Oletools

Latest version: v0.60.2


0.55

- olevba:
  - added support for SLK files and XLM macro extraction from SLK
  - VBA Stomping detection
  - integrated pcodedmp to extract and disassemble P-code
  - detection of suspicious keywords and IOCs in P-code
  - new option --pcode to display P-code disassembly
  - improved detection of auto execution triggers
- rtfobj: added URL carver for CVE-2017-0199
- better handling of unicode for systems with locale that does not support UTF-8, e.g. LANG=C (PR 365)
- tests:
  - test files can now be encrypted, to avoid antivirus alerts (PR 217, issue 215)
  - tests that trigger antivirus alerts have been temporarily disabled (issue 215)

How to install with pip: https://github.com/decalage2/oletools/wiki/Install

0.54.2b

This is a bugfix release for [oletools 0.54](https://github.com/decalage2/oletools/releases/tag/v0.54).

Changes:
- **2019-05-23 v0.54.2**:
  - msoffcrypto-tool is now a required dependency (simplified install)
  - plugin_biff: fixed issues 428, 434 and 444, improved Python 3 support
  - olevba, msodde, crypto: improved handling of encrypted files (PR 441)
  - olevba: initialize VBA_Parser.xlm_macros (fixes 433)
  - various fixes (PR 446)
  - olevba and msodde now handle documents encrypted with common passwords such as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.
- **2019-04-09 v0.54.1**:
  - olevba: decompress_stream now accepts both bytes and bytearray (fixes 422)

How to install/update with pip: https://github.com/decalage2/oletools/wiki/Install

0.54

* olevba, msodde: added support for encrypted MS Office files
* olevba: added detection and extraction of XLM/XLF Excel 4 macros
* olevba, mraptor: added detection of VBA running Excel 4 macros
* olevba: detect and display special characters such as backspace
* olevba: colorized output showing suspicious keywords in the VBA code
* olevba, mraptor: full Python 3 compatibility, no separate olevba3/mraptor3 anymore
* olevba: improved handling of code pages and unicode
* olevba: fixed a false-positive in VBA macro detection
* rtfobj: improved OLE Package handling, improved Equation object detection
* oleobj: added detection of external links to objects in OpenXML
* replaced third party packages by PyPI dependencies

How to install with pip: https://github.com/decalage2/oletools/wiki/Install

0.53.1

**2018-06-13 v0.53.1**: Bugfix release
- rtfobj: fixed issue 316, whitespace after \bin on Python 3
- olevba3: fixed 320, chr instead of unichr on Python 3
- olevba3: fixed 322, import reduce from functools

0.53

- olevba and mraptor can now parse Word/PowerPoint 2007+ pure XML files (aka Flat OPC format)
- improved support for VBA forms in olevba (oleform)
- rtfobj now displays the CLSID of OLE objects, which is the best way to identify them. Known-bad CLSIDs such as MS Equation Editor are highlighted in red.
- Updated rtfobj to handle obfuscated RTF samples.
- rtfobj now handles the "\\'" obfuscation trick seen in recent samples such as https://twitter.com/buffaloverflow/status/989798880295444480, by emulating the MS Word bug described in https://securelist.com/disappearing-bytes/84017/
- msodde: improved detection of DDE formulas in CSV files
- oledir now displays the tree of storage/streams, along with CLSIDs and their meaning.
- common.clsid contains the list of known CLSIDs, and their links to CVE vulnerabilities when relevant.
- oleid now detects encrypted OpenXML files
- fixed bugs in oleobj, rtfobj, oleid, olevba

0.52

- New tool msodde to detect and extract DDE links from MS Office files, RTF and CSV;
- Fixed bugs in olevba, rtfobj and olefile, to better handle malformed/obfuscated files;
- Performance improvements in olevba and rtfobj;
- VBA form parsing in olevba;
- Office 2007+ support in oleobj.
