@decalage2
Last active Dec 7, 2019
Script to extract unusual URLs, IPs, etc from OpenXML files using olevba
import sys, zipfile
from oletools.olevba import detect_patterns

# samples: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Indian/APT/Donot/17-09-19/Malware%20analysis.md

fname = sys.argv[1]
print(f'Opening {fname}')
if zipfile.is_zipfile(fname):
    print('filetype: OpenXML or Zip')
    z = zipfile.ZipFile(fname)
    for f in z.infolist():
        print(f'- subfile: {f.filename}')
        # decode each package part as text so olevba's pattern matcher can scan it
        data = z.read(f).decode('utf8', errors='replace')
        for description, value in detect_patterns(data):
            # skip the standard namespace URLs found in every well-formed OpenXML package
            if not value.startswith('http://schemas.openxmlformats.org/') \
               and not value.startswith('http://schemas.microsoft.com/') \
               and not value.startswith('http://purl.org/') \
               and not value.startswith('http://www.w3.org/'):
                print(f' {value} - {description}')
    z.close()
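The same allowlist idea applied to a package built in memory, as an added example that is not part of the gist and does not depend on oletools: two regexes stand in for olevba's detect_patterns() (URL and IPv4 only, so it is a simplified stand-in, not the real matcher), the archive and its parts are constructed here, and example.invalid / 192.0.2.10 are documentation addresses, not real indicators. It returns its findings from a function so the result can be checked, and the external attachedTemplate relationship in the sample is the kind of entry the benign-namespace filter is meant to let through.

```python
import io
import re
import sys
import zipfile

# Constructed sample: a minimal OpenXML-style archive (not a real document).
# Two parts carry only the standard schema namespace URLs; the .rels part
# adds an external template reference and a bare IP, which a scan should surface.
SAMPLE_PARTS = {
    "[Content_Types].xml": (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
    ),
    "word/document.xml": (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>'
    ),
    "word/_rels/settings.xml.rels": (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
        'Target="http://example.invalid/template.dotm" TargetMode="External"/>'
        '<Relationship Id="rId2" Target="http://192.0.2.10/x" TargetMode="External"/>'
        "</Relationships>"
    ),
}

# Namespace prefixes present in every well-formed OpenXML package; they carry no signal.
BENIGN_PREFIXES = (
    "http://schemas.openxmlformats.org/",
    "http://schemas.microsoft.com/",
    "http://purl.org/",
    "http://www.w3.org/",
)

# Simplified stand-ins for olevba's detect_patterns(): just URLs and IPv4 addresses.
PATTERNS = [
    ("URL", re.compile(r"https?://[^\s\"'<>]+")),
    ("IPv4 address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def build_sample_zip(parts):
    """Write the constructed parts into an in-memory zip and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, text in parts.items():
            z.writestr(name, text)
    return buf.getvalue()


def is_benign(value):
    """True for values that start with one of the standard namespace prefixes."""
    return value.startswith(BENIGN_PREFIXES)


def scan_package(zip_bytes):
    """Return (subfile, description, value) for every non-benign match, deduplicated per part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            # decode each part as text; errors='replace' keeps binary parts from aborting the scan
            data = z.read(info).decode("utf8", errors="replace")
            seen = set()
            for description, regex in PATTERNS:
                for value in regex.findall(data):
                    if is_benign(value) or (description, value) in seen:
                        continue
                    seen.add((description, value))
                    findings.append((info.filename, description, value))
    return findings


if __name__ == "__main__":
    # scan a file given on the command line, or fall back to the constructed sample
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip(SAMPLE_PARTS)
    for subfile, description, value in scan_package(blob):
        print(f"{subfile}: {value} - {description}")
```

Run without arguments it scans the constructed sample and reports only the external template URL, the IP-based URL and the bare IP; the three namespace URLs are filtered out. The allowlist is deliberately a prefix match on the value, the same check the gist applies to detect_patterns() output, so any extension of it should stay that narrow rather than suppressing whole hosts.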