Multi-OLE

    Published: 2025-01-12. Last Updated: 2025-01-12 11:44:08 UTC
    by Didier Stevens (Version: 1)

    VBA macros and embedded files/objects are stored as OLE files inside OOXML files.

    You can have .docm files with many OLE files, like this one, analyzed with zipdump.py:

    If you analyze this with oledump.py, each OLE file inside the ZIP container will get its own letter prefix:

    Use this letter prefix to select the correct stream, like this for the VBA code stream:

    If it's the first OLE file (prefix A) you want to analyze with oledump.py, it's actually not necessary to include the letter:

    But the letter is required for any other OLE file:

    Although it is not case-sensitive:

    Didier Stevens
    Senior handler
    blog.DidierStevens.com
