mraptor is a script to detect malicious VBA Macros.
It can be used either as a command-line tool, or as a python module from your own applications.
It is part of the python-oletools package.
Usage: mraptor.py [options] <filename> [filename2 ...] Options: -h, --help show this help message and exit -r find files recursively in subdirectories. -z ZIP_PASSWORD, --zip=ZIP_PASSWORD if the file is a zip archive, open all files from it, using the provided password (requires Python 2.6+) -f ZIP_FNAME, --zipfname=ZIP_FNAME if the file is a zip archive, file(s) to be opened within the zip. Wildcards * and ? are supported. (default:*) -l LOGLEVEL, --loglevel=LOGLEVEL logging level debug/info/warning/error/critical (default=warning) -m, --matches Show matched strings. An exit code is returned based on the analysis result: - 0: No Macro - 1: Not MS Office - 2: Macro OK - 10: ERROR - 20: SUSPICIOUS
Scan a single file:
Scan a single file, stored in a Zip archive with password "infected":
mraptor.py malicious_file.xls.zip -z infected
Scan a collection of files stored in a folder:
Important: on Linux/MacOSX, always add double quotes around a file name when you use wildcards such as * and ?. Otherwise, the shell may replace the argument with the actual list of files matching the wildcards before starting the script.
How to use mraptor in Python applications