Python Oletools Setup, Use – Microsoft Office File Analysis

How can python oletools help you

Python oletools by Decalage is a powerful toolset for analyzing Microsoft OLE2 type files: Outlook (*.eml), Word (*.doc, *.docx), Excel (*.xls, *.xlsx). For the full and current list of tools (with descriptions and wiki help pages), check out the oletools GitHub page. These tools can help you with forensics and malware analysis of Microsoft Office files, including (but not limited to) finding malicious VBA scripts.


In addition to “oletools”, you can check our oledump Python tool usage guide, our OfficeMalScanner usage guide, and the usage and examples for ExcelSheetUnhide, a PowerShell script that we developed, for more Microsoft Office malware analysis options.

Installing python oletools

Note that oletools is already installed in FLARE VM. To learn more about the VM, see our FLARE VM installation article.

The developers of oletools recommend using Python 3, so this is what we’re going to install:
1. Download the latest version of Python 3.
2. Run the installer and set up Python 3.
*** I would suggest installing it to a custom directory under “C:\”, named after your major version. For example, if you’re installing Python 3.8.2, install it to “C:\Python38”. Since Python 2 was installed to the root directory (example: “C:\Python27”), it is better to do the same with Python 3.
3. Use “pip3.exe” to install oletools for Python 3. If you installed Python to the custom directory suggested above, the executable will be at “C:\Python38\Scripts\pip3.exe”. If you have a different version of Python 3, change the directory accordingly.

Running “pip3.exe” by its full path from Command Prompt to install oletools:

"C:\Python38\Scripts\pip3.exe" install oletools

You can also use “pip3” directly without the full path:

pip3 install oletools

To update oletools with pip3:

pip3 install -U oletools

*** Check more installation tips from Decalage on the Oletools wiki Install page. There are installation instructions for Linux and Mac also.

Oletools Usage

After installing oletools with “pip3”, each tool is available through the PATH environment variable, so you can run it from Command Prompt directly. Oleid help example:

oleid -h

Oleid analyzing “C:\YourFile.xls”:

oleid C:\YourFile.xls
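
The same kind of first-pass check can be scripted. The following is an added example, not code from the original article or from the oletools project: it classifies a file by its content rather than its extension (legacy .doc/.xls are OLE2 containers, while .docx/.xlsx are ZIP packages that may embed an OLE2 vbaProject.bin), then uses the VBA_Parser class from oletools to list macro findings. The function names container_type, embedded_ole_parts, macro_findings and triage are hypothetical.

```python
import io
import sys
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 / Compound File header


def container_type(data):
    """Classify by content, not extension: 'ole2', 'ooxml' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"                       # legacy .doc / .xls
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if "[Content_Types].xml" in z.namelist():
                return "ooxml"              # .docx / .xlsx / .docm / .xlsm
    return "other"


def embedded_ole_parts(data):
    """In an OOXML file, list ZIP members that are OLE2 (e.g. vbaProject.bin)."""
    if container_type(data) != "ooxml":
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # Read only the first 8 bytes of each member to compare the header.
        return [n for n in z.namelist() if z.open(n).read(8) == OLE2_MAGIC]


def macro_findings(path, data):
    """Run olevba's analysis; returns (type, keyword, description) tuples."""
    from oletools.olevba import VBA_Parser  # requires: pip3 install oletools
    parser = VBA_Parser(path, data=data)
    try:
        return list(parser.analyze_macros()) if parser.detect_vba_macros() else []
    finally:
        parser.close()


def triage(path):
    """Print container type, embedded OLE2 parts and olevba findings."""
    with open(path, "rb") as f:
        data = f.read()
    kind = container_type(data)
    print(f"{path}: container={kind} embedded_ole={embedded_ole_parts(data)}")
    if kind != "other":
        for ftype, keyword, desc in macro_findings(path, data):
            print(f"  {ftype:12} {keyword:20} {desc}")


if __name__ == "__main__":
    for p in sys.argv[1:]:
        triage(p)
```

Save it under a name of your choice and pass one or more file paths as arguments; the container check needs only the standard library, while the macro findings need oletools installed.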
