New oledump.py plugin: plugin_version_vba

Published: 2019-12-23. Last Updated: 2019-12-23 17:43:57 UTC
by Didier Stevens (Version: 1)
0 comment(s)

In diary entry "VBA Office Document: Which Version?", I explain how to identify the Office version that was used to create a document with VBA macros.

I have now an oledump.py plugin (plugin_version_vba) that automates this task:

In this example, the version number is 00AF, and that corresponds to Office 2016 or 2019 32-bit.

If the version number is not known, like with this AutoCAD .dwg file, you'll get a question mark:

The version number is 009A, but that does not correspond to an Office version I know.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: oledump vba version
0 comment(s)
ISC Stormcast For Monday, December 23rd 2019 https://isc.sans.edu/podcastdetail.html?id=6800

Comments

Login here to join the discussion.


Diary Archives