 6 Colorful Accent 2" w:uiPriority="51"/><w:lsdException w:name="List Table 7 Colorful Accent 2" w:uiPriority="52"/><w:lsdException w:name="List Table 1 Light Accent 3" w:uiPriority="46"/><w:lsdException w:name="List Table 2 Accent 3" w:uiPriority="47"/><w:lsdException w:name="List Table 3 Accent 3" w:uiPriority="48"/><w:lsdException w:name="List Table 4 Accent 3" w:uiPriority="49"/><w:lsdException w:name="List Table 5 Dark Accent 3" w:uiPriority="50"/><w:lsdException w:name="List Table 6 Colorful Accent 3" w:uiPriority="51"/><w:lsdException w:name="List Table 7 Colorful Accent 3" w:uiPriority="52"/><w:lsdException w:name="List Table 1 Light Accent 4" w:uiPriority="46"/><w:lsdException w:name="List Table 2 Accent 4" w:uiPriority="47"/><w:lsdException w:name="List Table 3 Accent 4" w:uiPriority="48"/><w:lsdException w:name="List Table 4 Accent 4" w:uiPriority="49"/><w:lsdException w:name="List Table 5 Dark Accent 4" w:uiPriority="50"/><w:lsdException w:name="List Table 6 Colorful Accent 4" w:uiPriority="51"/><w:lsdException w:name="List Table 7 Colorful Accent 4" w:uiPriority="52"/><w:lsdException w:name="List Table 1 Light Accent 5" w:uiPriority="46"/><w:lsdException w:name="List Table 2 Accent 5" w:uiPriority="47"/><w:lsdException w:name="List Table 3 Accent 5" w:uiPriority="48"/><w:lsdException w:name="List Table 4 Accent 5" w:uiPriority="49"/><w:lsdException w:name="List Table 5 Dark Accent 5" w:uiPriority="50"/><w:lsdException w:name="List Table 6 Colorful Accent 5" w:uiPriority="51"/><w:lsdException w:name="List Table 7 Colorful Accent 5" w:uiPriority="52"/><w:lsdException w:name="List Table 1 Light Accent 6" w:uiPriority="46"/><w:lsdException w:name="List Table 2 Accent 6" w:uiPriority="47"/><w:lsdException w:name="List Table 3 Accent 6" w:uiPriority="48"/><w:lsdException w:name="List Table 4 Accent 6" w:uiPriority="49"/><w:lsdException w:name="List Table 5 Dark Accent 6" w:uiPriority="50"/><w:lsdException w:name="List Table 6 Colorful Accent 6" w:uiPriority="51"/><w:lsdException w:name="List Table 7 Colorful Accent 6" w:uiPriority="52"/><w:lsdException w:name="Mention" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Smart Hyperlink" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Hashtag" w:semiHidden="1" w:unhideWhenUsed="1"/><w:lsdException w:name="Unresolved Mention" w:semiHidden="1" w:unhideWhenUsed="1"/></w:latentStyles><w:style w:type="paragraph" w:default="1" w:styleId="Standard"><w:name w:val="Normal"/><w:qFormat/><w:pPr><w:spacing w:after="160" w:line="259" w:lineRule="auto"/></w:pPr><w:rPr><w:sz w:val="22"/><w:szCs w:val="22"/><w:lang w:eastAsia="en-US"/></w:rPr></w:style><w:style w:type="paragraph" w:styleId="berschrift1"><w:name w:val="heading 1"/><w:basedOn w:val="Standard"/><w:next w:val="Standard"/><w:link w:val="berschrift1Zchn"/><w:uiPriority w:val="9"/><w:qFormat/><w:rsid w:val="00601692"/><w:pPr><w:keepNext/><w:keepLines/><w:spacing w:before="240" w:after="0"/><w:outlineLvl w:val="0"/></w:pPr><w:rPr><w:rFonts w:ascii="Calibri Light" w:eastAsia="Times New Roman" w:hAnsi="Calibri Light"/><w:color w:val="2F5496"/><w:sz w:val="32"/><w:szCs w:val="32"/></w:rPr></w:style><w:style w:type="character" w:default="1" w:styleId="Absatz-Standardschriftart"><w:name w:val="Default Paragraph Font"/><w:uiPriority w:val="1"/><w:semiHidden/><w:unhideWhenUsed/></w:style><w:style w:type="table" w:default="1" w:styleId="NormaleTabelle"><w:name w:val="Normal Table"/><w:uiPriority w:val="99"/><w:semiHidden/><w:unhideWhenUsed/><w:tblPr><w:tblInd w:w="0" w:type="dxa"/><w:tblCellMar><w:top w:w="0" w:type="dxa"/><w:left w:w="108" w:type="dxa"/><w:bottom w:w="0" w:type="dxa"/><w:right w:w="108" w:type="dxa"/></w:tblCellMar></w:tblPr></w:style><w:style