Binary Microsoft Office files (e.g. .xls) are in the OLE2 format.
OOXML Office files (e.g. .xlsm) are compressed archives:
- VBA Macros are stored in an OLE2 binary file within the archive
- Excel allows XLM macros without the OLE2 binary file
- RTF documents cannot contain macros, but can contain embedded files and objects.
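The structure described above (OOXML archive, VBA stored as an OLE2 binary inside it, XLM macro sheets that need no OLE2 binary, embedded objects) can be triaged with nothing but the standard library. The following is an added example, not code from the cheat sheet or from any of the tools it lists; it builds a constructed, placeholder .xlsm-style archive in memory so it runs offline, lists the members the way a listing tool would (1-based index, size, name), extracts one member by index, and flags the members worth a closer look. The member names are the real OOXML layout; the member bytes are placeholders, not real Office content.

```python
import io
import zipfile

# OLE2 / Compound File Binary signature: the first 8 bytes of any OLE2 file.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_xlsm() -> bytes:
    """Constructed sample: a minimal OOXML-style archive built in memory so the
    example runs offline. Member names mirror the real layout of an .xlsm
    (VBA project binary, XLM macro sheet, embedded OLE object); the bytes
    inside are placeholders, not real Office content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"\x00" * 64)            # VBA macros live here
        z.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")              # Excel 4 (XLM) macro sheet
        z.writestr("xl/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 8)  # embedded OLE object
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
    return buf.getvalue()


def list_entries(data: bytes) -> list:
    """Examine the archive contents: (1-based index, member name, uncompressed size)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [(i + 1, info.filename, info.file_size) for i, info in enumerate(z.infolist())]


def extract_entry(data: bytes, index: int) -> bytes:
    """Extract a single member by its 1-based index (what 'extract file with index N' does)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(z.infolist()[index - 1])


def triage_ooxml(data: bytes) -> dict:
    """Flag the members that matter for macro and object analysis:
      vba_project      - vbaProject.bin, the OLE2 binary that holds VBA macros
      xlm_macrosheets  - xl/macrosheets/*, Excel 4 (XLM) macros, no OLE2 binary needed
      embedded_objects - */embeddings/*, embedded OLE objects
      ole2_members     - any member whose first 8 bytes carry the OLE2 signature,
                         so an OLE2 container is noticed even under an unexpected name
    """
    findings = {"vba_project": [], "xlm_macrosheets": [], "embedded_objects": [], "ole2_members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings["vba_project"].append(name)
            if "/macrosheets/" in lower:
                findings["xlm_macrosheets"].append(name)
            if "/embeddings/" in lower:
                findings["embedded_objects"].append(name)
            # Content sniff independent of the file name.
            with z.open(info) as member:
                if member.read(len(OLE2_MAGIC)) == OLE2_MAGIC:
                    findings["ole2_members"].append(name)
    return findings


if __name__ == "__main__":
    sample = build_sample_xlsm()
    for idx, name, size in list_entries(sample):
        print(f"{idx:2d}  {size:6d}  {name}")
    print(triage_ooxml(sample))
```

Once `triage_ooxml` points at `xl/vbaProject.bin`, that member is the OLE2 file to hand to an OLE2 stream lister or VBA extractor from the table below; a hit under `xlm_macrosheets` with no VBA project is the "XLM macros without the OLE2 binary file" case.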
| Command | Purpose |
|---|---|
| | Examine contents of OOXML file file.pptx. |
| | Extract file with index 3 from file.pptx to STDOUT. |
| | Locate and extract macros from file.xlsm. |
| | List all OLE2 streams present in file.xls. |
| | Extract VBA source code from stream 3 in file.xls. |
| | Format XML file supplied via STDIN for easier analysis. |
| | Find obfuscated URLs in file.xls macros. |
| | Extract VBA macros in clear text with deobfuscation and analysis. |
| | Extract file revision history. |
| | High-level IOC extraction, good first place to look. |
| | Emulate the execution of macros in file.doc to analyze them. |
| | Remove the password prompt from macros in file.ppt. |
| msoffcrypto-tool | Decrypt using the specified password to create outfile.docm. |
| | Disassemble VBA-stomped p-code macro from file.doc. |
| | Decompile VBA-stomped p-code macro from file.doc. |
| | Extract objects embedded into RTF file file.rtf. |
| | List groups and structure of RTF file file.rtf. |
| | Examine objects in RTF file file.rtf. |
| | Extract hex contents from group in RTF file file.rtf. |
| | Deobfuscate XLM (Excel 4) macros in file.xlsm. |
Often, you can upload a malicious document to sites like virustotal.com and they will already have a large, detailed report of its decomposition.
Risky PDF keywords to look for:
- /AA specifies the script or action to run automatically.
- /URI accesses a URL, perhaps for phishing.
- /GoToR can send data to URL.
- /ObjStm can hide objects inside an object stream.
- /XObject can embed an image for phishing.

Be mindful of obfuscation with hex codes, such as /J#61vaScript. (See examples.)
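PDF name objects may spell any character as `#xx` (two hex digits), which is why a plain string search for `/JavaScript` misses `/J#61vaScript`. The scanner below is an added example, not code from the cheat sheet or from any PDF tool: it finds every name token in a PDF byte buffer, normalizes the `#xx` escapes, and then matches the canonical name against the keyword list above (plus `/JavaScript`, the name the obfuscated example resolves to). The `SAMPLE_PDF` bytes are a constructed, minimal document written for this example; the object layout is schematic rather than a fully valid file.

```python
import re

# A PDF name runs from "/" up to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
# "#xx" inside a name encodes the byte 0xXX (PDF 1.2+ name escaping).
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Keywords from the cheat sheet, keyed by their canonical (unescaped) spelling.
RISKY_NAMES = {
    b"/AA": "additional action: script or action runs automatically",
    b"/JavaScript": "embedded JavaScript action",
    b"/URI": "accesses a URL, perhaps for phishing",
    b"/GoToR": "remote go-to, can send data to URL",
    b"/ObjStm": "object stream, can hide objects",
    b"/XObject": "external object, can embed an image for phishing",
}

# Constructed sample (not a real document): a catalog with an automatic action
# whose JavaScript keyword is hex-obfuscated, plus a link annotation with a URI.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /AA << /O 4 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (x) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/login) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def decode_pdf_name(raw: bytes) -> bytes:
    """Resolve #xx escapes: b'/J#61vaScript' -> b'/JavaScript'."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> dict:
    """Return {canonical name: [raw spellings seen]} for every risky keyword.
    Both plain and hex-escaped spellings are counted under the canonical name,
    and the raw spelling is kept so obfuscation itself is visible in the output."""
    hits = {}
    for m in NAME_RE.finditer(data):
        raw = b"/" + m.group(1)
        canonical = decode_pdf_name(raw)
        if canonical in RISKY_NAMES:
            hits.setdefault(canonical.decode("latin-1"), []).append(raw.decode("latin-1"))
    return hits


def report(data: bytes) -> list:
    """Human-readable lines: keyword, count, description, and any obfuscated spellings."""
    lines = []
    for name, spellings in scan_pdf(data).items():
        obfuscated = sorted({s for s in spellings if s != name})
        note = f" (obfuscated as {', '.join(obfuscated)})" if obfuscated else ""
        lines.append(f"{name} x{len(spellings)}: {RISKY_NAMES[name.encode()]}{note}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_PDF):
        print(line)
```

Because matching happens after normalization, the same scanner also reports a keyword that has every character escaped; the raw spelling in the output is what tells you the author went out of their way to hide it, which is itself a useful triage signal.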