Commit f2ead51c0e84e3a53e0d4c08dc898fb6e06329ca
1 parent 0762f5bb
updated readme and doc
Showing 5 changed files with 18 additions and 5 deletions
README.md
| @@ -22,7 +22,9 @@ Note: python-oletools is not related to OLETools published by BeCubed Software. | @@ -22,7 +22,9 @@ Note: python-oletools is not related to OLETools published by BeCubed Software. | ||
| 22 | News | 22 | News |
| 23 | ---- | 23 | ---- |
| 24 | 24 | ||
| 25 | -- **2015-03-23 v0.09**: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word 2003 XML files, | 25 | +- **2015-05-06 v0.10**: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word MHTML files |
| 26 | +with macros, aka "Single File Web Page" (.mht) | ||
| 27 | +- 2015-03-23 v0.09: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) now supports Word 2003 XML files, | ||
| 26 | added anti-sandboxing/VM detection | 28 | added anti-sandboxing/VM detection |
| 27 | - 2015-02-08 v0.08: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now decode strings | 29 | - 2015-02-08 v0.08: [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) can now decode strings |
| 28 | obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western | 30 | obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western |
oletools/README.html
| @@ -4,7 +4,8 @@ | @@ -4,7 +4,8 @@ | ||
| 4 | <p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p> | 4 | <p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p> |
| 5 | <h2 id="news">News</h2> | 5 | <h2 id="news">News</h2> |
| 6 | <ul> | 6 | <ul> |
| 7 | -<li><strong>2015-03-23 v0.09</strong>: <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a> now supports Word 2003 XML files, added anti-sandboxing/VM detection</li> | 7 | +<li><strong>2015-05-06 v0.10</strong>: <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a> now supports Word MHTML files with macros, aka "Single File Web Page" (.mht)</li> |
| 8 | +<li>2015-03-23 v0.09: <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a> now supports Word 2003 XML files, added anti-sandboxing/VM detection</li> | ||
| 8 | <li>2015-02-08 v0.08: <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a> can now decode strings obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western codepages with olefile 0.42, improved API and display, several bugfixes.</li> | 9 | <li>2015-02-08 v0.08: <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a> can now decode strings obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western codepages with olefile 0.42, improved API and display, several bugfixes.</li> |
| 9 | <li>2015-01-05 v0.07: improved <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a> to detect suspicious keywords and IOCs in VBA macros, can now scan several files and open password-protected zip archives, added a Python API, upgraded OleFileIO_PL to olefile v0.41</li> | 10 | <li>2015-01-05 v0.07: improved <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a> to detect suspicious keywords and IOCs in VBA macros, can now scan several files and open password-protected zip archives, added a Python API, upgraded OleFileIO_PL to olefile v0.41</li> |
| 10 | <li>2014-08-28 v0.06: added <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a>, a new tool to extract VBA Macro source code from MS Office documents (97-2003 and 2007+). Improved <a href="https://bitbucket.org/decalage/oletools/wiki">documentation</a></li> | 11 | <li>2014-08-28 v0.06: added <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a>, a new tool to extract VBA Macro source code from MS Office documents (97-2003 and 2007+). Improved <a href="https://bitbucket.org/decalage/oletools/wiki">documentation</a></li> |
oletools/README.rst
| @@ -26,7 +26,11 @@ Software. | @@ -26,7 +26,11 @@ Software. | ||
| 26 | News | 26 | News |
| 27 | ---- | 27 | ---- |
| 28 | 28 | ||
| 29 | -- **2015-03-23 v0.09**: | 29 | +- **2015-05-06 v0.10**: |
| 30 | + `olevba <https://bitbucket.org/decalage/oletools/wiki/olevba>`__ now | ||
| 31 | + supports Word MHTML files with macros, aka "Single File Web Page" | ||
| 32 | + (.mht) | ||
| 33 | +- 2015-03-23 v0.09: | ||
| 30 | `olevba <https://bitbucket.org/decalage/oletools/wiki/olevba>`__ now | 34 | `olevba <https://bitbucket.org/decalage/oletools/wiki/olevba>`__ now |
| 31 | supports Word 2003 XML files, added anti-sandboxing/VM detection | 35 | supports Word 2003 XML files, added anti-sandboxing/VM detection |
| 32 | - 2015-02-08 v0.08: | 36 | - 2015-02-08 v0.08: |
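Review bot: The v0.10 news entry at new lines 29-32 is a third hand-wrapped copy of the text that this commit also changes in README.md and oletools/README.html, so the three files can drift apart on the next release. If README.html and README.rst are generated from README.md, regenerate them in a build step rather than committing edits to each; if they are maintained by hand, note that near the News heading so the next release touches all three.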
oletools/doc/olevba.html
| @@ -16,13 +16,14 @@ | @@ -16,13 +16,14 @@ | ||
| 16 | <li><p>Word 97-2003 (.doc, .dot)</p></li> | 16 | <li><p>Word 97-2003 (.doc, .dot)</p></li> |
| 17 | <li><p>Word 2007+ (.docm, .dotm)</p></li> | 17 | <li><p>Word 2007+ (.docm, .dotm)</p></li> |
| 18 | <li><p>Word 2003 XML (.xml)</p></li> | 18 | <li><p>Word 2003 XML (.xml)</p></li> |
| 19 | +<li><p>Word MHTML Single File Web Page (.mht)</p></li> | ||
| 19 | <li><p>Excel 97-2003 (.xls)</p></li> | 20 | <li><p>Excel 97-2003 (.xls)</p></li> |
| 20 | <li><p>Excel 2007+ (.xlsm, .xlsb)</p></li> | 21 | <li><p>Excel 2007+ (.xlsm, .xlsb)</p></li> |
| 21 | <li><p>PowerPoint 2007+ (.pptm, .ppsm)</p></li> | 22 | <li><p>PowerPoint 2007+ (.pptm, .ppsm)</p></li> |
| 22 | </ul> | 23 | </ul> |
| 23 | <h2 id="main-features">Main Features</h2> | 24 | <h2 id="main-features">Main Features</h2> |
| 24 | <ul> | 25 | <ul> |
| 25 | -<li><p>Detect VBA macros in MS Office 97-2003 and 2007+ files</p></li> | 26 | +<li><p>Detect VBA macros in MS Office 97-2003 and 2007+ files, XML, MHT</p></li> |
| 26 | <li><p>Extract VBA macro source code</p></li> | 27 | <li><p>Extract VBA macro source code</p></li> |
| 27 | <li><p>Detect auto-executable macros</p></li> | 28 | <li><p>Detect auto-executable macros</p></li> |
| 28 | <li><p>Detect suspicious VBA keywords often used by malware</p></li> | 29 | <li><p>Detect suspicious VBA keywords often used by malware</p></li> |
| @@ -238,6 +239,8 @@ ANALYSIS: | @@ -238,6 +239,8 @@ ANALYSIS: | ||
| 238 | <ul> | 239 | <ul> |
| 239 | <li><p><strong>OLE</strong>: the file type is OLE, for example MS Office 97-2003</p></li> | 240 | <li><p><strong>OLE</strong>: the file type is OLE, for example MS Office 97-2003</p></li> |
| 240 | <li><p><strong>OpX</strong>: the file type is OpenXML, for example MS Office 2007+</p></li> | 241 | <li><p><strong>OpX</strong>: the file type is OpenXML, for example MS Office 2007+</p></li> |
| 242 | +<li><p><strong>XML</strong>: the file type is Word 2003 XML</p></li> | ||
| 243 | +<li><p><strong>MHT</strong>: the file type is Word MHTML, aka Single File Web Page (.mht)</p></li> | ||
| 241 | <li><p><strong>?</strong>: the file type is not supported</p></li> | 244 | <li><p><strong>?</strong>: the file type is not supported</p></li> |
| 242 | <li><p><strong>M</strong>: contains VBA Macros</p></li> | 245 | <li><p><strong>M</strong>: contains VBA Macros</p></li> |
| 243 | <li><p><strong>A</strong>: auto-executable macros</p></li> | 246 | <li><p><strong>A</strong>: auto-executable macros</p></li> |
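Review bot: The XML flag added at new line 242 documents Word 2003 XML support, which the README news entries in this same commit date to v0.09, so that line is a catch-up fix bundled with the v0.10 MHT change. Say so in the commit message, which currently reads only "updated readme and doc", so the flag-list change can be traced to both features.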
oletools/doc/olevba.md
| @@ -21,13 +21,14 @@ by John William Davison, with significant modifications. | @@ -21,13 +21,14 @@ by John William Davison, with significant modifications. | ||
| 21 | - Word 97-2003 (.doc, .dot) | 21 | - Word 97-2003 (.doc, .dot) |
| 22 | - Word 2007+ (.docm, .dotm) | 22 | - Word 2007+ (.docm, .dotm) |
| 23 | - Word 2003 XML (.xml) | 23 | - Word 2003 XML (.xml) |
| 24 | +- Word MHTML Single File Web Page (.mht) | ||
| 24 | - Excel 97-2003 (.xls) | 25 | - Excel 97-2003 (.xls) |
| 25 | - Excel 2007+ (.xlsm, .xlsb) | 26 | - Excel 2007+ (.xlsm, .xlsb) |
| 26 | - PowerPoint 2007+ (.pptm, .ppsm) | 27 | - PowerPoint 2007+ (.pptm, .ppsm) |
| 27 | 28 | ||
| 28 | ## Main Features | 29 | ## Main Features |
| 29 | 30 | ||
| 30 | -- Detect VBA macros in MS Office 97-2003 and 2007+ files | 31 | +- Detect VBA macros in MS Office 97-2003 and 2007+ files, XML, MHT |
| 31 | - Extract VBA macro source code | 32 | - Extract VBA macro source code |
| 32 | - Detect auto-executable macros | 33 | - Detect auto-executable macros |
| 33 | - Detect suspicious VBA keywords often used by malware | 34 | - Detect suspicious VBA keywords often used by malware |
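Review bot: In the Main Features bullet at new line 31, "files, XML, MHT" reads as if XML and MHT were supported generically, while the format list just above it limits both to Word (Word 2003 XML, Word MHTML Single File Web Page). Suggest "Detect VBA macros in MS Office 97-2003 and 2007+ files, Word 2003 XML and Word MHTML (.mht)" so the feature claim matches the list; the same bullet in oletools/doc/olevba.html needs the same wording.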
| @@ -200,6 +201,8 @@ The following flags show the results of the analysis: | @@ -200,6 +201,8 @@ The following flags show the results of the analysis: | ||
| 200 | 201 | ||
| 201 | - **OLE**: the file type is OLE, for example MS Office 97-2003 | 202 | - **OLE**: the file type is OLE, for example MS Office 97-2003 |
| 202 | - **OpX**: the file type is OpenXML, for example MS Office 2007+ | 203 | - **OpX**: the file type is OpenXML, for example MS Office 2007+ |
| 204 | +- **XML**: the file type is Word 2003 XML | ||
| 205 | +- **MHT**: the file type is Word MHTML, aka Single File Web Page (.mht) | ||
| 203 | - **?**: the file type is not supported | 206 | - **?**: the file type is not supported |
| 204 | - **M**: contains VBA Macros | 207 | - **M**: contains VBA Macros |
| 205 | - **A**: auto-executable macros | 208 | - **A**: auto-executable macros |