Oletools Versions Save

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.

v0.60.1

2 years ago

2022-05-09 v0.60.1:

  • olevba:
    • fixed a bug when calling XLMMacroDeobfuscator (PR #737)
    • removed keyword "sample" causing false positives
  • oleid: fixed OleID init issue (issue #695, PR #696)
  • oleobj:
    • added simple detection of CVE-2021-40444 initial stage
    • added detection for customUI onLoad
    • improved handling of incorrect filenames in OLE package (PR #451)
  • rtfobj: fixed code to find URLs in OLE2Link objects for Py3 (issue #692)
  • ftguess:
    • added PowerPoint and XPS formats (PR #716)
    • fixed issue with XPS and malformed documents (issue #711)
    • added XLSB format (issue #758)
  • improved logging with common module log_helper (PR #449)

More details about fixed issues and improvements in 0.60: https://github.com/decalage2/oletools/milestone/10?closed=1

v0.60

2 years ago
  • 2021-06-02 v0.60:
    • ftguess: new tool to identify file formats and containers (issue #680)
    • oleid: (issue #679)
      • each indicator now has a risk level
      • calls ftguess to identify file formats
      • calls olevba+mraptor to detect and analyse VBA+XLM macros
    • olevba:
      • when XLMMacroDeobfuscator is available, use it to extract and deobfuscate XLM macros
    • rtfobj:
      • use ftguess to identify file type of OLE Package (issue #682)
      • fixed bug in re_executable_extensions
    • crypto: added PowerPoint transparent password '/01Hannes Ruescher/01' (issue #627)
    • setup: XLMMacroDeobfuscator, xlrd2 and pyxlsb2 added as optional dependencies

More details about fixed issues and improvements in 0.60: https://github.com/decalage2/oletools/milestone/10?closed=1

v0.56.2

3 years ago
  • 2021-05-07 v0.56.2:
    • olevba:
      • updated plugin_biff to v0.0.22 to fix a bug (issues #647, #674)
    • olevba, mraptor:
      • added detection of Workbook_BeforeClose (issue #518)
    • rtfobj:
      • fixed bug when OLE package class name ends with null characters (issue #507, PR #648)
    • oleid:
      • fixed bug in check_excel (issue #584, PR #585)
    • clsid:
      • added several CLSIDs related to MS Office click-to-run issue CVE-2021-27058
      • added checks to ensure that all CLSIDs are uppercase (PR #678)

More details about fixed issues and improvements in 0.56: https://github.com/decalage2/oletools/milestone/9?closed=1

v0.56.1

3 years ago
  • 2021-04-02 v0.56.1:
    • olevba:
      • fixed bug when parsing some malformed files (issue #629)
    • oleobj:
      • fixed bug preventing detection of links 'externalReference', 'frame', 'hyperlink' (issue #641, PR #670)
    • setup:
      • avoid installing msoffcrypto-tool when platform is PyPy+Windows (issue #473)
      • PyPI version is now a wheel package to improve installation and avoid antivirus false positives due to test files (issues #215, #398)

More details about fixed issues and improvements in 0.56: https://github.com/decalage2/oletools/milestone/9?closed=1

v0.56

3 years ago
  • 2020-09-28 v0.56:
    • olevba/mraptor:
      • added detection of trigger _OnConnecting
    • olevba:
      • updated plugin_biff to v0.0.17 to improve Excel 4/XLM macros parsing
      • added simple analysis of Excel 4/XLM macros in XLSM files (PR #569)
      • added detection of template injection (PR #569)
      • added detection of many suspicious keywords (PR #591 and #569, see https://www.certego.net/en/news/advanced-vba-macros/)
      • improved MHT detection (PR #532)
      • added --no-xlm option to disable Excel 4/XLM macros parsing (PR #532)
      • fixed bug when decompressing raw chunks in VBA (issue #575)
      • fixed bug with email package due to monkeypatch for MHT parsing (issue #602, PR #604)
      • fixed option --relaxed (issue #596, PR #595)
      • enabled relaxed mode by default (issues #477, #593)
      • fixed detect_vba_macros to always return VBA code as unicode on Python 3 (issues #455, #477, #587, #593)
      • replaced option --pcode by --show-pcode and --no-pcode, replaced optparse by argparse (PR #479)
    • oleform: improved form parsing (PR #532)
    • oleobj: "Ole10Native" is now case insensitive (issue #541)
    • clsid: added PDF (issue #552), Microsoft Word Picture (issue #571)
    • ppt_parser: fixed bug on Python 3 (issues #177, #607, PR #450)

