def check_properties(self):
    """
    Record whether a SummaryInformation stream exists and which application
    name it declares.

    Both indicators are appended to ``self.indicators`` before the file is
    looked at, so they are listed even when no OLE file is open. The parsed
    properties are kept in ``self.suminfo_data`` (an empty dict when the
    stream is absent).

    :returns: tuple of 2 :py:class:`Indicator`s (summary info present,
              application name), or ``(None, None)`` if file was not opened
    """
    summary_stream = "\x05SummaryInformation"
    has_summary = Indicator('has_suminfo', False,
                            name='Has SummaryInformation stream')
    self.indicators.append(has_summary)
    application = Indicator('appname', 'unknown', _type=str,
                            name='Application name')
    self.indicators.append(application)
    if not self.ole:
        return None, None

    # start from an empty property set; the stream is not present e.g. in
    # encrypted ppt files
    self.suminfo_data = {}
    if self.ole.exists(summary_stream):
        has_summary.value = True
        self.suminfo_data = self.ole.getproperties(summary_stream)

    # Property 0x12 is read as the application name. The value is metadata
    # stored inside the analysed file, so whoever produced the file chose it:
    # useful for triage, not proof of origin.
    application.value = self.suminfo_data.get(0x12, 'unknown')
    return has_summary, application
def check_word(self):
    """
    Flag Word documents and the presence of a ``Macros`` entry.

    Both indicators are appended to ``self.indicators`` before the file is
    looked at. The body shown here only tests for entry names; it does not
    touch any encryption indicator.

    A False ``vba_macros`` value means only that no entry named ``Macros``
    was found. It is not evidence that the file is free of macros, so a
    dedicated macro scanner should still be run on suspicious files.

    :returns: tuple of 2 :py:class:`Indicator`s (word, vba_macros), or
              ``(None, None)`` if file was not opened
    """
    is_word = Indicator(
        'word', False, name='Word Document',
        description='Contains a WordDocument stream, very likely to be a '
                    'Microsoft Word Document.')
    self.indicators.append(is_word)
    has_macros = Indicator('vba_macros', False, name='VBA Macros')
    self.indicators.append(has_macros)
    if not self.ole:
        return None, None

    if not self.ole.exists('WordDocument'):
        return is_word, has_macros
    is_word.value = True

    # NOTE(review): the Macros lookup is treated as nested under the
    # WordDocument test; the listing lost its indentation, so confirm this
    # nesting against the upstream file.
    if self.ole.exists('Macros'):
        has_macros.value = True
    return is_word, has_macros
def check_powerpoint(self):
    """
    Flag files that contain a ``PowerPoint Document`` stream.

    The indicator is appended to ``self.indicators`` before the file is
    looked at. A True value means only that a stream with this name exists;
    its content is not parsed here.

    see also: :py:func:`ppt_record_parser.is_ppt`

    :returns: :py:class:`Indicator` for whether this is a powerpoint
              presentation or not, or None if file was not opened
    """
    is_ppt = Indicator(
        'ppt', False, name='PowerPoint Presentation',
        description='Contains a PowerPoint Document stream, very likely to '
                    'be a Microsoft PowerPoint Presentation.')
    self.indicators.append(is_ppt)
    if self.ole:
        if self.ole.exists('PowerPoint Document'):
            is_ppt.value = True
        return is_ppt
    return None
def check_properties(self):
    """
    Collect the summary information that the other check_* functions rely on.

    Two indicators are created and appended to ``self.indicators`` up front,
    so they appear in the results even if no OLE file is open. Whatever
    ``getproperties`` returns is stored in ``self.suminfo_data``; it stays an
    empty dict when the SummaryInformation stream is missing.

    :returns: tuple of 2 :py:class:`Indicator`s (presence of summary info,
              application name), or ``(None, None)`` if file was not opened
    """
    stream_name = "\x05SummaryInformation"
    summary_found = Indicator('has_suminfo', False,
                              name='Has SummaryInformation stream')
    self.indicators.append(summary_found)
    app_indicator = Indicator('appname', 'unknown', _type=str,
                              name='Application name')
    self.indicators.append(app_indicator)
    if not self.ole:
        return None, None

    self.suminfo_data = {}
    # the stream is absent e.g. in encrypted ppt; the defaults then remain
    if self.ole.exists(stream_name):
        summary_found.value = True
        self.suminfo_data = self.ole.getproperties(stream_name)

    # Application name is property 0x12. It comes straight from the file
    # under analysis and can be set to anything by its author, so report it
    # as a hint rather than as a verified fact.
    app_indicator.value = self.suminfo_data.get(0x12, 'unknown')
    return summary_found, app_indicator
def check_flash(self):
    """
    Count Flash objects found in the entries returned by ``listdir()``.

