Olescan
A lightweight wrapper aggregating the functionality of several tools to scan and detect malicious contents embedded within MS OLE2 and MS Office documents
Install / Use
/learn @CanIPhish/OlescanREADME
olescan
olescan is a lightweight wrapper aggregating the functionality of several oletools to facilitate automated scanning of MS OLE2 and MS Office documents. The tool is not designed to cover advanced maldoc analysis but is to assist Level 1 Support Teams in performing a preliminary analysis before escalating to Level 2/3 Support Teams (i.e. InfoSec Professionals).
It's analysis capabilities include:
- Scanning of macro-enabled file-types and detection of macros, embedded flash content or file encryption (oleid)
- Automatic code extraction, VBA stomping detection, decoding of common obfuscation methods including Hex encoding, StrReverse, Base64, Dridex, VBA expressions, and identification of IOCs and suspicious VBA keywords from decoded strings (olvevba)
- Scanning and detection of malicious VBA Macros using generic heuristics to check for auto - execution, system / memory writes and / or file execution outside the VBA context (mraptor)
Setup:<br/> Requires a Windows OS and installation of the oletools utility. Please see https://github.com/Rices/olescan/wiki for an overview of manual setup, along with a Dockerfile for building of a local olescan image.
Pre-compiled binaries can be found under https://github.com/Rices/olescan/tree/master/oletriage/bin/Debug
Analysis Result: olescan will provide a suspicion rating between 0-100%
Key:
0-15% - RARE
16-40% - UNLIKELY
41-59% - POSSIBLE
60-84% - LIKELY
85-100% - ALMOST CERTAIN
Please see (https://github.com/decalage2/oletools) and/or (https://github.com/decalage2/ViperMonkey) for extremely useful analysis tools.
Usage: olescan [Options] <filename>
Options:
-h, --help show help message and exit
-b, --batch input a pipe delimited list in-place of <filename> for scanning automation
-o, --output output scanning results into a delimited text file (e.g. -o "C:\results.csv")
-v, --verbose output the verbose analysis to console
Example Usage: <br/>
olescan "MaliciousDoc.xls" <-- Basic Analysis Result<br/>
olescan -v "MaliciousDoc.xls" <-- Verbose Analysis Output (Results of olevba & mraptor)<br/>
olescan -v -b -o "C:\Results.csv" "C:\DocumentList.csv" <-- Verbose Analysis Output from a batch scan of documents is saved to Results.csv
Related Skills
docs-writer
99.3k`docs-writer` skill instructions As an expert technical writer and editor for the Gemini CLI project, you produce accurate, clear, and consistent documentation. When asked to write, edit, or revie
model-usage
339.1kUse CodexBar CLI local cost usage to summarize per-model usage for Codex or Claude, including the current (most recent) model or a full model breakdown. Trigger when asked for model-level usage/cost data from codexbar, or when you need a scriptable per-model summary from codexbar cost JSON.
project-overview
FlightPHP Skeleton Project Instructions This document provides guidelines and best practices for structuring and developing a project using the FlightPHP framework. Instructions for AI Coding A
Design
Campus Second-Hand Trading Platform \- General Design Document (v5.0 \- React Architecture \- Complete Final Version)1\. System Overall Design 1.1. Project Overview This project aims t
