Skip to content

Changelog

Jump to bottom
Philippe Lagadec edited this page May 28, 2024 · 69 revisions

Python-oletools Changelog

  • 2024-05-28 v0.60.2dev5:

    • olevba:
      • fixed a bug in open_slk (issue #797, PR #769)
      • fixed a bug due to new PROJECTCOMPATVERSION record in dir stream (PR #723, issues #700, #701, #725, #791, #808, #811, #833)
    • oleobj: fixed SyntaxError with Python 3.12 (PR #855), SyntaxWarning (PR #774)
    • rtfobj: fixed SyntaxError with Python 3.12 (PR #854)
    • clsid: added CLSIDs for MSI, Zed
    • ftguess: added MSI, PNG and OneNote formats
    • setup/requirements: allow pyparsing 3 to solve install issues (PR #812, issue #762)

  • 2022-05-09 v0.60.1:

    • olevba:
      • fixed a bug when calling XLMMacroDeobfuscator (PR #737)
      • removed keyword "sample" causing false positives
    • oleid: fixed OleID init issue (issue #695, PR #696)
    • oleobj:
      • added simple detection of CVE-2021-40444 initial stage
      • added detection for customUI onLoad
      • improved handling of incorrect filenames in OLE package (PR #451)
    • rtfobj: fixed code to find URLs in OLE2Link objects for Py3 (issue #692)
    • ftguess:
      • added PowerPoint and XPS formats (PR #716)
      • fixed issue with XPS and malformed documents (issue #711)
      • added XLSB format (issue #758)
    • improved logging with common module log_helper (PR #449)

  • 2021-06-02 v0.60:

    • ftguess: new tool to identify file formats and containers (issue #680)
    • oleid: (issue #679)
      • each indicator now has a risk level
      • calls ftguess to identify file formats
      • calls olevba+mraptor to detect and analyse VBA+XLM macros
    • olevba:
      • when XLMMacroDeobfuscator is available, use it to extract and deobfuscate XLM macros
    • rtfobj:
      • use ftguess to identify file type of OLE Package (issue #682)
      • fixed bug in re_executable_extensions
    • crypto: added PowerPoint transparent password '/01Hannes Ruescher/01' (issue #627)
    • setup: XLMMacroDeobfuscator, xlrd2 and pyxlsb2 added as optional dependencies

  • 2021-05-07 v0.56.2:

    • olevba:
      • updated plugin_biff to v0.0.22 to fix a bug (issues #647, #674)
    • olevba, mraptor:
      • added detection of Workbook_BeforeClose (issue #518)
    • rtfobj:
      • fixed bug when OLE package class name ends with null characters (issue #507, PR #648)
    • oleid:
      • fixed bug in check_excel (issue #584, PR #585)
    • clsid:
      • added several CLSIDs related to MS Office click-to-run issue CVE-2021-27058
      • added checks to ensure that all CLSIDs are uppercase (PR #678)

  • 2021-04-02 v0.56.1:

    • olevba:
      • fixed bug when parsing some malformed files (issue #629)
    • oleobj:
      • fixed bug preventing detection of links 'externalReference', 'frame', 'hyperlink' (issue #641, PR #670)
    • setup:
      • avoid installing msoffcrypto-tool when platform is PyPy+Windows (issue #473)
      • PyPI version is now a wheel package to improve installation and avoid antivirus false positives due to test files (issues #215, #398)

  • 2020-09-28 v0.56:

    • olevba/mraptor:
      • added detection of trigger _OnConnecting
    • olevba:
      • updated plugin_biff to v0.0.17 to improve Excel 4/XLM macros parsing
      • added simple analysis of Excel 4/XLM macros in XLSM files (PR #569)
      • added detection of template injection (PR #569)
      • added detection of many suspicious keywords (PR #591 and #569, see https://www.certego.net/en/news/advanced-vba-macros/)
      • improved MHT detection (PR #532)
      • added --no-xlm option to disable Excel 4/XLM macros parsing (PR #532)
      • fixed bug when decompressing raw chunks in VBA (issue #575)
      • fixed bug with email package due to monkeypatch for MHT parsing (issue #602, PR #604)
      • fixed option --relaxed (issue #596, PR #595)
      • enabled relaxed mode by default (issues #477, #593)
      • fixed detect_vba_macros to always return VBA code as unicode on Python 3 (issues #455, #477, #587, #593)
      • replaced option --pcode by --show-pcode and --no-pcode, replaced optparse by argparse (PR #479)
    • oleform: improved form parsing (PR #532)
    • oleobj: "Ole10Native" is now case insensitive (issue #541)
    • clsid: added PDF (issue #552), Microsoft Word Picture (issue #571)
    • ppt_parser: fixed bug on Python 3 (issues #177, #607, PR #450)

