Releases: decalage2/oletools
oletools v0.60.2
- 2024-07-02 v0.60.2:
- olevba:
- oleobj: fixed SyntaxError with Python 3.12 (PR #855), SyntaxWarning (PR #774)
- rtfobj: fixed SyntaxError with Python 3.12 (PR #854)
- clsid: added CLSIDs for MSI, Zed
- ftguess: added MSI, PNG and OneNote formats
- pyxswf: fixed python 3.12 compatibility (PR #841, issue #813)
- setup/requirements: allow pyparsing 3 to solve install issues (PR #812, issue #762)
oletools v0.60.1
2022-05-09 v0.60.1:
- olevba:
- fixed a bug when calling XLMMacroDeobfuscator (PR #737)
- removed keyword "sample" causing false positives - oleid: fixed OleID init issue (issue #695, PR #696)
- oleobj:
- added simple detection of CVE-2021-40444 initial stage
- added detection for customUI onLoad
- improved handling of incorrect filenames in OLE package (PR #451) - rtfobj: fixed code to find URLs in OLE2Link objects for Py3 (issue #692)
- ftguess:
- added PowerPoint and XPS formats (PR #716)
- fixed issue with XPS and malformed documents (issue #711)
- added XLSB format (issue #758) - improved logging with common module log_helper (PR #449)
More details about fixed issues and improvements in 0.60: https://github.com/decalage2/oletools/milestone/10?closed=1
oletools v0.60
- 2021-06-02 v0.60:
- ftguess: new tool to identify file formats and containers (issue #680)
- oleid: (issue #679)
- each indicator now has a risk level
- calls ftguess to identify file formats
- calls olevba+mraptor to detect and analyse VBA+XLM macros
- olevba:
- when XLMMacroDeobfuscator is available, use it to extract and deobfuscate XLM macros
- rtfobj:
- use ftguess to identify file type of OLE Package (issue #682)
- fixed bug in re_executable_extensions
- crypto: added PowerPoint transparent password '/01Hannes Ruescher/01' (issue #627)
- setup: XLMMacroDeobfuscator, xlrd2 and pyxlsb2 added as optional dependencies
More details about fixed issues and improvements in 0.60: https://github.com/decalage2/oletools/milestone/10?closed=1
oletools v0.56.2
- 2021-05-07 v0.56.2:
- olevba:
- olevba, mraptor:
- added detection of Workbook_BeforeClose (issue #518)
- rtfobj:
- oleid:
- clsid:
- added several CLSIDs related to MS Office click-to-run issue CVE-2021-27058
- added checks to ensure that all CLSIDs are uppercase (PR #678)
More details about fixed issues and improvements in 0.56: https://github.com/decalage2/oletools/milestone/9?closed=1
oletools v0.56.1
- 2021-04-02 v0.56.1:
- olevba:
- fixed bug when parsing some malformed files (issue #629)
- oleobj:
- setup:
- olevba:
More details about fixed issues and improvements in 0.56: https://github.com/decalage2/oletools/milestone/9?closed=1
oletools v0.56
- 2020-09-28 v0.56:
- olevba/mraptor:
- added detection of trigger _OnConnecting
- olevba:
- updated plugin_biff to v0.0.17 to improve Excel 4/XLM macros parsing
- added simple analysis of Excel 4/XLM macros in XLSM files (PR #569)
- added detection of template injection (PR #569)
- added detection of many suspicious keywords (PR #591 and #569, see https://www.certego.net/en/news/advanced-vba-macros/)
- improved MHT detection (PR #532)
- added --no-xlm option to disable Excel 4/XLM macros parsing (PR #532)
- fixed bug when decompressing raw chunks in VBA (issue #575)
- fixed bug with email package due to monkeypatch for MHT parsing (issue #602, PR #604)
- fixed option --relaxed (issue #596, PR #595)
- enabled relaxed mode by default (issues #477, #593)
- fixed detect_vba_macros to always return VBA code as
unicode on Python 3 (issues #455, #477, #587, #593) - replaced option --pcode by --show-pcode and --no-pcode,
replaced optparse by argparse (PR #479)
- oleform: improved form parsing (PR #532)
- oleobj: "Ole10Native" is now case insensitive (issue #541)
- clsid: added PDF (issue #552), Microsoft Word Picture (issue #571)
- ppt_parser: fixed bug on Python 3 (issues #177, #607, PR #450)
- olevba/mraptor:
How to install with pip: https://github.com/decalage2/oletools/wiki/Install
oletools v0.55
Main changes in oletools v0.55:
- olevba:
- added support for SLK files and XLM macro extraction from SLK
- VBA Stomping detection
- integrated pcodedmp to extract and disassemble P-code
- detection of suspicious keywords and IOCs in P-code
- new option --pcode to display P-code disassembly
- improved detection of auto execution triggers
- rtfobj: added URL carver for CVE-2017-0199
- better handling of unicode for systems with locale that does not support UTF-8, e.g. LANG=C (PR #365)
- tests:
How to install with pip: https://github.com/decalage2/oletools/wiki/Install
oletools v0.54.2
This is a bugfix release for oletools 0.54.
Changes:
- 2019-05-23 v0.54.2:
- msoffcrypto-tool is now a required dependency (simplified install)
- plugin_biff: fixed issues #428, #434 and #444, improved Python 3 support
- olevba, msodde, crypto: improved handling of encrypted files (PR #441)
- olevba: initialize VBA_Parser.xlm_macros (fixes #433)
- various fixes (PR #446)
- olevba and msodde now handle documents encrypted with common passwords such
as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.
- 2019-04-09 v0.54.1:
- olevba: decompress_stream now accepts both bytes and bytearray (fixes #422)
How to install/update with pip: https://github.com/decalage2/oletools/wiki/Install
oletools v0.54
Main changes in oletools 0.54:
- olevba, msodde: added support for encrypted MS Office files
- olevba: added detection and extraction of XLM/XLF Excel 4 macros
- olevba, mraptor: added detection of VBA running Excel 4 macros
- olevba: detect and display special characters such as backspace
- olevba: colorized output showing suspicious keywords in the VBA code
- olevba, mraptor: full Python 3 compatibility, no separate olevba3/mraptor3 anymore
- olevba: improved handling of code pages and unicode
- olevba: fixed a false-positive in VBA macro detection
- rtfobj: improved OLE Package handling, improved Equation object detection
- oleobj: added detection of external links to objects in OpenXML
- replaced third party packages by PyPI dependencies
How to install with pip: https://github.com/decalage2/oletools/wiki/Install