decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

olevba+mraptor - detect strong encryption which hides macros #96

Open decalage2 opened 8 years ago

decalage2 commented 8 years ago

At least with strong encryption added to MS Office 2010, VBA macros are hidden in the encrypted package, and olevba/mraptor cannot detect them.

Need to detect encryption (in each format: OLE, OpenXML, XML, MHT), to identify which version of encryption is used, and whether macros are hidden or not.

olevba and mraptor should not report "no macros" when they may be hidden by encryption.

decalage2 commented 8 years ago

reference: MS-OFFCRYPTO

potential implementation: https://github.com/herumi/msoffice

decalage2 commented 6 years ago

Use https://github.com/nolze/msoffcrypto-tool to detect encryption

decalage2 commented 6 years ago

I think olevba and mraptor should report an error when strong encryption is detected, since the presence of VBA macros cannot be confirmed.
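Added example, not part of the issue thread and not oletools code: a sketch of the check discussed above for the ECMA-376 case only, where the encrypted document is an OLE container holding `EncryptionInfo` and `EncryptedPackage` streams. The version pairs are the EncryptionVersionInfo values from MS-OFFCRYPTO; the function names, status strings and sample bytes are assumptions made for illustration, and `load_streams` relies on the third-party `olefile` package.

```python
import struct

def classify_encryption_info(data: bytes) -> str:
    """Name the scheme from the first 4 bytes (vMajor, vMinor) of EncryptionInfo."""
    if len(data) < 4:
        return "unknown (truncated EncryptionInfo)"
    major, minor = struct.unpack_from("<HH", data, 0)
    if (major, minor) == (4, 4):
        return "agile"
    if major in (3, 4) and minor == 3:
        return "extensible"
    if major in (2, 3, 4) and minor == 2:
        return "standard"
    return f"unknown (version {major}.{minor})"

def macro_scan_status(streams: dict) -> str:
    """Decide what a macro scanner may claim, given {stream name: bytes}."""
    names = {name.lower(): data for name, data in streams.items()}
    if "encryptedpackage" in names:
        scheme = classify_encryption_info(names.get("encryptioninfo", b""))
        # The real document, macros included, sits inside EncryptedPackage,
        # so "no macros" would be a false negative here.
        return f"error: encrypted package ({scheme}), macros cannot be confirmed"
    return "no encrypted package found, macro scan result is meaningful"

def load_streams(path: str) -> dict:
    """Read the two relevant root streams with olefile (imported lazily)."""
    import olefile
    found = {}
    with olefile.OleFileIO(path) as ole:
        for name in ("EncryptionInfo", "EncryptedPackage"):
            if ole.exists(name):
                found[name] = ole.openstream(name).read(8)
    return found

# Constructed sample headers, not taken from real documents.
AGILE_SAMPLE = struct.pack("<HHI", 4, 4, 0x40) + b"<?xml"
STANDARD_SAMPLE = struct.pack("<HHI", 4, 2, 0x24)

if __name__ == "__main__":
    print(macro_scan_status({"EncryptionInfo": AGILE_SAMPLE, "EncryptedPackage": b""}))
    print(macro_scan_status({"WordDocument": b"", "Macros/VBA/dir": b""}))
```

Legacy OLE encryption of individual streams and the XML and MHT formats named in the issue are not covered by this sketch.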