MCPSERV.CLUB
pradeep895

OLETools Secure MCP Server

MCP Server

Secure Office file analysis via FastMCP

Updated Apr 27, 2025

About

A microservice that uses FastMCP to statically analyze Microsoft Office documents for malicious macros, XLM scripts, DDE links, and embedded OLE objects. It extracts IOCs, validates MIME types, and provides risk scoring for integration with tools like Claude Desktop.

Capabilities

  • Resources – Access data sources
  • Tools – Execute functions
  • Prompts – Pre-built templates
  • Sampling – AI model interactions

Overview

The OLETools Secure MCP Server is a lightweight, secure microservice built on FastMCP that empowers AI assistants to perform sophisticated static analysis of Microsoft Office files and related binary formats. By exposing a collection of specialized tools—oletools, XLMMacroDeobfuscator, pefile, and iocextract—the server turns a simple file upload into an automated threat‑detection workflow. This capability is crucial for developers who need to audit Office documents (Excel, Word, PowerPoint, XLL add‑ins) for malicious macros or hidden payloads without exposing their analysis logic to the client side.

What problem does it solve?

Malicious actors increasingly embed malware in Office documents via VBA, XLM macros, or DDE links. Traditional security solutions often rely on heuristic scanning or require manual unpacking of macros, which is time‑consuming and error‑prone. The MCP server automates this entire process, delivering a risk score, extracted indicators of compromise (URLs, IPs, hashes), and macro de‑obfuscation results in a single API call. Developers can integrate these findings directly into their AI workflows, enabling real‑time threat intelligence and automated incident response.

Core capabilities

  • Macro analysis – Parses VBA (olevba) and XLM macros, performing de‑obfuscation to reveal hidden code paths.
  • DDE link detection – Identifies Dynamic Data Exchange links that can be used for remote code execution.
  • OLE object extraction – Recovers embedded objects that may contain additional payloads or malicious scripts.
  • XLL export inspection – Uses pefile to analyze exported functions from XLL add‑ins, flagging suspicious calls.
  • IOC extraction – Pulls out URLs, IP addresses, hashes, and email addresses from the document for threat correlation.
  • File validation – Confirms MIME type and size using python‑magic, guarding against malformed inputs.
  • Risk scoring – Applies a configurable heuristic to produce an overall risk classification, simplifying decision‑making for downstream systems.

Real‑world use cases

  1. Email security gateways – An AI assistant can invoke the server to scan attachments before delivery, automatically quarantining high‑risk documents.
  2. Endpoint protection – On first boot of a workstation, an AI‑driven agent queries the MCP server to audit Office files in user directories.
  3. Incident response – When a suspicious document is reported, the analyst’s AI companion can run a full macro audit and return actionable findings.
  4. Compliance monitoring – Organizations can programmatically enforce policy by rejecting documents that exceed a risk threshold.

Integration with AI workflows

Because the server adheres to the MCP protocol, any compatible client, such as Claude Desktop or other AI assistants, can discover its tools via the standard service discovery mechanism. Developers can simply reference the server's tool names in prompts, and the assistant will delegate execution to the server. The response is returned as structured JSON, allowing downstream AI logic to parse results, trigger alerts, or feed them into a SIEM.

Unique advantages

  • Zero‑trust microservice – The server runs in isolation, limiting exposure of the underlying analysis tools.
  • Extensible scoring – The risk model is configurable, enabling organizations to tailor sensitivity to their threat landscape.
  • Multi‑format support – Beyond Office documents, the server handles XLL add‑ins and other OLE containers in a unified interface.
  • Open source tooling – Leveraging well‑maintained libraries such as oletools and pefile ensures up‑to‑date detection capabilities.

In summary, the OLETools Secure MCP Server transforms static Office document analysis into a declarative, AI‑friendly service. It streamlines threat detection for developers, enhances security workflows, and provides a robust foundation for building intelligent document‑inspection solutions.