Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Quick Tip: Extracting all VBA Code from a Maldoc SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Quick Tip: Extracting all VBA Code from a Maldoc

"How can I extract all VBA code with oledump from this malicious Word document?".

It's a question I get from time to time.

The answer: "oledump.py -s a -v sample.vir".

With -s a, you select all streams. And with -v, you decompress VBA code. The combination "-s a -v" makes that all module streams are selected and thier VBA code is decompressed:

If you need to know when each module starts, look for a line starting with "Attribute VB_Name = ".

One can also select all streams, and output their content as JSON data. I'll make a small update to oledump to add JSON output of VBA code.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

505 Posts
ISC Handler
Nov 8th 2020

Sign Up for Free or Log In to start participating in the conversation!