diff --git a/oletools/README.html b/oletools/README.html
index 2e40975b..5a3199ec 100644
--- a/oletools/README.html
+++ b/oletools/README.html
@@ -9,12 +9,24 @@
-oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.
+oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.
Quick links: Home page - Download/Install - Documentation - Report Issues/Suggestions/Questions - Contact the Author - Repository - Updates on Twitter
Note: python-oletools is not related to OLETools published by BeCubed Software.
News
-- 2016-11-01 v0.50: all oletools now support python 2 and 3.
+
- 2017-06-29 v0.51:
+
+- added the oletools cheatsheet
+- improved rtfobj to handle malformed RTF files, detect vulnerability CVE-2017-0199
+- olevba: improved deobfuscation and Mac files support
+- mraptor: added more ActiveX macro triggers
+- added DocVarDump.vba to dump document variables using Word
+- olemap: can now detect and extract extra data at end of file, improved display
+- oledir, olemeta, oletimes: added support for zip files and wildcards
+- many bugfixes in all the tools
+- improved Python 2+3 support
+
+- 2016-11-01 v0.50: all oletools now support python 2 and 3.
- olevba: several bugfixes and improvements.
- mraptor: improved detection, added mraptor_milter for Sendmail/Postfix integration.
@@ -22,28 +34,9 @@ News
- setup: now creates handy command-line scripts to run oletools from any directory.
- 2016-06-10 v0.47: olevba added PPT97 macros support, improved handling of malformed/incomplete documents, improved error handling and JSON output, now returns an exit code based on analysis results, new --relaxed option. rtfobj: improved parsing to handle obfuscated RTF documents, added -d option to set output dir. Moved repository and documentation to GitHub.
-- 2016-04-19 v0.46: olevba does not deobfuscate VBA expressions by default (much faster), new option --deobf to enable it. Fixed color display bug on Windows for several tools.
-- 2016-04-12 v0.45: improved rtfobj to handle several anti-analysis tricks, improved olevba to export results in JSON format.
-- 2016-03-11 v0.44: improved olevba to extract and analyse strings from VBA Forms.
-- 2016-03-04 v0.43: added new tool MacroRaptor (mraptor) to detect malicious macros, bugfix and slight improvements in olevba.
-- 2016-02-07 v0.42: added two new tools oledir and olemap, better handling of malformed files and several bugfixes in olevba, improved display for olemeta.
-- 2015-09-22 v0.41: added new --reveal option to olevba, to show the macro code with VBA strings deobfuscated.
-- 2015-09-17 v0.40: Improved macro deobfuscation in olevba, to decode Hex and Base64 within VBA expressions. Display printable deobfuscated strings by default. Improved the VBA_Parser API. Improved performance. Fixed issue #23 with sys.stderr.
-- 2015-06-19 v0.12: olevba can now deobfuscate VBA expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &, using a VBA parser built with pyparsing. New options to display only the analysis results or only the macros source code. The analysis is now done on all the VBA modules at once.
-- 2015-05-29 v0.11: Improved parsing of MHTML and ActiveMime/MSO files in olevba, added several suspicious keywords to VBA scanner (thanks to @ozhermit and Davy Douhine for the suggestions)
-- 2015-05-06 v0.10: olevba now supports Word MHTML files with macros, aka "Single File Web Page" (.mht) - see issue #10 for more info
-- 2015-03-23 v0.09: olevba now supports Word 2003 XML files, added anti-sandboxing/VM detection
-- 2015-02-08 v0.08: olevba can now decode strings obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western codepages with olefile 0.42, improved API and display, several bugfixes.
-- 2015-01-05 v0.07: improved olevba to detect suspicious keywords and IOCs in VBA macros, can now scan several files and open password-protected zip archives, added a Python API, upgraded OleFileIO_PL to olefile v0.41
-- 2014-08-28 v0.06: added olevba, a new tool to extract VBA Macro source code from MS Office documents (97-2003 and 2007+). Improved documentation
-- 2013-07-24 v0.05: added new tools olemeta and oletimes
-- 2013-04-18 v0.04: fixed bug in rtfobj, added documentation for rtfobj
-- 2012-11-09 v0.03: Improved pyxswf to extract Flash objects from RTF
-- 2012-10-29 v0.02: Added oleid
-- 2012-10-09 v0.01: Initial version of olebrowse and pyxswf
-- see changelog in source code for more info.
