Tools To Extract Vbaproject.bin

Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR

Project description

oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.

Quick links: Homepage - Download/Install - Documentation - Report Issues/Suggestions/Questions - Contact the Author - Repository - Updates on Twitter - Cheatsheet

Note: python-oletools is not related to OLETools published by BeCubed Software.

News

  • 2019-12-03 v0.55:
    • olevba:
      • added support for SLK files and XLM macro extraction from SLK
      • VBA Stomping detection
      • integrated pcodedmp to extract and disassemble P-code
      • detection of suspicious keywords and IOCs in P-code
      • new option --pcode to display P-code disassembly
      • improved detection of auto execution triggers
    • rtfobj: added URL carver for CVE-2017-0199
    • better handling of unicode for systems with locale that does not support UTF-8, e.g. LANG=C (PR #365)
    • tests:
      • test files can now be encrypted, to avoid antivirus alerts (PR #217, issue #215)
      • tests that trigger antivirus alerts have been temporarily disabled (issue #215)
  • 2019-05-22 v0.54.2:
    • bugfix release: fixed several issues related to encrypted documents and XLM/XLF Excel 4 macros
    • msoffcrypto-tool is now installed by default to handle encrypted documents
    • olevba and msodde now handle documents encrypted with common passwords such as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.
  • 2019-04-04 v0.54:
    • olevba, msodde: added support for encrypted MS Office files
    • olevba: added detection and extraction of XLM/XLF Excel 4 macros (thanks to plugin_biff from Didier Stevens' oledump)
    • olevba, mraptor: added detection of VBA running Excel 4 macros
    • olevba: detect and display special characters such as backspace
    • olevba: colorized output showing suspicious keywords in the VBA code
    • olevba, mraptor: full Python 3 compatibility, no separate olevba3/mraptor3 anymore
    • olevba: improved handling of code pages and unicode
    • olevba: fixed a false-positive in VBA macro detection
    • rtfobj: improved OLE Package handling, improved Equation object detection
    • oleobj: added detection of external links to objects in OpenXML
    • replaced third party packages by PyPI dependencies
  • 2018-05-30 v0.53:
    • olevba and mraptor can now parse Word/PowerPoint 2007+ pure XML files (aka Flat OPC format)
    • improved support for VBA forms in olevba (oleform)
    • rtfobj now displays the CLSID of OLE objects, which is the best way to identify them. Known-bad CLSIDs such as MS Equation Editor are highlighted in red.
    • Updated rtfobj to handle obfuscated RTF samples.
    • rtfobj now handles the "\'" obfuscation trick seen in recent samples such as https://twitter.com/buffaloverflow/status/989798880295444480, by emulating the MS Word bug described in https://securelist.com/disappearing-bytes/84017/
    • msodde: improved detection of DDE formulas in CSV files
    • oledir now displays the tree of storages/streams, along with CLSIDs and their meaning.
    • common.clsid contains the list of known CLSIDs, and their links to CVE vulnerabilities when relevant.
    • oleid now detects encrypted OpenXML files
    • fixed bugs in oleobj, rtfobj, oleid, olevba

See the full changelog for more information.

Tools:

Tools to analyze malicious documents

  • oleid: to analyze OLE files to detect specific characteristics usually found in malicious files.
  • olevba: to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).
  • MacroRaptor: to detect malicious VBA Macros
  • msodde: to detect and extract DDE/DDEAUTO links from MS Office documents, RTF and CSV
  • pyxswf: to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis.
  • oleobj: to extract embedded objects from OLE files.
  • rtfobj: to extract embedded objects from RTF files.

Tools to analyze the structure of OLE files

  • olebrowse: a simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.
  • olemeta: to extract all standard properties (metadata) from OLE files.
  • oletimes: to extract creation and modification timestamps of all streams and storages.
  • oledir: to display all the directory entries of an OLE file, including free and orphaned entries.
  • olemap: to display a map of all the sectors in an OLE file.

Projects using oletools:

oletools are used by a number of projects and online malware analysis services, including ACE, Anlyz.io, AssemblyLine, CAPE, Cuckoo Sandbox, DARKSURGEON, Deepviz, dridex.malwareconfig.com, FAME, FLARE-VM, Hybrid-analysis.com, Joe Sandbox, LaikaBOSS, MacroMilter, mailcow, malshare.io, malware-repo, Malware Repository Framework (MRF), olefy, PeekabooAV, pcodedmp, PyCIRCLean, REMnux, Snake, SNDBOX, Strelka, stoQ, TheHive/Cortex, TSUGURI Linux, Vba2Graph, Viper, ViperMonkey, YOMI, and probably VirusTotal. And quite a few other projects on GitHub. (Please contact me if you have or know a project using oletools)

Download and Install:

The recommended way to download and install/update the latest stable release of oletools is to use pip:

  • On Linux/Mac: sudo -H pip install -U oletools
  • On Windows: pip install -U oletools

This should automatically create command-line scripts to run each tool from any directory: olevba, mraptor, rtfobj, etc.

To get the latest development version instead:

  • On Linux/Mac: sudo -H pip install -U https://github.com/decalage2/oletools/archive/master.zip
  • On Windows: pip install -U https://github.com/decalage2/oletools/archive/master.zip

See the documentation for other installation options.

Documentation:

The latest version of the documentation can be found online, otherwise a copy is provided in the doc subfolder of the package.

How to Suggest Improvements, Report Issues or Contribute:

This is a personal open-source project, developed in my spare time. Any contribution, suggestion, feedback or bug report is welcome.

To suggest improvements, report a bug or any issue, please use the issue reporting page, providing all the information and files to reproduce the problem.

You may also contact the author directly to provide feedback.

The code is available in a GitHub repository. You may use it to submit enhancements using forks and pull requests.

License

This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files published with their own license.

The python-oletools package is copyright (c) 2012-2019 Philippe Lagadec (http://www.decalage.info)

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

olevba contains modified source code from the officeparser project, published under the following MIT License (MIT):

officeparser is copyright (c) 2014 John William Davison

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


Files for oletools, version 0.55.1: oletools-0.55.1.zip (3.1 MB), file type: Source, Python version: None.

I have received a phishing email with the usual bogus bill in the form of a Word document. I am curious about what the probable virus wants to do so I would like to inspect the code. At the moment Word opens the docx in protected mode, and I am not going to disable that as I assume that the VBA macro would execute immediately. I know that a VM might be a solution, but excluding that (I don't have one to hand), is there a simple way to see the macro code without executing it? I'm thinking something like open it in Notepad or similar.

I know Notepad doesn't read .docx but along those lines. Microsoft Office files are actually nothing but glorified zip files. If you change the extension to .zip you can extract the content. There you should find the file word\vbaProject.bin that contains the VBA macros. However, as the extension suggests, this file is binary and is not much help in letting you read the source code. Fortunately Microsoft has published the specs for the format, and there are a number of programs that can help you. I have not tried any of them, but there is a nice list on. Check it out for more details!

These are the programs listed there:

A minor detail: A docx file should not contain a macro, as those are not allowed in docx files. According to: Word lets you save macros in two Word file types: a Word Macro-Enabled Document file (.docm) and a Word Macro-Enabled Template file (.dotm).

Upload it to VirusTotal. Not only will you find out how many antivirus programs detect it automatically and what their classification is, but on the 'File Details' tab you can see the macro and VBA code embedded in the document. Example (which I received several months ago in a message nearly identical to the one you describe):

Ok, this one was an old format Word Document (OLE Compound Document File), not the new ZIP+XML format. I'd be very surprised if the tools can't perform at least the same level of analysis on the DOCX.
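To illustrate the thread's points (a .docx is a ZIP container with word\vbaProject.bin inside, a .docx should not carry macros at all, and legacy .doc files are OLE2 compound files rather than ZIP+XML), here is an added triage helper that is not from the thread or from oletools. It reads the document's bytes without opening it in Office: it tells OLE2 from OpenXML by the header signature, looks for an embedded VBA project, and flags a project inside a package whose content types are not macroEnabled. The sample package it builds is constructed for testing and is not a real Word file.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 / Compound File header signature
# Where OpenXML packages (Word, Excel, PowerPoint) keep the embedded VBA project
VBA_PROJECT_PATHS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def triage_office_bytes(data: bytes) -> dict:
    """Classify the container and look for a VBA project; reads bytes only, executes nothing."""
    result = {"format": "unknown", "has_vba": False, "vba_entry": None, "notes": []}
    if data.startswith(OLE_MAGIC):
        # Legacy binary .doc/.xls/.ppt: macros live in OLE streams, which an OLE
        # parser such as olevba or oleid is needed to enumerate.
        result["format"] = "ole2"
        result["notes"].append("legacy OLE2 compound file; inspect streams with olevba/oleid")
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["notes"].append("neither OLE2 magic nor a readable ZIP archive")
        return result
    result["format"] = "openxml"
    names = set(zf.namelist())
    for path in VBA_PROJECT_PATHS:
        if path in names:
            result["has_vba"] = True
            result["vba_entry"] = path
            # The embedded project is itself an OLE2 file; anything else is suspicious
            if not zf.read(path).startswith(OLE_MAGIC):
                result["notes"].append(f"{path} does not start with OLE2 magic")
            break
    # .docm/.xlsm/.pptm declare a macroEnabled content type; a plain .docx does not
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
    if result["has_vba"] and "macroEnabled" not in ctypes:
        result["notes"].append("VBA project present but content types are not macroEnabled")
    return result


def build_sample_docx(with_vba: bool) -> bytes:
    """Constructed minimal OpenXML package for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
        zf.writestr("[Content_Types].xml", f'<Types><Override PartName="/word/document.xml" ContentType="{main}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:  # stand-in VBA project: correct OLE2 header, zero-filled body
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()
```

On a real attachment, pass the file's bytes to triage_office_bytes and hand anything reported as has_vba or ole2 to olevba for the actual macro extraction.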