Didier Stevens

Tuesday 6 October 2020

Update: oledump.py Version 0.0.54

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py adds a new variable for option -E: %MOFULEINFO%

This variable need to be used together with option -i: it contains the size of the compiled VBA code and the compressed VBA code. For example: 123+65.

There’s a new option (-s) for plugin plugin_http_heuristics: with this option, the plugin ignores space characters (useful for hexadecimal bytes separated by a space character, for example).

And there is a new plugin: plugin_msg_summary. This is a new type of plugin, a plugin that operates on the complete document. Before, plugins could only operate on individual streams, and were instantiated for each stream.

This plugin produces a summary of a .msg file (something we needed for our “Epic Manchego” research).

Here is an example:

This plugin has a couple of options, for example to produce JSON output or to add header or body information:



  1. First of all thank you for providing your excellent tools.

    A more general topic:

    Having analyzed dozens of MS-Office samples (here the focus on OOXML) from the malware-bazaar the question was, is there an easy way to identify the malware without Anti-Virus-software.

    A trial with checking only the magic-bytes, the existence of the elementary components like ‘docProps/core.xml’ etc and the special password “Velvet…” were promising.

    Depending on preferences Python or VBA are possible.

    Is there a chance to test the concept “in real live”?

    Comment by No — Thursday 8 October 2020 @ 8:44

  2. You can try YARA

    Comment by Didier Stevens — Thursday 8 October 2020 @ 19:15

  3. […] Blog post: Update: oledump.py Version 0.0.54 […]

    Pingback by oledump.py: plugin_msg_summary – Didier Stevens Videos — Sunday 11 October 2020 @ 21:54

  4. […] Blog post: Update: oledump.py Version 0.0.54 […]

    Pingback by strings.py: Pascal Strings – Didier Stevens Videos — Saturday 24 October 2020 @ 22:20

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.