This new version adds option --password to use a different password than infected for samples inside password-protected ZIP files.
And plugin_biff adds support for MS Excel 4.0 macros:
oledump_V0_0_40.zip (https)
MD5: 4013CC3A01D4CAE481EAA099A080B07F
SHA256: C5EC0B7B1EFA69D9EB6572F61D866ECEA7952FEADA06943377F8178C7A252E70
This can be used with xlsx (is different but xls)?
I try to use (Python 3.6.4) like you wrote into oledump.py and your article:
C:\Python364>python.exe oledump_V0_0_40\oledump.py test.xlsx
File "oledump_V0_0_40\oledump.py", line 974
exec open(plugin, 'r') in globals(), globals()
^
SyntaxError: invalid syntax
C:\Python364>python.exe oledump_V0_0_40\oledump.py test.xls
File "oledump_V0_0_40\oledump.py", line 974
exec open(plugin, 'r') in globals(), globals()
^
SyntaxError: invalid syntax
C:\Python364>python.exe oledump_V0_0_40\oledump.py -p plugin_biff --pluginoptions "-o BOUNDSHEET" test.xls
File "oledump_V0_0_40\oledump.py", line 974
exec open(plugin, 'r') in globals(), globals()
^
SyntaxError: invalid syntax
Comment by Cătălin George Feștilă — Wednesday 19 December 2018 @ 13:56
This is a Python 2 program.
Comment by Didier Stevens — Sunday 23 December 2018 @ 8:14
How do I know what the Auto_Open executes? I have a sample that doesn’t seem to have that label when opened in Excel, but your tool suggests it’s there somewhere:
Plugin: BIFF plugin
0018 28 LABEL : Cell Value, String Constant - build-in-name 1 Auto_Open
00000000: 21 00 00 06 07 00 00 00 !.......
00000008: 00 00 00 00 00 00 00 01 ........
00000010: 65 79 66 76 37 3A 00 00 eyfv7:..
' 00000018: FB A0 46 00 \xfb\xa0F.'
002a 2 PRINTHEADERS : Print Row/Column Labels
00000000: 00 00 ..
00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00000000: 5E F5 CE 00 0F 00 00 00 ^\xf5\xce.....'
00000008: 00 00 ..
002a 2 PRINTHEADERS : Print Row/Column Labels
00000000: 00 00 ..
Comment by Anon Bluehat — Wednesday 13 May 2020 @ 10:28
Ah yes, this is a Zloader maldoc I suppose? Can you share the hash?
The last 4 bytes of LABEL give you the row and columns (2 bytes, little-endian): FB A0 46 00
0x0046 -> 70. So that’s column 71 (IIRC the index is 0 based for columns and rows).
Comment by Didier Stevens — Wednesday 13 May 2020 @ 10:33
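The decoding described in the reply above, as an added example (not code from oledump.py or from the post's author): it rebuilds the LABEL record bytes from the quoted dump and reads the trailing row and column. The function names, the 0-based indexing (stated with "IIRC" in the reply) and the conversion to an A1-style cell reference are assumptions.

```python
import re
import struct

# Constructed sample: the LABEL record dump quoted in the comment above,
# with the ASCII column written as plain dots.
SAMPLE_DUMP = """\
00000000: 21 00 00 06 07 00 00 00 !.......
00000008: 00 00 00 00 00 00 00 01 ........
00000010: 65 79 66 76 37 3A 00 00 eyfv7:..
' 00000018: FB A0 46 00 \\xfb\\xa0F.'
"""

DUMP_LINE = re.compile(r"([0-9A-Fa-f]{8}):\s+(.*)")
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")
BYTES_PER_LINE = 8  # assumption: dump width as shown in the comment


def bytes_from_dump(dump):
    """Rebuild the record bytes from dump lines, skipping the ASCII column."""
    data = bytearray()
    for line in dump.splitlines():
        match = DUMP_LINE.search(line)
        if not match:
            continue
        if int(match.group(1), 16) != len(data):
            raise ValueError("gap or overlap at offset " + match.group(1))
        for token in match.group(2).split()[:BYTES_PER_LINE]:
            if not HEX_BYTE.fullmatch(token):
                break  # reached the ASCII column
            data.append(int(token, 16))
    return bytes(data)


def column_letters(index):
    """0-based column index to letters: 0 -> A, 25 -> Z, 26 -> AA."""
    letters, index = "", index + 1
    while index:
        index, rem = divmod(index - 1, 26)
        letters = chr(ord("A") + rem) + letters
    return letters


def label_target(record):
    """Read the last 4 bytes as row and column, 2 bytes each, little-endian."""
    if len(record) < 4:
        raise ValueError("record too short")
    row, col = struct.unpack("<HH", record[-4:])
    # Assumption: both indices are 0-based, so the sheet row is row + 1.
    return row, col, "%s%d" % (column_letters(col), row + 1)
```

For the quoted record, `label_target(bytes_from_dump(SAMPLE_DUMP))` gives row index 41211 and column index 70, the far-off cell where the Auto_Open name points.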
C:\lab_files>python oledump.py document1.xls
File "oledump.py", line 335
exec open(plugin, 'r') in globals(), globals()
^
SyntaxError: invalid syntax
Comment by SM-M — Sunday 20 September 2020 @ 21:13
Sorry – my comment was the one above (#6). This is the error I’m getting and I’m not sure what I’m missing. I am new at all this so I apologize if the question is asinine
Comment by SM-M — Sunday 20 September 2020 @ 21:15
This is the error I’m getting and I’m not sure what I’m missing. I am new at all this so I apologize if the question is asinine:
C:\Users\Mohorov\Desktop\Lab4_temp\lab_files>python oledump.py document1.xls
File "oledump.py", line 335
exec open(plugin, 'r') in globals(), globals()
^
SyntaxError: invalid syntax
Comment by SM-M — Sunday 20 September 2020 @ 21:15
This looks like you are using Python 3, and an old version of oledump.py (0.0.40) that does not support Python 3.
Comment by Didier Stevens — Wednesday 30 September 2020 @ 16:23