This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{\rt- RTF SPECIFICATION SUCKS | |
{\u0097}} | |
{\uc2 \u0098}}} | |
{\uc2 \u0099\'**}} | |
{\uc2 \uc31682 \u0101} | |
{\u0100}} | |
{\uc-1 \u0102} | |
{\object\objemb\objw-\objh- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# simple script to detect CVE-2021-40444 exploits in DOCX using oletools | |
# v0.01 Philippe Lagadec 2021-09-09 | |
# IMPORTANT NOTE: this script detects the few samples identified so far, by looking for "mhtml:" in remote objects URLs. | |
# But it is not confirmed yet if this detection is generic enough, for example if "mhtml:" is not mandatory. | |
# Moreover, for now only Office 2007+ files are supported. | |
# Detection for other file types (RTF, Office 97-2003, ...) will be implemented later. | |
import sys, zipfile | |
from oletools import oleobj, ooxml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import sys, zipfile | |
from oletools.olevba import detect_patterns | |
# samples: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Indian/APT/Donot/17-09-19/Malware%20analysis.md | |
fname = sys.argv[1] | |
print(f'Opening {fname}') | |
if zipfile.is_zipfile(fname): | |
print('filetype: OpenXML or Zip') | |
z = zipfile.ZipFile(fname) | |
for f in z.infolist(): |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Quick example showing how to extract VBA macros to files using olevba | |
# works with python 2 or 3 | |
# ref: https://github.com/decalage2/oletools/wiki/olevba#extract-vba-macro-source-code | |
import sys | |
if sys.version_info[0] <= 2: | |
# Python 2.x | |
from oletools.olevba import VBA_Parser | |
else: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
package org.dstadler.commoncrawl; | |
/** | |
* Which extensions we are interested in. | |
* | |
* @author dominik.stadler | |
*/ | |
public class Extensions { | |
private static final String[] EXTENSIONS = new String[] { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# sample code to demonstrate how to access VBA project/dir and module streams using olevba | |
from oletools.olevba import VBA_Parser, decompress_stream | |
from oletools.ezhexviewer import hexdump3 | |
import sys | |
def dump_vba_projects(vbaparser): | |
vba_projects = vbaparser.find_vba_projects() | |
for vba_root, project_path, dir_path in vba_projects: |