decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

olevba, oleid: add detection for CustomXML parts #785

Open decalage2 opened 1 year ago

decalage2 commented 1 year ago

See https://inquest.net/blog/2022/10/03/hiding-xml for an example of VBA macro using CustomXML to store a payload.

Also a new keyword ActiveDocument.CustomXMLParts to be added: https://learn.microsoft.com/en-us/office/vba/api/Office.CustomXMLParts

mgeeky commented 1 year ago

Another sample & VBA snippet worth taking a look at ¯\_(ツ)_/¯

https://github.com/mgeeky/CustomXMLPart
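As an added illustration of the detection the issue asks for (this is example code written here, not oletools' own olevba/oleid implementation): list the `customXml/item*.xml` parts shipped inside an OOXML container, flag VBA source that references the `CustomXMLParts` API, and combine the two signals. The regexes, function names and the in-memory sample document/VBA are assumptions constructed for this example.

```python
import io
import re
import zipfile

# Hypothetical keyword check mirroring the issue's proposal: flag VBA source that
# touches the CustomXMLParts API (e.g. ActiveDocument.CustomXMLParts).
CUSTOMXML_API = re.compile(r"\bCustomXMLParts\b", re.IGNORECASE)
# Data parts only: customXml/item1.xml, item2.xml, ... (itemPropsN.xml is metadata).
CUSTOMXML_DATA_PART = re.compile(r"^customxml/item\d+\.xml$", re.IGNORECASE)

def find_customxml_parts(ooxml_bytes):
    """Map each customXml data part in an OOXML zip to its uncompressed size."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for info in zf.infolist():
            if CUSTOMXML_DATA_PART.match(info.filename):
                found[info.filename] = info.file_size
    return found

def vba_customxml_refs(vba_source):
    """Return 1-based line numbers of VBA lines that reference CustomXMLParts."""
    return [i for i, line in enumerate(vba_source.splitlines(), 1)
            if CUSTOMXML_API.search(line)]

def assess(ooxml_bytes, vba_source):
    """Suspicious when a macro reads CustomXML parts AND the document ships some."""
    parts = find_customxml_parts(ooxml_bytes)
    refs = vba_customxml_refs(vba_source)
    return {"customxml_parts": parts, "vba_refs": refs,
            "suspicious": bool(parts) and bool(refs)}

def build_sample_docx():
    """Constructed in-memory .docx-like zip with one custom XML data part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("customXml/itemProps1.xml", "<ds:datastoreItem/>")  # metadata, ignored
        zf.writestr("customXml/item1.xml", "<root>constructed-placeholder-data</root>")
    return buf.getvalue()

# Constructed VBA snippet modelled on the keyword named in the issue.
SAMPLE_VBA = """Sub AutoOpen()
    Dim part As Object
    Set part = ActiveDocument.CustomXMLParts(ActiveDocument.CustomXMLParts.Count)
    Debug.Print part.DocumentElement.Text
End Sub"""

if __name__ == "__main__":
    print(assess(build_sample_docx(), SAMPLE_VBA))
```

In a real scan the VBA source would come from olevba's extraction of the vbaProject.bin stream rather than from an inline string.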