Changelogs » Oletools




- olevba:
  - added support for SLK files and XLM macro extraction from SLK
  - VBA Stomping detection
  - integrated pcodedmp to extract and disassemble P-code
  - detection of suspicious keywords and IOCs in P-code
  - new option --pcode to display P-code disassembly
  - improved detection of auto execution triggers
- rtfobj: added URL carver for CVE-2017-0199
- better handling of unicode for systems with locale that does not support UTF-8, e.g. LANG=C (PR 365)
- tests:
  - test files can now be encrypted, to avoid antivirus alerts (PR 217, issue 215)
  - tests that trigger antivirus alerts have been temporarily disabled (issue 215)

How to install with pip:


This is a bugfix release for oletools 0.54.

- **2019-05-23 v0.54.2**:
  - msoffcrypto-tool is now a required dependency (simplified install)
  - plugin_biff: fixed issues 428, 434 and 444, improved Python 3 support
  - olevba, msodde, crypto: improved handling of encrypted files (PR 441)
  - olevba: initialize VBA_Parser.xlm_macros (fixes 433)
  - various fixes (PR 446)
  - olevba and msodde now handle documents encrypted with common passwords such as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.
- **2019-04-09 v0.54.1**:
  - olevba: decompress_stream now accepts both bytes and bytearray (fixes 422)

How to install/update with pip:


* olevba, msodde: added support for encrypted MS Office files
* olevba: added detection and extraction of XLM/XLF Excel 4 macros
* olevba, mraptor: added detection of VBA running Excel 4 macros
* olevba: detect and display special characters such as backspace
* olevba: colorized output showing suspicious keywords in the VBA code
* olevba, mraptor: full Python 3 compatibility, no separate olevba3/mraptor3 anymore
* olevba: improved handling of code pages and unicode
* olevba: fixed a false-positive in VBA macro detection
* rtfobj: improved OLE Package handling, improved Equation object detection
* oleobj: added detection of external links to objects in OpenXML
* replaced third party packages by PyPI dependencies

How to install with pip:


**2018-06-13 v0.53.1**: Bugfix release
  - rtfobj: fixed issue 316, whitespace after \bin on Python 3
  - olevba3: fixed 320, chr instead of unichr on Python 3
  - olevba3: fixed 322, import reduce from functools


- olevba and mraptor can now parse Word/PowerPoint 2007+ pure XML files (aka Flat OPC format)
- improved support for VBA forms in olevba (oleform)
- rtfobj now displays the CLSID of OLE objects, which is the best way to identify them. Known-bad CLSIDs such as MS Equation Editor are highlighted in red.
- Updated rtfobj to handle obfuscated RTF samples.
- rtfobj now handles the "\\'" obfuscation trick seen in recent samples such as, by emulating the MS Word bug described in
- msodde: improved detection of DDE formulas in CSV files
- oledir now displays the tree of storage/streams, along with CLSIDs and their meaning.
- common.clsid contains the list of known CLSIDs, and their links to CVE vulnerabilities when relevant.
- oleid now detects encrypted OpenXML files
- fixed bugs in oleobj, rtfobj, oleid, olevba


- New tool msodde to detect and extract DDE links from MS Office files, RTF and CSV;
- Fixed bugs in olevba, rtfobj and olefile, to better handle malformed/obfuscated files;
- Performance improvements in olevba and rtfobj;
- VBA form parsing in olevba;
- Office 2007+ support in oleobj.


- added the oletools cheatsheet
- improved rtfobj to handle malformed RTF files, detect vulnerability CVE-2017-0199
- olevba: improved deobfuscation and Mac files support
- mraptor: added more ActiveX macro triggers
- added DocVarDump.vba to dump document variables using Word
- olemap: can now detect and extract extra data at end of file, improved display
- oledir, olemeta, oletimes: added support for zip files and wildcards
- many bugfixes in all the tools
- improved Python 2+3 support


- all oletools now support Python 2 and 3.
- olevba: several bugfixes and improvements.
- mraptor: improved detection, added mraptor_milter for Sendmail/Postfix integration.
- rtfobj: brand new RTF parser, obfuscation-aware, improved display, detect executable files in OLE Package objects.
- setup: now creates handy command-line scripts to run oletools from any directory.


- olevba: added PPT97 macros support, improved handling of malformed/incomplete documents, improved error handling and JSON output, now returns an exit code based on analysis results, new --relaxed option.
- rtfobj: improved parsing to handle obfuscated RTF documents, added -d option to set output dir.
- moved repository and documentation to GitHub.


olevba does not deobfuscate VBA expressions by default (much faster), new option --deobf to enable it. Fixed color display bug on Windows for several tools.