From aldeid


oledump.py is a program to analyze OLE files (Compound File Binary Format). These files contain streams of data. oledump allows you to analyze these streams.

Many applications use this file format; the best known is MS Office. .doc, .xls, .ppt, … are OLE files (.docx, .xlsx, … use the newer file format: XML inside ZIP).




$ sudo pip install OleFileIO_PL

Yara (optional)

Refer to this page.

Installation of oledump

$ mkdir -p /data/tools/oledump/
$ cd /data/tools/oledump/
$ wget http://didierstevens.com/files/software/oledump_V0_0_16.zip
$ unzip oledump_V0_0_16.zip



Usage: oledump.py [options] [file]


--version
    show program's version number and exit
-h, --help
    show this help message and exit
-m, --man
    Print manual
-s SELECT, --select=SELECT
    select item nr for dumping (a for all)
-d, --dump
    perform dump
-x, --hexdump
    perform hex dump
-a, --asciidump
    perform ascii dump
-v, --vbadecompress
    VBA decompression
-r, --raw
    read raw file (use with options -v or -p
-e, --extract
    extract OLE embedded file
-i, --info
    print extra info for selected item
-p PLUGINS, --plugins=PLUGINS
    plugins to load (separate plugins with a comma , ; @file supported)
--pluginoptions=PLUGINOPTIONS
    options for the plugin
-q, --quiet
    only print output from plugins
-y YARA, --yara=YARA
    YARA rule-file, @file or directory to check streams (YARA search doesn't work with -s option)
-D DECODERS, --decoders=DECODERS
    decoders to load (separate decoders with a comma , ; @file supported)
--decoderoptions=DECODEROPTIONS
    options for the decoder
--yarastrings
    Print YARA strings
-M, --metadata
    Print metadata
-c, --calc
    Add extra calculated data to output, like hashes
--decompress
    Search for compressed data in the stream and decompress it
-V, --verbose
    verbose output for plugins and decoders

Use cases

List streams

$ ./oledump.py /data/tmp/3e2c3e6904dda6fb9174713a34f44126
  1:      1376 'PROJECT'
  2:       614 'PROJECTwm'
  3: m     999 'VBA/Class1'
  4: m    1000 'VBA/Class10'
  5: m    1000 'VBA/Class11'
  6: m    1000 'VBA/Class12'
  7: m    1000 'VBA/Class13'
  8: m    1000 'VBA/Class14'
  9: m    1000 'VBA/Class15'
 10: m    1000 'VBA/Class16'
 11: m    1000 'VBA/Class17'
 12: m    1000 'VBA/Class18'
 13: m    1000 'VBA/Class19'
 14: m     999 'VBA/Class2'
 15: m    1000 'VBA/Class20'
 16: m    1000 'VBA/Class21'
 17: m    1000 'VBA/Class22'
 18: m    1000 'VBA/Class23'
 19: m    1000 'VBA/Class24'
 20: m     999 'VBA/Class3'
 21: m     999 'VBA/Class4'
 22: m     999 'VBA/Class5'
 23: m     999 'VBA/Class6'
 24: m     999 'VBA/Class7'
 25: m     999 'VBA/Class8'
 26: m     999 'VBA/Class9'
 27: M   13185 'VBA/Module1'
 28: M    1384 'VBA/ThisDocument'
 29:      6942 'VBA/_VBA_PROJECT'
 30:      1154 'VBA/dir'
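
In this listing, the indicator M marks a VBA stream that contains macro code, while m marks a VBA stream holding only attribute statements, so streams 27 and 28 are the ones worth decompressing. The following Python script is an added example (not part of the original page or of oledump itself): it parses such a listing and builds the `-s N -v` commands for the streams flagged M. The function names are hypothetical and the sample lines are copied from the listing above.

```python
import re

# One line of oledump's stream listing: index, optional one-letter
# indicator, size in bytes, quoted stream name.
LINE_RE = re.compile(r"^\s*(\d+):\s+([A-Za-z])?\s*(\d+)\s+'(.*)'\s*$")

# Sample lines copied from the listing above (shortened).
SAMPLE = """\
  1:      1376 'PROJECT'
  3: m     999 'VBA/Class1'
 27: M   13185 'VBA/Module1'
 28: M    1384 'VBA/ThisDocument'
 30:      1154 'VBA/dir'
"""

def parse_listing(text):
    """Return one dict per stream line; lines in any other format are skipped."""
    streams = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            index, indicator, size, name = match.groups()
            streams.append({"index": int(index), "indicator": indicator or "",
                            "size": int(size), "name": name})
    return streams

def macro_streams(streams):
    """Streams flagged 'M' (VBA code present), largest first."""
    hits = [s for s in streams if s["indicator"] == "M"]
    return sorted(hits, key=lambda s: s["size"], reverse=True)

def dump_commands(streams, path):
    """Build argv lists (no shell quoting needed) for: oledump.py -s N -v FILE"""
    return [["./oledump.py", "-s", str(s["index"]), "-v", path]
            for s in macro_streams(streams)]

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    sample_path = "/data/tmp/3e2c3e6904dda6fb9174713a34f44126"
    for cmd in dump_commands(parsed, sample_path):
        print(" ".join(cmd))
```

The decompressed VBA source is text to be read, not run; the commands only ask oledump to decode the selected streams.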


Keywords: oledump ole doc xls ppt macro