This new version of oledump.py adds option –vbadecompressskipattributes to decompress VBA code while skipping the initial attribute definitions (those that are hidden in the MS Office VBA Editor).
Here is an example of output with option -v you are familiar with:
When replacing option -v with option –vbadecompressskipattributes, the initial attributes are no longer displayed:
These attributes are actually hidden in the MS Office VBA Editor:
I added this option because lately, I’ve analyzed several samples where I had to extract all strings for further decoding, and the strings in the attribute definitions were interfering with the decoding. With this new options, I can prevent these strings from appearing in the output.
plugin_msg.py was updated to version 0.0.3 to include plugin option -k, to display only known MSG streams.
oledump_V0_0_37.zip (https)
MD5: BBC2F3B57266B557307E12E8BC950F98
SHA256: 573C73110CA35EE6451FD14EE7B7DCA3B53FF624ECCFF824799DA59F7767DA68
Didier Stevens 
[…] Update: oledump.py Version 0.0.37 […]
Pingback by Week 33 – 2018 – This Week In 4n6 — Sunday 19 August 2018 @ 9:06
[…] Update: oledump.py Version 0.0.37 […]
Pingback by Overview of Content Published in August | Didier Stevens — Wednesday 5 September 2018 @ 0:00