This new version of oledump.py includes a new plugin to extract VBA code from PowerPoint files and an update to plugin plugin_http_heuristics.
plugin_http_heuristics was updated to increase the chance of success for the XOR dictionary attack, triggered by a maldoc sample I analyzed.
Two new options were added: -e and -k.
By default, plugin_http_heuristics searchers for keywords http: and https:. Using option -e, this list is extended with keywords msxml, adodb, shell, c:\, cmd and powershell.
With option -k, the default keyword list is replaced by your own list (using , as separator). Here I look for ftp (which is not present), remark that http is no longer detected:
oledump_V0_0_38.zip (https)
MD5: C1D7F71A390497A516F67D798BA25128
SHA256: 4CADEE69D024E9242CDA0CE3A9C22BCB1CAFF9D5BA2D946519C6B7C18F895B81
[…] Update: oledump.py Version 0.0.38 […]
Pingback by Week 43 – 2018 – This Week In 4n6 — Sunday 28 October 2018 @ 3:55
[…] Update: oledump.py Version 0.0.38 […]
Pingback by Overview of Content Published in October | Didier Stevens — Friday 2 November 2018 @ 0:00