-
+See the full changelog for more information.
+
- olebrowse: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.
- oleid: to analyze OLE files to detect specific characteristics usually found in malicious files.
@@ -59,13 +52,20 @@
- and a few others (coming soon)
-oletools are used by a number of projects and online malware analysis services, including Viper, REMnux, Hybrid-analysis.com, Joe Sandbox, Deepviz, Laika BOSS, Cuckoo Sandbox, Anlyz.io, pcodedmp and probably VirusTotal. (Please contact me if you have or know a project using oletools)
+oletools are used by a number of projects and online malware analysis services, including Viper, REMnux, FAME, Hybrid-analysis.com, Joe Sandbox, Deepviz, Laika BOSS, Cuckoo Sandbox, Anlyz.io, ViperMonkey, pcodedmp, dridex.malwareconfig.com, and probably VirusTotal. (Please contact me if you have or know a project using oletools)
Download and Install:
-To use python-oletools from the command line as analysis tools, you may simply download the latest release archive and extract the files into the directory of your choice.
-You may also download the latest development version with the most recent features.
-Another possibility is to use a git client to clone the repository (https://github.com/decalage2/oletools.git) into a folder. You can then update it easily in the future.
-If you plan to use python-oletools with other Python applications or your own scripts, then the simplest solution is to use "pip install oletools" or "easy_install oletools" to download and install in one go. Otherwise you may download/extract the zip archive and run "setup.py install".
-Important: to update oletools if it is already installed, you must run "pip install -U oletools", otherwise pip will not update it.
+The recommended way to download and install/update the latest stable release of oletools is to use pip:
+
+- On Linux/Mac:
sudo -H pip install -U oletools
+- On Windows:
pip install -U oletools
+
+This should automatically create command-line scripts to run each tool from any directory: olevba, mraptor, rtfobj, etc.
+To get the latest development version instead:
+
+- On Linux/Mac:
sudo -H pip install -U https://github.com/decalage2/oletools/archive/master.zip
+- On Windows:
pip install -U https://github.com/decalage2/oletools/archive/master.zip
+
+See the documentation for other installation options.
Documentation:
The latest version of the documentation can be found online, otherwise a copy is provided in the doc subfolder of the package.
How to Suggest Improvements, Report Issues or Contribute:
@@ -75,7 +75,7 @@ How to Suggest
The code is available in a GitHub repository. You may use it to submit enhancements using forks and pull requests.
License
This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files published with their own license.
-The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec (http://www.decalage.info)
+The python-oletools package is copyright (c) 2012-2017 Philippe Lagadec (http://www.decalage.info)
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
diff --git a/oletools/README.rst b/oletools/README.rst
index 8100b3ad..13999728 100644
--- a/oletools/README.rst
+++ b/oletools/README.rst
@@ -26,7 +26,29 @@ Software.
News
----
-- **2016-11-01 v0.50**: all oletools now support python 2 and 3.
+- **2017-06-29 v0.51**:
+
+ - added the `oletools
+ cheatsheet `__
+ - improved
+ `rtfobj `__ to
+ handle malformed RTF files, detect vulnerability CVE-2017-0199
+ - olevba: improved deobfuscation and Mac files support
+ - `mraptor `__:
+ added more ActiveX macro triggers
+ - added
+ `DocVarDump.vba `__
+ to dump document variables using Word
+ - olemap: can now detect and extract `extra data at end of
+ file `__, improved display
+ - oledir, olemeta, oletimes: added support for zip files and
+ wildcards
+ - many
+ `bugfixes `__
+ in all the tools
+ - improved Python 2+3 support
+
+- 2016-11-01 v0.50: all oletools now support python 2 and 3.
- olevba: several bugfixes and improvements.
- mraptor: improved detection, added mraptor\_milter for
@@ -44,92 +66,13 @@ News
`rtfobj `__:
improved parsing to handle obfuscated RTF documents, added -d option
to set output dir. Moved repository and documentation to GitHub.
-- 2016-04-19 v0.46:
- `olevba `__ does
- not deobfuscate VBA expressions by default (much faster), new option
- --deobf to enable it. Fixed color display bug on Windows for several
- tools.
