setodaNote

Notes jotted down so I can forget them, for Cybersecurity

oletools - Python tools for analyzing OLE and MS Office files


Latest version at the time of checking: 2021-01-23 v0.56

Tools for analyzing malicious documents

  • oleid: analyzes OLE files to detect characteristics typically found in malicious files
  • olevba: extracts and analyzes VBA macro source code from MS Office documents (OLE and OpenXML)
  • MacroRaptor: detects malicious VBA macros
  • msodde: detects and extracts DDE / DDEAUTO links from MS Office documents, RTF and CSV
  • pyxswf: detects, extracts and analyzes Flash objects (SWF) embedded in files such as MS Office documents (Word, Excel, etc.) and RTF
  • oleobj: extracts embedded objects from OLE files
  • rtfobj: extracts embedded objects from RTF files

Tools for analyzing the structure of OLE files

  • OLEbrowse: a simple GUI for browsing OLE files (MS Word, Excel, PowerPoint documents, etc.) to view and extract individual data streams
  • olemeta: extracts all standard properties (metadata) from OLE files
  • oletimes: extracts the creation and modification timestamps of all streams and storages
  • oledir: displays all directory entries of an OLE file, including free and orphaned entries
  • olemap: displays a map of all sectors in an OLE file

Example output from actual use

  • Sample used for analysis

    • File name: oBfsC4t10n2.xls
    • MD5: 0C09FBDF98F0A6144A42FDE00FE21504
    • SHA1: BB4A594ECF90ED6B9E408C404B08620500FB4C02
    • SHA256: 1F156F86D45E28DAC74015051546305497ADB86B4E46BB7D9A84CCF5E25A12F4
  • oleid
    Output: oleid

# oleid oBfsC4t10n2.xls 
oleid 0.54 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

Filename: oBfsC4t10n2.xls
 Indicator                      Value              
 OLE format                     True               
 Has SummaryInformation stream  True               
 Application name               b'Microsoft Excel' 
 Encrypted                      False              
 Word Document                  False              
 VBA Macros                     False              
 Excel Workbook                 True               
 PowerPoint Presentation        False              
 Visio Drawing                  False              
 ObjectPool                     False              
 Flash objects                  0 
  • olevba
    ※Can analyze the file inside a password-protected zip without extracting it (-z ZIP_PASSWORD)
    ※Takes a little longer to run than the other commands.
    Output: olevba
# olevba -a oBfsC4t10n2.xls
olevba 0.56 on Python 3.8.3 - http://decalage.info/python/oletools
===============================================================================
FILE: oBfsC4t10n2.xls
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO xlm_macro.txt 
in file: xlm_macro - OLE stream: 'xlm_macro'
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Auto_Open           |Runs when the Excel Workbook is opened       |
|Suspicious|Open                |May open a file                              |
|Suspicious|CALL                |May call a DLL using Excel 4 Macros (XLM/XLF)|
|Suspicious|Windows             |May enumerate application windows (if        |
|          |                    |combined with Shell.Application object)      |
|Suspicious|FORMULA.FILL        |May modify Excel 4 Macro formulas at runtime |
|          |                    |(XLM/XLF)                                    |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|IOC       |rundll32.exe        |Executable file name                         |
+----------+--------------------+---------------------------------------------+
  • MacroRaptor
    ※Can analyze the file inside a password-protected zip without extracting it (-z ZIP_PASSWORD)
    Output: MacroRaptor
# mraptor oBfsC4t10n2.xls 
MacroRaptor 0.56 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File                                                    
----------+-----+----+--------------------------------------------------------
SUSPICIOUS|A-X  |OLE:|oBfsC4t10n2.xls                                         

Flags: A=AutoExec, W=Write, X=Execute
Exit code: 20 - SUSPICIOUS
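The Flags column and the exit code above come from MacroRaptor's simple rule: a macro is SUSPICIOUS when it runs automatically (A) and also writes files (W) or executes something (X). The following is an added example written for these notes, not MacroRaptor's own code; the keyword regexes are a small constructed subset (an assumption), and the two macro texts are constructed inputs modelled on the keywords olevba reported above, not the sample's real macro.

```python
import re
from dataclasses import dataclass

# Keyword classes behind the A/W/X flags. These regex lists are an assumption made
# for this example (a small constructed subset); MacroRaptor's own patterns are broader.
AUTOEXEC_PATTERNS = [
    r"\bAuto_?Open\b", r"\bAuto_?Close\b", r"\bWorkbook_Open\b", r"\bDocument_Open\b",
]
WRITE_PATTERNS = [
    r"\bFileCopy\b", r"\bKill\b", r"\bCreateTextFile\b", r"\bSaveToFile\b",
    r"\bOpen\b.+\bFor\s+(Output|Binary|Append)\b",
]
EXECUTE_PATTERNS = [
    r"\bShell\b", r"\bCreateObject\b", r"\bCALL\b", r"\bEXEC\b",
    r"\bREGISTER\b", r"\brundll32(\.exe)?\b",
]


@dataclass(frozen=True)
class Verdict:
    autoexec: bool
    write: bool
    execute: bool

    @property
    def flags(self) -> str:
        """Same layout as mraptor's Flags column: A=AutoExec, W=Write, X=Execute."""
        return ("A" if self.autoexec else "-") + ("W" if self.write else "-") + ("X" if self.execute else "-")

    @property
    def suspicious(self) -> bool:
        # Heuristic: code that starts by itself AND writes files or executes something.
        return self.autoexec and (self.write or self.execute)

    @property
    def exit_code(self) -> int:
        # mraptor's documented exit codes: 10 = macro present but OK, 20 = SUSPICIOUS.
        return 20 if self.suspicious else 10


def _any_match(patterns, text: str) -> bool:
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def triage_macro(text: str) -> Verdict:
    """Classify extracted macro source (VBA or XLM text) into A/W/X flags."""
    return Verdict(
        autoexec=_any_match(AUTOEXEC_PATTERNS, text),
        write=_any_match(WRITE_PATTERNS, text),
        execute=_any_match(EXECUTE_PATTERNS, text),
    )


# Constructed Excel 4.0 (XLM) macro text, loosely modelled on the keywords olevba
# reported for the sample above. It is not the sample's real macro.
SAMPLE_XLM = """\
Auto_Open
=CALL("some.dll","SomeExport","J")
="rundll32.exe"
=HALT()
"""

# Constructed benign VBA: auto-runs, but only shows a message box.
SAMPLE_VBA_BENIGN = """\
Sub Auto_Open()
    MsgBox "Hello"
End Sub
"""

if __name__ == "__main__":
    for name, text in (("xlm", SAMPLE_XLM), ("vba", SAMPLE_VBA_BENIGN)):
        v = triage_macro(text)
        label = "SUSPICIOUS" if v.suspicious else "Macro OK"
        print(f"{label:10s}|{v.flags}|{name} (exit code {v.exit_code})")
```

Running it prints `SUSPICIOUS|A-X|xlm (exit code 20)` for the constructed XLM text and `Macro OK  |A--|vba (exit code 10)` for the benign VBA, which is why a macro that only auto-runs is not enough on its own to trip the rule.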
  • msodde
    ※Nothing was detected in this sample, so the output is shown with debug logging at least.
    Output: msodde
# msodde -l debug oBfsC4t10n2.xls 
msodde 0.55 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

Opening file: oBfsC4t10n2.xls
DEBUG    Is OLE. Checking streams to see whether this is xls
DEBUG    Finding streams in ole file
DEBUG    direntry  0 Root Entry: no stream (root)
DEBUG    direntry  1 Workbook: is stream of size 833805
DEBUG    Process file as excel 2003 (xls)
DEBUG    Finding streams in ole file
DEBUG    direntry  0 Root Entry: no stream (root)
DEBUG    direntry  1 Workbook: is stream of size 833805
DEBUG    direntry  2 SummaryInformation: is stream of size 4096
DEBUG    direntry  3 DocumentSummaryInformation: is stream of size 4096
DDE Links:
  • pyxswf
    Output: pyxswf
# pyxswf oBfsC4t10n2.xls 
pyxswf 0.54 - http://decalage.info/python/oletools
Please report any issue at https://github.com/decalage2/oletools/issues


[SUMMARY] 0 SWF(s) in MD5:248281a8216a8340469ec88659ec7e1a:oBfsC4t10n2.xls
  • oleobj
    ※Can analyze the file inside a password-protected zip without extracting it (-z ZIP_PASSWORD)
    ※Nothing was detected in this sample, so the output is shown with debug logging at least.
    Output: oleobj
# oleobj -l debug oBfsC4t10n2.xls 
oleobj 0.56 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

-------------------------------------------------------------------------------
File: 'oBfsC4t10n2.xls'
DEBUG    working on file by name
DEBUG    Finding streams in ole file
DEBUG    direntry  0 Root Entry: no stream (root)
DEBUG    direntry  1 Workbook: is stream of size 833805
DEBUG    direntry  2 SummaryInformation: is stream of size 4096
DEBUG    direntry  3 DocumentSummaryInformation: is stream of size 4096
INFO     is ole file: oBfsC4t10n2.xls
DEBUG    Checking stream '\x05DocumentSummaryInformation'
DEBUG    Checking stream '\x05SummaryInformation'
DEBUG    Checking stream 'Workbook'
  • rtfobj
    ※Can analyze the file inside a password-protected zip without extracting it (-z ZIP_PASSWORD)
    ※Nothing was detected in this sample, so the output is shown with debug logging at least.
    Output: rtfobj

# rtfobj -l debug oBfsC4t10n2.xls 
rtfobj 0.55.2 on Python 3.8.3 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: 'oBfsC4t10n2.xls' - size: 849920 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object                                                     
---+----------+---------------------------------------------------------------
DEBUG    b'g' is a destination control word: starting a new destination at index 37FBh
DEBUG    b'g' is a destination control word: starting a new destination at index 1AF9Dh
DEBUG    b'g' is a destination control word: starting a new destination at index 1B484h
DEBUG    b'g' is a destination control word: starting a new destination at index 209D6h
DEBUG    b'g' is a destination control word: starting a new destination at index 2E43Dh
DEBUG    b'g' is a destination control word: starting a new destination at index 3A799h
  • olebrowse
    Output: olebrowse (main menu)
    Output: olebrowse (action menu)
    Output: olebrowse (hex viewer)

  • olemeta
    ※Can analyze the file inside a password-protected zip without extracting it (-z ZIP_PASSWORD)
    Output: olemeta
# olemeta oBfsC4t10n2.xls 
olemeta 0.54 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
FILE: oBfsC4t10n2.xls

Properties from the SummaryInformation stream:
+---------------------+------------------------------+
|Property             |Value                         |
+---------------------+------------------------------+
|codepage             |1252                          |
|author               |0xdf                          |
|last_saved_by        |0xdf                          |
|create_time          |2020-03-23 14:19:10           |
|last_saved_time      |2020-04-25 18:43:56           |
|creating_application |Microsoft Excel               |
|security             |0                             |
+---------------------+------------------------------+

Properties from the DocumentSummaryInformation stream:
+---------------------+------------------------------+
|Property             |Value                         |
+---------------------+------------------------------+
|codepage_doc         |1252                          |
|scale_crop           |False                         |
|company              |                              |
|links_dirty          |False                         |
|shared_doc           |False                         |
|hlinks_changed       |False                         |
|version              |1048576                       |
+---------------------+------------------------------+
  • oletimes
    ※Can analyze the file inside a password-protected zip without extracting it (-z ZIP_PASSWORD)
    Output: oletimes
# oletimes oBfsC4t10n2.xls 
oletimes 0.54 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
FILE: oBfsC4t10n2.xls

+----------------------------+---------------------+---------------+
| Stream/Storage name        | Modification Time   | Creation Time |
+----------------------------+---------------------+---------------+
| Root                       | 2021-01-23 07:21:27 | None          |
| '\x05DocumentSummaryInform | None                | None          |
| ation'                     |                     |               |
| '\x05SummaryInformation'   | None                | None          |
| 'Workbook'                 | None                | None          |
+----------------------------+---------------------+---------------+
  • oledir
    ※Can analyze the file inside a password-protected zip without extracting it (-z ZIP_PASSWORD)
    Output: oledir
# oledir oBfsC4t10n2.xls 
oledir 0.54 - http://decalage.info/python/oletools
OLE directory entries in file oBfsC4t10n2.xls:
----+------+-------+----------------------+-----+-----+-----+--------+------
id  |Status|Type   |Name                  |Left |Right|Child|1st Sect|Size  
----+------+-------+----------------------+-----+-----+-----+--------+------
0   |<Used>|Root   |Root Entry            |-    |-    |2    |FFFFFFFE|0     
1   |<Used>|Stream |Workbook              |-    |-    |-    |0       |833805
2   |<Used>|Stream |\x05SummaryInformation|1    |3    |-    |65D     |4096  
3   |<Used>|Stream |\x05DocumentSummaryInf|-    |-    |-    |665     |4096  
    |      |       |ormation              |     |     |     |        |      
----+----------------------------+------+--------------------------------------
id  |Name                        |Size  |CLSID                                 
----+----------------------------+------+--------------------------------------
0   |Root Entry                  |-     |00020820-0000-0000-C000-000000000046  
    |                            |      |Microsoft Microsoft Excel 97-2003     
    |                            |      |Worksheet (Excel.Sheet.8)             
3   |\x05DocumentSummaryInformati|4096  |                                      
    |on                          |      |                                      
2   |\x05SummaryInformation      |4096  |                                      
1   |Workbook                    |833805|  
  • olemap ※Supports password-protected zips (-z ZIP_PASSWORD)
    Output: olemap
# olemap oBfsC4t10n2.xls 
olemap 0.55 - http://decalage.info/python/oletools
-------------------------------------------------------------------------------
FILE: oBfsC4t10n2.xls

OLE HEADER:
+------------------------+----------------+-----------------------------------+
|Attribute               |Value           |Description                        |
+------------------------+----------------+-----------------------------------+
|OLE Signature (hex)     |D0CF11E0A1B11AE1|Should be D0CF11E0A1B11AE1         |
|Header CLSID            |                |Should be empty (0)                |
|Minor Version           |003E            |Should be 003E                     |
|Major Version           |0003            |Should be 3 or 4                   |
|Byte Order              |FFFE            |Should be FFFE (little endian)     |
|Sector Shift            |0009            |Should be 0009 or 000C             |
|# of Dir Sectors        |0               |Should be 0 if major version is 3  |
|# of FAT Sectors        |13              |                                   |
|First Dir Sector        |0000067A        |(hex)                              |
|Transaction Sig Number  |0               |Should be 0                        |
|MiniStream cutoff       |4096            |Should be 4096 bytes               |
|First MiniFAT Sector    |FFFFFFFE        |(hex)                              |
|# of MiniFAT Sectors    |0               |                                   |
|First DIFAT Sector      |FFFFFFFE        |(hex)                              |
|# of DIFAT Sectors      |0               |                                   |
+------------------------+----------------+-----------------------------------+

CALCULATED ATTRIBUTES:
+------------------------+----------------+-----------------------------------+
|Attribute               |Value           |Description                        |
+------------------------+----------------+-----------------------------------+
|Sector Size (bytes)     |512             |Should be 512 or 4096 bytes        |
|Actual File Size (bytes)|849920          |Real file size on disk             |
|Max File Size in FAT    |852480.0        |Max file size covered by FAT       |
|Extra data beyond FAT   |0               |Only if file is larger than FAT    |
|                        |                |coverage                           |
|Extra data offset in FAT|000CF800        |Offset of the 1st free sector at   |
|                        |                |end of FAT                         |
|Extra data size         |0               |Size of data starting at the 1st   |
|                        |                |free sector at end of FAT          |
+------------------------+----------------+-----------------------------------+

To display the FAT or MiniFAT structures, use options --fat or --minifat, and -h for help.
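Most of the OLE HEADER and CALCULATED ATTRIBUTES rows above are plain fixed-offset fields of the compound file header, so they can be checked with the standard library alone. The following is an added example written for these notes (not olemap's or olefile's code): it unpacks the header fields, applies the "Should be" checks olemap prints, and recomputes the FAT coverage figure. The 512-byte header it builds is constructed here from the values olemap reported for the sample; it is not the sample file's own bytes, and the DIFAT slots are left empty (an assumption), so only the header-level attributes are reproduced.

```python
import struct

OLE_SIGNATURE = bytes.fromhex("D0CF11E0A1B11AE1")
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
# Fixed header fields in file order (MS-CFB section 2.2), up to the DIFAT array at offset 76.
HEADER_FMT = "<8s16sHHHHH6sIIIIIIIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 76
FIELDS = (
    "signature", "clsid", "minor_version", "major_version", "byte_order",
    "sector_shift", "mini_sector_shift", "reserved", "num_dir_sectors",
    "num_fat_sectors", "first_dir_sector", "transaction_sig", "mini_stream_cutoff",
    "first_minifat_sector", "num_minifat_sectors", "first_difat_sector", "num_difat_sectors",
)


def parse_header(data: bytes) -> dict:
    """Unpack the fixed part of a compound file header into a dict keyed by FIELDS."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file too small to hold an OLE header")
    return dict(zip(FIELDS, struct.unpack_from(HEADER_FMT, data)))


def validate_header(h: dict) -> list:
    """Return one finding per field that deviates from what olemap expects.
    An empty list means every check passed."""
    findings = []
    if h["signature"] != OLE_SIGNATURE:
        findings.append("bad OLE signature")
    if h["clsid"] != b"\x00" * 16:
        findings.append("header CLSID should be empty")
    if h["minor_version"] != 0x003E:
        findings.append("minor version should be 003E")
    if h["major_version"] not in (3, 4):
        findings.append("major version should be 3 or 4")
    if h["byte_order"] != 0xFFFE:
        findings.append("byte order should be FFFE (little endian)")
    if h["sector_shift"] != {3: 0x0009, 4: 0x000C}.get(h["major_version"]):
        findings.append("sector shift should be 0009 (v3) or 000C (v4)")
    if h["mini_sector_shift"] != 0x0006:
        findings.append("mini sector shift should be 0006")
    if h["major_version"] == 3 and h["num_dir_sectors"] != 0:
        findings.append("# of dir sectors should be 0 if major version is 3")
    if h["transaction_sig"] != 0:
        findings.append("transaction signature number should be 0")
    if h["mini_stream_cutoff"] != 4096:
        findings.append("mini stream cutoff should be 4096 bytes")
    return findings


def fat_coverage(h: dict, file_size: int) -> dict:
    """Recompute olemap's CALCULATED ATTRIBUTES from the header and the on-disk size."""
    sector_size = 1 << h["sector_shift"]
    entries_per_fat_sector = sector_size // 4           # each FAT entry is a 32-bit sector number
    addressable_sectors = h["num_fat_sectors"] * entries_per_fat_sector
    max_size = addressable_sectors * sector_size + sector_size  # plus the header sector itself
    return {
        "sector_size": sector_size,
        "actual_file_size": file_size,
        "max_file_size_in_fat": max_size,
        "extra_data_beyond_fat": max(0, file_size - max_size),
    }


def build_sample_header() -> bytes:
    """Constructed 512-byte header carrying the values olemap printed for the sample.
    Assembled here for the example; it is not the sample file's own bytes."""
    fixed = struct.pack(
        HEADER_FMT, OLE_SIGNATURE, b"\x00" * 16, 0x003E, 0x0003, 0xFFFE, 0x0009, 0x0006,
        b"\x00" * 6, 0, 13, 0x0000067A, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0,
    )
    # A real file lists its FAT sector numbers here; for this example all 109 DIFAT
    # slots are left as FREESECT (assumption).
    difat = struct.pack("<109I", *([FREESECT] * 109))
    return fixed + difat


def inspect_file(path: str) -> tuple:
    """Run the same header checks on a real file on disk."""
    with open(path, "rb") as f:
        data = f.read()
    h = parse_header(data)
    return h, validate_header(h), fat_coverage(h, len(data))


if __name__ == "__main__":
    h = parse_header(build_sample_header())
    print("findings:", validate_header(h) or "none")
    print(fat_coverage(h, 849920))
```

With the sample's values (13 FAT sectors, sector shift 9) the FAT addresses 13 * 128 sectors of 512 bytes, plus the header sector, which is the 852480 olemap reported; the file's 849920 bytes fit inside that, so "Extra data beyond FAT" is 0. A file whose size exceeds the FAT coverage has trailing data the OLE structure does not account for, which is worth a closer look during triage.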

References

Update history

  • 2018/07/21 Created
  • 2020/03/19 Minor wording fixes
  • 2021/01/23 Added example output from actual use