python-oletools
===============

|PyPI| |Build Status| |Say Thanks!|

`oletools <http://www.decalage.info/python/oletools>`__ is a package of
python tools to analyze `Microsoft OLE2
files <http://en.wikipedia.org/wiki/Compound_File_Binary_Format>`__
(also called Structured Storage, Compound File Binary Format or Compound
Document File Format), such as Microsoft Office documents or Outlook
messages, mainly for malware analysis, forensics and debugging. It is
based on the `olefile <http://www.decalage.info/olefile>`__ parser. See
http://www.decalage.info/python/oletools for more info.

**Quick links:** `Home
page <http://www.decalage.info/python/oletools>`__ -
`Download/Install <https://github.com/decalage2/oletools/wiki/Install>`__
- `Documentation <https://github.com/decalage2/oletools/wiki>`__ -
`Report
Issues/Suggestions/Questions <https://github.com/decalage2/oletools/issues>`__
- `Contact the Author <http://decalage.info/contact>`__ -
`Repository <https://github.com/decalage2/oletools>`__ - `Updates on
Twitter <https://twitter.com/decalage2>`__ -
`Cheatsheet <https://github.com/decalage2/oletools/blob/master/cheatsheet/oletools_cheatsheet.pdf>`__

Note: python-oletools is not related to OLETools published by BeCubed
Software.

News
----

- **2019-05-22 v0.54.2**:

  - bugfix release: fixed several issues related to encrypted
    documents and XLM/XLF Excel 4 macros
  - msoffcrypto-tool is now installed by default to handle encrypted
    documents
  - olevba and msodde now handle documents encrypted with common
    passwords such as 123, 1234, 4321, 12345, 123456, VelvetSweatShop
    automatically.

- **2019-04-04 v0.54**:

  - olevba, msodde: added support for encrypted MS Office files
  - olevba: added detection and extraction of XLM/XLF Excel 4 macros
    (thanks to plugin_biff from Didier Stevens' oledump)
  - olevba, mraptor: added detection of VBA running Excel 4 macros
  - olevba: detect and display special characters such as backspace
  - olevba: colorized output showing suspicious keywords in the VBA
    code
  - olevba, mraptor: full Python 3 compatibility, no separate
    olevba3/mraptor3 anymore
  - olevba: improved handling of code pages and unicode
  - olevba: fixed a false-positive in VBA macro detection
  - rtfobj: improved OLE Package handling, improved Equation object
    detection
  - oleobj: added detection of external links to objects in OpenXML
  - replaced third party packages by PyPI dependencies

- 2018-05-30 v0.53:

  - olevba and mraptor can now parse Word/PowerPoint 2007+ pure XML
    files (aka Flat OPC format)
  - improved support for VBA forms in olevba (oleform)
  - rtfobj now displays the CLSID of OLE objects, which is the best
    way to identify them. Known-bad CLSIDs such as MS Equation Editor
    are highlighted in red.
  - Updated rtfobj to handle obfuscated RTF samples.
  - rtfobj now handles the "\'" obfuscation trick seen in recent
    samples such as
    https://twitter.com/buffaloverflow/status/989798880295444480, by
    emulating the MS Word bug described in
    https://securelist.com/disappearing-bytes/84017/
  - msodde: improved detection of DDE formulas in CSV files
  - oledir now displays the tree of storage/streams, along with CLSIDs
    and their meaning.
  - common.clsid contains the list of known CLSIDs, and their links to
    CVE vulnerabilities when relevant.
  - oleid now detects encrypted OpenXML files
  - fixed bugs in oleobj, rtfobj, oleid, olevba

- 2018-02-18 v0.52:

  - New tool
    `msodde <https://github.com/decalage2/oletools/wiki/msodde>`__ to
    detect and extract DDE links from MS Office files, RTF and CSV;
  - Fixed bugs in olevba, rtfobj and olefile, to better handle
    malformed/obfuscated files;
  - Performance improvements in olevba and rtfobj;
  - VBA form parsing in olevba;
  - Office 2007+ support in oleobj.

See the `full
changelog <https://github.com/decalage2/oletools/wiki/Changelog>`__ for
more information.

Tools:
------

Tools to analyze malicious documents
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `oleid <https://github.com/decalage2/oletools/wiki/oleid>`__: to
  analyze OLE files to detect specific characteristics usually found in
  malicious files.
- `olevba <https://github.com/decalage2/oletools/wiki/olevba>`__: to
  extract and analyze VBA Macro source code from MS Office documents
  (OLE and OpenXML).
- `MacroRaptor <https://github.com/decalage2/oletools/wiki/mraptor>`__:
  to detect malicious VBA Macros
- `msodde <https://github.com/decalage2/oletools/wiki/msodde>`__: to
  detect and extract DDE/DDEAUTO links from MS Office documents, RTF
  and CSV
- `pyxswf <https://github.com/decalage2/oletools/wiki/pyxswf>`__: to
  detect, extract and analyze Flash objects (SWF) that may be embedded
  in files such as MS Office documents (e.g. Word, Excel) and RTF,
  which is especially useful for malware analysis.
- `oleobj <https://github.com/decalage2/oletools/wiki/oleobj>`__: to
  extract embedded objects from OLE files.
- `rtfobj <https://github.com/decalage2/oletools/wiki/rtfobj>`__: to
  extract embedded objects from RTF files.
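Every tool listed above starts with the same triage step: identify the container format from its leading bytes (OLE2, OpenXML ZIP or RTF) and, for OLE2 files, validate the 512-byte header before trusting the FAT, since malformed or tampered headers are exactly what the bug fixes in the changelog are about. The following is an added example written for this page, not oletools' own code (oletools delegates this to olefile); it implements that step with the standard library only, using the header field offsets from the MS-CFB specification, and the sample header it parses is constructed inline rather than taken from a real document. The RTF magic check is deliberately strict here; rtfobj is more lenient so that obfuscated RTF samples are still recognised.

```python
import struct

# Magic bytes from the public format specs (constants written for this example).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # MS-CFB header signature
ZIP_MAGIC = b"PK\x03\x04"                          # OpenXML (docx/xlsx/pptx) is a ZIP
RTF_MAGIC = b"{\\rtf"                              # strict; obfuscated RTF may deviate

# Special sector numbers defined by MS-CFB.
FREESECT = 0xFFFFFFFF
ENDOFCHAIN = 0xFFFFFFFE
HEADER_SIZE = 512


def sniff_format(data: bytes) -> str:
    """Classify a blob by its leading bytes: 'ole', 'openxml', 'rtf' or 'unknown'."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "openxml"   # a fuller check would open the ZIP and look for [Content_Types].xml
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def sector_offset(sector_id: int, sector_size: int) -> int:
    """File offset of a regular sector: the header occupies 'sector -1'."""
    return (sector_id + 1) * sector_size


def parse_ole_header(data: bytes) -> dict:
    """Parse the CFB header (MS-CFB section 2.2). Hard failures raise ValueError;
    inconsistencies that a tampered file would show are collected in 'anomalies'."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than the 512-byte OLE2 header")
    if not data.startswith(OLE_MAGIC):
        raise ValueError("missing OLE2 signature")
    minor_ver, major_ver, byte_order, sector_shift, mini_shift = \
        struct.unpack_from("<5H", data, 24)
    (num_dir_sectors, num_fat_sectors, first_dir_sector, _txn_sig, mini_cutoff,
     first_minifat, num_minifat, first_difat, num_difat) = struct.unpack_from("<9I", data, 40)
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order marker 0x%04X" % byte_order)
    if major_ver not in (3, 4):
        raise ValueError("unsupported major version %d" % major_ver)

    anomalies = []
    expected_shift = 9 if major_ver == 3 else 12
    if sector_shift != expected_shift:
        anomalies.append("sector shift %d does not match version %d" % (sector_shift, major_ver))
    if mini_shift != 6:
        anomalies.append("mini sector shift %d (expected 6)" % mini_shift)
    if mini_cutoff != 4096:
        anomalies.append("mini stream cutoff %d (expected 4096)" % mini_cutoff)
    if major_ver == 3 and num_dir_sectors != 0:
        anomalies.append("version 3 file declares %d directory sectors (must be 0)" % num_dir_sectors)
    if num_fat_sectors == 0:
        anomalies.append("no FAT sectors declared")
    if first_dir_sector in (FREESECT, ENDOFCHAIN):
        anomalies.append("no directory sector declared")

    # The first 109 FAT sector numbers live in the header; unused slots hold FREESECT.
    difat = struct.unpack_from("<109I", data, 76)
    fat_sectors = [s for s in difat if s != FREESECT]
    if len(fat_sectors) != min(num_fat_sectors, 109):
        anomalies.append("header DIFAT lists %d FAT sectors but %d are declared"
                         % (len(fat_sectors), num_fat_sectors))

    sector_size = 1 << sector_shift
    return {
        "version": (major_ver, minor_ver),
        "sector_size": sector_size,
        "mini_sector_size": 1 << mini_shift,
        "mini_stream_cutoff": mini_cutoff,
        "first_dir_sector": first_dir_sector,
        "dir_offset": sector_offset(first_dir_sector, sector_size),
        "fat_sectors": fat_sectors,
        "minifat": (first_minifat, num_minifat),
        "difat": (first_difat, num_difat),
        "anomalies": anomalies,
    }


def build_sample_header(major_ver=3, sector_shift=9, num_fat_sectors=1) -> bytes:
    """Constructed sample header (not a real document): one FAT sector at sector 0,
    directory chain starting at sector 1, no mini FAT and no extra DIFAT sectors."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = OLE_MAGIC
    struct.pack_into("<5H", hdr, 24, 0x3E, major_ver, 0xFFFE, sector_shift, 6)
    struct.pack_into("<9I", hdr, 40, 0, num_fat_sectors, 1, 0, 4096,
                     ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))
    return bytes(hdr)


if __name__ == "__main__":
    samples = [("ole", build_sample_header()),
               ("docx", ZIP_MAGIC + b"\x00" * 26),
               ("rtf", b"{\\rtf1\\ansi")]
    for name, blob in samples:
        kind = sniff_format(blob)
        print(name, "->", kind)
        if kind == "ole":
            info = parse_ole_header(blob)
            print("  sector size", info["sector_size"], "directory at offset", info["dir_offset"])
            print("  anomalies:", info["anomalies"] or "none")
```

A header that parses but reports anomalies is worth a closer look rather than an automatic reject: files that open fine in Word can still carry inconsistent header fields, and that is precisely the territory where oleid's "specific characteristics usually found in malicious files" live.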

Tools to analyze the structure of OLE files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `olebrowse <https://github.com/decalage2/oletools/wiki/olebrowse>`__:
  A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint
  documents), to view and extract individual data streams.
- `olemeta <https://github.com/decalage2/oletools/wiki/olemeta>`__: to
  extract all standard properties (metadata) from OLE files.
- `oletimes <https://github.com/decalage2/oletools/wiki/oletimes>`__:
  to extract creation and modification timestamps of all streams and
  storages.
- `oledir <https://github.com/decalage2/oletools/wiki/oledir>`__: to
  display all the directory entries of an OLE file, including free and
  orphaned entries.
- `olemap <https://github.com/decalage2/oletools/wiki/olemap>`__: to
  display a map of all the sectors in an OLE file.

Projects using oletools:
------------------------

oletools are used by a number of projects and online malware analysis
services, including `Viper <http://viper.li/>`__,
`REMnux <https://remnux.org/>`__,
`FLARE-VM <https://github.com/fireeye/flare-vm>`__,
`FAME <https://certsocietegenerale.github.io/fame/>`__,
`Hybrid-analysis.com <https://www.hybrid-analysis.com/>`__, `Joe
Sandbox <https://www.document-analyzer.net/>`__,
`Deepviz <https://sandbox.deepviz.com/>`__, `Laika
BOSS <https://github.com/lmco/laikaboss>`__, `Cuckoo
Sandbox <https://github.com/cuckoosandbox/cuckoo>`__,
`Anlyz.io <https://sandbox.anlyz.io/>`__,
`ViperMonkey <https://github.com/decalage2/ViperMonkey>`__,
`pcodedmp <https://github.com/bontchev/pcodedmp>`__,
`dridex.malwareconfig.com <https://dridex.malwareconfig.com>`__,
`Snake <https://github.com/countercept/snake>`__,
`DARKSURGEON <https://github.com/cryps1s/DARKSURGEON>`__,
`CAPE <https://github.com/ctxis/CAPE>`__,
`AssemblyLine <https://www.cse-cst.gc.ca/en/assemblyline>`__,
`malshare.io <https://malshare.io>`__, `Malware Repository Framework
(MRF) <https://www.adlice.com/download/mrf/>`__,
`malware-repo <https://github.com/Tigzy/malware-repo>`__,
`Vba2Graph <https://github.com/MalwareCantFly/Vba2Graph>`__,
`Strelka <https://github.com/target/strelka>`__,
`stoQ <https://stoq.punchcyber.com/>`__,
`YOMI <https://yomi.yoroi.company>`__, and probably
`VirusTotal <https://www.virustotal.com>`__. And quite a few `other
projects on
GitHub <https://github.com/search?q=oletools&type=Repositories>`__.
(Please `contact me <http://decalage.info/contact>`__ if you have or
know a project using oletools)

Download and Install:
---------------------

The recommended way to download and install/update the **latest stable
release** of oletools is to use
`pip <https://pip.pypa.io/en/stable/installing/>`__:

- On Linux/Mac: ``sudo -H pip install -U oletools``
- On Windows: ``pip install -U oletools``

This should automatically create command-line scripts to run each tool
from any directory: ``olevba``, ``mraptor``, ``rtfobj``, etc.

To get the **latest development version** instead:

- On Linux/Mac:
  ``sudo -H pip install -U https://github.com/decalage2/oletools/archive/master.zip``
- On Windows:
  ``pip install -U https://github.com/decalage2/oletools/archive/master.zip``

See the
`documentation <https://github.com/decalage2/oletools/wiki/Install>`__
for other installation options.

Documentation:
--------------

The latest version of the documentation can be found
`online <https://github.com/decalage2/oletools/wiki>`__, otherwise a
copy is provided in the doc subfolder of the package.

How to Suggest Improvements, Report Issues or Contribute:
---------------------------------------------------------

This is a personal open-source project, developed in my spare time. Any
contribution, suggestion, feedback or bug report is welcome.

To suggest improvements, report a bug or any issue, please use the
`issue reporting page <https://github.com/decalage2/oletools/issues>`__,
providing all the information and files needed to reproduce the problem.

You may also `contact the author <http://decalage.info/contact>`__
directly to provide feedback.

The code is available in `a GitHub
repository <https://github.com/decalage2/oletools>`__. You may use it to
submit enhancements using forks and pull requests.

License
-------

This license applies to the python-oletools package, apart from the
thirdparty folder which contains third-party files published with their
own license.

The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec
(http://www.decalage.info)

All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:

- Redistributions of source code must retain the above copyright
  notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright
  notice, this list of conditions and the following disclaimer in the
  documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------

olevba contains modified source code from the officeparser project,
published under the following MIT License (MIT):

officeparser is copyright (c) 2014 John William Davison

Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

.. |PyPI| image:: https://img.shields.io/pypi/v/oletools.svg
   :target: https://pypi.org/project/oletools/
.. |Build Status| image:: https://travis-ci.org/decalage2/oletools.svg?branch=master
   :target: https://travis-ci.org/decalage2/oletools
.. |Say Thanks!| image:: https://img.shields.io/badge/Say%20Thanks-!-1EAEDB.svg
   :target: https://saythanks.io/to/decalage2