    The indicator is appended to ``self.indicators`` before the file is
    looked at. Every entry returned by ``self.ole.listdir()`` is read and
    passed to ``detect_flash``; the number of hits is added to the indicator.
    As the indicator description says, the count may include false positives.

    :returns: :py:class:`Indicator` for count of flash objects, or None if
              file was not opened
    """
    flash_count = Indicator(
        'flash', 0, _type=int, name='Flash objects',
        description='Number of embedded Flash objects (SWF files) detected '
                    'in OLE streams. Not 100% accurate, there may be false '
                    'positives.')
    self.indicators.append(flash_count)
    if not self.ole:
        return None

    for stream_path in self.ole.listdir():
        # NOTE(review): read() has no size limit, so each stream of the
        # analysed file is loaded into memory in full; callers handling
        # untrusted files may want to bound the input size beforehand.
        content = self.ole.openstream(stream_path).read()
        # only the number of matches is kept, not their positions
        flash_count.value += len(detect_flash(content))
    return flash_count
def check_encrypted(self):
    """
    Report whether the file is encrypted.

    The decision is delegated to ``crypto.is_encrypted(self.ole)``; the body
    shown here calls no other check_* method.

    :returns: :py:class:`Indicator` for encryption, or None if file was not
              opened
    """
    # The same object is stored in self.indicators, so other checks can
    # still modify its value later on.
    enc_indicator = Indicator('encrypted', False, name='Encrypted')
    self.indicators.append(enc_indicator)
    if self.ole:
        enc_indicator.value = crypto.is_encrypted(self.ole)
        return enc_indicator
    return None
def check_word(self):
    """
    Check for a ``WordDocument`` stream and for a ``Macros`` entry.

    The two indicators are appended to ``self.indicators`` up front. Only
    entry names are tested in the body shown here, and no encryption
    indicator is changed.

    ``vba_macros`` staying False tells you that no entry called ``Macros``
    exists, nothing more; do not read it as "this document has no macros".

    :returns: tuple of 2 :py:class:`Indicator`s (word, vba_macros), or
              ``(None, None)`` if file was not opened
    """
    word_indicator = Indicator(
        'word', False, name='Word Document',
        description='Contains a WordDocument stream, very likely to be a '
                    'Microsoft Word Document.')
    self.indicators.append(word_indicator)
    macro_indicator = Indicator('vba_macros', False, name='VBA Macros')
    self.indicators.append(macro_indicator)
    if not self.ole:
        return None, None

    found_word = self.ole.exists('WordDocument')
    if found_word:
        word_indicator.value = True
        # NOTE(review): this lookup is assumed to sit inside the
        # WordDocument branch; indentation was lost in the listing, so
        # verify the nesting against the upstream source.
        if self.ole.exists('Macros'):
            macro_indicator.value = True
    return word_indicator, macro_indicator
def check_object_pool(self):
    """
    Flag files that contain an ``ObjectPool`` entry.

    Such an entry is a strong hint that objects or files are embedded. The
    check is by name only: the embedded content is neither listed nor
    inspected here, so a True value is a reason to extract and examine the
    embedded objects with a dedicated tool.

    :returns: :py:class:`Indicator` for ObjectPool stream, or None if file
              was not opened
    """
    pool_indicator = Indicator(
        'ObjectPool', False, name='ObjectPool',
        description='Contains an ObjectPool stream, very likely to contain '
                    'embedded OLE objects or files.')
    self.indicators.append(pool_indicator)
    if self.ole:
        if self.ole.exists('ObjectPool'):
            pool_indicator.value = True
        return pool_indicator
    return None
def check(self):
"""
Open file and run all checks on it.
:returns: list of all :py:class:`Indicator`s created
"""
# check if it is actually an OLE file:
oleformat = Indicator('ole_format', True, name='OLE format')
self.indicators.append(oleformat)
if self.ole:
oleformat.value = True
elif not olefile.isOleFile(self.filename):
oleformat.value = False
return self.indicators
else:
# parse file:
self.ole = olefile.OleFileIO(self.filename)
# checks:
self.check_properties()
self.check_encrypted()
self.check_word()
self.check_excel()
self.check_powerpoint()
self.check_visio()