Skip to content

OLE

Jump to bottom
merces edited this page May 30, 2023 · 1 revision

OLE files have many names. I've seen them being called:

  • OLE2 or MS-OLE2
  • Compound File Binary File (CFB)
  • Compound File Binary Format (CFBF)
  • Compound File
  • Compound Document format
  • Composite Document File V2 (CDF)
  • Structured Storage

OLE serves as file format for file types such as .doc, .xls, .msi, .rtf and more. Here you'll find a few tools to analyze them.

Less MSIérables

Also known as lessmsi, it is both a CLI and GUI tool to analyze Windows Installer (MSI) files. These files are basically relational databases containing tables with columns and rows. Some tables are particularly useful for malware analysists looking for malicious code in MSI files. To list all tables of a MSI file, use the following command:

C:\> lessmsi.exe l -t _Tables file.msi
Name,
AdminExecuteSequence,
Condition,
AdvtExecuteSequence,
PatchPackage,
Patch,
FeatureComponents,
_Validation,
ComboBox,
Property,
Component,
Control,
Dialog,
CheckBox,
Binary,
Registry,
TextStyle,
Upgrade,
RadioButton,
Media,
Directory,
CustomAction,
Error,
EventMapping,
ActionText,
AdminUISequence,
InstallExecuteSequence,
BootstrapperUISequence,
ListBox,
InstallUISequence,
LaunchCondition,
ListView,
ControlEvent,
ControlCondition,
Feature,
CreateFolder,
File,
Icon,
UIText,

The CustomAction table is commonly used by malware authors to execute code. By listing its entries, you'll probably find what you're looking for:

C:\> lessmsi.exe l -t CustomAction file.msi

You should also check the Property table entries as they can help you to find common patterns among MSI samples:

C:\> lessmsi.exe l -t Property file.msi

OfficeMalScanner

Still great tool to analyse Microsoft Office documents. It can extract macros and payloads. Open a Command Prompt and type:

OfficeMalScanner

oledump.py

CLI program to analyze OLE files, extract streams, etc. To access it, go to retoolkit -> Programming -> Python Command Prompt and type:

cd oledump
python oledump.py -h

oletools

Set of tools to analyze OLE files. To start, open retoolkit -> Programming -> Python Command Prompt and type:

oleid -h

Structured Storage Viewer

Also known as SSView or SSV, it's a GUI program to analyze OLE files, extract streams, etc. It can be a bit buggy sometimes, but it works. If you are analyzing MSI files, be aware that they support CustomAction tables. Both SSView and 7-Zip are able to extract streams from a MSI package.

XLMMacroDeobfuscator

Decode obfuscated XLM macros (also known as Excel 4.0 macros). To use it, go to retoolkit -> Programming -> Python Command Prompt and type:

xlmdeobfuscator -h
Clone this wiki locally