  • 2019-12-16 v0.55.2:

    • rtfobj:
      • removed "\rtf" from the list of destination control words (issue #522)
      • fixed process_file to detect Equation class (issue #525)

  • 2019-12-03 v0.55:

    • olevba:
      • added support for SLK files and XLM macro extraction from SLK
      • VBA Stomping detection
      • integrated pcodedmp to extract and disassemble P-code
      • detection of suspicious keywords and IOCs in P-code
      • new option --pcode to display P-code disassembly
      • improved detection of auto execution triggers
    • rtfobj: added URL carver for CVE-2017-0199
    • better handling of unicode for systems with locale that does not support UTF-8, e.g. LANG=C (PR #365)
    • tests:
      • test files can now be encrypted, to avoid antivirus alerts (PR #217, issue #215)
      • tests that trigger antivirus alerts have been temporarily disabled (issue #215)

  • 2019-05-22 v0.54.2:

    • msoffcrypto-tool is now a required dependency (simplified install)
    • plugin_biff: fixed issues #428, #434 and #444, improved Python 3 support
    • olevba, msodde, crypto: improved handling of encrypted files (PR #441)
    • olevba: initialize VBA_Parser.xlm_macros (fixes #433)
    • various fixes (PR #446)
    • olevba and msodde now handle documents encrypted with common passwords such as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.

  • 2019-04-09 v0.54.1:

    • olevba: decompress_stream now accepts both bytes and bytearray (fixes #422)

  • 2019-04-04 v0.54:

    • olevba, msodde: added support for encrypted MS Office files
    • olevba: added detection and extraction of XLM/XLF Excel 4 macros (thanks to plugin_biff from Didier Stevens' oledump)
    • olevba, mraptor: added detection of VBA running Excel 4 macros
    • olevba: detect and display special characters such as backspace
    • olevba: colorized output showing suspicious keywords in the VBA code
    • olevba, mraptor: full Python 3 compatibility, no separate olevba3/mraptor3 anymore
    • olevba: improved handling of code pages and unicode
    • olevba: fixed a false-positive in VBA macro detection
    • rtfobj: improved OLE Package handling, improved Equation object detection
    • oleobj: added detection of external links to objects in OpenXML
    • replaced third party packages by PyPI dependencies

  • 2018-06-13 v0.53.1:

    • rtfobj: fixed issue #316, whitespace after \bin on Python 3
    • olevba3: fixed #320, chr instead of unichr on python 3
    • olevba3: fixed #322, import reduce from functools

  • 2018-05-30 v0.53:

    • olevba and mraptor can now parse Word/PowerPoint 2007+ pure XML files (aka Flat OPC format)
    • improved support for VBA forms in olevba (oleform)
    • rtfobj now displays the CLSID of OLE objects, which is the best way to identify them. Known-bad CLSIDs such as MS Equation Editor are highlighted in red.
    • Updated rtfobj to handle obfuscated RTF samples.
    • rtfobj now handles the "\'" obfuscation trick seen in recent samples such as https://twitter.com/buffaloverflow/status/989798880295444480, by emulating the MS Word bug described in https://securelist.com/disappearing-bytes/84017/
    • msodde: improved detection of DDE formulas in CSV files
    • oledir now displays the tree of storage/streams, along with CLSIDs and their meaning.
    • common.clsid contains the list of known CLSIDs, and their links to CVE vulnerabilities when relevant.
    • oleid now detects encrypted OpenXML files
    • fixed bugs in oleobj, rtfobj, oleid, olevba

  • 2018-03-11 v0.52.2:

    • Fixed issue #265 (error when installing on Python 3)

  • 2018-02-18 v0.52:

    • New tool msodde to detect and extract DDE links from MS Office files, RTF and CSV;
    • Fixed bugs in olevba, rtfobj and olefile, to better handle malformed/obfuscated files;
    • Performance improvements in olevba and rtfobj;
    • VBA form parsing in olevba;
    • Office 2007+ support in oleobj.

