Hi, I see that olefy is calling olevba as an external script and capturing its output + exit code. I think this is error-prone and may lead to issues if we change the display or behaviour of olevba.
I would advise importing olevba and using its Python API instead:
https://github.com/decalage2/oletools/wiki/olevba#how-to-use-olevba-in-python-applications
Moreover, olevba is meant for malware analysts to look at the details of a file when they know it's suspicious or malicious.
If your goal is to decide (automatically) whether a file is innocuous or suspicious, I would suggest trying mraptor instead. It is built on top of olevba, but applies a simple algorithm to detect suspicious keywords and returns a clear result:
https://github.com/decalage2/oletools/wiki/mraptor
For example, it is used in the MacroMilter project for sendmail/postfix:
https://github.com/sbidy/MacroMilter
I have not yet documented the mraptor API, so for now you need to look at the code. But it's not a complex API.
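A self-contained illustration of the decision rule mraptor applies, added here as an example and not part of the comment above or of the oletools code base. The keyword lists are shortened, constructed stand-ins for the project's own patterns, and the three VBA modules are constructed samples; the point is the rule itself: a macro is flagged only when it fires automatically (A) and also writes to the system (W) or executes something (X). In oletools the real entry points are `oletools.olevba.VBA_Parser` (to extract the macro source from a document) and `oletools.mraptor.MacroRaptor` (to scan it), which a production integration should import instead of calling the command-line tool or copying this sketch.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed keyword lists modelled on the three categories mraptor documents:
# AutoExec triggers, Write operations and eXecute operations. They are an
# illustration for this example only, not the project's own patterns.
AUTOEXEC_RE = re.compile(
    r"\b(?:Auto_?Open|Auto_?Close|Auto_?Exec|Document_Open|Document_Close|"
    r"Workbook_Open|Workbook_Activate)\b",
    re.IGNORECASE,
)
WRITE_RE = re.compile(
    r"\b(?:FileCopy|CopyFile|Kill|CreateTextFile|SaveToFile|WriteText|"
    r"URLDownloadToFile[AW]?|ADODB\.Stream)\b",
    re.IGNORECASE,
)
EXECUTE_RE = re.compile(
    r"\b(?:Shell|ShellExecute|CreateObject|GetObject|SendKeys|"
    r"FollowHyperlink|MacScript)\b",
    re.IGNORECASE,
)


@dataclass
class MacroVerdict:
    """Keywords found per category plus the derived verdict."""
    autoexec: List[str] = field(default_factory=list)
    write: List[str] = field(default_factory=list)
    execute: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # mraptor's published rule: A and (W or X). An auto-trigger alone, or
        # file I/O alone, is not enough to flag the document.
        return bool(self.autoexec) and bool(self.write or self.execute)

    @property
    def flags(self) -> str:
        # Compact A/W/X summary in the spirit of mraptor's command-line output,
        # with '-' for a category that did not match.
        return (("A" if self.autoexec else "-")
                + ("W" if self.write else "-")
                + ("X" if self.execute else "-"))


def scan_vba(vba_code: str) -> MacroVerdict:
    """Scan one chunk of VBA source and collect the matching keywords."""
    return MacroVerdict(
        autoexec=sorted(set(AUTOEXEC_RE.findall(vba_code))),
        write=sorted(set(WRITE_RE.findall(vba_code))),
        execute=sorted(set(EXECUTE_RE.findall(vba_code))),
    )


def classify_document(modules: List[str]) -> MacroVerdict:
    """Combine every VBA module of a file before scanning, so a trigger in one
    module and an execute call in another still count together."""
    return scan_vba("\n".join(modules))


# Constructed VBA samples standing in for what VBA_Parser.extract_macros()
# would return for a real document.
BENIGN_MODULE = """
Sub FormatReport()
    ' Constructed sample: only formats cells, no trigger, no I/O
    Range("A1:D20").Font.Bold = True
End Sub
"""

AUTOEXEC_ONLY_MODULE = """
Private Sub Workbook_Open()
    ' Constructed sample: runs automatically but only shows a message
    MsgBox "Welcome"
End Sub
"""

SUSPICIOUS_MODULE = """
Sub AutoOpen()
    ' Constructed sample: auto trigger combined with object creation and Shell
    Dim o
    Set o = CreateObject("WScript.Shell")
    o.Run "cmd /c echo test"
End Sub
"""


def main() -> None:
    for name, code in (("benign", BENIGN_MODULE),
                       ("autoexec-only", AUTOEXEC_ONLY_MODULE),
                       ("suspicious", SUSPICIOUS_MODULE)):
        v = scan_vba(code)
        print(f"{name:14s} flags={v.flags} suspicious={v.suspicious}")
    doc = classify_document([BENIGN_MODULE, AUTOEXEC_ONLY_MODULE, SUSPICIOUS_MODULE])
    print(f"whole document flags={doc.flags} suspicious={doc.suspicious}")


if __name__ == "__main__":
    main()
```

The second sample is the case that matters for an automatic gate: `Workbook_Open` alone yields `A--` and is not flagged, so a document whose macro merely greets the user is not rejected, while the third sample yields `A-X` and is. Scanning the concatenated modules rather than each one separately mirrors how mraptor evaluates a file as a whole.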