-- 2016-04-12 v0.45: improved
- `rtfobj `__ to
- handle several `anti-analysis
- tricks `__, improved
- `olevba `__ to
- export results in JSON format.
-- 2016-03-11 v0.44: improved
- `olevba `__ to
- extract and analyse strings from VBA Forms.
-- 2016-03-04 v0.43: added new tool
- `MacroRaptor `__
- (mraptor) to detect malicious macros, bugfix and slight improvements
- in `olevba `__.
-- 2016-02-07 v0.42: added two new tools oledir and olemap, better
- handling of malformed files and several bugfixes in
- `olevba `__,
- improved display for
- `olemeta `__.
-- 2015-09-22 v0.41: added new --reveal option to
- `olevba `__, to
- show the macro code with VBA strings deobfuscated.
-- 2015-09-17 v0.40: Improved macro deobfuscation in
- `olevba `__, to
- decode Hex and Base64 within VBA expressions. Display printable
- deobfuscated strings by default. Improved the VBA\_Parser API.
- Improved performance. Fixed `issue
- #23 `__ with
- sys.stderr.
-- 2015-06-19 v0.12:
- `olevba `__ can
- now deobfuscate VBA expressions with any combination of Chr, Asc,
- Val, StrReverse, Environ, +, &, using a VBA parser built with
- `pyparsing `__. New options to
- display only the analysis results or only the macros source code. The
- analysis is now done on all the VBA modules at once.
-- 2015-05-29 v0.11: Improved parsing of MHTML and ActiveMime/MSO files
- in `olevba `__,
- added several suspicious keywords to VBA scanner (thanks to @ozhermit
- and Davy Douhine for the suggestions)
-- 2015-05-06 v0.10:
- `olevba `__ now
- supports Word MHTML files with macros, aka "Single File Web Page"
- (.mht) - see `issue
- #10 `__ for more
- info
-- 2015-03-23 v0.09:
- `olevba `__ now
- supports Word 2003 XML files, added anti-sandboxing/VM detection
-- 2015-02-08 v0.08:
- `olevba `__ can
- now decode strings obfuscated with Hex/StrReverse/Base64/Dridex and
- extract IOCs. Added new triage mode, support for non-western
- codepages with olefile 0.42, improved API and display, several
- bugfixes.
-- 2015-01-05 v0.07: improved
- `olevba `__ to
- detect suspicious keywords and IOCs in VBA macros, can now scan
- several files and open password-protected zip archives, added a
- Python API, upgraded OleFileIO\_PL to olefile v0.41
-- 2014-08-28 v0.06: added
- `olevba `__, a new
- tool to extract VBA Macro source code from MS Office documents
- (97-2003 and 2007+). Improved
- `documentation `__
-- 2013-07-24 v0.05: added new tools
- `olemeta `__ and
- `oletimes `__
-- 2013-04-18 v0.04: fixed bug in rtfobj, added documentation for
- `rtfobj `__
-- 2012-11-09 v0.03: Improved
- `pyxswf `__ to
- extract Flash objects from RTF
-- 2012-10-29 v0.02: Added
- `oleid `__
-- 2012-10-09 v0.01: Initial version of
- `olebrowse `__
- and pyxswf
-- see changelog in source code for more info.
-
-Tools in python-oletools:
--------------------------
+
+See the `full
+changelog `__ for
+more information.
+
+Tools:
+------
- `olebrowse `__:
A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint
@@ -168,41 +111,43 @@ Projects using oletools:
oletools are used by a number of projects and online malware analysis
services, including `Viper `__,
`REMnux `__,
+`FAME `__,
`Hybrid-analysis.com `__, `Joe
Sandbox `__,
`Deepviz `__, `Laika
BOSS `__, `Cuckoo
Sandbox `__,
`Anlyz.io `__,
-`pcodedmp `__ and probably
-`VirusTotal `__. (Please `contact
+`ViperMonkey `__,
+`pcodedmp `__,
+`dridex.malwareconfig.com `__, and
+probably `VirusTotal `__. (Please `contact
me <(http://decalage.info/contact)>`__ if you have or know a project
using oletools)
Download and Install:
---------------------
-To use python-oletools from the command line as analysis tools, you may
-simply `download the latest release
-archive `__ and extract
-the files into the directory of your choice.
