Didier Stevens

Friday 11 March 2016

Update: oledump.py Version 0.0.23

Filed under: maldoc,Malware,My Software,Update — Didier Stevens @ 9:44

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“. Use promo-code SPRING16 for a 10% discount.

This new version of oledump brings an update to the –cut option and a new plugin: plugin_hifo.

As I documented in this ISC Diary entry, maldocs can store URLs in properties of userforms:

20160221-185714

The plugin plugin_hifo is a simple plugin that looks for streams that end with /o and then searches for strings starting with http (hence the name: http in form /o).

20160311-103509

oledump_V0_0_23.zip (https)
MD5: 991910FF4AA47808A5BBCE0CC109D41A
SHA256: 612B6FD06856C7790D2F66B29286E7B89D35D8354ADB167CA512CC1CDE3F6C47

1 Comment »

  1. […] Didier Stevens updated oledump to version 0.0.23 with an update to the cut option and a new plugin: plugin_hifo. The new plugin looks for streams that end with /o and then searches for strings starting with http. Update: oledump.py Version 0.0.23 […]

    Pingback by Week 10 – 2016 – Thisweekin4n6 — Sunday 13 March 2016 @ 12:46


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.