Enrichment functions

MQL is highly extensible and can integrate virtually any tool or service to build better detection rules.


Request a function!

Don't see a function you want? Let us know via email or Slack!



beta.oletools(input: Attachment) -> OleToolsOutput

Oletools, developed by Philippe Lagadec, analyzes Microsoft OLE2 files such as Microsoft Office documents for malware and other suspicious indicators.

Use beta.oletools to analyze attachments for malware or suspicious indicators like VBA macros, remote OLE objects, encryption, and more.

// detect suspicious macros
any(attachments, beta.oletools(.).indicators.vba_macros.exists)
any(attachments, beta.oletools(.).indicators.vba_macros.risk == "high")

// detect potential attempts to exploit CVE-2021-40444 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444)
any(attachments, any(beta.oletools(.).relationships, iregex_search(.target, ".*html:http.*")))

// detect external OLE object relationships
any(attachments, beta.oletools(.).indicators.external_relationships.count > 0)

// detect encrypted Office documents
any(attachments, beta.oletools(.).indicators.encryption.exists)

// detect macros that attempt to auto-execute when the document is opened
any(attachments, any(beta.oletools(.).macros.keywords, .type == "autoexec"))

// detect suspicious macro source code
any(attachments, iregex_search(beta.oletools(.).macros.vba_code_all_modules, ".*kernel32.*", ".*GetProcessId.*"))
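
The relationship rules above inspect relationship targets inside Office attachments. The following Python sketch is an added illustration, not Sublime's or oletools' own code: it lists the relationships an OOXML package marks as TargetMode="External" and flags targets containing html:http. The function names and the sample package with example.test targets are constructed for this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_TYPES = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
HTML_HTTP = re.compile(r"html:http", re.IGNORECASE)  # mirrors the ".*html:http.*" rule
MAX_PART_BYTES = 1_000_000  # skip implausibly large .rels parts


def external_relationships(data: bytes) -> list:
    """List every relationship marked TargetMode="External" in an OOXML package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART_BYTES:
                continue
            # Assumption: for untrusted mail, use a hardened XML parser such as defusedxml.
            root = ET.fromstring(pkg.read(info))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    found.append({"part": info.filename, "target": rel.get("Target", ""),
                                  "type": rel.get("Type", "").rsplit("/", 1)[-1]})
    return found


def html_http_targets(rels: list) -> list:
    return [r for r in rels if HTML_HTTP.search(r["target"])]


def build_sample() -> bytes:
    """Constructed sample: a package holding one .rels part with placeholder targets."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{REL_TYPES}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{REL_TYPES}hyperlink" '
        'Target="https://example.test/" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{REL_TYPES}oleObject" '
        'Target="mhtml:http://example.test/placeholder" TargetMode="External"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print([r["target"] for r in html_http_targets(external_relationships(build_sample()))])
```

An ordinary external hyperlink counts as an external relationship but does not match html:http, which is why the two rules are worth keeping separate.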


Coming soon

  • Binary explosion
  • YARA support
  • External API integrations, like VirusTotal
  • Analyze binaries from external URLs, like Google Drive and drive-by downloads