+The recommended way to download and install/update the **latest stable
+release** of oletools is to use
+`pip `__:
+
+- On Linux/Mac: ``sudo -H pip install -U oletools``
+- On Windows: ``pip install -U oletools``
-You may also download the `latest development
-version `__
-with the most recent features.
+This should automatically create command-line scripts to run each tool
+from any directory: ``olevba``, ``mraptor``, ``rtfobj``, etc.
-Another possibility is to use a git client to clone the repository
-(https://github.com/decalage2/oletools.git) into a folder. You can then
-update it easily in the future.
+To get the **latest development version** instead:
-If you plan to use python-oletools with other Python applications or
-your own scripts, then the simplest solution is to use "**pip install
-oletools**\ " or "**easy\_install oletools**\ " to download and install
-in one go. Otherwise you may download/extract the zip archive and run
-"**setup.py install**\ ".
+- On Linux/Mac:
+ ``sudo -H pip install -U https://github.com/decalage2/oletools/archive/master.zip``
+- On Windows:
+ ``pip install -U https://github.com/decalage2/oletools/archive/master.zip``
-**Important: to update oletools** if it is already installed, you must
-run **"pip install -U oletools"**, otherwise pip will not update it.
+See the
+`documentation `__
+for other installation options.
Documentation:
--------------
@@ -235,7 +180,7 @@ This license applies to the python-oletools package, apart from the
thirdparty folder which contains third-party files published with their
own license.
-The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec
+The python-oletools package is copyright (c) 2012-2017 Philippe Lagadec
(http://www.decalage.info)
All rights reserved.
diff --git a/oletools/doc/Home.html b/oletools/doc/Home.html
index 2283a25d..10de2780 100644
--- a/oletools/doc/Home.html
+++ b/oletools/doc/Home.html
@@ -8,9 +8,9 @@
-
+
This is the home page of the documentation for python-oletools. The latest version can be found online, otherwise a copy is provided in the doc subfolder of the package.
-python-oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.
+python-oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.
Quick links: Home page - Download/Install - Documentation - Report Issues/Suggestions/Questions - Contact the Author - Repository - Updates on Twitter
Note: python-oletools is not related to OLETools published by BeCubed Software.
diff --git a/oletools/doc/Home.md b/oletools/doc/Home.md
index 700ee88d..257fa394 100644
--- a/oletools/doc/Home.md
+++ b/oletools/doc/Home.md
@@ -1,4 +1,4 @@
-python-oletools v0.50 documentation
+python-oletools v0.51 documentation
===================================
This is the home page of the documentation for python-oletools. The latest version can be found
diff --git a/oletools/doc/License.html b/oletools/doc/License.html
index 13bc45eb..71193c51 100644
--- a/oletools/doc/License.html
+++ b/oletools/doc/License.html
@@ -10,7 +10,7 @@
This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files published with their own license.
-The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec (http://www.decalage.info)
+The python-oletools package is copyright (c) 2012-2017 Philippe Lagadec (http://www.decalage.info)
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
@@ -21,7 +21,7 @@
-| License for officeparser |
+License for officeparser |
diff --git a/oletools/doc/License.md b/oletools/doc/License.md
index 4c796ae8..4a6defe8 100644
--- a/oletools/doc/License.md
+++ b/oletools/doc/License.md
@@ -4,7 +4,7 @@ License for python-oletools
This license applies to the [python-oletools](http://www.decalage.info/python/oletools) package, apart from the
thirdparty folder which contains third-party files published with their own license.
-The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info))
+The python-oletools package is copyright (c) 2012-2017 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info))
All rights reserved.
diff --git a/oletools/doc/mraptor.html b/oletools/doc/mraptor.html
index 1c5e4795..94780094 100644
--- a/oletools/doc/mraptor.html
+++ b/oletools/doc/mraptor.html
@@ -49,6 +49,7 @@ Examples
Important: on Linux/MacOSX, always add double quotes around a file name when you use wildcards such as * and ?. Otherwise, the shell may replace the argument with the actual list of files matching the wildcards before starting the script.