How to install with pip: https://github.com/decalage2/oletools/wiki/Install

v0.55

4 years ago

Main changes in oletools v0.55:

  • olevba:
    • added support for SLK files and XLM macro extraction from SLK
    • VBA Stomping detection
    • integrated pcodedmp to extract and disassemble P-code
    • detection of suspicious keywords and IOCs in P-code
    • new option --pcode to display P-code disassembly
    • improved detection of auto execution triggers
  • rtfobj: added URL carver for CVE-2017-0199
  • better handling of unicode for systems with a locale that does not support UTF-8, e.g. LANG=C (PR #365)
  • tests:
    • test files can now be encrypted, to avoid antivirus alerts (PR #217, issue #215)
    • tests that trigger antivirus alerts have been temporarily disabled (issue #215)

How to install with pip: https://github.com/decalage2/oletools/wiki/Install

v0.54.2b

4 years ago

This is a bugfix release for oletools 0.54.

Changes:

  • 2019-05-23 v0.54.2:
    • msoffcrypto-tool is now a required dependency (simplified install)
    • plugin_biff: fixed issues #428, #434 and #444, improved Python 3 support
    • olevba, msodde, crypto: improved handling of encrypted files (PR #441)
    • olevba: initialize VBA_Parser.xlm_macros (fixes #433)
    • various fixes (PR #446)
    • olevba and msodde now handle documents encrypted with common passwords such as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.
  • 2019-04-09 v0.54.1:
    • olevba: decompress_stream now accepts both bytes and bytearray (fixes #422)

How to install/update with pip: https://github.com/decalage2/oletools/wiki/Install

v0.54

5 years ago

Main changes in oletools 0.54:

  • olevba, msodde: added support for encrypted MS Office files
  • olevba: added detection and extraction of XLM/XLF Excel 4 macros
  • olevba, mraptor: added detection of VBA running Excel 4 macros
  • olevba: detect and display special characters such as backspace
  • olevba: colorized output showing suspicious keywords in the VBA code
  • olevba, mraptor: full Python 3 compatibility, no separate olevba3/mraptor3 anymore
  • olevba: improved handling of code pages and unicode
  • olevba: fixed a false-positive in VBA macro detection
  • rtfobj: improved OLE Package handling, improved Equation object detection
  • oleobj: added detection of external links to objects in OpenXML
  • replaced third party packages by PyPI dependencies

How to install with pip: https://github.com/decalage2/oletools/wiki/Install

v0.53.1

5 years ago

2018-06-13 v0.53.1: Bugfix release
  • rtfobj: fixed issue #316, whitespace after \bin on Python 3
  • olevba3: fixed #320, chr instead of unichr on Python 3
  • olevba3: fixed #322, import reduce from functools

v0.53

5 years ago

2018-05-30 v0.53:
  • olevba and mraptor can now parse Word/PowerPoint 2007+ pure XML files (aka Flat OPC format)
  • improved support for VBA forms in olevba (oleform)
  • rtfobj now displays the CLSID of OLE objects, which is the best way to identify them. Known-bad CLSIDs such as MS Equation Editor are highlighted in red.
  • updated rtfobj to handle obfuscated RTF samples
  • rtfobj now handles the "\'" obfuscation trick seen in recent samples such as https://twitter.com/buffaloverflow/status/989798880295444480, by emulating the MS Word bug described in https://securelist.com/disappearing-bytes/84017/
  • msodde: improved detection of DDE formulas in CSV files
  • oledir now displays the tree of storages/streams, along with CLSIDs and their meaning
  • common.clsid contains the list of known CLSIDs, and their links to CVE vulnerabilities when relevant
  • oleid now detects encrypted OpenXML files
  • fixed bugs in oleobj, rtfobj, oleid, olevba