decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

Olevba: Add switch parameter to choose either XLMMacroDeobfuscator or plugin_biff for XLM-macros analysis #748

Open antmaxi opened 2 years ago

antmaxi commented 2 years ago

At the moment XLMMacroDeobfuscator can't process files like .slk (it is not a supported file extension there).

However, if XLMMacroDeobfuscator is installed, it is automatically used for XLM analysis in the current code, so one can't choose to use plugin_biff (one can only disable XLM analysis fully with --no-xlm): https://github.com/decalage2/oletools/blob/dfbcabb957644769d17dfbb367eb3a52167c0506/oletools/olevba.py#L321

Because of that, either .slk or xlsb+ files are not processed in any case, missing some possible malware.

I suggest having a command line parameter that allows one to choose explicitly what to use for XLM processing.

decalage2 commented 2 years ago

OK, I need to rewrite the processing of XLM Macros, to fall back to plugin_biff/SLK parsing/XML parsing when XLMMacroDeobfuscator fails. And indeed, it could be useful to have a CLI parameter to control which parser is used.
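The selection logic the two comments above describe (an explicit CLI switch, plus automatic fallback to plugin_biff when XLMMacroDeobfuscator is missing, does not support the file's extension, or fails) can be sketched as a small dispatcher. This is an added example, not code from oletools or from either commenter. The backend functions are constructed stand-ins for XLMMacroDeobfuscator and plugin_biff, the `--xlm-parser` option name and its values are assumptions, and the supported-extension sets are assumptions drawn from the issue text (.slk unsupported by the deobfuscator).

```python
"""Added example: XLM parser selection with an explicit switch and fallback.
Not oletools code; backends are constructed stand-ins."""
import argparse
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Assumed extension support, based only on the issue text: the deobfuscator
# does not handle SYLK (.slk); plugin_biff handles BIFF and SYLK but not xlsb.
DEOBFUSCATOR_EXTS: Set[str] = {".xls", ".xlsm", ".xlsb"}
BIFF_EXTS: Set[str] = {".xls", ".slk"}


@dataclass
class Backend:
    name: str
    extensions: Set[str]
    available: bool                      # e.g. optional dependency installed?
    run: Callable[[str], List[str]]      # returns extracted XLM formula lines


def _stand_in_deobfuscator(path: str) -> List[str]:
    # Constructed stand-in for XLMMacroDeobfuscator, not its real API.
    return [f"[deobfuscator] decoded XLM formulas from {os.path.basename(path)}"]


def _stand_in_biff(path: str) -> List[str]:
    # Constructed stand-in for plugin_biff, not its real API.
    return [f"[plugin_biff] raw XLM records from {os.path.basename(path)}"]


def _always_fails(path: str) -> List[str]:
    # Simulates the "XLMMacroDeobfuscator fails" case the maintainer mentions.
    raise ValueError("simulated deobfuscation error")


def make_backends(deobfuscator_installed: bool,
                  deobfuscator_fails: bool = False) -> Dict[str, Backend]:
    """Build the backend table; flags let callers simulate the failure modes."""
    deob_run = _always_fails if deobfuscator_fails else _stand_in_deobfuscator
    return {
        "deobfuscator": Backend("deobfuscator", DEOBFUSCATOR_EXTS,
                                deobfuscator_installed, deob_run),
        "biff": Backend("biff", BIFF_EXTS, True, _stand_in_biff),
    }


def analyze_xlm(path: str, choice: str,
                backends: Dict[str, Backend]) -> Tuple[str, List[str]]:
    """Return (backend_used, results).

    choice == "auto": try the deobfuscator first, then fall back to plugin_biff.
    An explicit choice is honoured strictly: if that backend cannot handle the
    file, raise instead of silently switching, so the analyst knows which
    parser actually produced the output.
    """
    if choice == "none":                 # equivalent of --no-xlm
        return "none", []
    ext = os.path.splitext(path)[1].lower()
    order = ["deobfuscator", "biff"] if choice == "auto" else [choice]
    errors: List[str] = []
    for name in order:
        backend = backends[name]
        if not backend.available:
            errors.append(f"{name}: not installed")
            continue
        if ext not in backend.extensions:
            errors.append(f"{name}: does not support {ext or '(no extension)'}")
            continue
        try:
            return name, backend.run(path)
        except Exception as exc:         # any backend failure triggers fallback
            errors.append(f"{name}: failed ({exc})")
    raise RuntimeError(f"no XLM parser could process {path}: " + "; ".join(errors))


def build_cli() -> argparse.ArgumentParser:
    """Hypothetical --xlm-parser switch (name and values are assumptions)."""
    parser = argparse.ArgumentParser(prog="xlm-dispatch-example")
    parser.add_argument("file")
    parser.add_argument("--xlm-parser",
                        choices=["auto", "deobfuscator", "biff", "none"],
                        default="auto",
                        help="which XLM macro parser to use; auto falls back "
                             "from the deobfuscator to plugin_biff")
    return parser


def main(argv=None) -> int:
    args = build_cli().parse_args(argv)
    backends = make_backends(deobfuscator_installed=True)
    used, lines = analyze_xlm(args.file, args.xlm_parser, backends)
    print(f"parser used: {used}")
    for line in lines:
        print(line)
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

With `auto`, a .slk sample is routed to the plugin_biff stand-in because the deobfuscator declares no support for it, and a deobfuscator exception also drops through to plugin_biff; forcing `--xlm-parser deobfuscator` on a .slk file raises with the collected reasons rather than quietly switching parsers.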