OLE
OLE files have many names. I've seen them being called:
- OLE2 or MS-OLE2
- Compound File Binary File (CFB)
- Compound File Binary Format (CFBF)
- Compound File
- Compound Document format
- Composite Document File V2 (CDF)
- Structured Storage
OLE serves as the file format for file types such as .doc, .xls, .msi, .rtf and more. Here you'll find a few tools to analyze them.
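Before the tools, it helps to see what they all do at the lowest level: check the 8-byte signature, load the FAT from the header's DIFAT, and walk the directory to enumerate storages and streams. The following is an added example written for this page, not code from retoolkit or from any of the tools listed below. It builds a constructed, minimal compound file in memory (so it runs offline), then parses it back; the stream name "WordDocument" and its contents are made up, and the mini stream (streams smaller than 4096 bytes) is deliberately not modelled, which is the first caveat a real parser such as oledump has to handle.

```python
import struct

# Constants from the MS-CFB specification.
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
OBJECT_TYPES = {1: "storage", 2: "stream", 5: "root"}


def build_sample_cfb(stream_name, data):
    """Assemble a constructed, minimal version-3 compound file (test fixture only):
    sector 0 = FAT, sector 1 = directory, sectors 2.. = the stream's data.
    The stream must be >= 4096 bytes so it lives in the FAT, not the mini stream."""
    if len(data) < 4096:
        raise ValueError("sample stream must be >= 4096 bytes (mini stream not modelled)")
    n_data = -(-len(data) // 512)
    # FAT: sector 0 is the FAT itself, sector 1 is the one-sector directory chain,
    # then a linked chain for the data sectors that ends in ENDOFCHAIN.
    fat = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(n_data - 1)] + [ENDOFCHAIN]
    fat += [FREESECT] * (128 - len(fat))

    def entry(name, obj_type, child, start, size):
        raw_name = name.encode("utf-16-le") + b"\0\0"
        return (raw_name.ljust(64, b"\0")
                + struct.pack("<HBBIII", len(raw_name), obj_type, 0, NOSTREAM, NOSTREAM, child)
                + b"\0" * 16                                    # CLSID
                + struct.pack("<IQQIQ", 0, 0, 0, start, size))  # state, ctime, mtime, start, size

    directory = (entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + entry(stream_name, 2, NOSTREAM, 2, len(data))).ljust(512, b"\0")
    header = (MAGIC + b"\0" * 16
              + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + b"\0" * 6  # versions, byte order, shifts
              + struct.pack("<IIIIIIII", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
              + struct.pack("<II", 0, 0)                                  # DIFAT sector count, DIFAT[0] = sector 0
              + struct.pack("<108I", *[FREESECT] * 108))
    return header + struct.pack("<128I", *fat) + directory + data.ljust(n_data * 512, b"\0")


def parse_cfb(blob):
    """Validate the header, load the FAT and walk the directory; returns (sector_size, fat, entries)."""
    if blob[:8] != MAGIC:
        raise ValueError("not an OLE/CFB file: bad signature")
    sector_size = 1 << struct.unpack_from("<H", blob, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", blob, 0x2C)
    difat = struct.unpack_from("<109I", blob, 0x4C)[:n_fat]  # header DIFAT only; DIFAT sectors not handled

    def sector(n):
        off = (n + 1) * sector_size  # sector 0 starts right after the header
        return blob[off:off + sector_size]

    fat = []
    for s in difat:
        fat.extend(struct.unpack("<%dI" % (sector_size // 4), sector(s)))

    entries, s = [], first_dir
    for _ in range(len(fat)):  # bounded walk: a malformed FAT must not loop forever
        if s in (ENDOFCHAIN, FREESECT) or s >= len(fat):
            break
        sec = sector(s)
        for off in range(0, sector_size, 128):
            raw = sec[off:off + 128]
            name_len, obj_type = struct.unpack_from("<HB", raw, 64)
            if obj_type == 0:  # unallocated directory entry
                continue
            name = raw[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            start, size = struct.unpack_from("<IQ", raw, 116)
            entries.append({"name": name, "type": OBJECT_TYPES.get(obj_type, "unknown"),
                            "start": start, "size": size})
        s = fat[s]
    return sector_size, fat, entries


def read_stream(blob, sector_size, fat, entry):
    """Follow a FAT-backed stream chain; streams < 4096 bytes live in the mini stream (not handled)."""
    out, s = bytearray(), entry["start"]
    for _ in range(len(fat)):
        if s in (ENDOFCHAIN, FREESECT) or s >= len(fat):
            break
        off = (s + 1) * sector_size
        out += blob[off:off + sector_size]
        s = fat[s]
    return bytes(out[:entry["size"]])


if __name__ == "__main__":
    sample = build_sample_cfb("WordDocument", b"constructed sample stream data " * 140)
    sector_size, fat, entries = parse_cfb(sample)
    for e in entries:
        print(f'{e["type"]:8} {e["name"]:20} start={e["start"]} size={e["size"]}')
```

The bounded loops matter when you point this at untrusted samples: a crafted FAT with a cycle, or a sector index past the end of the file, is exactly the kind of malformed input that would hang or crash a naive parser, and oledump/oleid carry the same guards.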
Less MSIérables
Also known as lessmsi, it is both a CLI and GUI tool to analyze Windows Installer (MSI) files. These files are basically relational databases containing tables with columns and rows. Some tables are particularly useful for malware analysts looking for malicious code in MSI files. To list all tables of an MSI file, use the following command:
C:\> lessmsi.exe l -t _Tables file.msi
Name,
AdminExecuteSequence,
Condition,
AdvtExecuteSequence,
PatchPackage,
Patch,
FeatureComponents,
_Validation,
ComboBox,
Property,
Component,
Control,
Dialog,
CheckBox,
Binary,
Registry,
TextStyle,
Upgrade,
RadioButton,
Media,
Directory,
CustomAction,
Error,
EventMapping,
ActionText,
AdminUISequence,
InstallExecuteSequence,
BootstrapperUISequence,
ListBox,
InstallUISequence,
LaunchCondition,
ListView,
ControlEvent,
ControlCondition,
Feature,
CreateFolder,
File,
Icon,
UIText,
The CustomAction table is commonly used by malware authors to execute code. By listing its entries, you'll probably find what you're looking for:
C:\> lessmsi.exe l -t CustomAction file.msi
You should also check the Property table entries, as they can help you to find common patterns among MSI samples:
C:\> lessmsi.exe l -t Property file.msi
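The Type column of the CustomAction table is where the triage information sits: the low six bits give the base type (DLL or EXE from the Binary table, VBScript/JScript text stored inline, EXE from a property, and so on) and the higher bits are option flags such as deferred execution and no-impersonate (run as SYSTEM). The script below is an added example, not part of retoolkit or lessmsi, that decodes that column and ranks rows for review. It assumes the listing has been saved as CSV in the same shape as the _Tables output above (header line, one row per action, trailing comma); the SAMPLE rows are constructed and the risk heuristic is this example's own.

```python
import csv
import io

# Base custom action types (low 6 bits of the Type column), per the Windows Installer docs.
BASE_TYPES = {
    1: "DLL from Binary table", 2: "EXE from Binary table",
    5: "JScript from Binary table", 6: "VBScript from Binary table",
    17: "DLL installed with product", 18: "EXE installed with product",
    19: "Error message", 21: "JScript installed with product", 22: "VBScript installed with product",
    34: "EXE with working directory", 35: "Set directory",
    37: "JScript text in table", 38: "VBScript text in table",
    50: "EXE from property", 51: "Set property",
    53: "JScript from property", 54: "VBScript from property",
}
# Option flags OR'ed into Type above the base value.
FLAGS = [
    (0x40, "continue"), (0x80, "async"), (0x100, "rollback"), (0x200, "commit"),
    (0x400, "deferred"), (0x800, "no-impersonate"), (0x1000, "64-bit-script"),
    (0x2000, "hide-target"), (0x4000, "ts-aware"),
]
SCRIPT_TEXT_TYPES = {37, 38, 53, 54}          # script body carried in the table or a property
EXEC_TYPES = {1, 2, 5, 6, 17, 18, 21, 22, 34, 50} | SCRIPT_TEXT_TYPES


def decode_type(type_value):
    """Split a CustomAction Type value into (base type, [flag names])."""
    base = type_value & 0x3F
    flags = [name for bit, name in FLAGS if type_value & bit]
    return base, flags


def assess(base, flags):
    """Triage heuristic (this example's own): code execution as SYSTEM, inline script
    text, or a hidden target is 'high'; any other code execution is 'medium'."""
    if base not in EXEC_TYPES:
        return "low"
    if "no-impersonate" in flags or "hide-target" in flags or base in SCRIPT_TEXT_TYPES:
        return "high"
    return "medium"


def triage_custom_actions(csv_text):
    """Parse lessmsi-style CSV output of the CustomAction table and score each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            type_value = int(row["Type"])
        except (KeyError, ValueError):
            continue  # skip malformed rows rather than abort the whole listing
        base, flags = decode_type(type_value)
        rows.append({
            "action": row.get("Action", ""),
            "base": base,
            "kind": BASE_TYPES.get(base, "unknown base type %d" % base),
            "flags": flags,
            "target": row.get("Target", ""),
            "risk": assess(base, flags),
        })
    return rows


# Constructed sample in the shape of `lessmsi.exe l -t CustomAction file.msi` output;
# the actions, paths and script placeholder are made up, not from a real package.
SAMPLE = """Action,Type,Source,Target,ExtendedType,
SetTARGETDIR,51,TARGETDIR,[ProgramFilesFolder][Manufacturer],,
LaunchHelper,1058,,[INSTALLDIR]helper.exe,,
RunScript,3110,,constructed VBScript body placeholder,,
ShowError,19,,Installation failed,,
"""

if __name__ == "__main__":
    for r in triage_custom_actions(SAMPLE):
        print(f'{r["risk"]:6} {r["action"]:15} {r["kind"]:32} {"|".join(r["flags"])}')
```

Reading the sample: 3110 is 0xC26, so base type 38 (VBScript text stored in the table) with the deferred and no-impersonate bits set, which is the combination that runs an inline script in the SYSTEM context during the install transaction; 1058 is 0x422, base type 34 (launch an EXE) deferred but impersonated. Property-driven actions (types 50, 53, 54) are a reason to cross-check the Property table listing, since the Target there is only a property name.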
OfficeMalScanner
Still a great tool to analyse Microsoft Office documents. It can extract macros and payloads. Open a Command Prompt and type:
OfficeMalScanner
oledump
CLI program to analyze OLE files, extract streams, etc. To access it, go to retoolkit -> Programming -> Python Command Prompt and type:
cd oledump
python oledump.py -h
oletools
Set of tools to analyze OLE files. To start, open retoolkit -> Programming -> Python Command Prompt and type:
oleid -h
Structured Storage Viewer
Also known as SSView or SSV, it's a GUI program to analyze OLE files, extract streams, etc. It can be a bit buggy sometimes, but it works. If you are analyzing MSI files, be aware that they support CustomAction tables. Both SSView and 7-Zip are able to extract streams from an MSI package.
XLMMacroDeobfuscator
Decodes obfuscated XLM macros (also known as Excel 4.0 macros). To use it, go to retoolkit -> Programming -> Python Command Prompt and type:
xlmdeobfuscator -h