This new version of oledump.py has a feature to display Ad Hoc YARA rules using option --verbose.
In this example, I show a string Ad Hoc YARA rule to search for the string attri (-y #s#attri). By including option --verbose, the YARA rule that oledump generates for string attri is displayed first:
Plugin plugin_http_heuristics has a new option: -c --contains.
By default, plugin_http_heuristics looks for (obfuscated) strings that start with keywords (http:// and https:// by default). Option -c changes this behavior: when this option is used, the keywords are searched in the entire string, and not just at the start.
In this example, I use this feature to search for the filename of the dropped executable (strings containing “.exe”):
And I also include plugin_vba: this is an old plugin that I failed to release. It searches for string concatenation in VBA code.
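To make the two plugin behaviours above concrete, here is an added Python sketch that is not oledump's code and not the plugins' implementation. It assumes a simplified model of VBA string obfuscation: only `&` concatenation of quoted literals and `Chr(n)` calls is decoded (the real plugins handle more encodings). The decoded strings are then checked against keywords either at the start only (the default) or anywhere in the string (the -c --contains behaviour). The VBA snippet is constructed for this example.

```python
import re

# Constructed VBA sample: URL, dropped-file name and a harmless string, all split up
# with & concatenation and a Chr() call, as a macro might do to hide them.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim u As String
    u = "ht" & "tp" & "://" & "ex" & "ample.invalid/pay" & "load.e" & "xe"
    Dim f As String
    f = Environ("TEMP") & "\" & "upd" & Chr(97) & "te.exe"
    Dim s As String
    s = "hello" & " " & "world"
End Sub
'''

# One concatenation operand: a VBA string literal ("" is an escaped quote) or Chr(n).
_OPERAND = r'(?:"(?:[^"]|"")*"|Chr\(\s*\d+\s*\))'
# A chain of at least two operands joined with &; this is what plugin_vba-style
# detection looks for (assumed model, not the plugin's own regex).
CONCAT_RE = re.compile(_OPERAND + r'(?:\s*&\s*' + _OPERAND + r')+')
_PART_RE = re.compile(r'"((?:[^"]|"")*)"|Chr\(\s*(\d+)\s*\)')


def decode_concat(expr):
    """Evaluate a chain of literals and Chr() calls into the resulting string."""
    parts = []
    for m in _PART_RE.finditer(expr):
        if m.group(2) is not None:
            parts.append(chr(int(m.group(2))))
        else:
            parts.append(m.group(1).replace('""', '"'))
    return ''.join(parts)


def find_concatenations(vba_text):
    """Return (raw expression, decoded string) for every concatenation chain."""
    return [(m.group(0), decode_concat(m.group(0))) for m in CONCAT_RE.finditer(vba_text)]


def http_heuristics(strings, keywords=('http://', 'https://'), contains=False):
    """Keep strings that start with a keyword, or that contain one when contains=True.

    Matching is case-insensitive; defaults mirror the plugin's http:// and https://.
    """
    hits = []
    for s in strings:
        low = s.lower()
        for kw in keywords:
            kw = kw.lower()
            if (kw in low) if contains else low.startswith(kw):
                hits.append(s)
                break
    return hits


if __name__ == '__main__':
    found = find_concatenations(SAMPLE_VBA)
    for raw, decoded in found:
        print(f'{raw!r:60} -> {decoded!r}')
    decoded_strings = [d for _, d in found]
    print('default (start only):', http_heuristics(decoded_strings))
    print('.exe, start only:    ', http_heuristics(decoded_strings, keywords=('.exe',)))
    print('.exe, --contains:    ', http_heuristics(decoded_strings, keywords=('.exe',), contains=True))
```

Running it shows why -c matters for the dropped-file search: ".exe" never appears at the start of a string, so the default start-only mode finds nothing, while contains mode surfaces both the URL and the file name once the concatenation has been decoded.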