Skip to content

Releases: decalage2/oletools

oletools v0.60.2

02 Jul 14:57
Compare
Choose a tag to compare
  • 2024-07-02 v0.60.2:
    • olevba:
    • oleobj: fixed SyntaxError with Python 3.12 (PR #855), SyntaxWarning (PR #774)
    • rtfobj: fixed SyntaxError with Python 3.12 (PR #854)
    • clsid: added CLSIDs for MSI, Zed
    • ftguess: added MSI, PNG and OneNote formats
    • pyxswf: fixed python 3.12 compatibility (PR #841, issue #813)
    • setup/requirements: allow pyparsing 3 to solve install issues (PR #812, issue #762)

oletools v0.60.1

09 May 21:38
Compare
Choose a tag to compare

2022-05-09 v0.60.1:

  • olevba:
    - fixed a bug when calling XLMMacroDeobfuscator (PR #737)
    - removed keyword "sample" causing false positives
  • oleid: fixed OleID init issue (issue #695, PR #696)
  • oleobj:
    - added simple detection of CVE-2021-40444 initial stage
    - added detection for customUI onLoad
    - improved handling of incorrect filenames in OLE package (PR #451)
  • rtfobj: fixed code to find URLs in OLE2Link objects for Py3 (issue #692)
  • ftguess:
    - added PowerPoint and XPS formats (PR #716)
    - fixed issue with XPS and malformed documents (issue #711)
    - added XLSB format (issue #758)
  • improved logging with common module log_helper (PR #449)

More details about fixed issues and improvements in 0.60: https://github.com/decalage2/oletools/milestone/10?closed=1

oletools v0.60

21 Jun 20:57
Compare
Choose a tag to compare
  • 2021-06-02 v0.60:
    • ftguess: new tool to identify file formats and containers (issue #680)
    • oleid: (issue #679)
      • each indicator now has a risk level
      • calls ftguess to identify file formats
      • calls olevba+mraptor to detect and analyse VBA+XLM macros
    • olevba:
      • when XLMMacroDeobfuscator is available, use it to extract and deobfuscate XLM macros
    • rtfobj:
      • use ftguess to identify file type of OLE Package (issue #682)
      • fixed bug in re_executable_extensions
    • crypto: added PowerPoint transparent password '/01Hannes Ruescher/01' (issue #627)
    • setup: XLMMacroDeobfuscator, xlrd2 and pyxlsb2 added as optional dependencies

More details about fixed issues and improvements in 0.60: https://github.com/decalage2/oletools/milestone/10?closed=1

oletools v0.56.2

07 May 21:27
Compare
Choose a tag to compare
  • 2021-05-07 v0.56.2:
    • olevba:
      • updated plugin_biff to v0.0.22 to fix a bug (issues #647, #674)
    • olevba, mraptor:
      • added detection of Workbook_BeforeClose (issue #518)
    • rtfobj:
      • fixed bug when OLE package class name ends with null characters (issue #507, PR #648)
    • oleid:
      • fixed bug in check_excel (issue #584, PR #585)
    • clsid:
      • added several CLSIDs related to MS Office click-to-run issue CVE-2021-27058
      • added checks to ensure that all CLSIDs are uppercase (PR #678)

More details about fixed issues and improvements in 0.56: https://github.com/decalage2/oletools/milestone/9?closed=1

oletools v0.56.1

02 Apr 21:57
Compare
Choose a tag to compare
  • 2021-04-02 v0.56.1:
    • olevba:
      • fixed bug when parsing some malformed files (issue #629)
    • oleobj:
      • fixed bug preventing detection of links 'externalReference', 'frame',
        'hyperlink' (issue #641, PR #670)
    • setup:
      • avoid installing msoffcrypto-tool when platform is PyPy+Windows (issue #473)
      • PyPI version is now a wheel package to improve installation and avoid antivirus
        false positives due to test files (issues #215, #398)

