oletimes

decalage2 edited this page Feb 18, 2018 · 3 revisions

oletimes is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract creation and modification times of all streams and storages in the OLE file.

It is part of the python-oletools package.

Usage

oletimes.py <file>

Example

Checking the malware sample DIAN_caso-5415.doc:

>oletimes.py DIAN_caso-5415.doc

+----------------------------+---------------------+---------------------+
| Stream/Storage name        | Modification Time   | Creation Time       |
+----------------------------+---------------------+---------------------+
| Root                       | 2014-05-14 12:45:24 | None                |
| '\x01CompObj'              | None                | None                |
| '\x05DocumentSummaryInform | None                | None                |
| ation'                     |                     |                     |
| '\x05SummaryInformation'   | None                | None                |
| '1Table'                   | None                | None                |
| 'Data'                     | None                | None                |
| 'Macros'                   | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 |
| 'Macros/PROJECT'           | None                | None                |
| 'Macros/PROJECTwm'         | None                | None                |
| 'Macros/VBA'               | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 |
| 'Macros/VBA/ThisDocument'  | None                | None                |
| 'Macros/VBA/_VBA_PROJECT'  | None                | None                |
| 'Macros/VBA/__SRP_0'       | None                | None                |
| 'Macros/VBA/__SRP_1'       | None                | None                |
| 'Macros/VBA/__SRP_2'       | None                | None                |
| 'Macros/VBA/__SRP_3'       | None                | None                |
| 'Macros/VBA/dir'           | None                | None                |
| 'WordDocument'             | None                | None                |
+----------------------------+---------------------+---------------------+
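Where the two time columns come from, as an added example (not code from oletools): in the OLE (Compound File Binary) format each stream or storage has a 128-byte directory entry holding two 64-bit FILETIME fields, and a field of zero carries no timestamp, which corresponds to the None cells above. The entries parsed here are constructed sample data mirroring two rows of the table, and the function names are this example's own.

```python
import struct
from datetime import datetime, timedelta

# MS-CFB directory entry (128 bytes, little-endian): name(64) name_len type color
# left right child clsid(16) state ctime mtime start_sector size
ENTRY = struct.Struct("<64sHBBIII16sIQQIQ")
EPOCH = datetime(1601, 1, 1)  # FILETIME epoch (UTC)
TYPES = {1: "storage", 2: "stream", 5: "root"}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601) to datetime; None if unset or out of range."""
    if ft == 0:
        return None
    try:
        return EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:  # malformed value beyond datetime's range
        return None


def parse_entry(raw):
    """Decode one directory entry into (name, type, mtime, ctime)."""
    if len(raw) != ENTRY.size:
        raise ValueError("directory entry must be 128 bytes")
    name, name_len, typ, *_, ctime, mtime, _sec, _size = ENTRY.unpack(raw)
    if not 2 <= name_len <= 64 or name_len % 2:
        raise ValueError("invalid name length")
    text = name[:name_len - 2].decode("utf-16-le")  # drop the NUL terminator
    return (text, TYPES.get(typ, "unknown"),
            filetime_to_datetime(mtime), filetime_to_datetime(ctime))


def build_entry(name, typ, ctime=0, mtime=0):
    """Pack a constructed directory entry (sample input for this demo)."""
    enc = (name + "\0").encode("utf-16-le")
    return ENTRY.pack(enc, len(enc), typ, 1, *[0xFFFFFFFF] * 3,  # no siblings/child
                      b"\0" * 16, 0, ctime, mtime, 0, 0)


def sample_entries():
    """Two constructed entries mirroring the 'Macros' and 'WordDocument' rows."""
    stamp = datetime(2014, 5, 14, 12, 45, 24)
    ft = (stamp - EPOCH) // timedelta(microseconds=1) * 10
    return [build_entry("Macros", 1, ctime=ft, mtime=ft),
            build_entry("WordDocument", 2)]


if __name__ == "__main__":
    for raw in sample_entries():
        print(parse_entry(raw))
```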

How to use oletimes in Python applications

TODO

