Binary Microsoft office files (.doc
, .xls
) are in the OLE2 format.
OOXML Office files (.docx
, xlsm
) are compressed .zip
archives.
- VBA Macros are stored in an OLE2 binary file within the archive
- Excel allows XLM macros without the OLE2 binary file
- RTF documents cannot contain macros, but can contain embedded files and objects
Command | Description |
---|---|
zipdump.py file.pptx |
Examine contents of OOXML file file.pptx. |
zipdump.py file.pptx -s 3 -d |
Extract file with index 3 from file.pptx to STDOUT. |
olevba file.xlsm |
Locate and extract macros from file.xlsm. |
oledump.py file.xls -i |
List all OLE2 streams present in file.xls. |
oledump.py file.xls -s 3 -v |
Extract VBA source code from stream 3 in file.xls. |
xmldump.py pretty |
Format XML file supplied via STDIN for easier analysis. |
oledump.py file.xls -p plugin_http_heuristics |
Find obfuscated URLs in file.xls macros. |
olevba file.doc |
Extract VBA macros in clear text with deobfuscation and analysis |
oletime file.doc |
Extract file revision history |
oldid file.doc1 |
High-level IOC extraction, good first place to look. |
vmonkey file.doc |
Emulate the execution of macros in file.doc to analyze them. |
evilclippy -uu file.ppt |
Remove the password prompt from macros in file.ppt.msoffcrypto-tool |
infile.docm outfile.docm -p Decrypt outfile.docm |
using specified password to create outfile.docm. |
pcodedmp file.doc |
Disassemble VBA-stomped p-code macro from file.doc. |
pcode2code file.doc |
Decompile VBA-stomped p-code macro from file.doc. |
rtfobj.py file.rtf |
Extract objects embedded into RTF file.rtf. |
rtfdump.py file.rtf |
List groups and structure of RTF file file.rtf. |
rtfdump.py file.rtf -O |
Examine objects in RTF file file.rtf. |
rtfdump.py file.rtf -s 5 -H -d |
Extract hex contents from group in RTF file file.rtf. |
xlmdeobfuscator --file file.xlsm |
Deobfuscate XLM (Excel 4) macros in file.xlsm. |
Often, you can upload a malicious document to sites like virustotal.com
and they’ll already have a large detailed report of it’s decomposition.
/OpenAction
and /AA
specify the script or action to run automatically.
/JavaScript
, /JS
, /AcroForm
, and /XFA
can specify JavaScript to run.
/URI
accesses a URL, perhaps for phishing.
/SubmitForm
and /GoToR
can send data to URL.
/ObjStm
can hide objects inside an object stream.
/XObject
can embed an image for phishing.
Be mindful of obfuscation with hex codes, such as /JavaScript
vs. /J#61vaScript
. (See examples.)