w:type="numbering" w:default="1" w:styleId="KeineListe"><w:name w:val="No List"/><w:uiPriority w:val="99"/><w:semiHidden/><w:unhideWhenUsed/></w:style><w:style w:type="character" w:customStyle="1" w:styleId="berschrift1Zchn"><w:name w:val="Überschrift 1 Zchn"/><w:link w:val="berschrift1"/><w:uiPriority w:val="9"/><w:rsid w:val="00601692"/><w:rPr><w:rFonts w:ascii="Calibri Light" w:eastAsia="Times New Roman" w:hAnsi="Calibri Light" w:cs="Times New Roman"/><w:color w:val="2F5496"/><w:sz w:val="32"/><w:szCs w:val="32"/></w:rPr></w:style></w:styles></pkg:xmlData></pkg:part></pkg:package>
 \ No newline at end of file
+{\rt{\object\objautlink\objupdate\rsltpict\objw37542\objh829\objscalex59286\objscaley86308{\*\objclass \'77}{\*\objdata 32\bin6 FF}}}
 \ No newline at end of file
+from .output_capture import OutputCapture
+
+from os.path import dirname, join
+
+# Directory with test data, independent of current working directory
+DATA_BASE_DIR = join(dirname(dirname(__file__)), 'test-data')
+""" class OutputCapture to test what scripts print to stdout """
+
+from __future__ import print_function
+import sys
+
+
+# python 2/3 version conflict:
+if sys.version_info.major <= 2:
+    from StringIO import StringIO
+else:
+    from io import StringIO
+
+class OutputCapture:
+    """ context manager that captures stdout
+
+    use as follows::
+
+        with OutputCapture() as capturer:
+            run_my_script(some_args)
+
+        # either test line-by-line ...
+        for line in capturer:
+            some_test(line)
+        # ...or test all output in one go
+        some_test(capturer.buffer.getvalue())
+
+    """
+
+    def __init__(self):
+        self.buffer = StringIO()
+        self.orig_stdout = None
+
+    def __enter__(self):
+        # replace sys.stdout with own buffer.
+        self.orig_stdout = sys.stdout
+        sys.stdout = self.buffer
+        return self
+
+    def __exit__(self, exc_type, exc_value, traceback):
+        sys.stdout = self.orig_stdout    # re-set to original
+
+        if exc_type:   # there has been an error
+            print('Got error during output capture!')
+            print('Print captured output and re-raise:')
+            for line in self.buffer.getvalue().splitlines():
+                print(line.rstrip())  # print output before re-raising
+
+    def __iter__(self):
+        for line in self.buffer.getvalue().splitlines():
+            yield line.rstrip()   # remove newline at end of line
+import os
+from os.path import dirname, abspath, normpath, join
+from . import DATA_BASE_DIR
+
+
+def read(relative_path):
+    with open(join(DATA_BASE_DIR, relative_path), 'rb') as file_handle:
+        return file_handle.read()
+""" Test my new feature
+
+Some more info if you want
+
+Should work with python2 and python3!
+"""
+
+import unittest
+
+# if you need data from oletools/test-data/DIR/, uncomment these lines:
+#from os.path import join, dirname, normpath
+#Directory with test data, independent of current working directory
+#DATA_DIR = normpath(join(dirname(__file__), '..', 'test-data', 'DIR'))
+
+
+class TestMyFeature(unittest.TestCase):
+    """ Tests my cool new feature """
+
+    def test_this(self):
+        """ check that this works """
+        pass   # your code here
+
+    def test_that(self):
+        """ check that that also works """
+        pass   # your code here
+
+    def helper_function(self, filename):
+        """ to be called from other test functions to avoid copy-and-paste
+
+        this is not called by unittest directly, only from your functions """
+        pass   # your code here
+        # e.g.: msodde.main(join(DATA_DIR, filename))
+
+
+# just in case somebody calls this file as a script
+if __name__ == '__main__':
+    unittest.main()