oletimes
decalage2 edited this page Apr 8, 2019 · 4 revisions
oletimes is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract creation and modification times of all streams and storages in the OLE file.
It is part of the python-oletools package.
oletimes <file>
Checking the malware sample DIAN_caso-5415.doc:
>oletimes DIAN_caso-5415.doc
+----------------------------+---------------------+---------------------+
| Stream/Storage name        | Modification Time   | Creation Time       |
+----------------------------+---------------------+---------------------+
| Root                       | 2014-05-14 12:45:24 | None                |
| '\x01CompObj'              | None                | None                |
| '\x05DocumentSummaryInform | None                | None                |
| ation'                     |                     |                     |
| '\x05SummaryInformation'   | None                | None                |
| '1Table'                   | None                | None                |
| 'Data'                     | None                | None                |
| 'Macros'                   | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 |
| 'Macros/PROJECT'           | None                | None                |
| 'Macros/PROJECTwm'         | None                | None                |
| 'Macros/VBA'               | 2014-05-14 12:45:24 | 2014-05-14 12:45:24 |
| 'Macros/VBA/ThisDocument'  | None                | None                |
| 'Macros/VBA/_VBA_PROJECT'  | None                | None                |
| 'Macros/VBA/__SRP_0'       | None                | None                |
| 'Macros/VBA/__SRP_1'       | None                | None                |
| 'Macros/VBA/__SRP_2'       | None                | None                |
| 'Macros/VBA/__SRP_3'       | None                | None                |
| 'Macros/VBA/dir'           | None                | None                |
| 'WordDocument'             | None                | None                |
+----------------------------+---------------------+---------------------+
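The timestamps in this table come from the 128-byte directory entries of the OLE file, where a time of zero is reported as None. The following is an added example, not code from python-oletools: it decodes one directory entry using the field layout of the [MS-CFB] specification. The helper names are hypothetical and the two sample entries are constructed to mirror the 'Macros' and 'WordDocument' rows above.

```python
import struct
from datetime import datetime, timedelta

# [MS-CFB] directory entry: 128 bytes, little-endian, no padding.
DIRENTRY = struct.Struct("<64sHBBIII16sIQQIQ")
FILETIME_EPOCH = datetime(1601, 1, 1)  # FILETIME counts 100 ns ticks from here (UTC)
OBJECT_TYPES = {1: "storage", 2: "stream", 5: "root"}
NOSTREAM = 0xFFFFFFFF


def filetime_to_datetime(ticks):
    """Convert a 64-bit FILETIME to a naive UTC datetime; 0 means 'not set'."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse helper, used here only to build the constructed sample entries."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7


def parse_direntry(raw):
    """Return (name, type, modification time, creation time) for one entry."""
    if len(raw) != DIRENTRY.size:
        raise ValueError("directory entry must be exactly 128 bytes")
    (name, name_len, obj_type, _color, _left, _right, _child,
     _clsid, _state, ctime, mtime, _start, _size) = DIRENTRY.unpack(raw)
    if name_len > 64 or name_len % 2:
        raise ValueError("invalid name length %d" % name_len)
    # name_len counts the UTF-16 terminating null, so drop the last 2 bytes.
    text = name[:max(name_len - 2, 0)].decode("utf-16-le")
    kind = OBJECT_TYPES.get(obj_type, "unknown(%d)" % obj_type)
    return text, kind, filetime_to_datetime(mtime), filetime_to_datetime(ctime)


def build_direntry(name, obj_type, ctime=0, mtime=0):
    """Constructed sample data: pack an entry with no siblings or children."""
    encoded = (name + "\0").encode("utf-16-le")
    return DIRENTRY.pack(encoded, len(encoded), obj_type, 1, NOSTREAM, NOSTREAM,
                         NOSTREAM, b"\0" * 16, 0, ctime, mtime, 0, 0)


if __name__ == "__main__":
    stamp = datetime_to_filetime(datetime(2014, 5, 14, 12, 45, 24))
    for raw in (build_direntry("Macros", 1, stamp, stamp),
                build_direntry("WordDocument", 2)):
        print(parse_direntry(raw))
```

The decoded values are naive datetimes in UTC, so convert them explicitly before comparing with local-time artefacts in a timeline.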
TODO