{\rt- RTF SPECIFICATION SUCKS
{\u0097}}
{\uc2 \u0098}}}
{\uc2 \u0099\'**}}
{\uc2 \uc31682 \u0101}
{\u0100}}
{\uc-1 \u0102}
{\object\objemb\objw-\objh-
decalage2 / detect_CVE-2021-40444.py
Last active Sep 11, 2021
Simple script to detect CVE-2021-40444 URLs using oletools
# simple script to detect CVE-2021-40444 exploits in DOCX using oletools
# v0.01 Philippe Lagadec 2021-09-09
# IMPORTANT NOTE: this script detects the few samples identified so far, by looking for "mhtml:" in the URLs of remote objects.
# However, it is not yet confirmed whether this detection is generic enough — for example, whether "mhtml:" is actually mandatory.
# Moreover, for now only Office 2007+ files are supported.
# Detection for other file types (RTF, Office 97-2003, ...) will be implemented later.
import sys, zipfile
from oletools import oleobj, ooxml
decalage2 / extract_iocs.py
Last active Dec 7, 2019
Script to extract unusual URLs, IPs, etc. from OpenXML files using olevba
import sys, zipfile
from oletools.olevba import detect_patterns
# samples: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Indian/APT/Donot/17-09-19/Malware%20analysis.md
fname = sys.argv[1]
print(f'Opening {fname}')
if zipfile.is_zipfile(fname):
print('filetype: OpenXML or Zip')
z = zipfile.ZipFile(fname)
for f in z.infolist():
decalage2 / olevba_extract.py
Last active Jan 30, 2019
Quick example showing how to extract VBA macros to files using olevba (Python 2 or 3)
# Quick example showing how to extract VBA macros to files using olevba
# works with python 2 or 3
# ref: https://github.com/decalage2/oletools/wiki/olevba#extract-vba-macro-source-code
import sys
if sys.version_info[0] <= 2:
# Python 2.x
from oletools.olevba import VBA_Parser
else:
decalage2 / Extensions.java
Created Apr 19, 2017
CommonCrawlDocumentDownload - How to add RTF files
package org.dstadler.commoncrawl;
/**
* Which extensions we are interested in.
*
* @author dominik.stadler
*/
public class Extensions {
private static final String[] EXTENSIONS = new String[] {
decalage2 / vbaproject.py
Created Nov 16, 2016
olevba - how to access VBA project/dir and module streams
# sample code to demonstrate how to access VBA project/dir and module streams using olevba
from oletools.olevba import VBA_Parser, decompress_stream
from oletools.ezhexviewer import hexdump3
import sys
def dump_vba_projects(vbaparser):
vba_projects = vbaparser.find_vba_projects()
for vba_root, project_path, dir_path in vba_projects: