2025-02-12 16:39:17 -05:00
|
|
|
# olevba
|
|
|
|
|
|
|
|
|
|
> Parse OLE and OpenXML files (e.g., DOC, XLS, PPT, etc.) to extract VBA macros, deobfuscate, and analyze malicious code.
|
|
|
|
|
> Part of the `python-oletools` suite.
|
|
|
|
|
> For more information: <https://github.com/decalage2/oletools>.
|
|
|
|
|
|
|
|
|
|
- Analyze a file, showing both macro code and analysis results:
|
|
|
|
|
|
|
|
|
|
`olevba {{path/to/file}}`
|
|
|
|
|
|
|
|
|
|
- Recursively analyze all supported files in a directory:
|
|
|
|
|
|
|
|
|
|
`olevba -r {{path/to/directory}}`
|
|
|
|
|
|
|
|
|
|
- Provide a password for encrypted Microsoft Office files (may be repeated):
|
|
|
|
|
|
2025-04-22 06:20:48 +03:00
|
|
|
`olevba {{[-p|--password]}} {{password}} {{path/to/encrypted_file}}`
|
2025-02-12 16:39:17 -05:00
|
|
|
|
|
|
|
|
- Display only analysis results, without showing macro source code:
|
|
|
|
|
|
2025-04-22 06:20:48 +03:00
|
|
|
`olevba {{[-a|--analysis]}} {{path/to/file}}`
|
2025-02-12 16:39:17 -05:00
|
|
|
|
|
|
|
|
- Display only macro source code:
|
|
|
|
|
|
2025-04-22 06:20:48 +03:00
|
|
|
`olevba {{[-c|--code]}} {{path/to/file}}`
|
2025-02-12 16:39:17 -05:00
|
|
|
|
|
|
|
|
- Show obfuscated strings and their decoded content:
|
|
|
|
|
|
|
|
|
|
`olevba --decode {{path/to/file}}`
|
