oletools - Tools to analyze MS OLE2 files and MS Office documents, for malware analysis, forensics and debugging

Friday, April 7, 2017

oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.

  • 2016-11-01 v0.50: all oletools now support python 2 and 3.
    • olevba: several bugfixes and improvements.
    • mraptor: improved detection, added mraptor_milter for Sendmail/Postfix integration.
    • rtfobj: brand new RTF parser, obfuscation-aware, improved display, detect executable files in OLE Package objects.
    • setup: now creates handy command-line scripts to run oletools from any directory.
  • 2016-06-10 v0.47: olevba added PPT97 macros support, improved handling of malformed/incomplete documents, improved error handling and JSON output, now returns an exit code based on analysis results, new --relaxed option. rtfobj: improved parsing to handle obfuscated RTF documents, added -d option to set output dir. Moved repository and documentation to GitHub.
  • 2016-04-19 v0.46: olevba does not deobfuscate VBA expressions by default (much faster), new option --deobf to enable it. Fixed color display bug on Windows for several tools.
  • 2016-04-12 v0.45: improved rtfobj to handle several anti-analysis tricks, improved olevba to export results in JSON format.
See the full changelog for more information.

  • olebrowse: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.
  • oleid: to analyze OLE files to detect specific characteristics usually found in malicious files.
  • olemeta: to extract all standard properties (metadata) from OLE files.
  • oletimes: to extract creation and modification timestamps of all streams and storages.
  • oledir: to display all the directory entries of an OLE file, including free and orphaned entries.
  • olemap: to display a map of all the sectors in an OLE file.
  • olevba: to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).
  • MacroRaptor: to detect malicious VBA Macros
  • pyxswf: to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis.
  • oleobj: to extract embedded objects from OLE files.
  • rtfobj: to extract embedded objects from RTF files.
  • and a few others (coming soon)

Projects using oletools:
oletools are used by a number of projects and online malware analysis services, including Viper, REMnux, FAME, Hybrid-analysis.com, Joe Sandbox, Deepviz, Laika BOSS, Cuckoo Sandbox, Anlyz.io, ViperMonkey, pcodedmp, dridex.malwareconfig.com, and probably VirusTotal. (Please contact me if you have or know a project using oletools)

Download and Install:
The recommended way to download and install/update the latest stable release of oletools is to use pip:
  • On Linux/Mac: sudo -H pip install -U oletools
  • On Windows: pip install -U oletools
This should automatically create command-line scripts to run each tool from any directory: olevba, mraptor, rtfobj, etc.
To get the latest development version instead:
  • On Linux/Mac: sudo -H pip install -U https://github.com/decalage2/oletools/archive/master.zip
  • On Windows: pip install -U https://github.com/decalage2/oletools/archive/master.zip
See the documentation for other installation options.

The latest version of the documentation can be found online, otherwise a copy is provided in the doc subfolder of the package.

Subscribe via e-mail for updates!