More details about fixed issues and improvements in 0.56: https://github.com/decalage2/oletools/milestone/9?closed=1

oletools v0.56

04 Oct 18:57
Compare
Choose a tag to compare
  • 2020-09-28 v0.56:
    • olevba/mraptor:
      • added detection of trigger _OnConnecting
    • olevba:
      • updated plugin_biff to v0.0.17 to improve Excel 4/XLM macros parsing
      • added simple analysis of Excel 4/XLM macros in XLSM files (PR #569)
      • added detection of template injection (PR #569)
      • added detection of many suspicious keywords (PR #591 and #569, see https://www.certego.net/en/news/advanced-vba-macros/)
      • improved MHT detection (PR #532)
      • added --no-xlm option to disable Excel 4/XLM macros parsing (PR #532)
      • fixed bug when decompressing raw chunks in VBA (issue #575)
      • fixed bug with email package due to monkeypatch for MHT parsing (issue #602, PR #604)
      • fixed option --relaxed (issue #596, PR #595)
      • enabled relaxed mode by default (issues #477, #593)
      • fixed detect_vba_macros to always return VBA code as
        unicode on Python 3 (issues #455, #477, #587, #593)
      • replaced option --pcode by --show-pcode and --no-pcode,
        replaced optparse by argparse (PR #479)
    • oleform: improved form parsing (PR #532)
    • oleobj: "Ole10Native" is now case insensitive (issue #541)
    • clsid: added PDF (issue #552), Microsoft Word Picture (issue #571)
    • ppt_parser: fixed bug on Python 3 (issues #177, #607, PR #450)

How to install with pip: https://github.com/decalage2/oletools/wiki/Install

oletools v0.55

03 Dec 23:42
Compare
Choose a tag to compare

Main changes in oletools v0.55:

  • olevba:
    • added support for SLK files and XLM macro extraction from SLK
    • VBA Stomping detection
    • integrated pcodedmp to extract and disassemble P-code
    • detection of suspicious keywords and IOCs in P-code
    • new option --pcode to display P-code disassembly
    • improved detection of auto execution triggers
  • rtfobj: added URL carver for CVE-2017-0199
  • better handling of unicode for systems with locale that does not support UTF-8, e.g. LANG=C (PR #365)
  • tests:
    • test files can now be encrypted, to avoid antivirus alerts (PR #217, issue #215)
    • tests that trigger antivirus alerts have been temporarily disabled (issue #215)

How to install with pip: https://github.com/decalage2/oletools/wiki/Install

oletools v0.54.2

23 May 07:05
Compare
Choose a tag to compare

This is a bugfix release for oletools 0.54.

Changes:

  • 2019-05-23 v0.54.2:
    • msoffcrypto-tool is now a required dependency (simplified install)
    • plugin_biff: fixed issues #428, #434 and #444, improved Python 3 support
    • olevba, msodde, crypto: improved handling of encrypted files (PR #441)
    • olevba: initialize VBA_Parser.xlm_macros (fixes #433)
    • various fixes (PR #446)
    • olevba and msodde now handle documents encrypted with common passwords such
      as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.
  • 2019-04-09 v0.54.1:
    • olevba: decompress_stream now accepts both bytes and bytearray (fixes #422)

How to install/update with pip: https://github.com/decalage2/oletools/wiki/Install

oletools v0.54

08 Apr 18:57
Compare
Choose a tag to compare

Main changes in oletools 0.54:

  • olevba, msodde: added support for encrypted MS Office files
  • olevba: added detection and extraction of XLM/XLF Excel 4 macros
  • olevba, mraptor: added detection of VBA running Excel 4 macros
  • olevba: detect and display special characters such as backspace
  • olevba: colorized output showing suspicious keywords in the VBA code
  • olevba, mraptor: full Python 3 compatibility, no separate olevba3/mraptor3 anymore
  • olevba: improved handling of code pages and unicode
  • olevba: fixed a false-positive in VBA macro detection
  • rtfobj: improved OLE Package handling, improved Equation object detection
  • oleobj: added detection of external links to objects in OpenXML
  • replaced third party packages by PyPI dependencies

How to install with pip: https://github.com/decalage2/oletools/wiki/Install

oletools v0.53.1

13 Jun 21:59
Compare
Choose a tag to compare

2018-06-13 v0.53.1: Bugfix release
- rtfobj: fixed issue #316, whitespace after \bin on Python 3
- olevba3: fixed #320, chr instead of unichr on python 3
- olevba3: fixed #322, import reduce from functools