This Assemblyline service extracts metadata and network information, and reports anomalies in Microsoft OLE and XML documents using the Python library py-oletools.
NOTE: This service does not require you to buy a licence and is preinstalled and working after a default installation.
The Oletools service will report the following information for each file when present:
Macros (AL tag: TECHNIQUE_MACROS):
- SHA256 (AL tag: OLE_MACRO_SHA256);
- Suspicious strings (AL tag: OLE_MACRO_SUSPICIOUS_STRINGS);
- Network indicators.
Embedded document streams:
- FrankenStrings Patterns module results;
- Base64 encoded content.
The service also extracts the VBA scripts from macros, the embedded streams and any suspicious XML as separate files.
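As an added illustration (not the service's own code), the following Python sketches the kind of findings listed above for a single macro: its SHA256, suspicious keywords, network indicators and decoded base64 content. The sample macro text, the keyword list and the regular expressions are constructed for this example; the real service obtains them from py-oletools.

```python
import base64
import hashlib
import re

# Constructed sample macro text (not taken from any real document). The
# base64 literal decodes to the harmless string "hello from the sample".
SAMPLE_VBA = '''Sub AutoOpen()
    Const server = "198.51.100.7"
    payload = "aGVsbG8gZnJvbSB0aGUgc2FtcGxl"
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", "http://example.com/stage.txt", False
    Shell "cmd /c echo " & payload
End Sub'''

# Assumed keyword list for this illustration; the service's list comes
# from py-oletools and is much longer.
SUSPICIOUS_KEYWORDS = {
    "AutoOpen": "runs automatically when the document is opened",
    "Shell": "executes an external command",
    "CreateObject": "instantiates a COM object",
    "XMLHTTP": "issues HTTP requests",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Runs of at least 16 base64 characters that are not part of a longer token.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def decode_base64_strings(text):
    """Return printable ASCII strings hidden in base64 literals."""
    found = []
    for match in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # not valid base64 after all
            continue
        if decoded.isascii() and decoded.decode("ascii").isprintable():
            found.append(decoded.decode("ascii"))
    return found


def analyse_macro(vba_source):
    """Summarise one macro with the fields the service reports."""
    return {
        "sha256": hashlib.sha256(vba_source.encode("utf-8")).hexdigest(),
        "suspicious": sorted(k for k in SUSPICIOUS_KEYWORDS if k in vba_source),
        "network": sorted(set(URL_RE.findall(vba_source) + IPV4_RE.findall(vba_source))),
        "base64": decode_base64_strings(vba_source),
    }
```

Running `analyse_macro(SAMPLE_VBA)` yields the four fields for the sample; on a real document the macro text would come from olevba's extraction rather than a literal.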