Didier Stevens

Wednesday 19 December 2018

Update:oledump.py Version 0.0.40

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version adds option --password to use a different password than infected for samples inside password-protected ZIP files.

And plugin_biff adds support for MS Excel 4.0 macros.

oledump_V0_0_40.zip (https)
MD5: 4013CC3A01D4CAE481EAA099A080B07F
SHA256: C5EC0B7B1EFA69D9EB6572F61D866ECEA7952FEADA06943377F8178C7A252E70

9 Comments »

  1. This can be used with xlsx (it is different from xls)?
    I tried to use it (Python 3.6.4) like you wrote in oledump.py and your article:

    C:\Python364>python.exe oledump_V0_0_40\oledump.py test.xlsx
    File "oledump_V0_0_40\oledump.py", line 974
    exec open(plugin, 'r') in globals(), globals()
    ^
    SyntaxError: invalid syntax

    C:\Python364>python.exe oledump_V0_0_40\oledump.py test.xls
    File "oledump_V0_0_40\oledump.py", line 974
    exec open(plugin, 'r') in globals(), globals()
    ^
    SyntaxError: invalid syntax

    C:\Python364>python.exe oledump_V0_0_40\oledump.py -p plugin_biff --pluginoptions "-o BOUNDSHEET" test.xls
    File "oledump_V0_0_40\oledump.py", line 974
    exec open(plugin, 'r') in globals(), globals()
    ^
    SyntaxError: invalid syntax

    Comment by Cătălin George Feștilă — Wednesday 19 December 2018 @ 13:56

  2. This is a Python 2 program.

    Comment by Didier Stevens — Sunday 23 December 2018 @ 8:14

  3. […] Update:oledump.py Version 0.0.40 […]

    Pingback by Overview of Content Published in December | Didier Stevens — Tuesday 1 January 2019 @ 0:01

  4. How do i know what does the Auto_Open execute? I have a sample that doesn’t seem to have that label when opened in Excel, but your tool suggests it’s there somewhere:

    Plugin: BIFF plugin
    0018 28 LABEL : Cell Value, String Constant – build-in-name 1 Auto_Open
    00000000: 21 00 00 06 07 00 00 00 !…….
    00000008: 00 00 00 00 00 00 00 01 ……..
    00000010: 65 79 66 76 37 3A 00 00 eyfv7:..
    ' 00000018: FB A0 46 00 \xfb\xa0F.'
    002a 2 PRINTHEADERS : Print Row/Column Labels
    00000000: 00 00 ..
    00fd 10 LABELSST : Cell Value, String Constant/ SST
    ' 00000000: 5E F5 CE 00 0F 00 00 00 ^\xf5\xce.....'
    00000008: 00 00 ..
    002a 2 PRINTHEADERS : Print Row/Column Labels
    00000000: 00 00 ..

    Comment by Anon Bluehat — Wednesday 13 May 2020 @ 10:28

  5. Ah yes, this is a Zloader maldoc I suppose? Can you share the hash?

    The last 4 bytes of LABEL give you the row and columns (2 bytes, little-endian): FB A0 46 00

    0x0046 -> 70. So that’s column 71 (IIRC the index is 0 based for columns and rows).

    Comment by Didier Stevens — Wednesday 13 May 2020 @ 10:33
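
    The decoding described in the reply above, carried through for the whole record, as an added example (this is not code from oledump.py or plugin_biff). It parses the 28 LABEL (Lbl) record bytes quoted in comment 4 following the MS-XLS Lbl layout: a 14-byte header (grbit, chKey, cch, cce, reserved3, itab, four reserved bytes), the name string with its leading flag byte, then the rgce formula. The name of a built-in Lbl starts with a one-byte identifier (0x01 = Auto_Open), and anything after that byte is extra text Excel does not show, which is why the label is hard to spot in the Name box. The formula here is a single PtgRef3d (ptg 0x3A, ixti, row, column), whose final four bytes are the row and column the reply points at; the 0-based column 70 is column BS in A1 notation. The record bytes are retyped from the comment; the function and variable names are this example's own.

    ```python
    import struct

    # Built-in name identifiers of a BIFF Lbl record with fBuiltin set (MS-XLS).
    BUILTIN_NAMES = {
        0x00: "Consolidate_Area", 0x01: "Auto_Open", 0x02: "Auto_Close",
        0x03: "Extract", 0x04: "Database", 0x05: "Criteria", 0x06: "Print_Area",
        0x07: "Print_Titles", 0x08: "Recorder", 0x09: "Data_Form",
        0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate", 0x0C: "Sheet_Title",
        0x0D: "_FilterDatabase",
    }

    PTG_REF3D = {0x3A, 0x5A, 0x7A}  # PtgRef3d in reference, value and array class

    # The 28 LABEL record bytes quoted in comment 4 above, retyped for this example.
    LABEL_FROM_COMMENT = bytes.fromhex(
        "21000006070000000000000000000001"
        "65796676373A0000FBA04600"
    )


    def col_letters(col):
        """0-based column index -> A1-style column letters (0 -> A, 70 -> BS)."""
        n = col + 1
        out = ""
        while n:
            n, r = divmod(n - 1, 26)
            out = chr(ord("A") + r) + out
        return out


    def parse_lbl(data):
        """Parse a BIFF8 Lbl record body; if its formula is one PtgRef3d,
        also return the sheet-relative cell it points at."""
        grbit, chkey, cch, cce, _reserved3, itab = struct.unpack_from("<HBBHHH", data, 0)
        pos = 14  # grbit(2) chKey(1) cch(1) cce(2) reserved3(2) itab(2) reserved4..7(4)
        flags = data[pos]
        pos += 1
        high_byte = flags & 0x01  # fHighByte: 1 = UTF-16LE chars, 0 = one byte per char
        raw = data[pos:pos + cch * (2 if high_byte else 1)]
        pos += len(raw)
        name = raw.decode("utf-16-le") if high_byte else raw.decode("latin-1")

        builtin = bool(grbit & 0x0020)  # fBuiltin
        hidden = bool(grbit & 0x0001)   # fHidden
        if builtin:
            # First character is the built-in id; any trailing characters are
            # extra text that Excel does not display for the built-in name.
            ident = ord(name[0])
            display = BUILTIN_NAMES.get(ident, "builtin_%02X" % ident)
            suffix = name[1:]
        else:
            display, suffix = name, ""

        rgce = data[pos:pos + cce]
        result = {"builtin": builtin, "hidden": hidden, "name": display,
                  "suffix": suffix, "itab": itab, "rgce": rgce}
        if rgce and rgce[0] in PTG_REF3D and len(rgce) >= 7:
            # PtgRef3d: ptg(1) ixti(2) row(2) col(2), all little-endian
            ixti, row, colword = struct.unpack_from("<HHH", rgce, 1)
            col = colword & 0x3FFF  # bits 14 and 15 are colRelative/rowRelative
            result.update(ixti=ixti, row=row, col=col,
                          ref="%s%d" % (col_letters(col), row + 1))
        return result


    if __name__ == "__main__":
        rec = parse_lbl(LABEL_FROM_COMMENT)
        print("name      :", rec["name"], "(hidden)" if rec["hidden"] else "")
        print("suffix    :", repr(rec["suffix"]))
        print("row, col  :", rec["row"], rec["col"], "(0-based)")
        print("A1 ref    :", rec["ref"])
    ```

    Run against the bytes from comment 4 it reports the built-in name Auto_Open, hidden, with the trailing text "eyfv7", a 0-based row of 41211 and column of 70, i.e. cell BS41212 on the sheet selected by ixti.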

  6. C:\lab_files>python oledump.py document1.xls
    File "oledump.py", line 335
    exec open(plugin, 'r') in globals(), globals()
    ^
    SyntaxError: invalid syntax

    Comment by SM-M — Sunday 20 September 2020 @ 21:13

  7. Sorry – my comment was the one above (#6). This is the error I’m getting and I’m not sure what I’m missing. I am new at all this so I apologize if the question is asinine

    Comment by SM-M — Sunday 20 September 2020 @ 21:15

  8. This is the error I’m getting and I’m not sure what I’m missing. I am new at all this so I apologize if the question is asinine:

    C:\Users\Mohorov\Desktop\Lab4_temp\lab_files>python oledump.py document1.xls
    File "oledump.py", line 335
    exec open(plugin, 'r') in globals(), globals()
    ^
    SyntaxError: invalid syntax

    Comment by SM-M — Sunday 20 September 2020 @ 21:15

  9. This looks like you are using Python 3, and an old version of oledump.py (0.0.40) that does not support Python 3.

    Comment by Didier Stevens — Wednesday 30 September 2020 @ 16:23

