Extracting Macros – OfficeMalScanner

There are a couple of ways that you can extract macros from a Word document. What follows is one of my go-to tools called OfficeMalScanner. We’re going to be using a .docm file called Order_details_U96144.docm. You can download it here.

SHA256: ABD44B168E3E0E5585570BE6695E3511FAADE07301A64550282D98704A57B525

OfficeMalScanner (link)

This tool is an old one, but it is a workhorse for me. There are a few options here, but when it comes to ripping out macros, you’re going to need the two options called ‘info’ and ‘inflate’.

info: Use this for the older style .doc files and the like; it will save any macros to a new folder.

inflate: Use this for the newer style .docx files and the like; it will decompress the document into a temporary directory.


Using OfficeMalScanner with the switch inflate below, you can see that it decompressed the document and saved it here: C:\Users\REM\AppData\Local\Temp\DecompressedMsOfficeDocument.

[Screenshot: OfficeMalScanner-inflate]
Note the yellow text at the bottom. It tells you what to do next.

You will want to find the file named VBAPROJECT.BIN under the WORD folder and use OfficeMalScanner on it. Note how it says to use the info switch on it.

[Screenshot: OfficeMalScanner-vbaproject]

Two macros have been extracted. You can now check them out with your favorite text editor.
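The inflate step works because a .docm is a ZIP container with the macro storage at word/vbaProject.bin. The following is an added example, not part of OfficeMalScanner or the original post, that locates that file in memory and checks it for the OLE header before you hand it to the info switch. The function names and the dummy sample are assumptions made for illustration.

```python
import hashlib
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # signature of an OLE2 compound file


def sha256_hex(data: bytes) -> str:
    """Uppercase SHA256, for comparison with a published sample hash."""
    return hashlib.sha256(data).hexdigest().upper()


def find_vba_projects(doc_bytes: bytes) -> dict:
    """Return {archive path: raw bytes} for each vbaProject.bin in an OOXML file."""
    buf = io.BytesIO(doc_bytes)
    if not zipfile.is_zipfile(buf):
        raise ValueError("not a ZIP container (older .doc files are OLE, not OOXML)")
    found = {}
    with zipfile.ZipFile(buf) as zf:
        for member in zf.infolist():
            # Match on the base name, case-insensitively; nothing is written to disk.
            if member.filename.rsplit("/", 1)[-1].lower() == "vbaproject.bin":
                found[member.filename] = zf.read(member)
    return found


def is_ole(data: bytes) -> bool:
    """True if the extracted stream carries the OLE2 header the macro dump step expects."""
    return data[:8] == OLE_MAGIC


def build_sample() -> bytes:
    """Constructed stand-in for a .docm: a ZIP with a dummy word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("SHA256:", sha256_hex(sample))
    for path, blob in find_vba_projects(sample).items():
        print(path, len(blob), "bytes, OLE header:", is_ole(blob))
```

On a real sample, read the file's bytes and compare `sha256_hex` against the hash listed above before extracting anything.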
