Oletools

0.55

- olevba:
  - added support for SLK files and XLM macro extraction from SLK
  - VBA Stomping detection
  - integrated pcodedmp to extract and disassemble P-code
  - detection of suspicious keywords and IOCs in P-code
  - new option --pcode to display P-code disassembly
  - improved detection of auto execution triggers
- rtfobj: added URL carver for CVE-2017-0199
- better handling of unicode for systems with locale that does not support UTF-8, e.g. LANG=C (PR 365)
- tests:
  - test files can now be encrypted, to avoid antivirus alerts (PR 217, issue 215)
  - tests that trigger antivirus alerts have been temporarily disabled (issue 215)

How to install with pip: https://github.com/decalage2/oletools/wiki/Install

0.54.2b

This is a bugfix release for [oletools 0.54](https://github.com/decalage2/oletools/releases/tag/v0.54).
  
Changes:
- **2019-05-23 v0.54.2**:
  - msoffcrypto-tool is now a required dependency (simplified install)
  - plugin_biff: fixed issues 428, 434 and 444, improved Python 3 support
  - olevba, msodde, crypto: improved handling of encrypted files (PR 441)
  - olevba: initialize VBA_Parser.xlm_macros (fixes 433)
  - various fixes (PR 446)
  - olevba and msodde now handle documents encrypted with common passwords such as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.
- **2019-04-09 v0.54.1**:
  - olevba: decompress_stream now accepts both bytes and bytearray (fixes 422)

How to install/update with pip: https://github.com/decalage2/oletools/wiki/Install

0.54

* olevba, msodde: added support for encrypted MS Office files
* olevba: added detection and extraction of XLM/XLF Excel 4 macros
* olevba, mraptor: added detection of VBA running Excel 4 macros
* olevba: detect and display special characters such as backspace
* olevba: colorized output showing suspicious keywords in the VBA code
* olevba, mraptor: full Python 3 compatibility, no separate olevba3/mraptor3 anymore
* olevba: improved handling of code pages and unicode
* olevba: fixed a false-positive in VBA macro detection
* rtfobj: improved OLE Package handling, improved Equation object detection
* oleobj: added detection of external links to objects in OpenXML
* replaced third party packages by PyPI dependencies

How to install with pip: https://github.com/decalage2/oletools/wiki/Install

0.53.1

**2018-06-13 v0.53.1**: Bugfix release
- rtfobj: fixed issue 316, whitespace after \bin on Python 3
- olevba3: fixed 320, chr instead of unichr on Python 3
- olevba3: fixed 322, import reduce from functools

0.53

- olevba and mraptor can now parse Word/PowerPoint 2007+ pure XML files (aka Flat OPC format)
- improved support for VBA forms in olevba (oleform)
- rtfobj now displays the CLSID of OLE objects, which is the best way to identify them. Known-bad CLSIDs such as MS Equation Editor are highlighted in red.
- Updated rtfobj to handle obfuscated RTF samples.
- rtfobj now handles the "\\'" obfuscation trick seen in recent samples such as https://twitter.com/buffaloverflow/status/989798880295444480, by emulating the MS Word bug described in https://securelist.com/disappearing-bytes/84017/
- msodde: improved detection of DDE formulas in CSV files
- oledir now displays the tree of storage/streams, along with CLSIDs and their meaning.
- common.clsid contains the list of known CLSIDs, and their links to CVE vulnerabilities when relevant.
- oleid now detects encrypted OpenXML files
- fixed bugs in oleobj, rtfobj, oleid, olevba

0.52

- New tool msodde to detect and extract DDE links from MS Office files, RTF and CSV;
- Fixed bugs in olevba, rtfobj and olefile, to better handle malformed/obfuscated files;
- Performance improvements in olevba and rtfobj;
- VBA form parsing in olevba;
- Office 2007+ support in oleobj.

0.51

- added the [oletools cheatsheet](https://github.com/decalage2/oletools/blob/master/cheatsheet/oletools_cheatsheet.pdf)
- improved [rtfobj](https://github.com/decalage2/oletools/wiki/rtfobj) to handle malformed RTF files, detect vulnerability CVE-2017-0199
- olevba: improved deobfuscation and Mac files support
- [mraptor](https://github.com/decalage2/oletools/wiki/mraptor): added more ActiveX macro triggers
- added [DocVarDump.vba](https://github.com/decalage2/oletools/blob/master/oletools/DocVarDump.vba) to dump document variables using Word
- olemap: can now detect and extract [extra data at end of file](http://decalage.info/en/ole_extradata), improved display
- oledir, olemeta, oletimes: added support for zip files and wildcards
- many [bugfixes](https://github.com/decalage2/oletools/milestone/3?closed=1) in all the tools
- improved Python 2+3 support

0.50

- all oletools now support Python 2 and 3.
- olevba: several bugfixes and improvements.
- mraptor: improved detection, added mraptor_milter for Sendmail/Postfix integration.
- rtfobj: brand new RTF parser, obfuscation-aware, improved display, detect executable files in OLE Package objects.
- setup: now creates handy command-line scripts to run oletools from any directory.

0.47

- olevba: added PPT97 macros support, improved handling of malformed/incomplete documents, improved error handling and JSON output, now returns an exit code based on analysis results, new --relaxed option.
- rtfobj: improved parsing to handle obfuscated RTF documents, added -d option to set output dir.
- moved repository and documentation to GitHub.

0.46

olevba does not deobfuscate VBA expressions by default (much faster), new option --deobf to enable it. Fixed color display bug on Windows for several tools.
  [oletools-0.46.tar.gz](https://github.com/decalage2/oletools/files/288425/oletools-0.46.tar.gz)
  [oletools-0.46.zip](https://github.com/decalage2/oletools/files/288426/oletools-0.46.zip)