Didier Stevens

Sunday 4 September 2022

Update: oledump.py Version 0.0.70

Filed under: maldoc,My Software,Update,video — Didier Stevens @ 15:38

This is an update to plugin plugin_vba_dco.py, improving generalization and adding option -p.

You can watch this maldoc analysis video to learn how to use the generalization feature of this plugin:

oledump_V0_0_70.zip (http)
MD5: D6EC4FD6B7BE60E01A98922BC06A1E8F
SHA256: E9EE79501A08E896A601F1AFDDB6D3C05D9A2A1FD5899D44AC422DD79E4EF678


  1. Thank you very much for the 2nd analysis.

    788d024f97427ada10554af66467bb63e0fb257ce2dbadfb8faa9575c1d359e5 (Malware Bazaar) is the first “Word for the Web” I have seen. Except mail-adresses in app.xml ‘Creator’ and ‘Modifyedby’ I could not find the malicious part. As found in Ukraine, it is likely from Russia.

    Comment by Anonymous — Monday 5 September 2022 @ 8:01

  2. Why do you think this sample contains malicious code?

    Comment by Didier Stevens — Monday 5 September 2022 @ 15:43

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.