Packages and Binaries:
oletools
Analyze MS OLE2 files and MS Office documents
Tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound
File Binary Format or Compound Document File Format), such as Microsoft Office
97-2003 documents, MSI files or Outlook messages, mainly for malware analysis,
forensics and debugging. It is based on the olefile parser.
Installed size: 1.90 MB
How to install: sudo apt install oletools
Dependencies:
- python3
- python3-colorclass
- python3-easygui
- python3-msoffcrypto-tool
- python3-olefile
- python3-pcodedmp
- python3-pyparsing
ezhexviewer
ftguess
root@kali:~# ftguess -h
ftguess 0.60.2 on Python 3.13.12 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
Usage: ftguess [options] <filename> [filename2 ...]
Options:
-h, --help show this help message and exit
-r find files recursively in subdirectories.
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD
if the file is a zip archive, open first file from it,
using the provided password
-f ZIP_FNAME, --zipfname=ZIP_FNAME
if the file is a zip archive, file(s) to be opened
within the zip. Wildcards * and ? are supported.
(default:*)
-l LOGLEVEL, --loglevel=LOGLEVEL
logging level debug/info/warning/error/critical
(default=warning)
mraptor
root@kali:~# mraptor -h
Usage: mraptor [options] <filename> [filename2 ...]
Options:
-h, --help show this help message and exit
-r find files recursively in subdirectories.
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD
if the file is a zip archive, open all files from it,
using the provided password (requires Python 2.6+)
-f ZIP_FNAME, --zipfname=ZIP_FNAME
if the file is a zip archive, file(s) to be opened
within the zip. Wildcards * and ? are supported.
(default:*)
-l LOGLEVEL, --loglevel=LOGLEVEL
logging level debug/info/warning/error/critical
(default=warning)
-m, --matches Show matched strings.
msodde
root@kali:~# msodde -h
usage: msodde [-h] [-j] [--nounquote] [-l LOGLEVEL] [-p PASSWORD] [-d] [-f]
[-a]
FILE
A python tool to detect and extract DDE links in MS Office files
positional arguments:
FILE path of the file to be analyzed
options:
-h, --help show this help message and exit
-j, --json Output in json format. Do not use with -ldebug
--nounquote don't unquote values
-l, --loglevel LOGLEVEL
logging level debug/info/warning/error/critical
(default=warning)
-p, --password PASSWORD
if encrypted office files are encountered, try
decryption with this password. May be repeated.
Filter which OpenXML field commands are returned:
Only applies to OpenXML (e.g. docx) and rtf, not to OLE (e.g. .doc). These
options are mutually exclusive, last option found on command line
overwrites earlier ones.
-d, --dde-only Return only DDE and DDEAUTO fields
-f, --filter Return all fields except harmless ones
-a, --all-fields Return all fields, irrespective of their contents
olebrowse
oledir
root@kali:~# oledir -h
Usage: oledir [options] <filename> [filename2 ...]
Options:
-h, --help show this help message and exit
-r find files recursively in subdirectories.
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD
if the file is a zip archive, open all files from it,
using the provided password (requires Python 2.6+)
-f ZIP_FNAME, --zipfname=ZIP_FNAME
if the file is a zip archive, file(s) to be opened
within the zip. Wildcards * and ? are supported.
(default:*)
olefile
root@kali:~# olefile -h
Usage: olefile [options] <filename> [filename2 ...]
Options:
-h, --help show this help message and exit
-c check all streams (for debugging purposes)
-p extract all user-defined propertires
-d debug mode, shortcut for -l debug (displays a lot of
debug information, for developers only)
-l LOGLEVEL, --loglevel=LOGLEVEL
logging level debug/info/warning/error/critical
(default=warning)
oleid
root@kali:~# oleid -h
oleid 0.60.1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
usage: oleid [-h] [FILE ...]
oleid.py oleid is a script to analyze OLE files such as MS Office documents
(e.g. Word, Excel), to detect specific characteristics that could potentially
indicate that the file is suspicious or malicious, in terms of security (e.g.
malware). For example it can detect VBA macros, embedded Flash objects,
fragmentation. The results is displayed as ascii table (but could be returned
or printed in other formats like CSV, XML or JSON in future). oleid project
website: http://www.decalage.info/python/oleid oleid is part of the python-
oletools package: http://www.decalage.info/python/oletools
positional arguments:
FILE Name of files to process
options:
-h, --help show this help message and exit
olemap
root@kali:~# olemap -h
Usage: olemap [options] <filename> [filename2 ...]
Options:
-h, --help show this help message and exit
-r find files recursively in subdirectories.
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD
if the file is a zip archive, open all files from it,
using the provided password (requires Python 2.6+)
-f ZIP_FNAME, --zipfname=ZIP_FNAME
if the file is a zip archive, file(s) to be opened
within the zip. Wildcards * and ? are supported.
(default:*)
--header Display the OLE header (default: yes)
--fat Display the FAT (default: no)
--minifat Display the MiniFAT (default: no)
-x, --exdata Display a hex dump of extra data at end of file
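To make the structures named above concrete (the OLE header, FAT and sector chains that olemap prints, the container identification that ftguess performs, and the stream fragmentation that oleid and pyxswf mention as an evasion trick), here is an added example in pure Python. It is not oletools code and does not use olefile: field offsets follow the MS-CFB header layout, only the 109 DIFAT entries held in the header are read (files large enough to need extra DIFAT sectors are not followed), and the sample image it parses is constructed inside the block rather than taken from a real document.

```python
"""Added example, not oletools code: a minimal reader for the OLE2 / Compound
File Binary header and FAT (what olemap prints), with a magic-bytes type guess
as ftguess does and oleid's directory-fragmentation check. Offsets follow the
MS-CFB header layout; the sample image below is constructed, not a real file."""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
HEADER_SIZE = 512
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF


def guess_type(data):
    """Container guess from leading bytes: OLE2, ZIP (OpenXML) or RTF."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"{\\rtf"):
        return "rtf"
    return "unknown"


def parse_header(data):
    """Decode the fixed 512-byte header into a dict of the fields used below."""
    if len(data) < HEADER_SIZE or data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    _minor, major, byte_order, shift, mini_shift = struct.unpack_from("<5H", data, 24)
    _ndir, num_fat, first_dir, _sig, mini_cutoff = struct.unpack_from("<5I", data, 40)
    return {"major": major, "byte_order": byte_order, "shift": shift,
            "mini_shift": mini_shift, "mini_cutoff": mini_cutoff, "num_fat": num_fat,
            "first_dir": first_dir, "difat": struct.unpack_from("<109I", data, 76)}


def header_anomalies(hdr, file_size):
    """Values a well-formed Office file never has; worth a closer look."""
    issues = []
    if hdr["byte_order"] != 0xFFFE:
        issues.append("byte-order mark is not FFFE")
    if (hdr["major"], hdr["shift"]) not in ((3, 9), (4, 12)):
        issues.append("sector shift does not match major version")
    if hdr["mini_shift"] != 6 or hdr["mini_cutoff"] != 4096:
        issues.append("non-standard mini stream parameters")
    if (file_size - HEADER_SIZE) % (1 << hdr["shift"]):
        issues.append("file size is not a whole number of sectors")
    return issues


def load_fat(data, hdr):
    """Concatenate the FAT sectors named in the header DIFAT (first 109 only)."""
    size = 1 << hdr["shift"]
    fat = []
    for sid in hdr["difat"]:
        if sid == FREESECT:
            continue
        chunk = data[HEADER_SIZE + sid * size:HEADER_SIZE + (sid + 1) * size]
        if len(chunk) != size:
            raise ValueError("FAT sector %d lies beyond end of file" % sid)
        fat.extend(struct.unpack("<%dI" % (size // 4), chunk))
    return fat


def walk_chain(fat, start):
    """Follow a sector chain; the seen-set keeps a cyclic FAT from looping."""
    chain, seen, sid = [], set(), start
    while sid not in (ENDOFCHAIN, FREESECT):
        if sid >= len(fat) or sid in seen:
            raise ValueError("broken FAT chain at sector %d" % sid)
        seen.add(sid)
        chain.append(sid)
        sid = fat[sid]
    return chain


def analyze(data):
    """Summary in the spirit of olemap --header/--fat plus oleid's fragmentation flag."""
    kind = guess_type(data)
    if kind != "ole2":
        return {"type": kind}
    try:
        hdr = parse_header(data)
        chain = walk_chain(load_fat(data, hdr), hdr["first_dir"])
    except ValueError as exc:
        return {"type": kind, "error": str(exc)}
    return {"type": kind, "sector_size": 1 << hdr["shift"], "fat_sectors": hdr["num_fat"],
            "dir_chain": chain, "anomalies": header_anomalies(hdr, len(data)),
            "dir_fragmented": any(b != a + 1 for a, b in zip(chain, chain[1:]))}


def build_sample(fragmented):
    """Constructed 4-sector image: sector 0 = FAT, directory stream in sectors
    1-2 (contiguous) or 1 and 3 (fragmented). Not a real document."""
    nxt = 3 if fragmented else 2
    fat = [FREESECT] * 128
    fat[0], fat[1], fat[nxt] = FATSECT, nxt, ENDOFCHAIN
    header = (OLE_MAGIC + bytes(16)
              + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + bytes(6)
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *([FREESECT] * 108)))
    return header + struct.pack("<128I", *fat) + bytes(512 * 3)
```

analyze() on the contiguous sample reports a directory chain of [1, 2]; on the fragmented sample it reports [1, 3] with dir_fragmented set, which is the pattern the breakingpointsystems post cited under pyxswf describes. Feeding it a truncated image (the FAT sector cut off) yields an error entry instead of an exception, and the seen-set in walk_chain is what keeps a deliberately cyclic FAT from hanging a scanner.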
olemeta
root@kali:~# olemeta -h
olemeta 0.54 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
Usage: olemeta [options] <filename> [filename2 ...]
Options:
-h, --help show this help message and exit
-r find files recursively in subdirectories.
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD
if the file is a zip archive, open all files from it,
using the provided password (requires Python 2.6+)
-f ZIP_FNAME, --zipfname=ZIP_FNAME
if the file is a zip archive, file(s) to be opened
within the zip. Wildcards * and ? are supported.
(default:*)
oleobj
root@kali:~# oleobj -h
oleobj 0.60.1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
usage: usage: oleobj [options] <filename> [filename2 ...]
positional arguments:
FILE Office files to parse (same as -i)
options:
-h, --help show this help message and exit
-r find files recursively in subdirectories.
-d OUTPUT_DIR use specified directory to output files.
-z, --zip ZIP_PASSWORD
if the file is a zip archive, open first file from it,
using the provided password (requires Python 2.6+)
-f, --zipfname ZIP_FNAME
if the file is a zip archive, file(s) to be opened
within the zip. Wildcards * and ? are supported.
(default:*)
-l, --loglevel LOGLEVEL
logging level debug/info/warning/error/critical
(default=warning)
-i, --more-input FILE
Additional file to parse (same as positional
arguments)
-v, --verbose verbose mode, set logging to DEBUG (overwrites -l)
oletimes
root@kali:~# oletimes -h
oletimes 0.54 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
Usage: oletimes [options] <filename> [filename2 ...]
Options:
-h, --help show this help message and exit
-r find files recursively in subdirectories.
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD
if the file is a zip archive, open all files from it,
using the provided password (requires Python 2.6+)
-f ZIP_FNAME, --zipfname=ZIP_FNAME
if the file is a zip archive, file(s) to be opened
within the zip. Wildcards * and ? are supported.
(default:*)
olevba
root@kali:~# olevba -h
usage: usage: olevba [options] <filename> [filename2 ...]
positional arguments:
filenames Files to analyze
options:
-h, --help show this help message and exit
-r find files recursively in subdirectories.
-z, --zip ZIP_PASSWORD
if the file is a zip archive, open all files from it,
using the provided password.
-p, --password PASSWORD
if encrypted office files are encountered, try
decryption with this password. May be repeated.
-f, --zipfname ZIP_FNAME
if the file is a zip archive, file(s) to be opened
within the zip. Wildcards * and ? are supported.
(default: *)
-a, --analysis display only analysis results, not the macro source
code
-c, --code display only VBA source code, do not analyze it
--decode display all the obfuscated strings with their decoded
content (Hex, Base64, StrReverse, Dridex, VBA).
--attr display the attribute lines at the beginning of VBA
source code
--reveal display the macro source code after replacing all the
obfuscated strings by their decoded content.
-l, --loglevel LOGLEVEL
logging level debug/info/warning/error/critical
(default=warning)
--deobf Attempt to deobfuscate VBA expressions (slow)
--relaxed Do not raise errors if opening of substream fails
(this option is now deprecated, enabled by default)
--show-pcode Show disassembled P-code (using pcodedmp)
--no-pcode Disable extraction and analysis of pcode
--no-xlm Do not extract XLM Excel macros. This may speed up
analysis of large files.
Output mode (mutually exclusive):
-t, --triage triage mode, display results as a summary table
(default for multiple files)
-d, --detailed detailed mode, display full results (default for
single file)
-j, --json json mode, detailed in json format (never default)
pyxswf
root@kali:~# pyxswf -h
pyxswf 0.54 - http://decalage.info/python/oletools
Please report any issue at https://github.com/decalage2/oletools/issues
Usage:
pyxswf.py
pyxswf is a script to detect, extract and analyze Flash objects (SWF) that may
be embedded in files such as MS Office documents (e.g. Word, Excel),
which is especially useful for malware analysis.
pyxswf is an extension to xxxswf.py published by Alexander Hanel on
http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html
Compared to xxxswf, it can extract streams from MS Office documents by parsing
their OLE structure properly (-o option), which is necessary when streams are
fragmented.
Stream fragmentation is a known obfuscation technique, as explained on
http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/
It can also extract Flash objects from RTF documents, by parsing embedded
objects encoded in hexadecimal format (-f option).
pyxswf project website: http://www.decalage.info/python/pyxswf
pyxswf is part of the python-oletools package:
http://www.decalage.info/python/oletools
usage: pyxswf [options] <file.bad>
Options:
-h, --help show this help message and exit
-x, --extract Extracts the embedded SWF(s), names it MD5HASH.swf &
saves it in the working dir. No addition args needed
-y, --yara Scans the SWF(s) with yara. If the SWF(s) is
compressed it will be deflated. No addition args
needed
-s, --md5scan Scans the SWF(s) for MD5 signatures. Please see func
checkMD5 to define hashes. No addition args needed
-H, --header Displays the SWFs file header. No addition args needed
-d, --decompress Deflates compressed SWFS(s)
-r PATH, --recdir=PATH
Will recursively scan a directory for files that
contain SWFs. Must provide path in quotes
-c, --compress Compresses the SWF using Zlib
-o, --ole Parse an OLE file (e.g. Word, Excel) to look for SWF
in each stream
-f, --rtf Parse an RTF file to look for SWF in each embedded
object
rtfobj
root@kali:~# rtfobj -h
rtfobj 0.60.1 on Python 3.13.12 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
Usage: rtfobj [options] <filename> [filename2 ...]
Options:
-h, --help show this help message and exit
-r find files recursively in subdirectories.
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD
if the file is a zip archive, open first file from it,
using the provided password (requires Python 2.6+)
-f ZIP_FNAME, --zipfname=ZIP_FNAME
if the file is a zip archive, file(s) to be opened
within the zip. Wildcards * and ? are supported.
(default:*)
-l LOGLEVEL, --loglevel=LOGLEVEL
logging level debug/info/warning/error/critical
(default=warning)
-s SAVE_OBJECT, --save=SAVE_OBJECT
Save the object corresponding to the provided number
to a file, for example "-s 2". Use "-s all" to save
all objects at once.
-d OUTPUT_DIR use specified directory to save output files.
Updated on: 2026-May-25