-
Notifications
You must be signed in to change notification settings - Fork 563
msodde
msodde is a script to parse MS Office documents (e.g. Word, Excel, RTF, XML), to detect and extract DDE links such as DDEAUTO, that have been used to run malicious commands to deliver malware. It also supports CSV files, which may contain Excel formulas to run executable files using DDE (technique known as "CSV injection"). For Word documents, it can extract all the other fields, and identify suspicious ones.
Supported formats:
- Word 97-2003 (.doc, .dot), Word 2007+ (.docx, .dotx, .docm, .dotm)
- Excel 97-2003 (.xls), Excel 2007+ (.xlsx, .xlsm, .xlsb)
- RTF
- CSV (exported from / imported into Excel)
- XML (exported from Word 2003, Word 2007+, Excel 2003, Excel 2007+)
For Word documents, msodde detects the use of QUOTE to obfuscate DDE commands (see this article), and deobfuscates it automatically.
Special thanks to Christian Herdtweck and Etienne Stalmans, who contributed large parts of the code.
msodde can be used either as a command-line tool, or as a python module from your own applications.
It is part of the python-oletools package.
- https://www.contextis.com/blog/comma-separated-vulnerabilities
- http://www.exploresecurity.com/from-csv-to-cmd-to-qwerty/
- https://pwndizzle.blogspot.nl/2017/03/office-document-macros-ole-actions-dde.html
- https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
- http://staaldraad.github.io/2017/10/23/msword-field-codes/
- https://xorl.wordpress.com/2017/12/11/microsoft-excel-csv-code-execution-injection-method/
- http://georgemauer.net/2017/10/07/csv-injection.html
- http://blog.7elements.co.uk/2013/01/cell-injection.html
- https://appsecconsulting.com/blog/csv-formula-injection
- https://www.owasp.org/index.php/CSV_Injection
usage: msodde.py [-h] [-j] [--nounquote] [-l LOGLEVEL] [-p PASSWORD] [-d] [-f]
[-a]
FILE
positional arguments:
FILE path of the file to be analyzed
optional arguments:
-h, --help show this help message and exit
-j, --json Output in json format. Do not use with -ldebug
--nounquote don't unquote values
-l LOGLEVEL, --loglevel LOGLEVEL
logging level debug/info/warning/error/critical
(default=warning)
-p PASSWORD, --password PASSWORD
if encrypted office files are encountered, try
decryption with this password. May be repeated.
Filter which OpenXML field commands are returned:
Only applies to OpenXML (e.g. docx) and rtf, not to OLE (e.g. .doc). These
options are mutually exclusive, last option found on command line
overwrites earlier ones.
-d, --dde-only Return only DDE and DDEAUTO fields
-f, --filter Return all fields except harmless ones
-a, --all-fields Return all fields, irrespective of their contents
New in v0.54: the -p option can now be used to decrypt encrypted documents using the provided password(s).
Scan a single file:
msodde file.doc
Scan a Word document, extracting all fields:
msodde -a file.doc
This is work in progress. The API is expected to change in future versions.