  • 2017-06-29 v0.51:

    • added the oletools cheatsheet
    • improved rtfobj to handle malformed RTF files, detect vulnerability CVE-2017-0199
    • olevba: improved deobfuscation and Mac files support
    • mraptor: added more ActiveX macro triggers
    • added DocVarDump.vba to dump document variables using Word
    • olemap: can now detect and extract extra data at end of file, improved display
    • oledir, olemeta, oletimes: added support for zip files and wildcards
    • many bugfixes in all the tools
    • improved Python 2+3 support

  • 2016-11-01 v0.50: all oletools now support python 2 and 3.

    • olevba: several bugfixes and improvements.
    • mraptor: improved detection, added mraptor_milter for Sendmail/Postfix integration.
    • rtfobj: brand new RTF parser, obfuscation-aware, improved display, detect executable files in OLE Package objects.
    • setup: now creates handy command-line scripts to run oletools from any directory.

  • 2016-06-10 v0.47: olevba added PPT97 macros support, improved handling of malformed/incomplete documents, improved error handling and JSON output, now returns an exit code based on analysis results, new --relaxed option. rtfobj: improved parsing to handle obfuscated RTF documents, added -d option to set output dir. Moved repository and documentation to GitHub.

  • 2016-04-19 v0.46: olevba does not deobfuscate VBA expressions by default (much faster), new option --deobf to enable it. Fixed color display bug on Windows for several tools.

  • 2016-04-12 v0.45: improved rtfobj to handle several anti-analysis tricks, improved olevba to export results in JSON format.

  • 2016-03-11 v0.44: improved olevba to extract and analyse strings from VBA Forms.

  • 2016-03-04 v0.43: added new tool MacroRaptor (mraptor) to detect malicious macros, bugfix and slight improvements in olevba.

  • 2016-02-07 v0.42: added two new tools oledir and olemap, better handling of malformed files and several bugfixes in olevba, improved display for olemeta.

  • 2015-09-22 v0.41: added new --reveal option to olevba, to show the macro code with VBA strings deobfuscated.

  • 2015-09-17 v0.40: Improved macro deobfuscation in olevba, to decode Hex and Base64 within VBA expressions. Display printable deobfuscated strings by default. Improved the VBA_Parser API. Improved performance. Fixed issue #23 with sys.stderr.

  • 2015-06-19 v0.12: olevba can now deobfuscate VBA expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &, using a VBA parser built with pyparsing. New options to display only the analysis results or only the macros source code. The analysis is now done on all the VBA modules at once.

  • 2015-05-29 v0.11: Improved parsing of MHTML and ActiveMime/MSO files in olevba, added several suspicious keywords to VBA scanner (thanks to @ozhermit and Davy Douhine for the suggestions)

  • 2015-05-06 v0.10: olevba now supports Word MHTML files with macros, aka "Single File Web Page" (.mht) - see issue #10 for more info

  • 2015-03-23 v0.09: olevba now supports Word 2003 XML files, added anti-sandboxing/VM detection

  • 2015-02-08 v0.08: olevba can now decode strings obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western codepages with olefile 0.42, improved API and display, several bugfixes.

  • 2015-01-05 v0.07: improved olevba to detect suspicious keywords and IOCs in VBA macros, can now scan several files and open password-protected zip archives, added a Python API, upgraded OleFileIO_PL to olefile v0.41

  • 2014-08-28 v0.06: added olevba, a new tool to extract VBA Macro source code from MS Office documents (97-2003 and 2007+). Improved documentation

  • 2013-07-24 v0.05: added new tools olemeta and oletimes

  • 2013-04-18 v0.04: fixed bug in rtfobj, added documentation for rtfobj

  • 2012-11-09 v0.03: Improved pyxswf to extract Flash objects from RTF

  • 2012-10-29 v0.02: Added oleid

  • 2012-10-09 v0.01: Initial version of olebrowse and pyxswf

See also the changelog in each source file for more details.

Clone this wiki locally