oledump

Analyzing maldocs with oledump.py

How to spot Malicious VBA and how to extract it

Malicious VBA macros in Microsoft Word (*.doc / *.docm) and Excel (*.xls / *.xlsm) files are nothing new, so the goal is to extract the VBA from the document and read what it actually does. Two warning signs: a document that arrives empty, or whose visible content makes no sense, is very probably malicious; and with the default Office security settings Office will not run the macro until you click "Enable Content", so such documents usually carry a lure telling you to do exactly that. Note that the plain *.docx / *.xlsx formats cannot store VBA at all; a macro-carrying Office document is either a legacy OLE file (*.doc / *.xls) or a macro-enabled OOXML file (*.docm / *.xlsm). We'll be using Didier Stevens' oledump.py to extract the macro.

Setting up Prerequisites and oledump

Note that oledump.py and its prerequisites come preinstalled in FLARE VM. To learn more about the VM, see our FLARE VM installation article.

How to setup oledump:
1. Download Python 2.7 (pick the build for your OS). This guide was written against Python 2.7, which oledump supports.
*** Python 2.7.18 is the final 2.7 release and the 2.7 line is no longer maintained. Current versions of oledump.py also run under Python 3, which is the better choice for a fresh setup; the commands below then use pip3 / python3 instead of pip2 / python2.
2. Install the Python version you downloaded.
3. Install oledump's dependency, the olefile module (formerly known as OleFileIO_PL; installation instructions are on its site).
*** Or use pip, which ships with Python from version 2.7.9 onwards.
3.1. If Python was installed to its default directory, pip2.exe is at "C:\Python27\Scripts\pip2.exe". pip2 installs packages for Python 2; this matters when Python 3 is also installed and the package is Python-2-only (pip3.exe installs packages for Python 3). Open a Command Prompt and run:

C:\Python27\Scripts\pip2.exe install olefile

Updating olefile through pip:

C:\Python27\Scripts\pip2.exe install -U olefile

If Python 2 was added to the PATH environment variable during installation, the full path is not needed:

pip2 install olefile
pip2 install -U olefile

4. Download Didier Stevens' oledump.py (his site carries extensive usage information for the tool, which handles practically anything related to dumping OLE streams from Microsoft files) and extract it somewhere that is easy for you to navigate to.

Oledump tool usage

The syntax is simple. To list the streams in a document and see which of them contain VBA, run in CMD:

oledump.py YourDocument.doc

If that does not work, or you didn't add Python to the PATH environment variable, use the full path to the interpreter:

C:\Python27\python.exe oledump.py YourDocument.doc

The explicit interpreter path is also useful when Python 2 and Python 3 are installed side by side. If the Python launcher is on PATH, this shorter form selects Python 2:

py -2 oledump.py YourDocument.doc

After successful execution you will get a stream listing like this (index, flag column, size in bytes, stream name):

  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      7440 '1Table'
  5:       380 'Macros/PROJECT'
  6:        41 'Macros/PROJECTwm'
  7: M 1329539 'Macros/VBA/ThisDocument'
  8:      3449 'Macros/VBA/_VBA_PROJECT'
  9:      2909 'Macros/VBA/__SRP_0'
 10:       780 'Macros/VBA/__SRP_1'

For a macro-enabled OOXML file (*.docm / *.xlsm), which is a ZIP archive, oledump looks inside the archive for the embedded OLE file (word/vbaProject.bin or xl/vbaProject.bin) and prefixes the stream indices with a letter, so you select streams as "-s A3" instead of "-s 3".

The "M" next to the 7th stream marks a module stream that contains VBA macro code. A lowercase "m" marks a module stream that holds only the attribute lines and no code, which is what the ThisDocument module of a benign document usually looks like, so an "M" is the stream to look at. To dump / extract the VBA source from the 7th stream, use:

oledump.py -s 7 --vbadecompressskipattributes YourDocument.doc > YourDocumentExportedMacro.txt

The command above uses relative paths, so it only works when you run it from the directory that holds both oledump.py and the sample. Otherwise use full paths for all files. Example:

C:\oledump\oledump.py -s 7 --vbadecompressskipattributes C:\Users\User1\Documents\YourDocument.doc > C:\Users\User1\Documents\YourDocumentExportedMacro.txt

The stream number will differ from document to document (and a document can contain several macro modules); watch for that "M".
Switches explanations:

“-s 7”
Dump the 7th stream

“–vbadecompressskipattributes”
This is “VBA decompression, skipping initial attributes”

“YourDocument.doc”
The Microsoft Office file that you want to extract the VBA from

“>”
Redirect all the CMD output to a text file (this is shell redirection, not a pipe)

“YourDocumentExportedMacro.txt”
The path to the text file to pipe the output to
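What --vbadecompressskipattributes actually does under the hood is worth seeing once, because a module stream is not plain text: the VBA source is stored in the "compressed container" format from MS-OVBA section 2.4.1, and oledump decompresses it before printing. The following is an added example, written for this page and not taken from oledump.py, of that decompression algorithm plus a stand-in for the attribute-skipping behaviour. The sample container at the bottom was hand-encoded from the MS-OVBA rules (it is constructed, not from a real document), and the search for the container inside a raw stream dump is this example's own heuristic assumption; the authoritative start offset is the MODULEOFFSET record in the project's "dir" stream, which oledump resolves for you.

```python
"""Added example (not code from oledump.py): MS-OVBA 2.4.1 decompression of a
VBA module stream, as applied by oledump --vbadecompress, plus a stand-in for
--vbadecompressskipattributes. Python 3, standard library only."""
import struct

CHUNK_SIGNATURE = 0b011          # fixed value in bits 12..14 of every chunk header
DECOMPRESSED_CHUNK_SIZE = 4096   # an uncompressed chunk is always 4096 literal bytes


def decompress_vba(container):
    """Decompress one CompressedContainer (bytes starting at the 0x01 signature).

    Raises ValueError on a malformed container; that, rather than a crash, is
    what you want when a stream turns out not to hold VBA source at all.
    """
    if not container or container[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(container):
        chunk_start = pos
        header, = struct.unpack_from("<H", container, chunk_start)
        if (header >> 12) & 0x07 != CHUNK_SIGNATURE:
            raise ValueError("bad chunk signature at offset %d" % chunk_start)
        chunk_size = (header & 0x0FFF) + 3            # counts the 2 header bytes
        chunk_end = min(len(container), chunk_start + chunk_size)
        pos = chunk_start + 2
        chunk_out_start = len(out)                    # copy tokens may not reach before this
        if not header & 0x8000:
            out += container[pos:pos + DECOMPRESSED_CHUNK_SIZE]   # raw chunk
            pos += DECOMPRESSED_CHUNK_SIZE
            continue
        while pos < chunk_end:
            flags = container[pos]                    # one bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:            # 0 = literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                if pos + 2 > chunk_end:
                    raise ValueError("truncated copy token at offset %d" % pos)
                token, = struct.unpack_from("<H", container, pos)   # 1 = copy token
                pos += 2
                # The offset/length split depends on how much of this chunk is
                # already decompressed: bit_count = max(ceil(log2(difference)), 4).
                difference = len(out) - chunk_out_start
                bit_count = max((difference - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < chunk_out_start:
                    raise ValueError("copy token at offset %d reaches before its chunk" % (pos - 2))
                for i in range(length):               # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


def strip_attributes(source):
    """Stand-in for --vbadecompressskipattributes: drop the leading
    'Attribute VB_...' lines that Office stores ahead of the real code."""
    lines = source.split(b"\r\n")
    while lines and lines[0].startswith(b"Attribute VB_"):
        lines.pop(0)
    return b"\r\n".join(lines)


def extract_from_module_stream(stream):
    """Find and decompress the source inside a raw module stream dump.

    Heuristic (this example's assumption, not oledump's exact logic): the
    stream begins with a PerformanceCache, so try each 0x01 byte as a container
    start and return (offset, source) for the first one that decompresses.
    """
    for i, byte in enumerate(stream):
        if byte != 0x01:
            continue
        try:
            return i, decompress_vba(stream[i:])
        except (ValueError, struct.error):
            continue
    raise ValueError("no compressed container found")


# Constructed test vector, hand-encoded from the MS-OVBA rules (not from a real
# file): one compressed chunk in which the second "Sub" is a copy token that
# points back 21 bytes to the first one.
SAMPLE_CONTAINER = (
    b"\x01"                   # container signature
    b"\x1b\xb0"               # chunk header 0xB01B: compressed, sig 0b011, size 30
    b"\x00" b"Sub Auto"       # flag byte 0x00 -> eight literal tokens
    b"\x00" b"_Open()\r"      # eight more literals
    b"\x20" b"\nEnd "         # flag 0x20 -> five literals, a copy token, two literals
    b"\x00\xa0"               # copy token 0xA000: offset 21, length 3 (5-bit length field)
    b"\r\n"                   # the last two literals
)
SAMPLE_SOURCE = b"Sub Auto_Open()\r\nEnd Sub\r\n"

if __name__ == "__main__":
    import sys
    # Usage: dump the raw stream first, e.g. oledump.py -s 7 -d YourDocument.doc > stream.bin
    with open(sys.argv[1], "rb") as f:
        offset, source = extract_from_module_stream(f.read())
    sys.stdout.write(strip_attributes(source).decode("latin-1"))
```

The point of the byte-wise copy loop is that a copy token's length may exceed its offset (the sample's offset 21 / length 3 does not, but "abcabcabc" encodes as three literals and one token with offset 3, length 6), so a slice copy would read bytes that do not exist yet. Feed the script a raw stream written with oledump's -d (dump) option; the decoded text is the same thing oledump prints with --vbadecompressskipattributes.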

For the full manual of oledump.py (all switches, with help text and examples), run:

oledump.py -m