├── README.md
└── pyDDE-Extractor-v2.py


/README.md:
--------------------------------------------------------------------------------
1 | # DDE-Extractor
2 | This script is used for extracting DDE in docx and xlsx
3 | 


--------------------------------------------------------------------------------
/pyDDE-Extractor-v2.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | '''
 4 |     Shitty Codes to extract DDE
 5 |     by Jacob Soo, @_jsoo_
 6 | 
 7 |     Hashes for samples:
 8 |     f945105f5a0bc8ea0d62a28ee62883ffc14377b6abec2d0841e88935fd8902d3
 9 |     09287128aaf96479f0aca8eedc3c78d3e863aae1368ed9eb62b5c2df98f92810
10 |     58bc300c0ab90fbbb1f51482eaf83ac274429ba81ea581fc56c2ecb2b501bed0
11 |     4654664436b505044cb9609595f3967bcbc8035e75904f81d8610c33268edc74
12 | '''
13 | 
14 | __author__ = "Jacob Soo, @_jsoo_"
15 | __version__ = "0.1"
16 | 
17 | import zipfile
18 | import sys, os, re
19 | 
20 | def _log(szString):
21 |     print(szString)
22 | 
23 | def ExtractDDE(szInputFile, szPath):
24 |     paragraphs = []
25 |     try:
26 |         document = zipfile.ZipFile(szInputFile)
27 |         xml_content = document.read(szPath)
28 |         document.close()
29 |         
30 |         matchObj = re.findall(r'(\<w\:fldSimple w\:instr\=\"(.*?)\"\>)|(\<w\:instrText xml\:space\=\"preserve\"\>(.*?)\<\/w\:instrText\>)|(\<w\:instrText>(.*?)\<\/w\:instrText>)', xml_content, re.DOTALL|re.UNICODE)
31 |         for item in matchObj:
32 |             if '<w:instrText xml' in item[2]:
33 |                 paragraphs.append(item[3])
34 |             elif '<w:instrText>' in item[4]:
35 |                 paragraphs.append(item[5])
36 |             elif '<w:fldSimple w:instr=' in item[0]:
37 |                 paragraphs.append(item[1])
38 |     except:
39 |         _log("[-] File possibly doesn't exist in %s!" % szPath)
40 |     return ''.join(paragraphs)
41 |     
42 | 
43 | if __name__ == '__main__':
44 |     if (len(sys.argv) < 2):
45 |         _log("[+] Usage: %s [Path_To_DOCX]" % sys.argv[0])
46 |         sys.exit(0)
47 |     else:
48 |         bFound = False
49 |         szIdentifier = ""
50 |         szPath = ""
51 |         _log("[+] Finding DDE from %s" % sys.argv[1])
52 |         
53 |         with zipfile.ZipFile(sys.argv[1], 'r') as f:
54 |             names = f.namelist()
55 |             for name in names:
56 |                 if 'xl/externalLinks/' in name:
57 |                     szIdentifier = "xlsx"
58 |                     break
59 |                 elif 'word/document.xml' in name:
60 |                     szIdentifier = "docx"
61 |                     break
62 |             f.close()
63 |             
64 |             if szIdentifier == 'xlsx':
65 |                 _log("[*] This is a xlsx sample.")
66 |                 locationArr = ['xl/externalLinks/externalLink1.xml']
67 |                 for iXML in locationArr:
68 |                     try:
69 |                         document = zipfile.ZipFile(sys.argv[1])
70 |                         xml_content = document.read(iXML)
71 |                         document.close()
72 |                         matchObj = re.findall(r'ddeService\=[\'|\"](.*?)[\'|\"]', xml_content, re.DOTALL|re.UNICODE)
73 |                         matchObj2 = re.findall(r'ddeTopic\=[\'|\"](.*?)[\'|\"]', xml_content, re.DOTALL|re.UNICODE)
74 |                         
75 |                         if matchObj and matchObj2:
76 |                             _log("[+] Found the following DDE in : %s" % iXML)
77 |                             _log("\t%s %s" % (matchObj[0], matchObj2[0]))
78 |                             bFound = True
79 |                             break
80 |                     except:
81 |                         _log("[-] Probably some issues with my codes")
82 |             elif szIdentifier == 'docx':
83 |                 _log("[*] This is a docx sample.")
84 |                 locationArr = ['word/document.xml', 'word/header1.xml', 'word/header2.xml', 'word/footer1.xml', 'word/footer2.xml']
85 |                 for iXML in locationArr:
86 |                     try:
87 |                         DDE_Codes = ExtractDDE(sys.argv[1], iXML)
88 |                         if DDE_Codes and not bFound:
89 |                             _log("[+] Found the following DDE in : %s" % iXML)
90 |                             _log("\t%s" % DDE_Codes)
91 |                             bFound = True
92 |                             break
93 |                         #else:
94 |                         #    _log("[-] Couldn't find anything at all :(")
95 |                     except:
96 |                         _log("[-] Probably some issues with my codes")


--------------------------------------------------------------------------------