Python 3 support - mraptor3
As of v0.50, mraptor has been ported to Python 3 thanks to @sebdraven. However, the differences between Python 2 and 3 are significant and for now there is a separate version of mraptor named mraptor3 to be used with Python 3.
diff --git a/oletools/doc/olebrowse.html b/oletools/doc/olebrowse.html
index 6a369ca2..348889cd 100644
--- a/oletools/doc/olebrowse.html
+++ b/oletools/doc/olebrowse.html
@@ -24,14 +24,17 @@ Screenshots
Main menu, showing all streams in the OLE file:
Menu with actions for a stream:
Hex view for a stream:
diff --git a/oletools/doc/oledir.html b/oletools/doc/oledir.html
index 008e1b77..1ea3e757 100644
--- a/oletools/doc/oledir.html
+++ b/oletools/doc/oledir.html
@@ -19,6 +19,7 @@ Examples
oledir.py file.doc
How to use oledir in Python applications
diff --git a/oletools/doc/oleid.html b/oletools/doc/oleid.html
index 2f474263..d2b6543e 100644
--- a/oletools/doc/oleid.html
+++ b/oletools/doc/oleid.html
@@ -7,23 +7,41 @@
@@ -76,9 +94,9 @@ Example
+-------------------------------+-----------------------+
How to use oleid in your Python applications
First, import oletools.oleid, and create an OleID object to scan a file:
-import oletools.oleid
+import oletools.oleid
-oid = oletools.oleid.OleID(filename)
+oid
= oletools.oleid.OleID(filename)
Note: filename can be a filename, a file-like object, or a bytes string containing the file to be analyzed.
Second, call the check() method. It returns a list of Indicator objects.
Each Indicator object has the following attributes:
@@ -90,11 +108,11 @@ How to use oleid in your P
- value: value of the indicator
For example, the following code displays all the indicators:
-indicators = oid.check()
-for i in indicators:
- print 'Indicator id=%s name="%s" type=%s value=%s' % (i.id, i.name, i.type, repr(i.value))
- print 'description:', i.description
- print ''
+indicators = oid.check()
+for i in indicators:
+ print 'Indicator id=%s name="%s" type=%s value=%s' % (i.id, i.name, i.type, repr(i.value))
+ print 'description:', i.description
+ print ''
See the source code of oleid.py for more details.
diff --git a/oletools/doc/olemap.html b/oletools/doc/olemap.html
index 66afaab9..b6ffcf1e 100644
--- a/oletools/doc/olemap.html
+++ b/oletools/doc/olemap.html
@@ -19,9 +19,11 @@ Examples
olemap.py file.doc
How to use olemap in Python applications
diff --git a/oletools/doc/olemeta.html b/oletools/doc/olemeta.html
index 5c32b1be..adefef1a 100644
--- a/oletools/doc/olemeta.html
+++ b/oletools/doc/olemeta.html
@@ -16,6 +16,7 @@ Usage
Example
TODO
diff --git a/oletools/doc/olevba.html b/oletools/doc/olevba.html
index 5ed27818..c718243d 100644
--- a/oletools/doc/olevba.html
+++ b/oletools/doc/olevba.html
@@ -7,23 +7,41 @@
@@ -219,22 +237,22 @@ How to use olevba in Python ap
IMPORTANT: olevba is currently under active development, therefore this API is likely to change.
Import olevba
First, import the oletools.olevba package, using at least the VBA_Parser and VBA_Scanner classes:
-from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML
+from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML
Parse a MS Office file - VBA_Parser
To parse a file on disk, create an instance of the VBA_Parser class, providing the name of the file to open as parameter. For example:
-vbaparser = VBA_Parser('my_file_with_macros.doc')
+vbaparser = VBA_Parser('my_file_with_macros.doc')
The file may also be provided as a bytes string containing its data. In that case, the actual filename must be provided for reference, and the file content with the data parameter. For example:
-myfile = 'my_file_with_macros.doc'
-filedata = open(myfile, 'rb').read()
-vbaparser = VBA_Parser(myfile, data=filedata)
+myfile = 'my_file_with_macros.doc'
+filedata = open(myfile, 'rb').read()
+vbaparser = VBA_Parser(myfile, data=filedata)
VBA_Parser will raise an exception if the file is not a supported format, such as OLE (MS Office 97-2003), OpenXML (MS Office 2007+), MHTML or Word 2003 XML.
