This new version of oledump.py adds a new variable for option -E: %MODULEINFO%
This variable needs to be used together with option -i: it contains the size of the compiled VBA code and the size of the compressed VBA code, separated by a plus sign. For example: 123+65.
There’s a new option (-s) for plugin_http_heuristics: with this option, the plugin ignores space characters (useful for hexadecimal bytes separated by a space character, for example).
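As an added illustration of what the -s option is for (this is simplified example code, not the code of plugin_http_heuristics itself), the function below scans string literals in a constructed VBA snippet for hexadecimal bytes and reports any URL they decode to; the URL whose hex bytes are separated by spaces is only found when spaces are ignored.

```python
import re

# Constructed sample VBA source: the first literal hides a URL as hex bytes
# separated by spaces, the second as contiguous hex, the third is plain text.
SAMPLE_VBA = '''
s = "68 74 74 70 3A 2F 2F 65 78 61 6D 70 6C 65 2E 63 6F 6D 2F 61 2E 65 78 65"
t = "687474703a2f2f6578616d706c652e6f72672f"
u = "Hello World"
'''

STRING_RE = re.compile(r'"([^"\n]*)"')          # double-quoted VBA literals
HEX_RE = re.compile(r'[0-9A-Fa-f]+')            # a run of hex digits only
URL_RE = re.compile(rb'https?://[\x21-\x7e]+')  # URL in the decoded bytes


def decode_hex_candidate(text, ignore_spaces):
    """Return the bytes a hex-looking literal decodes to, or None if it is not hex."""
    if ignore_spaces:
        text = text.replace(' ', '')
    # Need an even number of hex digits and nothing else (spaces fail this
    # check unless they were stripped above, which is what -s does).
    if len(text) < 2 or len(text) % 2 or not HEX_RE.fullmatch(text):
        return None
    return bytes.fromhex(text)


def find_hex_urls(vba_source, ignore_spaces=False):
    """List URLs hidden in hex-encoded string literals of vba_source."""
    found = []
    for literal in STRING_RE.findall(vba_source):
        decoded = decode_hex_candidate(literal, ignore_spaces)
        if decoded is None:
            continue
        for match in URL_RE.finditer(decoded):
            found.append(match.group(0).decode('ascii'))
    return found


if __name__ == '__main__':
    print('without -s:', find_hex_urls(SAMPLE_VBA))
    print('with -s:   ', find_hex_urls(SAMPLE_VBA, ignore_spaces=True))
```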
And there is a new plugin: plugin_msg_summary. This is a new type of plugin, a plugin that operates on the complete document. Before, plugins could only operate on individual streams, and were instantiated for each stream.
This plugin produces a summary of a .msg file (something we needed for our “Epic Manchego” research).
Here is an example:
This plugin has a couple of options, for example to produce JSON output or to add header or body information:
First of all thank you for providing your excellent tools.
A more general topic:
Having analyzed dozens of MS-Office samples (here the focus is on OOXML) from MalwareBazaar, the question was: is there an easy way to identify the malware without anti-virus software?
A trial with checking only the magic bytes, the existence of the elementary components like ‘docProps/core.xml’ etc. and the special password “Velvet…” was promising.
Depending on preferences, Python or VBA are possible.
Is there a chance to test the concept “in real life”?
Comment by No — Thursday 8 October 2020 @ 8:44
You can try YARA
Comment by Didier Stevens — Thursday 8 October 2020 @ 19:15
[…] Blog post: Update: oledump.py Version 0.0.54 […]
Pingback by oledump.py: plugin_msg_summary – Didier Stevens Videos — Sunday 11 October 2020 @ 21:54
[…] Blog post: Update: oledump.py Version 0.0.54 […]
Pingback by strings.py: Pascal Strings – Didier Stevens Videos — Saturday 24 October 2020 @ 22:20