Oletools

- **2024-07-02 v0.60.2**:
- olevba:
- fixed a bug in open_slk (issue 797, PR 769)
- fixed a bug due to new PROJECTCOMPATVERSION record in dir stream (PR 723, issues 700, 701, 725, 791, 808, 811, 833)
- oleobj: fixed SyntaxError with Python 3.12 (PR 855), SyntaxWarning (PR 774)
- rtfobj: fixed SyntaxError with Python 3.12 (PR 854)
- clsid: added CLSIDs for MSI, Zed
- ftguess: added MSI, PNG and OneNote formats
- pyxswf: fixed python 3.12 compatibility (PR 841, issue 813)
- setup/requirements: allow pyparsing 3 to solve install issues (PR 812, issue 762)

- olevba:
- fixed a bug when calling XLMMacroDeobfuscator (PR 737)
- removed keyword "sample" causing false positives
- oleid: fixed OleID init issue (issue 695, PR 696)
- oleobj:
- added simple detection of CVE-2021-40444 initial stage
- added detection for customUI onLoad
- improved handling of incorrect filenames in OLE package (PR 451)
- rtfobj: fixed code to find URLs in OLE2Link objects for Py3 (issue 692)
- ftguess:
- added PowerPoint and XPS formats (PR 716)
- fixed issue with XPS and malformed documents (issue 711)
- added XLSB format (issue 758)
- improved logging with common module log_helper (PR 449)

More details about fixed issues and improvements in 0.60: https://github.com/decalage2/oletools/milestone/10?closed=1

- **2021-06-02 v0.60**:
- ftguess: new tool to identify file formats and containers (issue 680)
- oleid: (issue 679)
- each indicator now has a risk level
- calls ftguess to identify file formats
- calls olevba+mraptor to detect and analyse VBA+XLM macros
- olevba:
- when XLMMacroDeobfuscator is available, use it to extract and deobfuscate XLM macros
- rtfobj:
- use ftguess to identify file type of OLE Package (issue 682)
- fixed bug in re_executable_extensions
- crypto: added PowerPoint transparent password '/01Hannes Ruescher/01' (issue 627)
- setup: XLMMacroDeobfuscator, xlrd2 and pyxlsb2 added as optional dependencies

More details about fixed issues and improvements in 0.60: https://github.com/decalage2/oletools/milestone/10?closed=1

- **2021-05-07 v0.56.2**:
- olevba:
- updated plugin_biff to v0.0.22 to fix a bug (issues 647, 674)
- olevba, mraptor:
- added detection of Workbook_BeforeClose (issue 518)
- rtfobj:
- fixed bug when OLE package class name ends with null characters (issue 507, PR 648)
- oleid:
- fixed bug in check_excel (issue 584, PR 585)
- clsid:
- added several CLSIDs related to MS Office click-to-run issue CVE-2021-27058
- added checks to ensure that all CLSIDs are uppercase (PR 678)

More details about fixed issues and improvements in 0.56: https://github.com/decalage2/oletools/milestone/9?closed=1

- **2021-04-02 v0.56.1**:
- olevba:
- fixed bug when parsing some malformed files (issue 629)
- oleobj:
- fixed bug preventing detection of links 'externalReference', 'frame',
'hyperlink' (issue 641, PR 670)
- setup:
- avoid installing msoffcrypto-tool when platform is PyPy+Windows (issue 473)
- PyPI version is now a wheel package to improve installation and avoid antivirus
false positives due to test files (issues 215, 398)

More details about fixed issues and improvements in 0.56: https://github.com/decalage2/oletools/milestone/9?closed=1

- **2020-09-28 v0.56**:
- olevba/mraptor:
- added detection of trigger _OnConnecting
- olevba:
- updated plugin_biff to v0.0.17 to improve Excel 4/XLM macros parsing
- added simple analysis of Excel 4/XLM macros in XLSM files (PR 569)
- added detection of template injection (PR 569)
- added detection of many suspicious keywords (PR 591 and 569, see https://www.certego.net/en/news/advanced-vba-macros/)
- improved MHT detection (PR 532)
- added --no-xlm option to disable Excel 4/XLM macros parsing (PR 532)
- fixed bug when decompressing raw chunks in VBA (issue 575)
- fixed bug with email package due to monkeypatch for MHT parsing (issue 602, PR 604)
- fixed option --relaxed (issue 596, PR 595)
- enabled relaxed mode by default (issues 477, 593)
- fixed detect_vba_macros to always return VBA code as
unicode on Python 3 (issues 455, 477, 587, 593)
- replaced option --pcode by --show-pcode and --no-pcode,
replaced optparse by argparse (PR 479)
- oleform: improved form parsing (PR 532)
- oleobj: "Ole10Native" is now case insensitive (issue 541)
- clsid: added PDF (issue 552), Microsoft Word Picture (issue 571)
- ppt_parser: fixed bug on Python 3 (issues 177, 607, PR 450)

How to install with pip: https://github.com/decalage2/oletools/wiki/Install