Articles and tools about Python, Cyber Security and more.

olevba - a tool to extract VBA Macro source code from MS Office documents (OLE and OpenXML)

olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text, decode malware obfuscation (Hex/Base64/StrReverse/Dridex) and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, and potential IOCs (IP addresses, URLs, executable filenames, etc). It is part of the python-oletools package.

Weaponized MS Office 97-2003 legacy/binary formats (doc, xls, ppt, ...)

This article describes the Microsoft Office 97-2003 legacy/binary file formats (doc, xls, ppt), related security issues and useful resources.

Tools to extract VBA Macro source code from MS Office Documents

This article presents several tools that can be used to extract VBA Macros source code from MS Office Documents, for malware analysis and forensics. It also provides an overview of how VBA Macros are stored.

oletimes - a tool to extract creation and modification timestamps of all streams and storages in OLE files

oletimes is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract creation and modification times of all streams and storages in the OLE file. It is part of the python-oletools package.

olemeta - a tool to extract all standard properties (metadata) from OLE files such as MS Office

olemeta is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract all standard properties present in the OLE file. It is part of the python-oletools package.

OleFileIO_PL: Experimental write features

Since version 0.32, OleFileIO_PL comes with experimental write features. For now it is possible to write sectors, and to write over an existing stream. More features will be added over time.

File Scanning Frameworks for Malware Analysis and Incident Response

This article presents several new open source frameworks meant to simplify static file scanning for malware analysis and incident response: MASTIFF, Viper, IRMA and a few others. Their goal is to provide an extensible framework to integrate many existing scanning tools.

How to convert Signsrch/Clamsrch signatures to Yara

This article explains how I converted Signsrch signatures to Yara rules, in order to include them in my tool Balbuzard. Signsrch signatures are useful for malware analysis, to detect standard constants used in many encryption and compression algorithms, and also some anti-debugging code.

Balbuzard - malware analysis tools to extract patterns of interest and crack obfuscation such as XOR

Balbuzard is a package of malware analysis tools in python to extract patterns from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc). It can also crack malware obfuscation such as XOR, ROL, etc by bruteforcing and checking for those patterns.

Weaponized PDF

This article describes the PDF file format, related security issues and useful resources. [WORK IN PROGRESS]

Syndicate content