Didier Stevens


I produced videos for my oledump tool; you can find them on the Didier Stevens Labs products page.

oledump.py is a program to analyze OLE files (Compound File Binary Format). These files contain streams of data. oledump allows you to analyze these streams.

Many applications use this file format; the best known is MS Office. .doc, .xls, .ppt, … are OLE files (.docx, .xlsx, … use the newer file format: XML inside ZIP).

oledump has an embedded man page: run oledump.py -m to view it.

Run oledump on an .xls file and it will show you the streams:


The letter M next to streams 7, 8, 9 and 10 indicates that the stream contains VBA macros.

You can select a stream to dump its content:


The source code of VBA macros is compressed when stored inside a stream. Use option -v to decompress the VBA macros:


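As an added example (this is not oledump's own code; read oledump.py for that), here is what option -v does: decompress the [MS-OVBA] CompressedContainer that holds the VBA source, together with the '\x00Attribut' marker search that the M column in the listing relies on. The two malformed inputs reported in the comments below (a trailing stray byte too short to be a chunk header, and a copy token that appears before any byte of its chunk exists) are turned into ValueError instead of the Python exceptions they would otherwise raise. compress_literals only exists to build test streams; every byte string here is constructed, not a real sample.

```python
"""MS-OVBA CompressedContainer decoder plus the '\x00Attribut' marker search.
Added example, not oledump's code; all byte strings are constructed."""
import math

VBA_MARKER = b'\x00Attribut'  # flag byte 0x00 + first 8 literals of 'Attribute VB_Name'


def _copy_token_masks(difference):
    """Split of a 16-bit copy token into offset and length fields. The offset
    width depends on how much of the current chunk is already decompressed
    (MS-OVBA 2.4.1.3.19.1): at least 4 bits, at most 12."""
    bit_count = max(math.ceil(math.log2(difference)), 4)
    length_mask = 0xFFFF >> bit_count
    return bit_count, length_mask, (~length_mask) & 0xFFFF


def decompress_vba(container, strict=True):
    """Decompress a CompressedContainer (signature 0x01, then chunks of at
    most 4096 decompressed bytes). strict=False tolerates a trailing stray
    byte instead of raising, which is what you want on corrupted samples."""
    if not container or container[0] != 0x01:
        raise ValueError('missing 0x01 container signature')
    out = bytearray()
    pos = 1
    while pos < len(container):
        if len(container) - pos < 2:
            if strict:
                raise ValueError('truncated chunk header at offset %d' % pos)
            break
        header = container[pos] | (container[pos + 1] << 8)
        if ((header >> 12) & 0x7) != 0b011:
            raise ValueError('bad chunk signature at offset %d' % pos)
        chunk_size = (header & 0x0FFF) + 3          # includes the 2 header bytes
        chunk_end = min(len(container), pos + chunk_size)
        pos += 2
        chunk_start = len(out)
        if not (header >> 15):                       # uncompressed chunk: 4096 raw bytes
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]
            pos += 1
            for bit in range(8):                     # one flag bit per token, LSB first
                if pos >= chunk_end:
                    break
                if not ((flags >> bit) & 1):         # 0: literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                if pos + 1 >= chunk_end:
                    raise ValueError('truncated copy token at offset %d' % pos)
                token = container[pos] | (container[pos + 1] << 8)
                pos += 2
                difference = len(out) - chunk_start
                if difference == 0:                  # the 'math domain error' case
                    raise ValueError('copy token with no data to copy from')
                bit_count, length_mask, offset_mask = _copy_token_masks(difference)
                length = (token & length_mask) + 3
                offset = ((token & offset_mask) >> (16 - bit_count)) + 1
                if offset > difference:
                    raise ValueError('copy token reaches before its chunk')
                src = len(out) - offset
                for i in range(length):              # byte-wise so overlapping copies (RLE) work
                    out.append(out[src + i])
    return bytes(out)


def find_vba_source(stream):
    """Locate and decompress the source in a module stream: p-code comes first,
    then the container, whose first token sequence is flag 0x00 + 'Attribut',
    so the marker sits 3 bytes after the signature (0x01 + 2-byte header)."""
    position = stream.find(VBA_MARKER)
    if position < 3 or stream[position - 3] != 0x01:
        return None
    return decompress_vba(stream[position - 3:], strict=False)


def compress_literals(data):
    """Valid container that uses only literal tokens (no real compression);
    here just to build test streams. 455 groups of 8 literals keep a chunk
    body within the 4096 bytes its 12-bit size field allows."""
    out = bytearray(b'\x01')
    for cs in range(0, len(data), 455 * 8):
        body = bytearray()
        for gs in range(cs, min(cs + 455 * 8, len(data)), 8):
            body.append(0x00)                        # eight literal tokens follow
            body += data[gs:gs + 8]
        header = 0xB000 | (len(body) - 1)            # compressed=1, sig=011, size-3
        out += bytes((header & 0xFF, header >> 8)) + body
    return bytes(out)
```

A hand-built container such as 01 05B0 08 'ABC' 0620 (one flag byte, three literals, one copy token with offset 3 and length 9) decompresses to ABCABCABCABC, which is the run-length trick the format gets from letting a copy overlap its own output.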
You can write plugins (in Python) to analyze streams. I developed 3 plugins. Plugin plugin_http_heuristics.py uses a couple of tricks to extract URLs from malicious, obfuscated VBA macros, like this:


You might have noticed that the file analyzed in the above screenshot is a zip file. Like many of my analysis programs, oledump.py can analyze a file inside a (password-protected) zip file. This allows you to store your malware samples in password-protected zip files (password: infected) and analyze them without having to extract them.

If you install the YARA Python module, you can scan the streams with YARA rules:


And if you suspect that the content of a stream is encoded, for example with XOR, you can try to brute-force the XOR key with a simple decoder I provide (or you can develop your own decoder in Python):


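As an added example (not one of oledump's decoders), the two approaches a practitioner uses on an XOR-encoded stream, going a step beyond the single-byte case above: a brute force over all 256 one-byte keys that scores each candidate by PE markers, and a known-plaintext attack that recovers a repeating multi-byte key when you know a string that must occur in the plaintext (the DOS stub of an embedded executable is the classic one). The sample "executable" and the keys are constructed; the function names are mine.

```python
"""Single-byte XOR brute force and a known-plaintext attack on repeating-key
XOR. Added example, not an oledump decoder; the PE sample in the tests is
constructed."""
from itertools import cycle

DOS_STUB = b'This program cannot be run in DOS mode'


def xor_repeating(data, key):
    """XOR data with a repeating key (also decrypts, XOR being an involution)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def score_pe(plaintext):
    """Crude 'looks like a Windows executable' score for a decoded candidate."""
    score = 0
    if plaintext[:2] == b'MZ':
        score += 2
    if DOS_STUB in plaintext[:0x200]:
        score += 5
    if b'PE\x00\x00' in plaintext[:0x400]:
        score += 3
    return score


def bruteforce_xor1(data, scorer=score_pe):
    """Try every single-byte key on the first KiB; return [(key, score)] for
    keys with a positive score, best first."""
    head = data[:0x400]
    hits = [(k, scorer(xor_repeating(head, bytes([k])))) for k in range(256)]
    return sorted([h for h in hits if h[1] > 0], key=lambda h: -h[1])


def _shortest_period(fragment, max_len):
    for p in range(1, max_len + 1):
        if all(fragment[j] == fragment[j % p] for j in range(len(fragment))):
            return p
    return None


def xor_known_plaintext(data, known, max_key_len=16):
    """Recover a repeating XOR key from a known plaintext at unknown position.
    Sliding the plaintext over the ciphertext, ct[i:i+n] ^ known is the key
    stream at offset i; at the right offset it is periodic with the key
    length, so the key is that fragment rotated back to offset 0.
    Returns [(offset, key)]. The key length must not exceed len(known),
    otherwise the period is ambiguous, hence the cap on max_key_len."""
    max_key_len = min(max_key_len, len(known))
    candidates = []
    for i in range(len(data) - len(known) + 1):
        fragment = xor_repeating(data[i:i + len(known)], known)
        p = _shortest_period(fragment, max_key_len)
        if p is not None:
            # fragment[j] == key[(i + j) % p], so key[m] == fragment[(m - i) % p]
            key = bytes(fragment[(m - i) % p] for m in range(p))
            candidates.append((i, key))
    return candidates
```

The brute force only answers the single-byte case; when it returns nothing, the known-plaintext attack is the next step, and it also works for the trivial key length 1, so it subsumes the first function on samples that contain the stub.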
This program requires Python module OleFileIO_PL: http://www.decalage.info/python/olefileio

oledump_V0_0_25.zip (https)
MD5: CED1602AEF505AE0388DB95414F9C00A
SHA256: 54510A54264E4EA3C4559545B5CE43A20D8AB290B4EDDA7B57983AD1396E29FC


  1. Hi Didier, thank you for the wonderful tool!

    Word macros are being used a lot recently for TorrentLocker, Dridex and now Rovnix distribution.

    Hoping you might be able to take a look at some recently extracted Word macros and possibly add plugin functionality to extract badness or better detect these URLs?

    The URL obfuscation techniques used are quite varied…



    Comment by Nullsec — Wednesday 7 January 2015 @ 8:49

  2. Hi Didier, thank you for the wonderful tool!

    Word macros are being used a lot recently for TorrentLocker, Dridex and now Rovnix distribution.

    Hoping you might be able to take a look at some recently extracted Word macros and possibly add plugin functionality to extract badness or better detect these URLs?

    The URL obfuscation techniques used are quite varied…



    Comment by digian — Wednesday 7 January 2015 @ 8:57

  3. Did you test the latest version of plugin_http_heuristics? It decodes 4 of your samples.

    Comment by Didier Stevens — Thursday 8 January 2015 @ 21:01

  4. Thanks, plugin_http_heuristics works a treat,
    PS. Could you plz delete previous duplicate post. =)

    Comment by Anonymous — Monday 12 January 2015 @ 8:23

  5. […] files are actually .doc and therefore in OLE format. In that case one of the best tool available is oledump.py from Didier Stevens (also known for his PDF tools…but we will talk about that in an upcoming […]

    Pingback by Word document analysis with oledump.py | SimonGaniere.ch — Monday 12 January 2015 @ 13:56

  6. Is it possible to use the plugin_http_heuristics to export the macro as decoded so I can view what else it is doing besides just knowing that it calls to a specific IP address?

    Comment by Greg Kelley — Tuesday 13 January 2015 @ 14:46

  7. You don’t need a plugin for that. Just select the stream containing macros (using option -s) and use option -v to view the VBA code.

    Comment by Didier Stevens — Tuesday 13 January 2015 @ 14:48

  8. I did, but then I get obscured code

    Comment by Greg Kelley — Tuesday 13 January 2015 @ 14:56

  9. I see. You want a deobfuscator, and you think plugin_http_heuristics does this but does not show you the deobfuscated code?
    That’s not how the plugin works. It does not deobfuscate VBA code. It tries to deobfuscate strings.

    Comment by Didier Stevens — Tuesday 13 January 2015 @ 19:18

  10. […] wrote a short guide using Python. If you want to take the simpler route, Didier Steven’s OLE Dump tool has a plug-in that will automatically decode and extract these URLs, as shown […]

    Pingback by Dridex Banking Trojan Begins 2015 with a Bang - Palo Alto Networks Blog — Friday 16 January 2015 @ 23:45

  11. […] I converted Jim Clausing’s PEiD rules to YARA rules so that I can use them to detect executable code in suspect Microsoft Office Documents with my oledump tool. […]

    Pingback by Converting PEiD Signatures To YARA Rules | Didier Stevens — Thursday 22 January 2015 @ 0:57

  12. […] oledump.py […]

    Pingback by oledump With plugin_biff | Didier Stevens Videos — Friday 23 January 2015 @ 9:57

  13. Here’s another new Dridex obfuscation mechanism (found in a Word document). Any possibility you could update the plugin_http_heuristics plugin?
    John McCash

    Comment by Anonymous — Wednesday 4 February 2015 @ 16:08

  14. Do you have the MD5 of the sample John?

    Comment by Didier Stevens — Wednesday 4 February 2015 @ 18:14

  15. I believe it was cd5fdb7574010fd23f9501523fdc2aa4. The filename was invoice4780242454.doc, and the included download address was hxxp://www[.]stoneledgepens[.]com/blog/wp-content/uploads/vv.exe.

    Comment by Anonymous — Friday 6 February 2015 @ 20:56

  16. Didier, great tool! I found a possible error in the script. 3fec5921bd1f9a2cca4f5c707a51aded and 10b7af49f09c882f5b16c87f31353bc4 show “string index out of range” errors. In the Decompress method, you check “while len(remainder) != 0” but in the DecompressChunk method, you check the first 2 bytes. Let me know if you need me to send you the files.

    Comment by Jose Ole — Monday 23 February 2015 @ 14:31

  17. Also, 02a0f412b52324d10635f9562a5c24fc and 4a2d6df0a23911188c3a00c7bfc025f9 are examples of “math domain error” on the first line of the OffsetBits method. len(data) is 0 at that point.

    Comment by Jose Ole — Monday 23 February 2015 @ 14:46

  18. @Jose I had a look, that first file is corrupted. That’s why decompressing the macro fails.

    Comment by Didier Stevens — Monday 23 February 2015 @ 20:15

  19. @Jose Seems the 4 files are corrupted.

    Comment by Didier Stevens — Monday 23 February 2015 @ 20:57

  20. @Didier Thanks for taking a look. If I change “len(remainder) != 0” to “len(remainder) > 1” the first two files are able to continue on without error and even finds an embedded executable in stream 21 of the first and a macro of interest in stream 13 in the other.

    Comment by Jose Ole — Monday 23 February 2015 @ 21:21

  21. @Jose Yes, I’ll make a new version to handle the error.

    Comment by Didier Stevens — Monday 23 February 2015 @ 21:23

  22. Great. Thanks for your help.

    Comment by Jose Ole — Monday 23 February 2015 @ 21:27

  23. For the math domain error, I just changed the “else” on the line before “numberOfOffsetBits = OffsetBits(decompressedChunk)” to “elif len(decompressedChunk) > 0”

    Comment by Jose Ole — Monday 23 February 2015 @ 21:33

  24. […] You can find oledump.py here. […]

    Pingback by oledump And Yet Another XML (Bis) | Didier Stevens Videos — Sunday 29 March 2015 @ 0:07

  25. […] It was too tempting to make some manual investigations. Using Didier Stevens’s tool oledump, I extracted the following […]

    Pingback by Malicious MS Word Document not Detected by AV Software | /dev/random — Tuesday 7 April 2015 @ 18:27

  26. Hi Didier, great tool! I have added a simple patch to 0.0.13 based on Rodel Medrez’s macrodump to extract all VBA macros in one go. I think it could be useful to everyone — do you think you could add this feature to the next version?

    > def VBAdump(ole):
    >     for fname in ole.listdir():
    >         stream = ole.openstream(fname).read()
    >         if '\x00Attribut' in stream:
    >             print PrintableName(fname)
    >             StdoutWriteChunked(SearchAndDecompress(stream))
    >             #print('%2d: %s %6d %s' % (counter, IFF('\x00Attribut' in stream, 'M', ' '), len(stream), PrintableName(fname)))
    >     return
    >
    > if options.VBAdump:
    >     VBAdump(ole)
    >     return
    >
    > oParser.add_option('-V', '--VBAdump', action='store_true', default=False, help='attempt to dump all VBA macros')

    Comment by Tamas — Thursday 9 April 2015 @ 18:23

  27. @Tamas Did you know that you can perform an operation on all streams by selecting all streams, like this: -s a
    So to see all macros you give options -s a -v

    Comment by Didier Stevens — Thursday 9 April 2015 @ 21:40

  28. […] new version of oledump (small bugfix and updated […]

    Pingback by Update: oledump.py Version 0.0.14 | Didier Stevens — Monday 13 April 2015 @ 0:01

  29. Thanks very much @Didier for getting back to this. I did not know this option; however, I have tried it and the problem with that is that it selects every stream, not just the VBA ones. As a result we will see many “Error: unable to decompress” messages for the ones that are not compressed VBA, and also I saw “VBA/dir” displayed in an unformatted way, which is not what I wanted. On the other hand your direction is better than mine. It would be nice to have “-sv” or “-sm” for selecting all VBA macros and maybe this could be extended to “-sw” for Word docs, “-sx” for xls, “-se” for embedded objects etc. Just a few ideas 🙂

    Comment by Tamas — Thursday 16 April 2015 @ 21:25

  30. PS: What I was thinking is something like this:

    $ diff oledump-0.0.14.py oledump-0.0.14p.py
    < if options.select == 'a' or ('%s%d' % (prefix, counter)) == options.select:
    < StdoutWriteChunked(DumpFunction(DecompressFunction(DecodeFunction(decoders, options, ole.openstream(fname).read()))))
    stream = ole.openstream(fname).read()
    > if options.select == ‘a’ \
    > or (‘%s%d’ % (prefix, counter)) == options.select \
    > or (options.select == ‘m’ and SearchAndDecompressSub(stream) != None) :
    > StdoutWriteChunked(DumpFunction(DecompressFunction(DecodeFunction(decoders, options, stream))))
    > if options.select != ‘a’ \
    > and options.select != ‘m’:
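    Review bot: the `options.select == 'm'` branch calls SearchAndDecompressSub(stream) on every stream purely as a selection test, and the matching stream is then decompressed a second time by DecompressFunction on the next line, so each macro stream is decompressed twice; the `'\x00Attribut' in stream` test that already drives the M column in the listing is cheaper and would make `-s m` select exactly the streams marked M. Also compare with `is not None` rather than `!= None`. The hunk stops at `if options.select != 'a' and options.select != 'm':` without its body, so it is not visible whether the loop still breaks after the first selected stream; for `m` it must keep iterating, otherwise only the first macro stream is dumped.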

    Comment by Tamas — Thursday 16 April 2015 @ 23:38

  31. […] will warn you that it contains macros! To analyze them, let’s use Didier Stevens’s tool oledump to analyze the […]

    Pingback by Hack in Paris Challenge Wrap-Up | /dev/random — Wednesday 29 April 2015 @ 20:23

  32. Just a oledump typo I noticed. Towards the top it says “XML insize ZIP.” I think you meant “inside.”

    Comment by Anonymous — Saturday 9 May 2015 @ 14:34

  33. Thanks!

    Comment by Didier Stevens — Sunday 10 May 2015 @ 20:12

  34. I used your latest version oledump_V0_0_15.zip and a similar command, emldump.py E8397CA1635.doc -s 3 -d | oledump.py -p plugin_http_heuristics.py. I am not getting the pastebin URL. But while executing I can view the pastebin link through Fiddler. Please help me.

    Comment by Bharani — Wednesday 13 May 2015 @ 18:56

  35. You also need to use the dridex plugin.

    Comment by Didier Stevens — Wednesday 13 May 2015 @ 18:57

  36. In this blog they never used the dridex plugin: http://bartblaze.blogspot.be/2015/05/new-malicious-office-docs-trick.html. Please suggest where I have to provide the dridex plugin in the command “emldump.py E8397CA1635.doc -s 3 -d | oledump.py -p plugin_http_heuristics.py”

    Comment by Bharani — Wednesday 13 May 2015 @ 19:13

  37. It’s simple, read the man: oledump.py -m

    emldump.py E8397CA1635.doc -s 3 -d | oledump.py -p plugin_http_heuristics,plugin_dridex

    Comment by Didier Stevens — Wednesday 13 May 2015 @ 19:15

  38. This one is also not working. I have sent you the malware sample to your Gmail ID.

    Comment by Bharani — Wednesday 13 May 2015 @ 19:28

  39. Thank you so much for your updated version. It is working fine. Once again thanks.

    Comment by Bharani — Thursday 14 May 2015 @ 11:51

  40. Hello Didier,

    Your scripts are wonderful. I currently use oledump (with added exit codes) as an external addon to my own antispam to filter (and quarantine) Office documents which contain macros. Works like a charm.


    Comment by Philippe — Thursday 4 June 2015 @ 18:13

  41. @Philippe Cool, that’s a good idea. Can you tell me more about the exit codes you use?

    Comment by Didier Stevens — Thursday 4 June 2015 @ 18:19

  42. Thank you for this very useful tool which was a great help today against “.doc” malware attacks


    Comment by Anonymous — Tuesday 9 June 2015 @ 15:51

  43. Hi Didier

    Typically, if you run an enterprise mail server, as I do (for, let’s say, an administration, sort of), you should quarantine each and every Office document containing VBA. Exactly what I do, with your precious tool. I use sys.exit(exitcode) where exitcode is set when a document contains a macro module.

    Nowadays, those trojan loaders (2 or 3 stages) are very poorly detected by antiviruses. It is easy to remove and quarantine possibly dangerous documents (by their extensions), but you cannot refuse those office documents because they are part of our administrative work.

    And this is where oledump.py plays a very useful role. It comes as an addon of my (own-brewed) antispam, Spam-HL, which itself is called by my mail server (MDaemon).

    I added a module that identifies the attachments both by their extensions and their signature, and processes them accordingly. This way, even a .doc which would have been renamed to .docx would raise a “mismatch” and… a quarantine. I also make use of your PDF tool, even if it is not able to scan 100% of the documents. I just search for Javascript flags…

    This way, 99.5% of the spam and 100% of the viruses are stopped before reaching my (so precious) users.

    This is a must, since my server is well known and very exposed, I get almost all versions of zero-day trojans, each and every day… They would gently pass any antivirus solution, without problem (I have Kaspersky on the mail server, Clam on the firewall, and Avira on the workstations: just a bunch of useless crap). The only thing the antiviruses are able to catch without failing, nowadays, is your money. Technically speaking they are worse than old DOS-era antivirus like Thunderbyte or even MsAntivirus.

    Anyway , this is the way I use your tools. Again, thank you for making them widely available.


    Comment by Philippe — Saturday 13 June 2015 @ 11:26

  44. […] is a new version of oledump with a couple of bugfixes and a new feature: […]

    Pingback by Update: oledump.py Version 0.0.17 – ExitCode | Didier Stevens — Friday 26 June 2015 @ 9:44

  45. […] supposed it might contain a hidden exe file or malicious macros, so we launched oledump to analyze the various sectors of the […]

    Pingback by Analisi Documento Word con Macro Malevole - Shielder — Saturday 27 June 2015 @ 12:45

  46. Dear Didier,

    That’s great work, thanks for your effort. Heuristic HTTP analysis is very nice; however, many macro-enabled malware samples mostly try to exploit the Outlook MAPI functions, which are used as keylogger or document-leaking tools. Have you ever worked on detecting such functions?



    Comment by pascal — Monday 29 June 2015 @ 8:56

  47. @pascal Do you have a sample? Can you share the MD5?

    Comment by Didier Stevens — Monday 29 June 2015 @ 20:27

  48. […] AutomaticDestinations files are the OLE files, so you can analyze them with oledump. There are a couple of tools that can extract information from these […]

    Pingback by Jump List Forensics | Didier Stevens — Monday 3 August 2015 @ 0:01

  49. […] oledump: Examine suspicious Microsoft Office files […]

    Pingback by REMnux: Distribución de Linux especializada en en el análisis de malware | Skydeep — Thursday 20 August 2015 @ 1:49

  50. […] Demoing the new –cut option in my dump tools like oledump.py […]

    Pingback by Cut Cut Cut … | Didier Stevens Videos — Tuesday 13 October 2015 @ 0:47

  51. […] further dig into these artifacts we will use another great tool. Oledump created by Didier Stevens. This tool allows you to analyze OLE files. As stated in the manual page: […]

    Pingback by Malicious Office Document delivering Dyre | Count Upon Security — Tuesday 13 October 2015 @ 22:14

  52. Hi, I try to use the latest version oledump_V0_0_18.zip with python 3.5 and olefile-0.41 but when I use
    C:\oledump>oledump.py
    File “C:\oledump\oledump.py”, line 710
    exec open(plugin, ‘r’) in globals(), globals()
    What’s wrong?

    Comment by Fabrizio — Tuesday 27 October 2015 @ 15:31

  53. Python 3 is the problem. Read this: https://blog.didierstevens.com/2015/07/20/if-you-have-a-problem-running-my-tools/

    Comment by Didier Stevens — Tuesday 27 October 2015 @ 15:34

  54. […] oledump reveals VBA macros in the document, but the plugins are not able to extract a URL: […]

    Pingback by Analysis Of An Office Maldoc With Encrypted Payload (Quick And Dirty) | Didier Stevens — Thursday 5 November 2015 @ 0:01

  55. […] is another tool for office document analysis (also to mention: didier stevens oledump) which also supports pre 2007 file formats. When applying it once for the word document it extracts […]

    Pingback by Teaser on the Troopers16 Incident Analysis Workshop: Analyzing the current Spam Flood - Insinuator — Friday 18 December 2015 @ 11:56

  56. […] emldump is able to analyze the multipart MIME file, and detect the MSO file (part 3). oledump can analyze MSO […]

    Pingback by MIME File With “Header” | Didier Stevens — Tuesday 22 December 2015 @ 0:00

  57. […] you can see a part of code used in that macros. Kaspersky extracted it using oledump tool written by Didier Stevens […]

    Pingback by APT BlackEnergy. Cyber attacks in Ukraine. GREAT’s analisys. | Russian Hackers INFO — Saturday 30 January 2016 @ 2:46

  58. […] you can see a part of code used in that macros. Kaspersky extracted it using oledump tool written by Didier Stevens […]

    Pingback by APT BlackEnergy. Cyber attacks in Ukraine. GREAT's analisys. ⋆ Russian Hackers INFO — Saturday 30 January 2016 @ 4:31

  59. when I run python oledump.py “file.doc” I get an error File “oledump.py”, line 768
    exec open(plugin, ‘r’) in globals(), globals()

    Comment by Anonymous — Monday 1 February 2016 @ 20:17

  60. […] same steps as for Dridex. Next, we will extract the macros from the Office file via oledump (the Belgian cousin of the Breton […]

    Pingback by Locky l’épidémie | Cryptobourrin — Saturday 20 February 2016 @ 9:04

  61. […] are two good tools, that I know of, for looking at Microsoft Office files, Didier Stevens’ oledump; and Decalage’s oletools. Oletools contains the olevba.py script which will do some useful […]

    Pingback by An Exercise in Deobfuscating MS Word Macros Using Linux | Malware Musings — Sunday 21 February 2016 @ 10:22

  62. Hi,
    I’m getting the following error with oledump 0.0.22, Python 2.7, OleFileIO_PL-0.30 (although I’ve tried newer versions including the latest one), OS: Win 8.1 Pro x64
    C:\oledump>oledump.py SCAN_Invoice.doc
    Traceback (most recent call last):
    File “C:\oledump\oledump.py”, line 1588, in <module>
    File “C:\oledump\oledump.py”, line 1585, in Main
    return OLEDump(args[0], options)
    File “C:\oledump\oledump.py”, line 1495, in OLEDump
    oXML = xml.dom.minidom.parse(oStringIO)
    File “C:\Python27\lib\xml\dom\minidom.py”, line 1918, in parse
    return expatbuilder.parse(file)
    File “C:\Python27\lib\xml\dom\expatbuilder.py”, line 928, in parse
    result = builder.parseFile(file)
    File “C:\Python27\lib\xml\dom\expatbuilder.py”, line 207, in parseFile
    parser.Parse(buffer, 0)
    xml.parsers.expat.ExpatError: syntax error: line 1, column 0

    Comment by Anonymous — Sunday 28 February 2016 @ 12:17

  63. That’s most likely because the file you are analyzing is not an OLE file, but a heavily obfuscated MIME type file. I’ve seen several of these the last few days. You have to start the analysis with my emldump.py tool. What is the MD5 of your sample?

    Comment by Didier Stevens — Sunday 28 February 2016 @ 14:40

  64. Thanks for the quick reply.
    The MD5 of the file is faf75220c0423f94658618c9169b3568 ; SHA1 ca60ed32b312417a6213d1db12c19c3682dc4622

    Comment by Anonymous — Sunday 28 February 2016 @ 15:06

  65. It’s indeed an obfuscated MIME type file. Here is the command to analyze it (extract the URL):
    findstr /v AJ7ESAgBBEIGllvGiAgBhpiWAwIAnwaICAEAnsRICAEKCEg faf75220c0423f94658618c9169b3568.vir | emldump.py -s 6 -d | oledump.py -s 12 -d | re-search.py -n url

    The findstr command will filter out the second line in the MIME type file that causes emldump.py to not recognize the MIME structure.

    Comment by Didier Stevens — Sunday 28 February 2016 @ 15:28

  66. It worked.
    Two questions (this is my first shot at looking through malware-type documents in order to understand how they do what they do):
    1. is there any way i could output the macros to a plain text file?
    2. the string used as an argument for findstr – is it standard to all MIME type files?

    Thanks a lot for the help and the awesome tools!

    Comment by Anonymous — Sunday 28 February 2016 @ 16:11

  67. 1) yes, use option -s to select the stream(s) and -v to decompress the macros. Many of my Python tools (including oledump.py) come with a man page: use option -m or --man.
    2) no, not at all, this second line in the file is not standard, it is included by the maldoc authors to confuse MIME type file parsers and decoders.

    Comment by Didier Stevens — Sunday 28 February 2016 @ 16:22

  68. Hi Didier! Great tools and great work!

    Please help on this: https://www.virustotal.com/en/file/1b3d43d2d2a6d67858dd3867b976f2f3921417ad155c9f49bbbd5f269b0e2c48/analysis/

    python ~/File_Analysis/emldump.py -H -s 6 -d INV00849\ -\ 66106986.doc_original | python ~/File_Analysis/oledump_V0_0_22/oledump.py -s 9 -v

    We want to get the malicious URLs but we couldn’t yet.

    Thank you in advance!

    Comment by Anonymous — Monday 7 March 2016 @ 15:33

  69. Try this:

    emldump.py -f -s application/x-mso -d d6d14a38460a95ea17193dcc6720a02b.vir.zip | oledump.py -s 20

    Comment by Didier Stevens — Monday 7 March 2016 @ 16:00

  70. Thank you very much! Amazing and great tools!

    Comment by Anonymous — Monday 7 March 2016 @ 17:00

  71. […] used oledump to extract the […]

    Pingback by Infocaos | Locky Ransomware Arrives via Email Attachment — Wednesday 16 March 2016 @ 16:02

  72. Hi Didier, thanks for your tools and effort on these. Trying emldump and oledump on this: https://www.virustotal.com/file/7755a176bb16d014aed21b0827734eb044c54aad1829396eb9a413729b4f0b4a/analysis/1458316211/ the macros look incomplete? I think there is supposed to be a download URL

    Comment by Anonymous — Friday 18 March 2016 @ 18:40

  73. No, it’s complete. But it contains a VBE file. Take a look at my last blogpost.

    Comment by Didier Stevens — Wednesday 23 March 2016 @ 19:34

  74. […] scripting content inside the doc, it was not in easily-readable text format. Didier Stevens “oledump.py” came to the […]

    Pingback by Writeup – WhereWouldWeBeWithout (Bsides Canberra 2016) | Advanced Persistent Jest — Friday 22 April 2016 @ 11:09

  75. […] zipdump can also be used to pipe a sample into my other analysis tools like oledump.py. […]

    Pingback by Major Update For zipdump.py | Didier Stevens — Wednesday 1 June 2016 @ 0:00

  76. Running into an issue with https://www.virustotal.com/en/file/e8dfe85021bdddb33bdb63ef7f6dab8f76baaf419f3332581bccefacf0d9213a/analysis/

    I have version 0.42 of olefileio_pl installed and running version 0.0.24 of oledump.py. See error below;

    A: word\vbaProject.bin
    Traceback (most recent call last):
    File “/tmp/bits/oledump/oledump.py”, line 1624, in <module>
    File “/tmp/bits/oledump/oledump.py”, line 1621, in Main
    return OLEDump(args[0], options)
    File “/tmp/bits/oledump/oledump.py”, line 1522, in OLEDump
    ole = olefile.OleFileIO(cStringIO.StringIO(content))
    File “/usr/lib/python2.7/site-packages/olefile/olefile.py”, line 1142, in __init__
    self.open(filename, write_mode=write_mode)
    File “/usr/lib/python2.7/site-packages/olefile/olefile.py”, line 1399, in open
    self.loaddirectory(self.sectDirStart)#i32(header, 48))
    File “/usr/lib/python2.7/site-packages/olefile/olefile.py”, line 1723, in loaddirectory
    self.directory_fp = self._open(sect)
    File “/usr/lib/python2.7/site-packages/olefile/olefile.py”, line 1796, in _open
    if not self.ministream:
    AttributeError: OleFileIO instance has no attribute ‘ministream’

    Comment by Par Osterberg Medina — Tuesday 14 June 2016 @ 14:42

  77. First and foremost… Thank you for this tool! I have one suggestion to make, based on a malicious document I received… I was really unable to decode the payload using the decoders provided with oledump.py, but had immediate success using the Windows Script Decoder that I found here: https://gist.github.com/bcse/1834878 It may be a decoder you’d like to take a look at. Thanks.

    Comment by Denis Roy — Thursday 30 June 2016 @ 22:51

  78. Answer to Osterberg Medina: this error happens with some malformed files. olefile has been improved since version 0.43 to handle them properly. You may update olefile easily using “pip install -U olefile”, or download the latest version from https://pypi.python.org/pypi/olefile/#downloads. Philippe.

    Comment by decalage0 — Monday 11 July 2016 @ 20:50

  79. […] oledump will allow you to dump the various streams of the document, or if you’re in a tight analysis environment and speed is more important than thoroughness, you could just ‘ride-or-die’ and execute the macro. I have always thought DMX and Fetty were onto something, so let’s go for ‘ride-or-die’. […]

    Pingback by WildFire Ransomware Catching On - OpenDNS Security Labs — Wednesday 13 July 2016 @ 17:31

  80. I received a file this morning on my email client and after doing some research, I came across this tool. I was able to successfully view the stream with the macro, however I’m at a loss on how to decrypt it.

    This is what comes up when I run oledump.py with the VBA summary plugin.


    Comment by Rarona00 — Monday 8 August 2016 @ 18:58

  81. What’s the md5 hash?

    If you don’t know how to read code, you can’t decode it.

    Comment by Didier Stevens — Monday 8 August 2016 @ 19:13

  82. Dang, I was hoping one of your plugins would be able to do it automatically….the http heuristic plugin doesn’t pull up anything. I definitely don’t know how to read code. I was just curious what it was trying to download exactly.

    Comment by rarona — Monday 8 August 2016 @ 19:26

  83. This doesn’t look like a downloader, but a dropper. That’s why my plugins can’t help. If you give me the MD5 hash, I can take a look.

    Comment by Didier Stevens — Monday 8 August 2016 @ 19:36

  84. […] So it is a simple Doc file (non xml). Let’s use olevba from Oletools and oledump […]

    Pingback by Weaponized DOC with TeslaCrypt (?) « int3 (0xcc) — Saturday 3 September 2016 @ 10:10

  85. […] the first two steps identifying the streams the VBA macro was located and extracting the code with oledump-py by didier stevens. We found the embedded exe file ojGLBWnEuEy.exe is being run by the VBA […]

    Pingback by Documents From Hell Part 2 | War and Code — Saturday 10 September 2016 @ 3:53

  86. […] extract stream information, including dates. The script appears to be complementary to Didier’s oledump. More […]

    Pingback by Week 36 – 2016 – This Week In 4n6 — Sunday 11 September 2016 @ 12:10

  87. Hi, I’m having a problem with using your tool oledump. Is there any chance to analyze my file?

    Comment by mario — Wednesday 28 September 2016 @ 13:06

  88. If it’s on VirusTotal then post the hash here.

    Comment by Didier Stevens — Wednesday 28 September 2016 @ 13:08

  89. […] Proof that the attackers may be getting tired: in any case, the power of olevba or oledump can be brought fully to bear to quickly extract relevant information from it for […]

    Pingback by Anodin Odin | Cryptobourrin — Monday 3 October 2016 @ 12:28

  90. […] oledump.py and […]

    Pingback by oledump xor kpa | Didier Stevens Videos — Friday 7 October 2016 @ 12:19

  91. Hi Didier,

    First let me say thanks for all your work! I was hoping you could provide some advice on a file I’ve been looking at. I’m trying to extract the URL from the file using oledump.py and the http_heuristics plugin. When I ran it, it provided me with an encoded output. I was wondering if there is another plugin I should use in conjunction to de-obfuscate the output. Here is the MD5 hash at VT below.


    Thank you!

    Comment by HFW — Monday 10 October 2016 @ 21:55

  92. […] oledump.py, translate.py, […]

    Pingback by Maldoc VBA: .pub File | Didier Stevens Videos — Tuesday 11 October 2016 @ 10:38

  93. It’s too complex for the plugins, you have to decode it manually. Here is one way to do this: https://videos.didierstevens.com/2016/10/11/maldoc-vba-decoder-xls/

    Comment by Didier Stevens — Tuesday 11 October 2016 @ 11:02

  94. Thanks! I attempted to follow the instructions you provided in your video but it appears that this one (and its siblings) is proving to be uniquely different, in that it does not want to spit out the ASCII or Unicode dump from the decoder.xls. Would you have any additional thoughts on a strategy to extract the shellcode?

    Comment by HFW — Tuesday 11 October 2016 @ 15:08

  95. I was able to extract the payload following the method I showed in the video. The payload is a command that drops and executes a VBS script via cmd.exe.

    The encoded payload is in variable BlsNUgCJ in Sub TZOqN3O.

    Comment by Didier Stevens — Tuesday 11 October 2016 @ 15:24

  96. […] oledump.py, […]

    Pingback by Maldoc VBA: decoder.xls | Didier Stevens Videos — Friday 14 October 2016 @ 13:27

  97. […] oledump.py, […]

    Pingback by Analyzing Office Maldocs With Decoder.xls | Didier Stevens — Friday 14 October 2016 @ 13:27

  98. […] oledump.py, […]

    Pingback by Maldoc VBA: Decoding With Excel | Didier Stevens Videos — Monday 17 October 2016 @ 7:49

  99. Hi Didier,

    I spent the past couple days trying to re-trace your steps on how you extracted the payload but to no avail. What was the function that you used to track down the decoding? I didn’t want to run the entire sub in TZOqN3O since it included the GetObject call.

    Comment by HFW — Tuesday 18 October 2016 @ 21:00
