
{\rt- RTF SPECIFICATION SUCKS
{\u0097}}
{\uc2 \u0098}}}
{\uc2 \u0099\'**}}
{\uc2 \uc31682 \u0101}
{\u0100}}
{\uc-1 \u0102}
{\object\objemb\objw-\objh-
@decalage2
decalage2 / detect_CVE-2021-40444.py
Last active August 19, 2022 16:01
Simple script to detect CVE-2021-40444 URLs using oletools
# simple script to detect CVE-2021-40444 exploits in DOCX using oletools
# v0.01 Philippe Lagadec 2021-09-09
# IMPORTANT NOTE: this script detects the few samples identified so far, by looking for "mhtml:" in the URLs of remote objects.
# It is not yet confirmed whether this detection is generic enough: for example, "mhtml:" may not be mandatory for the exploit, in which case a sample without it would not be detected.
# Moreover, for now only Office 2007+ files are supported.
# Detection for other file types (RTF, Office 97-2003, ...) will be implemented later.
import sys, zipfile
from oletools import oleobj, ooxml
@decalage2
decalage2 / extract_iocs.py
Last active December 7, 2019 01:55
Script to extract unusual URLs, IPs, etc from OpenXML files using olevba
import sys, zipfile
from oletools.olevba import detect_patterns
# samples: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Indian/APT/Donot/17-09-19/Malware%20analysis.md
fname = sys.argv[1]
print(f'Opening {fname}')
if zipfile.is_zipfile(fname):
print('filetype: OpenXML or Zip')
z = zipfile.ZipFile(fname)
for f in z.infolist():
@decalage2
decalage2 / olevba_extract.py
Last active January 30, 2019 06:53
Quick example showing how to extract VBA macros to files using olevba (Python 2 or 3)
# Quick example showing how to extract VBA macros to files using olevba
# works with python 2 or 3
# ref: https://github.com/decalage2/oletools/wiki/olevba#extract-vba-macro-source-code
import sys
if sys.version_info[0] <= 2:
# Python 2.x
from oletools.olevba import VBA_Parser
else:
@decalage2
decalage2 / Extensions.java
Created April 19, 2017 21:35
CommonCrawlDocumentDownload - How to add RTF files
package org.dstadler.commoncrawl;
/**
* Which extensions we are interested in.
*
* @author dominik.stadler
*/
public class Extensions {
private static final String[] EXTENSIONS = new String[] {
@decalage2
decalage2 / vbaproject.py
Created November 16, 2016 22:51
olevba - how to access VBA project/dir and module streams
# sample code to demonstrate how to access VBA project/dir and module streams using olevba
from oletools.olevba import VBA_Parser, decompress_stream
from oletools.ezhexviewer import hexdump3
import sys
def dump_vba_projects(vbaparser):
vba_projects = vbaparser.find_vba_projects()
for vba_root, project_path, dir_path in vba_projects: