View RTF obfuscation techniques.rtf
{\uc2 \u0098}}}
{\uc2 \u0099\'**}}
{\uc2 \uc31682 \u0101}
{\uc-1 \u0102}
decalage2 /
Last active Sep 11, 2021
Simple script to detect CVE-2021-40444 URLs using oletools
# simple script to detect CVE-2021-40444 exploits in DOCX using oletools
# v0.01 Philippe Lagadec 2021-09-09
# IMPORTANT NOTE: this script detects the few samples identified so far, by looking for "mhtml:" in remote objects URLs.
# But it is not confirmed yet if this detection is generic enough, for example if "mhtml:" is not mandatory.
# Moreover, for now only Office 2007+ files are supported.
# Detection for other file types (RTF, Office 97-2003, ...) will be implemented later.
import sys, zipfile
from oletools import oleobj, ooxml
decalage2 /
Last active Dec 7, 2019
Script to extract unusual URLs, IPs, etc from OpenXML files using olevba
import sys, zipfile
from oletools.olevba import detect_patterns
# samples:
fname = sys.argv[1]
print(f'Opening {fname}')
if zipfile.is_zipfile(fname):
    print('filetype: OpenXML or Zip')
    z = zipfile.ZipFile(fname)
    for f in z.infolist():
decalage2 /
Last active Jan 30, 2019
Quick example showing how to extract VBA macros to files using olevba (Python 2 or 3)
# Quick example showing how to extract VBA macros to files using olevba
# works with python 2 or 3
# ref:
import sys
if sys.version_info[0] <= 2:
    # Python 2.x
    from oletools.olevba import VBA_Parser
decalage2 /
Created Apr 19, 2017
CommonCrawlDocumentDownload - How to add RTF files
package org.dstadler.commoncrawl;
/**
 * Which extensions we are interested in.
 * @author dominik.stadler
 */
public class Extensions {
    private static final String[] EXTENSIONS = new String[] {
decalage2 /
Created Nov 16, 2016
olevba - how to access VBA project/dir and module streams
# sample code to demonstrate how to access VBA project/dir and module streams using olevba
from oletools.olevba import VBA_Parser, decompress_stream
from oletools.ezhexviewer import hexdump3
import sys
def dump_vba_projects(vbaparser):
    vba_projects = vbaparser.find_vba_projects()
    for vba_root, project_path, dir_path in vba_projects: