Didier Stevens

Monday 10 February 2020

Update: oledump.py Version 0.0.45

Filed under: maldoc,My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py has a feature to display Ad Hoc YARA rules using option --verbose.

In this example, I show a string Ad Hoc YARA rule to search for string attri (-y #s#attri). By including option --verbose, the YARA rule generated by oledump for string attri is displayed first:

Plugin plugin_http_heuristics has a new option: -c --contains.

By default, plugin_http_heuristics looks for (obfuscated) strings that start with keywords (http:// and https:// by default). Option -c changes this behavior: when this option is used, the keywords are searched in the entire string, and not just at the start.
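To make the difference between the two modes concrete, here is an added example (my own simplified imitation, not the plugin's code) that decodes a few constructed VBA string expressions and then matches keywords either at the start of the decoded string (the default) or anywhere in it (option -c). The Chr()/&/StrReverse handling is an assumed subset of what the real plugin recognises.

```python
import re

# Constructed VBA string expressions, as they could appear in a macro stream (not real malware).
SAMPLE_STRINGS = [
    '"http://example.invalid/a.png"',
    'StrReverse("exe.tset/dilavni.elpmaxe//:sptth")',
    '"C:\\Users\\Public\\update.exe"',
    'Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & "evil.invalid"',
    '"Msg" & "Box"',
]

_CHR_RE = re.compile(r'Chr\((\d+)\)', re.IGNORECASE)
_STRREV_RE = re.compile(r'StrReverse\((.*)\)', re.IGNORECASE | re.DOTALL)


def deobfuscate(expr):
    """Reduce a simple VBA string expression to the string it evaluates to.
    Assumed subset: "literal", Chr(n), & concatenation, StrReverse(...).
    Returns None when the expression is not a static string."""
    m = _STRREV_RE.fullmatch(expr.strip())
    if m:
        inner = deobfuscate(m.group(1))
        return None if inner is None else inner[::-1]
    parts = []
    for token in re.split(r'\s*&\s*', expr.strip()):
        m = _CHR_RE.fullmatch(token)
        if m:
            parts.append(chr(int(m.group(1))))
        elif len(token) >= 2 and token[0] == '"' and token[-1] == '"':
            parts.append(token[1:-1])
        else:
            return None
    return ''.join(parts)


def find_keywords(strings, keywords=('http://', 'https://'), contains=False):
    """Default: the decoded string must start with a keyword.
    contains=True (the -c option): the keyword may appear anywhere."""
    hits = []
    for raw in strings:
        decoded = deobfuscate(raw)
        if decoded is None:
            continue
        low = decoded.lower()
        if any((kw.lower() in low) if contains else low.startswith(kw.lower()) for kw in keywords):
            hits.append((raw, decoded))
    return hits


if __name__ == '__main__':
    for raw, decoded in find_keywords(SAMPLE_STRINGS, ('.exe',), contains=True):
        print(decoded, '<-', raw)
```

With the default keywords the reversed and Chr()-built URLs are found because they start with http(s)://; the dropped-file path is only found with contains=True and keyword ".exe".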

In this example, I use this feature to search for the filename of the dropped executable (strings containing “.exe”):

And I also include plugin_vba: this is an old plugin that I had not released until now. It searches for string concatenation in VBA code.

Video:

oledump_V0_0_45.zip (https)
MD5: FB9694358CCEAE4AFDFCF97FDA0D5205
SHA256: FB75B1E19E5067751E2DE1AD21826245B7E11EDBE03278566484754F606F3965

2 Comments »

  1. […] Blog post: Update: oledump.py Version 0.0.45 […]

    Pingback by oledump: plugin_http_heuristics – Didier Stevens Videos — Monday 10 February 2020 @ 20:02

  2. […] Update: oledump.py Version 0.0.45 […]

    Pingback by Week 7 – 2020 – This Week In 4n6 — Sunday 16 February 2020 @ 7:34

