olevba, doc: updated the list of supported formats
decalage2 committed Dec 3, 2019
1 parent ae22ba6 commit 35786cc
Showing 3 changed files with 22 additions and 15 deletions.
17 changes: 9 additions & 8 deletions oletools/doc/olevba.html
@@ -82,23 +82,24 @@
</head>
<body>
<h1 id="olevba">olevba</h1>
<p>olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to <strong>detect VBA Macros</strong>, extract their <strong>source code</strong> in clear text, and detect security-related patterns such as <strong>auto-executable macros</strong>, <strong>suspicious VBA keywords</strong> used by malware, anti-sandboxing and anti-virtualization techniques, and potential <strong>IOCs</strong> (IP addresses, URLs, executable filenames, etc). It also detects and decodes several common <strong>obfuscation methods including Hex encoding, StrReverse, Base64, Dridex, VBA expressions</strong>, and extracts IOCs from decoded strings.</p>
<p>olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to <strong>detect VBA Macros</strong>, extract their <strong>source code</strong> in clear text, and detect security-related patterns such as <strong>auto-executable macros</strong>, <strong>suspicious VBA keywords</strong> used by malware, anti-sandboxing and anti-virtualization techniques, and potential <strong>IOCs</strong> (IP addresses, URLs, executable filenames, etc). It also detects and decodes several common <strong>obfuscation methods including Hex encoding, StrReverse, Base64, Dridex, VBA expressions</strong>, and extracts IOCs from decoded strings. XLM/Excel 4 Macros are also supported in Excel and SLK files.</p>
<p>It can be used either as a command-line tool, or as a python module from your own applications.</p>
<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
<p>olevba is based on source code from <a href="https://github.com/unixfreak0037/officeparser">officeparser</a> by John William Davison, with significant modifications.</p>
<h2 id="supported-formats">Supported formats</h2>
<ul>
<li>Word 97-2003 (.doc, .dot)</li>
<li>Word 2007+ (.docm, .dotm)</li>
<li>Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm)</li>
<li>Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb)</li>
<li>PowerPoint 97-2003 (.ppt), PowerPoint 2007+ (.pptm, .ppsm)</li>
<li>Word/PowerPoint 2007+ XML (aka Flat OPC)</li>
<li>Word 2003 XML (.xml)</li>
<li>Word/Excel MHTML, aka Single File Web Page (.mht)</li>
<li>Excel 97-2003 (.xls)</li>
<li>Excel 2007+ (.xlsm, .xlsb)</li>
<li>PowerPoint 2007+ (.pptm, .ppsm)</li>
<li>Word/Excel Single File Web Page / MHTML (.mht)</li>
<li>Publisher (.pub)</li>
<li>SYLK/SLK files (.slk)</li>
<li>Text file containing VBA or VBScript source code</li>
<li>Password-protected Zip archive containing any of the above</li>
</ul>
<h2 id="main-features">Main Features</h2>
<p>S## Main Features</p>
<ul>
<li>Detect VBA macros in MS Office 97-2003 and 2007+ files, XML, MHT</li>
<li>Extract VBA macro source code</li>
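Review bot: the Main Features heading is broken at the end of this hunk: `<p>S## Main Features</p>` appears where `<h2 id="main-features">Main Features</h2>` belongs, so the page renders a literal "S## Main Features" paragraph and links to `#main-features` no longer resolve. This looks like a stray "S" typed in front of the markdown heading; correct the source in olevba.md and regenerate this file so the `<h2>` line is left unchanged.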
16 changes: 9 additions & 7 deletions oletools/doc/olevba.md
@@ -8,6 +8,7 @@ VBA keywords** used by malware, anti-sandboxing and anti-virtualization techniqu
and potential **IOCs** (IP addresses, URLs, executable filenames, etc).
It also detects and decodes several common **obfuscation methods including Hex encoding,
StrReverse, Base64, Dridex, VBA expressions**, and extracts IOCs from decoded strings.
XLM/Excel 4 Macros are also supported in Excel and SLK files.

It can be used either as a command-line tool, or as a python module from your own applications.

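Review bot: the added sentence "XLM/Excel 4 Macros are also supported in Excel and SLK files." does not say what "supported" covers. The paragraph it joins names concrete capabilities for VBA (deobfuscation of several encodings, IOC extraction from decoded strings); state which of these apply to XLM macros, so that an analyst knows how much weight to give an empty result on a file that only carries XLM.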
@@ -18,17 +19,18 @@ by John William Davison, with significant modifications.

## Supported formats

- Word 97-2003 (.doc, .dot)
- Word 2007+ (.docm, .dotm)
- Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm)
- Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb)
- PowerPoint 97-2003 (.ppt), PowerPoint 2007+ (.pptm, .ppsm)
- Word/PowerPoint 2007+ XML (aka Flat OPC)
- Word 2003 XML (.xml)
- Word/Excel MHTML, aka Single File Web Page (.mht)
- Excel 97-2003 (.xls)
- Excel 2007+ (.xlsm, .xlsb)
- PowerPoint 2007+ (.pptm, .ppsm)
- Word/Excel Single File Web Page / MHTML (.mht)
- Publisher (.pub)
- SYLK/SLK files (.slk)
- Text file containing VBA or VBScript source code
- Password-protected Zip archive containing any of the above

## Main Features
S## Main Features

- Detect VBA macros in MS Office 97-2003 and 2007+ files, XML, MHT
- Extract VBA macro source code
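Review bot: a stray "S" sits in front of the heading near the end of this hunk, giving `S## Main Features`, which markdown renders as body text rather than a level-2 heading. The line should stay `## Main Features`; nothing in the commit message suggests this heading was meant to change.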
4 changes: 4 additions & 0 deletions oletools/olevba.py
@@ -5,6 +5,7 @@
olevba is a script to parse OLE and OpenXML files such as MS Office documents
(e.g. Word, Excel), to extract VBA Macro code in clear text, deobfuscate
and analyze malicious macros.
XLM/Excel 4 Macros are also supported in Excel and SLK files.
Supported formats:
- Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm)
@@ -14,6 +15,9 @@
- Word 2003 XML (.xml)
- Word/Excel Single File Web Page / MHTML (.mht)
- Publisher (.pub)
- SYLK/SLK files (.slk)
- Text file containing VBA or VBScript source code
- Password-protected Zip archive containing any of the above
- raises an error if run with files encrypted using MS Crypto API RC4
Author: Philippe Lagadec - http://www.decalage.info
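Review bot: the new "Password-protected Zip archive containing any of the above" bullet lands directly above the existing "raises an error if run with files encrypted using MS Crypto API RC4" line, so a limitation now reads as one more entry in the supported-formats list. Move the RC4 line out of the list under its own label, and say in the Zip bullet how the password is supplied. The RC4 caveat is also absent from the lists in olevba.md and olevba.html, so the three hand-maintained copies still disagree after this change.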