After parsing the file, the attribute VBA_Parser.type is a string indicating the file type. It can be either TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML or TYPE_MHTML. (constants defined in the olevba module)
Detect VBA macros
The method detect_vba_macros of a VBA_Parser object returns True if VBA macros have been found in the file, False otherwise.
-if vbaparser.detect_vba_macros():
- print 'VBA Macros found'
-else:
- print 'No VBA Macros found'
+if vbaparser.detect_vba_macros():
+ print 'VBA Macros found'
+else:
+ print 'No VBA Macros found'
Note: The detection algorithm looks for streams and storage with specific names in the OLE structure, which works fine for all the supported formats listed above. However, for some formats such as PowerPoint 97-2003, this method will always return False because VBA Macros are stored in a different way which is not yet supported by olevba.
Moreover, if the file contains an embedded document (e.g. an Excel workbook inserted into a Word document), this method may return True if the embedded document contains VBA Macros, even if the main document does not.
@@ -246,13 +264,13 @@
vba_code: string containing the VBA source code in clear text
Example:
-for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
- print '-'*79
- print 'Filename :', filename
- print 'OLE stream :', stream_path
- print 'VBA filename:', vba_filename
- print '- '*39
- print vba_code
+for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
+ print '-'*79
+ print 'Filename :', filename
+ print 'OLE stream :', stream_path
+ print 'VBA filename:', vba_filename
+ print '- '*39
+ print vba_code
Alternatively, the VBA_Parser method extract_all_macros returns the same results as a list of tuples.
Analyze VBA Source Code
Since version 0.40, the VBA_Parser class provides simpler methods than VBA_Scanner to analyze all macros contained in a file:
@@ -265,24 +283,24 @@ Analyze VBA Source Code
description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.
Example:
-results = vbaparser.analyze_macros()
-for kw_type, keyword, description in results:
- print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
+results = vbaparser.analyze_macros()
+for kw_type, keyword, description in results:
+ print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
After calling analyze_macros, the following VBA_Parser attributes also provide the number of items found for each category:
-print 'AutoExec keywords: %d' % vbaparser.nb_autoexec
-print 'Suspicious keywords: %d' % vbaparser.nb_suspicious
-print 'IOCs: %d' % vbaparser.nb_iocs
-print 'Hex obfuscated strings: %d' % vbaparser.nb_hexstrings
-print 'Base64 obfuscated strings: %d' % vbaparser.nb_base64strings
-print 'Dridex obfuscated strings: %d' % vbaparser.nb_dridexstrings
-print 'VBA obfuscated strings: %d' % vbaparser.nb_vbastrings
+print 'AutoExec keywords: %d' % vbaparser.nb_autoexec
+print 'Suspicious keywords: %d' % vbaparser.nb_suspicious
+print 'IOCs: %d' % vbaparser.nb_iocs
+print 'Hex obfuscated strings: %d' % vbaparser.nb_hexstrings
+print 'Base64 obfuscated strings: %d' % vbaparser.nb_base64strings
+print 'Dridex obfuscated strings: %d' % vbaparser.nb_dridexstrings
+print 'VBA obfuscated strings: %d' % vbaparser.nb_vbastrings
Deobfuscate VBA Macro Source Code
The method reveal attempts to deobfuscate the macro source code by replacing all the obfuscated strings by their decoded content. Returns a single string.
Example:
-print vbaparser.reveal()
+
Close the VBA_Parser
After usage, it is better to call the close method of the VBA_Parser object, to make sure the file is closed, especially if your application is parsing many files.
-vbaparser.close()
+
Deprecated API
The following methods and functions are still functional, but their usage is not recommended since they have been replaced by better solutions.
@@ -297,54 +315,54 @@ VBA_Scanner (deprecated)
description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.
Example:
-vba_scanner = VBA_Scanner(vba_code)
-results = vba_scanner.scan(include_decoded_strings=True)
-for kw_type, keyword, description in results:
- print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
+vba_scanner = VBA_Scanner(vba_code)
+results = vba_scanner.scan(include_decoded_strings=True)
+for kw_type, keyword, description in results:
+ print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
The function scan_vba is a shortcut for VBA_Scanner(vba_code).scan():
-results = scan_vba(vba_code, include_decoded_strings=True)
-for kw_type, keyword, description in results:
- print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
+results = scan_vba(vba_code, include_decoded_strings=True)
+for kw_type, keyword, description in results:
+ print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
scan_summary returns a tuple with the number of items found for each category: (autoexec, suspicious, IOCs, hex, base64, dridex).
