Philippe Lagadec edited this page Mar 26, 2018 · 2 revisions


msodde is a script to parse MS Office documents (e.g. Word, Excel, RTF, XML), to detect and extract DDE links such as DDEAUTO, that have been used to run malicious commands to deliver malware. It also supports CSV files, which may contain Excel formulas to run executable files using DDE (technique known as "CSV injection"). For Word documents, it can extract all the other fields, and identify suspicious ones.

Supported formats:

  • Word 97-2003 (.doc, .dot), Word 2007+ (.docx, .dotx, .docm, .dotm)
  • Excel 97-2003 (.xls), Excel 2007+ (.xlsx, .xlsm, .xlsb)
  • RTF
  • CSV (exported from / imported into Excel)
  • XML (exported from Word 2003, Word 2007+, Excel 2003, Excel 2007+)

For Word documents, msodde detects the use of QUOTE to obfuscate DDE commands (see this article), and deobfuscates it automatically.

Special thanks to Christian Herdtweck and Etienne Stalmans, who contributed large parts of the code.

msodde can be used either as a command-line tool, or as a python module from your own applications.

It is part of the python-oletools package.

References about DDE exploitation


usage: msodde [-h] [-j] [--nounquote] [-l LOGLEVEL] [-d] [-f] [-a] FILE

positional arguments:
  FILE                  path of the file to be analyzed

optional arguments:
  -h, --help            show this help message and exit
  -j, --json            Output in json format. Do not use with -ldebug
  --nounquote           don't unquote values
  -l LOGLEVEL, --loglevel LOGLEVEL
                        logging level debug/info/warning/error/critical

Filter which OpenXML field commands are returned:
  Only applies to OpenXML (e.g. docx) and rtf, not to OLE (e.g. .doc). These
  options are mutually exclusive, last option found on command line
  overwrites earlier ones.

  -d, --dde-only        Return only DDE and DDEAUTO fields
  -f, --filter          Return all fields except harmless ones
  -a, --all-fields      Return all fields, irrespective of their contents


Scan a single file:

msodde file.doc

Scan a Word document, extracting all fields:

msodde -a file.doc

How to use msodde in Python applications

This is work in progress. The API is expected to change in future versions.

python-oletools documentation

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.