This is a substitution cipher detector & decoder plugin for Microsoft Office documents. Essentially, this is Sigpedia for Macros. What I'm trying to say is I think you'll find this helpful if you can navigate all the trolling. Feb 2017 Update: This now supports PointsToInches character encoding (new FIN8 technique)!
Usage: python oledump.py -p plugin_officecrackros <path/to/file.doc>
- Please understand that, like all good hacked-together tools, I stopped as soon as it worked - with much room for improvement
- If you found the tool helpful, let me know @itsreallynick
- oledump
- Didier Stevens, who is awesome, created this tool
- oledump has been included in this repository
- https://github.com/DidierStevens/DidierStevensSuite/blob/master/oledump.py
- oledump requires the olefile python library:
    easy_install olefile
- Malicious Microsoft Office Document using encoded macros
- Specifically: the macro substitution noise used by FIN8; also seen in Nymaim ransomware delivery
- Try it yourself:
CRUSH IT.
- Remove extraneous text in multi-line matches (improve the regular expressions)
- Add back in substitution / dropchar detection based on character histogramming
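As an added illustration (not the plugin's own code), here is a small Python sketch of the two ideas this README mentions: decoding the PointsToInches character encoding and the histogram-based drop-character detection listed above as a to-do. It assumes the encoding takes the form Chr(PointsToInches(N)) with N = 72 * character code (PointsToInches divides by 72); the macro text is constructed, not taken from a real sample.

```python
import re
from collections import Counter

# Constructed sample macro (not from any real document). Line "a" uses the assumed
# Chr(PointsToInches(N)) form; line "b" pads a literal with a junk "drop" character.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim a As String, b As String
    a = Chr(PointsToInches(5976)) & Chr(PointsToInches(7488)) & Chr(PointsToInches(7272)) & Chr(PointsToInches(7776)) & Chr(PointsToInches(7776))
    b = Replace("W#S#c#r#i#p#t#.#S#h#e#l#l", "#", "")
End Sub
'''

# PointsToInches(N) = N / 72; Chr() then rounds the Double to an Integer
# (half-to-even, which Python's round() also does).
PTI_RE = re.compile(r'Chr\(\s*PointsToInches\(\s*(\d+(?:\.\d+)?)\s*\)\s*\)', re.I)
STRING_RE = re.compile(r'"((?:[^"]|"")*)"')   # VBA string literal; "" escapes a quote

def decode_points_to_inches(vba):
    """Return one decoded string per macro line containing Chr(PointsToInches(N))."""
    out = []
    for line in vba.splitlines():
        nums = PTI_RE.findall(line)
        if nums:
            out.append(''.join(chr(round(float(n) / 72)) for n in nums))
    return out

def find_drop_char(s, min_ratio=0.3):
    """Histogram check: the most frequent character is a likely inserted junk
    character if it is not alphanumeric/space and makes up >= min_ratio of s."""
    if len(s) < 8:
        return None
    ch, count = Counter(s).most_common(1)[0]
    if count / len(s) >= min_ratio and not ch.isalnum() and not ch.isspace():
        return ch
    return None

def decode_drop_char_strings(vba):
    """Return (original, cleaned) for each string literal that has a drop char."""
    out = []
    for lit in STRING_RE.findall(vba):
        lit = lit.replace('""', '"')
        ch = find_drop_char(lit)
        if ch:
            out.append((lit, lit.replace(ch, '')))
    return out

if __name__ == '__main__':
    print(decode_points_to_inches(SAMPLE_VBA))   # ['Shell']
    print(decode_drop_char_strings(SAMPLE_VBA))  # [('W#S#c#r#i#p#t#.#S#h#e#l#l', 'WScript.Shell')]
```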