Detect auto-executable macros (deprecated)
Deprecated: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.
The function detect_autoexec checks if VBA macro code contains specific macro names that will be triggered when the document/workbook is opened, closed, changed, etc.
It returns a list of tuples containing two strings, the detected keyword, and the description of the trigger. (See the malware example above)
Sample usage:
-from oletools.olevba import detect_autoexec
-autoexec_keywords = detect_autoexec(vba_code)
-if autoexec_keywords:
- print 'Auto-executable macro keywords found:'
- for keyword, description in autoexec_keywords:
- print '%s: %s' % (keyword, description)
-else:
- print 'Auto-executable macro keywords: None found'
+from oletools.olevba import detect_autoexec
+autoexec_keywords = detect_autoexec(vba_code)
+if autoexec_keywords:
+ print 'Auto-executable macro keywords found:'
+ for keyword, description in autoexec_keywords:
+ print '%s: %s' % (keyword, description)
+else:
+ print 'Auto-executable macro keywords: None found'
Detect suspicious VBA keywords (deprecated)
Deprecated: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.
The function detect_suspicious checks if VBA macro code contains specific keywords often used by malware to act on the system (create files, run commands or applications, write to the registry, etc).
It returns a list of tuples containing two strings, the detected keyword, and the description of the corresponding malicious behaviour. (See the malware example above)
Sample usage:
-from oletools.olevba import detect_suspicious
-suspicious_keywords = detect_suspicious(vba_code)
-if suspicious_keywords:
- print 'Suspicious VBA keywords found:'
- for keyword, description in suspicious_keywords:
- print '%s: %s' % (keyword, description)
-else:
- print 'Suspicious VBA keywords: None found'
+from oletools.olevba import detect_suspicious
+suspicious_keywords = detect_suspicious(vba_code)
+if suspicious_keywords:
+ print 'Suspicious VBA keywords found:'
+ for keyword, description in suspicious_keywords:
+ print '%s: %s' % (keyword, description)
+else:
+ print 'Suspicious VBA keywords: None found'
Deprecated: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.
The function detect_patterns checks if VBA macro code contains specific patterns of interest, that may be useful for malware analysis and detection (potential Indicators of Compromise): IP addresses, e-mail addresses, URLs, executable file names.
It returns a list of tuples containing two strings, the pattern type, and the extracted value. (See the malware example above)
Sample usage:
-from oletools.olevba import detect_patterns
-patterns = detect_patterns(vba_code)
-if patterns:
- print 'Patterns found:'
- for pattern_type, value in patterns:
- print '%s: %s' % (pattern_type, value)
-else:
- print 'Patterns: None found'
+from oletools.olevba import detect_patterns
+patterns = detect_patterns(vba_code)
+if patterns:
+ print 'Patterns found:'
+ for pattern_type, value in patterns:
+ print '%s: %s' % (pattern_type, value)
+else:
+ print 'Patterns: None found'
diff --git a/oletools/doc/rtfobj.html b/oletools/doc/rtfobj.html
index 15d9b3df..e3386d9f 100644
--- a/oletools/doc/rtfobj.html
+++ b/oletools/doc/rtfobj.html
@@ -7,23 +7,41 @@
@@ -57,6 +75,7 @@ Usage
When an OLE Package object contains an executable file or script, it is highlighted as such. For example:
To extract an object or file, use the option -s followed by the object number as shown in the table.
Example:
@@ -67,9 +86,9 @@ How to use rtfobj in Python ap
Deprecated API (still functional):
rtf_iter_objects(filename) is an iterator which yields a tuple (index, orig_len, object) providing the index of each hexadecimal stream in the RTF file, and the corresponding decoded object.
Example:
-
from oletools import rtfobj
-for index, orig_len, data in rtfobj.rtf_iter_objects("myfile.rtf"):
- print('found object size %d at index %08X' % (len(data), index))
+from oletools import rtfobj
+for index, orig_len, data in rtfobj.rtf_iter_objects("myfile.rtf"):
+ print('found object size %d at index %08X' % (len(data), index))
+
+
+
+
+
+
+
+
+