Clone this wiki locally
2016-11-01 v0.50: all oletools now support python 2 and 3.
- olevba: several bugfixes and improvements.
- mraptor: improved detection, added mraptor_milter for Sendmail/Postfix integration.
- rtfobj: brand new RTF parser, obfuscation-aware, improved display, detect executable files in OLE Package objects.
- setup: now creates handy command-line scripts to run oletools from any directory.
- 2016-06-10 v0.47: olevba added PPT97 macros support, improved handling of malformed/incomplete documents, improved error handling and JSON output, now returns an exit code based on analysis results, new --relaxed option. rtfobj: improved parsing to handle obfuscated RTF documents, added -d option to set output dir. Moved repository and documentation to GitHub.
- 2016-04-19 v0.46: olevba does not deobfuscate VBA expressions by default (much faster), new option --deobf to enable it. Fixed color display bug on Windows for several tools.
- 2016-04-12 v0.45: improved rtfobj to handle several anti-analysis tricks, improved olevba to export results in JSON format.
- 2016-03-11 v0.44: improved olevba to extract and analyse strings from VBA Forms.
- 2016-03-04 v0.43: added new tool MacroRaptor (mraptor) to detect malicious macros, bugfix and slight improvements in olevba.
- 2016-02-07 v0.42: added two new tools oledir and olemap, better handling of malformed files and several bugfixes in olevba, improved display for olemeta.
- 2015-09-22 v0.41: added new --reveal option to olevba, to show the macro code with VBA strings deobfuscated.
- 2015-09-17 v0.40: Improved macro deobfuscation in olevba, to decode Hex and Base64 within VBA expressions. Display printable deobfuscated strings by default. Improved the VBA_Parser API. Improved performance. Fixed issue #23 with sys.stderr.
- 2015-06-19 v0.12: olevba can now deobfuscate VBA expressions with any combination of Chr, Asc, Val, StrReverse, Environ, +, &, using a VBA parser built with pyparsing. New options to display only the analysis results or only the macros source code. The analysis is now done on all the VBA modules at once.
- 2015-05-29 v0.11: Improved parsing of MHTML and ActiveMime/MSO files in olevba, added several suspicious keywords to VBA scanner (thanks to @ozhermit and Davy Douhine for the suggestions)
- 2015-05-06 v0.10: olevba now supports Word MHTML files with macros, aka "Single File Web Page" (.mht) - see issue #10 for more info
- 2015-03-23 v0.09: olevba now supports Word 2003 XML files, added anti-sandboxing/VM detection
- 2015-02-08 v0.08: olevba can now decode strings obfuscated with Hex/StrReverse/Base64/Dridex and extract IOCs. Added new triage mode, support for non-western codepages with olefile 0.42, improved API and display, several bugfixes.
- 2015-01-05 v0.07: improved olevba to detect suspicious keywords and IOCs in VBA macros, can now scan several files and open password-protected zip archives, added a Python API, upgraded OleFileIO_PL to olefile v0.41
- 2014-08-28 v0.06: added olevba, a new tool to extract VBA Macro source code from MS Office documents (97-2003 and 2007+). Improved documentation
- 2013-07-24 v0.05: added new tools olemeta and oletimes
- 2013-04-18 v0.04: fixed bug in rtfobj, added documentation for rtfobj
- 2012-11-09 v0.03: Improved pyxswf to extract Flash objects from RTF
- 2012-10-29 v0.02: Added oleid
- 2012-10-09 v0.01: Initial version of olebrowse and pyxswf
See also the changelog in each source file for more details.